Discover Government News

SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:2729-1
Container Tags        : bci/golang:1.20 , bci/golang:1.20-2.2.1 , bci/golang:oldstable , bci/golang:oldstable-2.2.1
Container Release     : 2.1
Severity              : important
Type                  : security
References            : 1206346 1206346 1206346 1206346 1206346 1206346 1208269 1208270
                        1208271 1208272 1209030 1210127 1210127 1210128 1210128 1210129
                        1210129 1210130 1210130 1210938 1210963 1211029 1211030 1211031
                        1212073 1212074 1212075 1212076 1213229 1213880 CVE-2022-41722
                        CVE-2022-41723 CVE-2022-41724 CVE-2022-41725 CVE-2023-24532 CVE-2023-24534
                        CVE-2023-24534 CVE-2023-24536 CVE-2023-24536 CVE-2023-24537 CVE-2023-24537
                        CVE-2023-24538 CVE-2023-24538 CVE-2023-24539 CVE-2023-24540 CVE-2023-29400
                        CVE-2023-29402 CVE-2023-29403 CVE-2023-29404 CVE-2023-29405 CVE-2023-29406
                        CVE-2023-29409 
-----------------------------------------------------------------

The container bci/golang was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:735-1
Released:    Tue Mar 14 18:07:46 2023
Summary:     Security update for go1.20
Type:        security
Severity:    important
References:  1206346,1208269,1208270,1208271,1208272,1209030,CVE-2022-41722,CVE-2022-41723,CVE-2022-41724,CVE-2022-41725,CVE-2023-24532
This update for go1.20 fixes the following issues:

- Improvements to go1.x packaging spec:

  * On Tumbleweed bootstrap with current default gcc13 and gccgo118
  * On SLE-12 aarch64 ppc64le ppc64 remove overrides to bootstrap
    using go1.x package (%bcond_without gccgo). This is no longer
    needed on current SLE-12:Update and removing will consolidate
    the build configurations used.
  * Change source URLs to go.dev as per Go upstream
  * On x86_64 export GOAMD64=v1 as per the current baseline.
    At this time forgo GOAMD64=v3 option for x86_64_v3 support.
  * On x86_64 %define go_amd64=v1 as current instruction baseline
  * In %check on x86_64 use value %go_amd64=v1 as GOAMD64=v1 to
    grep correct TSAN version is checked out from LLVM with new
    spelling for internal/amd64v1/race_linux.syso

go1.20.2 (released 2023-03-07) includes a security fix to the
crypto/elliptic package, as well as bug fixes to the compiler,
the covdata command, the linker, the runtime, and the
crypto/ecdh, crypto/rsa, crypto/x509, os, and syscall packages. (boo#1206346)

* CVE-2023-24532: crypto/elliptic: Fixed that specific unreduced P-256 scalars produce incorrect results (boo#1209030)

* cmd/covdata: short read on string table when merging coverage counters
* runtime: some linkname signatures do not match
* cmd/compile: inline static init cause compile time error
* cmd/compile: internal compiler error: '(*Tree[go.shape.int]).RemoveParent.func1': value .dict (nil) incorrectly live at entry
* crypto/ecdh: ECDH method doesn't check curve
* cmd/link: relocation truncated to fit: R_ARM_CALL against `runtime.duffcopy'
* crypto/internal/bigmod: flag amd64 assembly as noescape
* runtime: endless traceback when panic in generics funtion
* runtime: long latency of sweep assists
* syscall.Faccessat and os.LookPath regression in Go 1.20
* os: cmd/go gets error 'copy_file_range: function not implemented'
* net: TestTCPSelfConnect failures due to unexpected connections
* syscall: Environ uses an invalid unsafe.Pointer conversion on Windows
* cmd/compile: ICE on method value involving imported anonymous interface
* crypto/x509: Incorrect documentation for ParsePKCS8PrivateKey
* crypto/x509: TestSystemVerify consistently failing

go1.20.1 (released 2023-02-14) includes security fixes to the
crypto/tls, mime/multipart, net/http, and path/filepath packages,
as well as bug fixes to the compiler, the go command, the linker,
the runtime, and the time package. (bsc#1206346)

- CVE-2022-41722 CVE-2022-41723 CVE-2022-41724 CVE-2022-41725

  * bsc#1208269 security: fix CVE-2022-41722 path/filepath: path traversal in filepath.Clean on Windows
  * bsc#1208270 security: fix CVE-2022-41723 net/http: avoid quadratic complexity in HPACK decoding
  * bsc#1208271 security: fix CVE-2022-41724 crypto/tls: large handshake records may cause panics
  * bsc#1208272 security: fix CVE-2022-41725 net/http, mime/multipart: denial of service from excessive resource consumption
  * time: update zoneinfo_abbrs on Windows
  * cmd/link: .go.buildinfo is gc'ed by --gc-sections
  * cmd/compile/internal/pgo: Detect sample value position instead of hard-coding
  * cmd/compile: constant overflows when assigned to package level var (Go 1.20 regression)
  * cmd/compile: internal compiler error: panic: interface conversion: ir.Node is *ir.CompLitExpr, not *ir.Name
  * cmd/compile: internal compiler error: Type.Elem UNION
  * runtime: GOOS=ios fails Apple's app validation due to use of private API
  * cmd/go/internal/test: stale flagdefs.go not detected by tests
  * all: test failures with ETXTBSY
  * cmd/go/internal/modfetch: TestCodeRepo/gopkg.in_natefinch_lumberjack.v2/latest failing

- go1.20 (released 2023-02-01) is a major release of Go.
  go1.20.x minor releases will be provided through February 2024.
  https://github.com/golang/go/wiki/Go-Release-Cycle
  go1.20 arrives six months after go1.19. Most of its changes are
  in the implementation of the toolchain, runtime, and libraries.
  As always, the release maintains the Go 1 promise of
  compatibility. We expect almost all Go programs to continue to
  compile and run as before. ( bsc#1206346 jsc#PED-1962 )

* Go 1.20 includes four changes to the language

  * Language change: Go 1.17 added conversions from slice to an
    array pointer. Go 1.20 extends this to allow conversions from a
    slice to an array
  * Language change: The unsafe package defines three new functions
    SliceData, String, and StringData. Along with Go 1.17's Slice,
    these functions now provide the complete ability to construct
    and deconstruct slice and string values, without depending on
    their exact representation.
  * Language change: The specification now defines that struct
    values are compared one field at a time, considering fields in
    the order they appear in the struct type definition, and
    stopping at the first mismatch. The specification could
    previously have been read as if all fields needed to be
    compared beyond the first mismatch. Similarly, the
    specification now defines that array values are compared one
    element at a time, in increasing index order. In both cases,
    the difference affects whether certain comparisons must
    panic. Existing programs are unchanged: the new spec wording
    describes what the implementations have always done.
  * Language change: Comparable types (such as ordinary interfaces)
    may now satisfy comparable constraints, even if the type
    arguments are not strictly comparable (comparison may panic at
    runtime). This makes it possible to instantiate a type
    parameter constrained by comparable (e.g., a type parameter for
    a user-defined generic map key) with a non-strictly comparable
    type argument such as an interface type, or a composite type
    containing an interface type.
  * go command: The directory $GOROOT/pkg no longer stores
    pre-compiled package archives for the standard library: go
    install no longer writes them, the go build no longer checks
    for them, and the Go distribution no longer ships
    them. Instead, packages in the standard library are built as
    needed and cached in the build cache, just like packages
    outside GOROOT. This change reduces the size of the Go
    distribution and also avoids C toolchain skew for packages that
    use cgo. Refs jsc#PED-1962
  * go command: The implementation of go test -json has been
    improved to make it more robust. Programs that run go test
    -json do not need any updates. Programs that invoke go tool
    test2json directly should now run the test binary with
    -v=test2json (for example, go test -v=test2json or ./pkg.test
    -test.v=test2json) instead of plain -v.
  * go command: A related change to go test -json is the addition
    of an event with Action set to start at the beginning of each
    test program's execution. When running multiple tests using the
    go command, these start events are guaranteed to be emitted in
    the same order as the packages named on the command line.
  * go command: The go command now defines architecture feature
    build tags, such as amd64.v2, to allow selecting a package
    implementation file based on the presence or absence of a
    particular architecture feature. See go help buildconstraint
    for details.
  * go command: The go subcommands now accept -C  to change
    directory to  before performing the command, which may be
    useful for scripts that need to execute commands in multiple
    different modules.
  * go command: The go build and go test commands no longer accept
    the -i flag, which has been deprecated since Go 1.16.
  * go command: The go generate command now accepts -skip 
    to skip //go:generate directives matching .
  * go command: The go test command now accepts -skip  to
    skip tests, subtests, or examples matching .
  * go command: When the main module is located within GOPATH/src,
    go install no longer installs libraries for non-main packages
    to GOPATH/pkg, and go list no longer reports a Target field for
    such packages. (In module mode, compiled packages are stored in
    the build cache only, but a bug had caused the GOPATH install
    targets to unexpectedly remain in effect.)
  * go command: The go build, go install, and other build-related
    commands now support a -pgo flag that enables profile-guided
    optimization, which is described in more detail in the Compiler
    section below. The -pgo flag specifies the file path of the
    profile. Specifying -pgo=auto causes the go command to search
    for a file named default.pgo in the main package's directory
    and use it if present. This mode currently requires a single
    main package to be specified on the command line, but we plan
    to lift this restriction in a future release. Specifying
    -pgo=off turns off profile-guided optimization.
  * go command: The go build, go install, and other build-related
    commands now support a -cover flag that builds the specified
    target with code coverage instrumentation. This is described in
    more detail in the Cover section below.
  * go version: The go version -m command now supports reading more
    types of Go binaries, most notably, Windows DLLs built with go
    build -buildmode=c-shared and Linux binaries without execute
    permission.
  * Cgo: The go command now disables cgo by default on systems
    without a C toolchain. More specifically, when the CGO_ENABLED
    environment variable is unset, the CC environment variable is
    unset, and the default C compiler (typically clang or gcc) is
    not found in the path, CGO_ENABLED defaults to 0. As always,
    you can override the default by setting CGO_ENABLED explicitly.
    The most important effect of the default change is that when Go
    is installed on a system without a C compiler, it will now use
    pure Go builds for packages in the standard library that use
    cgo, instead of using pre-distributed package archives (which
    have been removed, as noted above) or attempting to use cgo and
    failing. This makes Go work better in some minimal container
    environments as well as on macOS, where pre-distributed package
    archives have not been used for cgo-based packages since Go
    1.16.
    The packages in the standard library that use cgo are net,
    os/user, and plugin. On macOS, the net and os/user packages
    have been rewritten not to use cgo: the same code is now used
    for cgo and non-cgo builds as well as cross-compiled builds. On
    Windows, the net and os/user packages have never used cgo. On
    other systems, builds with cgo disabled will use a pure Go
    version of these packages.
    On macOS, the race detector has been rewritten not to use cgo:
    race-detector-enabled programs can be built and run without
    Xcode. On Linux and other Unix systems, and on Windows, a host
    C toolchain is required to use the race detector.
  * go cover: Go 1.20 supports collecting code coverage profiles
    for programs (applications and integration tests), as opposed
    to just unit tests. To collect coverage data for a program,
    build it with go build's -cover flag, then run the resulting
    binary with the environment variable GOCOVERDIR set to an
    output directory for coverage profiles. See the 'coverage for
    integration tests' landing page for more on how to get
    started. For details on the design and implementation, see the
    proposal.
  * go vet: Improved detection of loop variable capture by nested
    functions. The vet tool now reports references to loop
    variables following a call to T.Parallel() within subtest
    function bodies. Such references may observe the value of the
    variable from a different iteration (typically causing test
    cases to be skipped) or an invalid state due to unsynchronized
    concurrent access.
  * go vet: The tool also detects reference mistakes in more
    places. Previously it would only consider the last statement
    of the loop body, but now it recursively inspects the last
    statements within if, switch, and select statements.
  * go vet: New diagnostic for incorrect time formats. The vet tool
    now reports use of the time format 2006-02-01 (yyyy-dd-mm) with
    Time.Format and time.Parse. This format does not appear in
    common date standards, but is frequently used by mistake when
    attempting to use the ISO 8601 date format (yyyy-mm-dd).
  * Runtime: Some of the garbage collector's internal data
    structures were reorganized to be both more space and CPU
    efficient. This change reduces memory overheads and improves
    overall CPU performance by up to 2%.
  * Runtime: The garbage collector behaves less erratically with
    respect to goroutine assists in some circumstances.
  * Runtime: Go 1.20 adds a new runtime/coverage package containing
    APIs for writing coverage profile data at runtime from
    long-running and/or server programs that do not terminate via
    os.Exit().
  * Compiler: Go 1.20 adds preview support for profile-guided
    optimization (PGO). PGO enables the toolchain to perform
    application- and workload-specific optimizations based on
    run-time profile information. Currently, the compiler supports
    pprof CPU profiles, which can be collected through usual means,
    such as the runtime/pprof or net/http/pprof packages. To enable
    PGO, pass the path of a pprof profile file via the -pgo flag to
    go build, as mentioned above. Go 1.20 uses PGO to more
    aggressively inline functions at hot call sites. Benchmarks for
    a representative set of Go programs show enabling
    profile-guided inlining optimization improves performance about
    3–4%. See the PGO user guide for detailed documentation. We
    plan to add more profile-guided optimizations in future
    releases. Note that profile-guided optimization is a preview,
    so please use it with appropriate caution.
  * Compiler: The Go 1.20 compiler upgraded its front-end to use a
    new way of handling the compiler's internal data, which fixes
    several generic-types issues and enables type declarations
    within generic functions and methods.
  * Compiler: The compiler now rejects anonymous interface cycles
    with a compiler error by default. These arise from tricky uses
    of embedded interfaces and have always had subtle correctness
    issues, yet we have no evidence that they're actually used in
    practice. Assuming no reports from users adversely affected by
    this change, we plan to update the language specification for
    Go 1.22 to formally disallow them so tools authors can stop
    supporting them too.
  * Compiler: Go 1.18 and 1.19 saw regressions in build speed,
    largely due to the addition of support for generics and
    follow-on work. Go 1.20 improves build speeds by up to 10%,
    bringing it back in line with Go 1.17. Relative to Go 1.19,
    generated code performance is also generally slightly improved.
  * Linker: On Linux, the linker now selects the dynamic
    interpreter for glibc or musl at link time.
  * Linker: On Windows, the Go linker now supports modern
    LLVM-based C toolchains.
  * Linker: Go 1.20 uses go: and type: prefixes for
    compiler-generated symbols rather than go. and type.. This
    avoids confusion for user packages whose name starts with
    go.. The debug/gosym package understands this new naming
    convention for binaries built with Go 1.20 and newer.
  * Bootstrap: When building a Go release from source and
    GOROOT_BOOTSTRAP is not set, previous versions of Go looked for
    a Go 1.4 or later bootstrap toolchain in the directory
    $HOME/go1.4 (%HOMEDRIVE%%HOMEPATH%\go1.4 on Windows). Go 1.18
    and Go 1.19 looked first for $HOME/go1.17 or $HOME/sdk/go1.17
    before falling back to $HOME/go1.4, in anticipation of
    requiring Go 1.17 for use when bootstrapping Go 1.20. Go 1.20
    does require a Go 1.17 release for bootstrapping, but we
    realized that we should adopt the latest point release of the
    bootstrap toolchain, so it requires Go 1.17.13. Go 1.20 looks
    for $HOME/go1.17.13 or $HOME/sdk/go1.17.13 before falling back
    to $HOME/go1.4 (to support systems that hard-coded the path
    $HOME/go1.4 but have installed a newer Go toolchain there). In
    the future, we plan to move the bootstrap toolchain forward
    approximately once a year, and in particular we expect that Go
    1.22 will require the final point release of Go 1.20 for
    bootstrap.
  * Library: Go 1.20 adds a new crypto/ecdh package to provide
    explicit support for Elliptic Curve Diffie-Hellman key
    exchanges over NIST curves and Curve25519. Programs should use
    crypto/ecdh instead of the lower-level functionality in
    crypto/elliptic for ECDH, and third-party modules for more
    advanced use cases.
  * Error handling: Go 1.20 expands support for error wrapping to
    permit an error to wrap multiple other errors.
  * Error handling: An error e can wrap more than one error by
    providing an Unwrap method that returns a []error.
  * Error handling: The errors.Is and errors.As functions have been
    updated to inspect multiply wrapped errors.
  * Error handling: The fmt.Errorf function now supports multiple
    occurrences of the %w format verb, which will cause it to
    return an error that wraps all of those error operands.
  * Error handling: The new function errors.Join returns an error
    wrapping a list of errors.
  * HTTP ResponseController: The new 'net/http'.ResponseController
    type provides access to extended per-request functionality not
    handled by the 'net/http'.ResponseWriter interface. The
    ResponseController type provides a clearer, more discoverable
    way to add per-handler controls. Two such controls also added
    in Go 1.20 are SetReadDeadline and SetWriteDeadline, which
    allow setting per-request read and write deadlines.
  * New ReverseProxy Rewrite hook: The httputil.ReverseProxy
    forwarding proxy includes a new Rewrite hook function,
    superseding the previous Director hook.
  * archive/tar: When the GODEBUG=tarinsecurepath=0 environment
    variable is set, Reader.Next method will now return the error
    ErrInsecurePath for an entry with a file name that is an
    absolute path, refers to a location outside the current
    directory, contains invalid characters, or (on Windows) is a
    reserved name such as NUL. A future version of Go may disable
    insecure paths by default.
  * archive/zip: When the GODEBUG=zipinsecurepath=0 environment
    variable is set, NewReader will now return the error
    ErrInsecurePath when opening an archive which contains any file
    name that is an absolute path, refers to a location outside the
    current directory, contains invalid characters, or (on Windows)
    is a reserved names such as NUL. A future version of Go may
    disable insecure paths by default.
  * archive/zip: Reading from a directory file that contains file
    data will now return an error. The zip specification does not
    permit directory files to contain file data, so this change
    only affects reading from invalid archives.
  * bytes: The new CutPrefix and CutSuffix functions are like
    TrimPrefix and TrimSuffix but also report whether the string
    was trimmed.
  * bytes: The new Clone function allocates a copy of a byte slice.
  * context: The new WithCancelCause function provides a way to
    cancel a context with a given error. That error can be
    retrieved by calling the new Cause function.
  * crypto/ecdsa: When using supported curves, all operations are
    now implemented in constant time. This led to an increase in
    CPU time between 5% and 30%, mostly affecting P-384 and P-521.
  * crypto/ecdsa: The new PrivateKey.ECDH method converts an
    ecdsa.PrivateKey to an ecdh.PrivateKey.
  * crypto/ed25519: The PrivateKey.Sign method and the
    VerifyWithOptions function now support signing pre-hashed
    messages with Ed25519ph, indicated by an Options.HashFunc that
    returns crypto.SHA512. They also now support Ed25519ctx and
    Ed25519ph with context, indicated by setting the new
    Options.Context field.
  * crypto/rsa: The new field OAEPOptions.MGFHash allows
    configuring the MGF1 hash separately for OAEP decryption.
  * crypto/rsa: crypto/rsa now uses a new, safer, constant-time
    backend. This causes a CPU runtime increase for decryption
    operations between approximately 15% (RSA-2048 on amd64) and
    45% (RSA-4096 on arm64), and more on 32-bit
    architectures. Encryption operations are approximately 20x
    slower than before (but still 5-10x faster than
    decryption). Performance is expected to improve in future
    releases. Programs must not modify or manually generate the
    fields of PrecomputedValues.
  * crypto/subtle: The new function XORBytes XORs two byte slices
    together.
  * crypto/tls: Parsed certificates are now shared across all
    clients actively using that certificate. The memory savings can
    be significant in programs that make many concurrent
    connections to a server or collection of servers sharing any
    part of their certificate chains.
  * crypto/tls: For a handshake failure due to a certificate
    verification failure, the TLS client and server now return an
    error of the new type CertificateVerificationError, which
    includes the presented certificates.
  * crypto/x509: ParsePKCS8PrivateKey and MarshalPKCS8PrivateKey
    now support keys of type *crypto/ecdh.PrivateKey.
    ParsePKIXPublicKey and MarshalPKIXPublicKey now support keys of
    type *crypto/ecdh.PublicKey. Parsing NIST curve keys still
    returns values of type *ecdsa.PublicKey and *ecdsa.PrivateKey.
    Use their new ECDH methods to convert to the crypto/ecdh types.
  * crypto/x509: The new SetFallbackRoots function allows a program
    to define a set of fallback root certificates in case an
    operating system verifier or standard platform root bundle is
    unavailable at runtime. It will most commonly be used with a
    new package, golang.org/x/crypto/x509roots/fallback, which will
    provide an up to date root bundle.
  * debug/elf: Attempts to read from a SHT_NOBITS section using
    Section.Data or the reader returned by Section.Open now return
    an error.
  * debug/elf: Additional R_LARCH_* constants are defined for use
    with LoongArch systems.
  * debug/elf: Additional R_PPC64_* constants are defined for use
    with PPC64 ELFv2 relocations.
  * debug/elf: The constant value for R_PPC64_SECTOFF_LO_DS is
    corrected, from 61 to 62.
  * debug/gosym: Due to a change of Go's symbol naming conventions,
    tools that process Go binaries should use Go 1.20's debug/gosym
    package to transparently handle both old and new binaries.
  * debug/pe: Additional IMAGE_FILE_MACHINE_RISCV* constants are
    defined for use with RISC-V systems.
  * encoding/binary: The ReadVarint and ReadUvarint functions will
    now return io.ErrUnexpectedEOF after reading a partial value,
    rather than io.EOF.
  * encoding/xml: The new Encoder.Close method can be used to check
    for unclosed elements when finished encoding.
  * encoding/xml: The decoder now rejects element and attribute
    names with more than one colon, such as , as well as
    namespaces that resolve to an empty string, such as xmlns:a=''.
  * encoding/xml: The decoder now rejects elements that use
    different namespace prefixes in the opening and closing tag,
    even if those prefixes both denote the same namespace.
  * errors: The new Join function returns an error wrapping a list
    of errors.
  * fmt: The Errorf function supports multiple occurrences of the
    %w format verb, returning an error that unwraps to the list of
    all arguments to %w.
  * fmt: The new FormatString function recovers the formatting
    directive corresponding to a State, which can be useful in
    Formatter. implementations.
  * go/ast: The new RangeStmt.Range field records the position of
    the range keyword in a range statement.
  * go/ast: The new File.FileStart and File.FileEnd fields record
    the position of the start and end of the entire source file.
  * go/token: The new FileSet.RemoveFile method removes a file from
    a FileSet. Long-running programs can use this to release memory
    associated with files they no longer need.
  * go/types: The new Satisfies function reports whether a type
    satisfies a constraint. This change aligns with the new
    language semantics that distinguish satisfying a constraint
    from implementing an interface.
  * io: The new OffsetWriter wraps an underlying WriterAt and
    provides Seek, Write, and WriteAt methods that adjust their
    effective file offset position by a fixed amount.
  * io/fs: The new error SkipAll terminates a WalkDir immediately
    but successfully.
  * math/big: The math/big package's wide scope and input-dependent
    timing make it ill-suited for implementing cryptography. The
    cryptography packages in the standard library no longer call
    non-trivial Int methods on attacker-controlled inputs. In the
    future, the determination of whether a bug in math/big is
    considered a security vulnerability will depend on its wider
    impact on the standard library.
  * math/rand: The math/rand package now automatically seeds the
    global random number generator (used by top-level functions
    like Float64 and Int) with a random value, and the top-level
    Seed function has been deprecated. Programs that need a
    reproducible sequence of random numbers should prefer to
    allocate their own random source, using
    rand.New(rand.NewSource(seed)).
  * math/rand: Programs that need the earlier consistent global
    seeding behavior can set GODEBUG=randautoseed=0 in their
    environment.
  * math/rand: The top-level Read function has been deprecated. In
    almost all cases, crypto/rand.Read is more appropriate.
  * mime: The ParseMediaType function now allows duplicate
    parameter names, so long as the values of the names are the
    same.
  * mime/multipart: Methods of the Reader type now wrap errors
    returned by the underlying io.Reader.
  * net: The LookupCNAME function now consistently returns the
    contents of a CNAME record when one exists. Previously on Unix
    systems and when using the pure Go resolver, LookupCNAME would
    return an error if a CNAME record referred to a name that with
    no A, AAAA, or CNAME record. This change modifies LookupCNAME
    to match the previous behavior on Windows, allowing LookupCNAME
    to succeed whenever a CNAME exists.
  * net: Interface.Flags now includes the new flag FlagRunning,
    indicating an operationally active interface. An interface
    which is administratively configured but not active (for
    example, because the network cable is not connected) will have
    FlagUp set but not FlagRunning.
  * net: The new Dialer.ControlContext field contains a callback
    function similar to the existing Dialer.Control hook, that
    additionally accepts the dial context as a parameter. Control
    is ignored when ControlContext is not nil.
  * net: The Go DNS resolver recognizes the trust-ad resolver
    option. When options trust-ad is set in resolv.conf, the Go
    resolver will set the AD bit in DNS queries. The resolver does
    not make use of the AD bit in responses.
  * net: DNS resolution will detect changes to /etc/nsswitch.conf
    and reload the file when it changes. Checks are made at most
    once every five seconds, matching the previous handling of
    /etc/hosts and /etc/resolv.conf.
  * net/http: The ResponseWriter.WriteHeader function now supports
    sending 1xx status codes.
  * net/http: The new Server.DisableGeneralOptionsHandler
    configuration setting allows disabling the default OPTIONS *
    handler.
  * net/http: The new Transport.OnProxyConnectResponse hook is
    called when a Transport receives an HTTP response from a proxy
    for a CONNECT request.
  * net/http: The HTTP server now accepts HEAD requests containing
    a body, rather than rejecting them as invalid.
  * net/http: HTTP/2 stream errors returned by net/http functions
    may be converted to a golang.org/x/net/http2.StreamError using
    errors.As.
  * net/http: Leading and trailing spaces are trimmed from cookie
    names, rather than being rejected as invalid. For example, a
    cookie setting of 'name =value' is now accepted as setting the
    cookie 'name'.
  * net/netip: The new IPv6LinkLocalAllRouters and IPv6Loopback
    functions are the net/netip equivalents of net.IPv6loopback and
    net.IPv6linklocalallrouters.
  * os: On Windows, the name NUL is no longer treated as a special
    case in Mkdir and Stat.
  * os: On Windows, File.Stat now uses the file handle to retrieve
    attributes when the file is a directory. Previously it would
    use the path passed to Open, which may no longer be the file
    represented by the file handle if the file has been moved or
    replaced. This change modifies Open to open directories without
    the FILE_SHARE_DELETE access, which match the behavior of
    regular files.
  * os: On Windows, File.Seek now supports seeking to the beginning
    of a directory.
  * os/exec: The new Cmd fields Cancel and WaitDelay specify the
    behavior of the Cmd when its associated Context is canceled or
    its process exits with I/O pipes still held open by a child
    process.
  * path/filepath: The new error SkipAll terminates a Walk
    immediately but successfully.
  * path/filepath: The new IsLocal function reports whether a path
    is lexically local to a directory. For example, if IsLocal(p)
    is true, then Open(p) will refer to a file that is lexically
    within the subtree rooted at the current directory.
  * reflect: The new Value.Comparable and Value.Equal methods can
    be used to compare two Values for equality. Comparable reports
    whether Equal is a valid operation for a given Value receiver.
  * reflect: The new Value.Grow method extends a slice to guarantee
    space for another n elements.
  * reflect: The new Value.SetZero method sets a value to be the
    zero value for its type.
  * reflect: Go 1.18 introduced Value.SetIterKey and
    Value.SetIterValue methods. These are optimizations:
    v.SetIterKey(it) is meant to be equivalent to
    v.Set(it.Key()). The implementations incorrectly omitted a
    check for use of unexported fields that was present in the
    unoptimized forms. Go 1.20 corrects these methods to include
    the unexported field check.
  * regexp: Go 1.19.2 and Go 1.18.7 included a security fix to the
    regular expression parser, making it reject very large
    expressions that would consume too much memory. Because Go
    patch releases do not introduce new API, the parser returned
    syntax.ErrInternalError in this case. Go 1.20 adds a more
    specific error, syntax.ErrLarge, which the parser now returns
    instead.
  * runtime/cgo: Go 1.20 adds new Incomplete marker type. Code
    generated by cgo will use cgo.Incomplete to mark an incomplete
    C type.
  * runtime/metrics: Go 1.20 adds new supported metrics, including
    the current GOMAXPROCS setting (/sched/gomaxprocs:threads), the
    number of cgo calls executed (/cgo/go-to-c-calls:calls), total
    mutex block time (/sync/mutex/wait/total:seconds), and various
    measures of time spent in garbage collection.
  * runtime/metrics: Time-based histogram metrics are now less
    precise, but take up much less memory.
  * runtime/pprof: Mutex profile samples are now pre-scaled, fixing
    an issue where old mutex profile samples would be scaled
    incorrectly if the sampling rate changed during execution.
  * runtime/pprof: Profiles collected on Windows now include memory
    mapping information that fixes symbolization issues for
    position-independent binaries.
  * runtime/trace: The garbage collector's background sweeper now
    yields less frequently, resulting in many fewer extraneous
    events in execution traces.
  * strings: The new CutPrefix and CutSuffix functions are like
    TrimPrefix and TrimSuffix but also report whether the string
    was trimmed.
  * sync: The new Map methods Swap, CompareAndSwap, and
    CompareAndDelete allow existing map entries to be updated
    atomically.
  * syscall: On FreeBSD, compatibility shims needed for FreeBSD 11
    and earlier have been removed.
  * syscall: On Linux, additional CLONE_* constants are defined for
    use with the SysProcAttr.Cloneflags field.
  * syscall: On Linux, the new SysProcAttr.CgroupFD and
    SysProcAttr.UseCgroupFD fields provide a way to place a child
    process into a specific cgroup.
  * testing: The new method B.Elapsed reports the current elapsed
    time of the benchmark, which may be useful for calculating
    rates to report with ReportMetric.
  * time: The new time layout constants DateTime, DateOnly, and
    TimeOnly provide names for three of the most common layout
    strings used in a survey of public Go source code.
  * time: The new Time.Compare method compares two times.
  * time: Parse now ignores sub-nanosecond precision in its input,
    instead of reporting those digits as an error.
  * time: The Time.MarshalJSON method is now more strict about
    adherence to RFC 3339.
  * unicode/utf16: The new AppendRune function appends the UTF-16
    encoding of a given rune to a uint16 slice, analogous to
    utf8.AppendRune.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1791-1
Released:    Thu Apr  6 15:37:30 2023
Summary:     Security update for go1.20
Type:        security
Severity:    important
References:  1206346,1210127,1210128,1210129,1210130,CVE-2023-24534,CVE-2023-24536,CVE-2023-24537,CVE-2023-24538
This update for go1.20 fixes the following issues:

Update to version 1.20.3:

* CVE-2023-24534: security: net/http, net/textproto: denial of service from excessive memory allocation (bsc#1210127)
* CVE-2023-24536: security: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption (bsc#1210128)
* CVE-2023-24537: security: go/parser: infinite loop in parsing (bsc#1210129)
* CVE-2023-24538: security: html/template: backticks not treated as string delimiters (bsc#1210130)
* x/text: building as a plugin failure on darwin/arm64
* cmd/go: timeout on darwin-amd64-race builder
* internal/testpty: fails on some Linux machines due to incorrect error handling
* cmd/link: Incorrect symbol linked in darwin/arm64
* cmd/link: linker fails on linux/amd64 when gcc's lto options are used
* cmd/link/internal/arm: off-by-one error in trampoline phase call reachability calculation
* time: time zone lookup using extend string makes wrong start time for non-DST zones
* runtime: crash on linux-ppc64le
* cmd/compile: crypto/elliptic build error under -linkshared mode
* cmd/compile: unsafe.SliceData incoherent resuilt with nil argument

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2105-1
Released:    Fri May  5 08:34:09 2023
Summary:     Security update for go1.20
Type:        security
Severity:    important
References:  1206346,1210127,1210128,1210129,1210130,1210938,1210963,1211029,1211030,1211031,CVE-2023-24534,CVE-2023-24536,CVE-2023-24537,CVE-2023-24538,CVE-2023-24539,CVE-2023-24540,CVE-2023-29400
This update for go1.20 fixes the following issues:

Update to 1.20.4 (bnc#1206346):
- CVE-2023-24539: Fixed an improper sanitization of CSS values (boo#1211029).
- CVE-2023-24540: Fixed an improper handling of JavaScript whitespace (boo#1211030).
- CVE-2023-29400: Fixed an improper handling of empty HTML attributes (boo#1211031).
- runtime: automatically bump RLIMIT_NOFILE on Unix.
- crypto/subtle: xor fails when run with race+purego.
- cmd/compile: encoding/binary.PutUint16 sometimes doesn't write.
- cmd/compile: internal compiler error: cannot call SetType(go.shape.int) on v (type int).
- cmd/compile: miscompilation in star-tex.org/x/cmd/star-tex.
- net/http: FileServer no longer serves content for POST.
- crypto/tls: TLSv1.3 connection fails with invalid PSK binder.
- cmd/compile: incorrect inline function variable.
- cmd/compile: Unified IR exports table is binary unstable in presence of generics.
- go/internal/gcimporter: lookupGorootExport should use the go command from build.Default.GOROOT.

Non-security fixes:

- Reverted go1.x Suggests go1.x-race (boo#1210963).
- Re-enabled binary stripping and debuginfo (boo#1210938).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2526-1
Released:    Fri Jun 16 17:33:35 2023
Summary:     Security update for go1.20
Type:        security
Severity:    moderate
References:  1206346,1212073,1212074,1212075,1212076,CVE-2023-29402,CVE-2023-29403,CVE-2023-29404,CVE-2023-29405
This update for go1.20 fixes the following issues:

Update to go1.20.5 (bsc#1206346):

- CVE-2023-29402: cmd/go: Fixed cgo code injection (bsc#1212073).                                                                                                                              
- CVE-2023-29403: runtime: Fixed unexpected behavior of setuid/setgid binaries (bsc#1212074).                                                                                                  
- CVE-2023-29404: cmd/go: Fixed improper sanitization of LDFLAGS (bsc#1212075).                                                                                                                
- CVE-2023-29405: cmd/go: Fixed improper sanitization of LDFLAGS (bsc#1212076).                                                                                                                

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2846-1
Released:    Mon Jul 17 08:39:40 2023
Summary:     Security update for go1.20
Type:        security
Severity:    moderate
References:  1206346,1213229,CVE-2023-29406
This update for go1.20 fixes the following issues:

  go was updated to version 1.20.6 (bsc#1206346):

  - CVE-2023-29406: Fixed insufficient sanitization of Host header in net/http (bsc#1213229).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3181-1
Released:    Thu Aug  3 21:34:12 2023
Summary:     Security update for go1.20
Type:        security
Severity:    important
References:  1206346,1213880,CVE-2023-29409
This update for go1.20 fixes the following issues:

- Update to go v1.20.7 (released 2023-08-01) (bsc#1206346)
- CVE-2023-29409: Restrict RSA keys in certificates to less than or equal to 8192 bits to avoid DoSing client/server while validating signatures for extremely large RSA keys. (bsc#1213880)


The following package changes have been done:

- go1.20-doc-1.20.7-150000.1.20.1 added
- go1.20-1.20.7-150000.1.20.1 added
- go1.20-race-1.20.7-150000.1.20.1 added
- go1.19-1.19.12-150000.1.40.1 removed
- go1.19-doc-1.19.12-150000.1.40.1 removed
- go1.19-race-1.19.12-150000.1.40.1 removed

SUSE: 2023:2729-1 bci/golang Security Update

August 20, 2023
The container bci/golang was updated

Summary

Advisory ID: SUSE-SU-2023:735-1 Released: Tue Mar 14 18:07:46 2023 Summary: Security update for go1.20 Type: security Severity: important Advisory ID: SUSE-SU-2023:1791-1 Released: Thu Apr 6 15:37:30 2023 Summary: Security update for go1.20 Type: security Severity: important Advisory ID: SUSE-SU-2023:2105-1 Released: Fri May 5 08:34:09 2023 Summary: Security update for go1.20 Type: security Severity: important Advisory ID: SUSE-SU-2023:2526-1 Released: Fri Jun 16 17:33:35 2023 Summary: Security update for go1.20 Type: security Severity: moderate Advisory ID: SUSE-SU-2023:2846-1 Released: Mon Jul 17 08:39:40 2023 Summary: Security update for go1.20 Type: security Severity: moderate Advisory ID: SUSE-SU-2023:3181-1 Released: Thu Aug 3 21:34:12 2023 Summary: Security update for go1.20 Type: security Severity: important

References

References : 1206346 1206346 1206346 1206346 1206346 1206346 1208269 1208270

1208271 1208272 1209030 1210127 1210127 1210128 1210128 1210129

1210129 1210130 1210130 1210938 1210963 1211029 1211030 1211031

1212073 1212074 1212075 1212076 1213229 1213880 CVE-2022-41722

CVE-2022-41723 CVE-2022-41724 CVE-2022-41725 CVE-2023-24532 CVE-2023-24534

CVE-2023-24534 CVE-2023-24536 CVE-2023-24536 CVE-2023-24537 CVE-2023-24537

CVE-2023-24538 CVE-2023-24538 CVE-2023-24539 CVE-2023-24540 CVE-2023-29400

CVE-2023-29402 CVE-2023-29403 CVE-2023-29404 CVE-2023-29405 CVE-2023-29406

CVE-2023-29409

1206346,1208269,1208270,1208271,1208272,1209030,CVE-2022-41722,CVE-2022-41723,CVE-2022-41724,CVE-2022-41725,CVE-2023-24532

This update for go1.20 fixes the following issues:

- Improvements to go1.x packaging spec:

* On Tumbleweed bootstrap with current default gcc13 and gccgo118

* On SLE-12 aarch64 ppc64le ppc64 remove overrides to bootstrap

using go1.x package (%bcond_without gccgo). This is no longer

needed on current SLE-12:Update and removing will consolidate

the build configurations used.

* Change source URLs to go.dev as per Go upstream

* On x86_64 export GOAMD64=v1 as per the current baseline.

At this time forgo GOAMD64=v3 option for x86_64_v3 support.

* On x86_64 %define go_amd64=v1 as current instruction baseline

* In %check on x86_64 use value %go_amd64=v1 as GOAMD64=v1 to

grep correct TSAN version is checked out from LLVM with new

spelling for internal/amd64v1/race_linux.syso

go1.20.2 (released 2023-03-07) includes a security fix to the

crypto/elliptic package, as well as bug fixes to the compiler,

the covdata command, the linker, the runtime, and the

crypto/ecdh, crypto/rsa, crypto/x509, os, and syscall packages. (boo#1206346)

* CVE-2023-24532: crypto/elliptic: Fixed that specific unreduced P-256 scalars produce incorrect results (boo#1209030)

* cmd/covdata: short read on string table when merging coverage counters

* runtime: some linkname signatures do not match

* cmd/compile: inline static init cause compile time error

* cmd/compile: internal compiler error: '(*Tree[go.shape.int]).RemoveParent.func1': value .dict (nil) incorrectly live at entry

* crypto/ecdh: ECDH method doesn't check curve

* cmd/link: relocation truncated to fit: R_ARM_CALL against `runtime.duffcopy'

* crypto/internal/bigmod: flag amd64 assembly as noescape

* runtime: endless traceback when panic in generics funtion

* runtime: long latency of sweep assists

* syscall.Faccessat and os.LookPath regression in Go 1.20

* os: cmd/go gets error 'copy_file_range: function not implemented'

* net: TestTCPSelfConnect failures due to unexpected connections

* syscall: Environ uses an invalid unsafe.Pointer conversion on Windows

* cmd/compile: ICE on method value involving imported anonymous interface

* crypto/x509: Incorrect documentation for ParsePKCS8PrivateKey

* crypto/x509: TestSystemVerify consistently failing

go1.20.1 (released 2023-02-14) includes security fixes to the

crypto/tls, mime/multipart, net/http, and path/filepath packages,

as well as bug fixes to the compiler, the go command, the linker,

the runtime, and the time package. (bsc#1206346)

- CVE-2022-41722 CVE-2022-41723 CVE-2022-41724 CVE-2022-41725

* bsc#1208269 security: fix CVE-2022-41722 path/filepath: path traversal in filepath.Clean on Windows

* bsc#1208270 security: fix CVE-2022-41723 net/http: avoid quadratic complexity in HPACK decoding

* bsc#1208271 security: fix CVE-2022-41724 crypto/tls: large handshake records may cause panics

* bsc#1208272 security: fix CVE-2022-41725 net/http, mime/multipart: denial of service from excessive resource consumption

* time: update zoneinfo_abbrs on Windows

* cmd/link: .go.buildinfo is gc'ed by --gc-sections

* cmd/compile/internal/pgo: Detect sample value position instead of hard-coding

* cmd/compile: constant overflows when assigned to package level var (Go 1.20 regression)

* cmd/compile: internal compiler error: panic: interface conversion: ir.Node is *ir.CompLitExpr, not *ir.Name

* cmd/compile: internal compiler error: Type.Elem UNION

* runtime: GOOS=ios fails Apple's app validation due to use of private API

* cmd/go/internal/test: stale flagdefs.go not detected by tests

* all: test failures with ETXTBSY

* cmd/go/internal/modfetch: TestCodeRepo/gopkg.in_natefinch_lumberjack.v2/latest failing

- go1.20 (released 2023-02-01) is a major release of Go.

go1.20.x minor releases will be provided through February 2024.

https://github.com/golang/go/wiki/Go-Release-Cycle

go1.20 arrives six months after go1.19. Most of its changes are

in the implementation of the toolchain, runtime, and libraries.

As always, the release maintains the Go 1 promise of

compatibility. We expect almost all Go programs to continue to

compile and run as before. ( bsc#1206346 jsc#PED-1962 )

* Go 1.20 includes four changes to the language

* Language change: Go 1.17 added conversions from slice to an

array pointer. Go 1.20 extends this to allow conversions from a

slice to an array

* Language change: The unsafe package defines three new functions

SliceData, String, and StringData. Along with Go 1.17's Slice,

these functions now provide the complete ability to construct

and deconstruct slice and string values, without depending on

their exact representation.

* Language change: The specification now defines that struct

values are compared one field at a time, considering fields in

the order they appear in the struct type definition, and

stopping at the first mismatch. The specification could

previously have been read as if all fields needed to be

compared beyond the first mismatch. Similarly, the

specification now defines that array values are compared one

element at a time, in increasing index order. In both cases,

the difference affects whether certain comparisons must

panic. Existing programs are unchanged: the new spec wording

describes what the implementations have always done.

* Language change: Comparable types (such as ordinary interfaces)

may now satisfy comparable constraints, even if the type

arguments are not strictly comparable (comparison may panic at

runtime). This makes it possible to instantiate a type

parameter constrained by comparable (e.g., a type parameter for

a user-defined generic map key) with a non-strictly comparable

type argument such as an interface type, or a composite type

containing an interface type.

* go command: The directory $GOROOT/pkg no longer stores

pre-compiled package archives for the standard library: go

install no longer writes them, the go build no longer checks

for them, and the Go distribution no longer ships

them. Instead, packages in the standard library are built as

needed and cached in the build cache, just like packages

outside GOROOT. This change reduces the size of the Go

distribution and also avoids C toolchain skew for packages that

use cgo. Refs jsc#PED-1962

* go command: The implementation of go test -json has been

improved to make it more robust. Programs that run go test

-json do not need any updates. Programs that invoke go tool

test2json directly should now run the test binary with

-v=test2json (for example, go test -v=test2json or ./pkg.test

-test.v=test2json) instead of plain -v.

* go command: A related change to go test -json is the addition

of an event with Action set to start at the beginning of each

test program's execution. When running multiple tests using the

go command, these start events are guaranteed to be emitted in

the same order as the packages named on the command line.

* go command: The go command now defines architecture feature

build tags, such as amd64.v2, to allow selecting a package

implementation file based on the presence or absence of a

particular architecture feature. See go help buildconstraint

for details.

* go command: The go subcommands now accept -C

to change

directory to

before performing the command, which may be

useful for scripts that need to execute commands in multiple

different modules.

* go command: The go build and go test commands no longer accept

the -i flag, which has been deprecated since Go 1.16.

* go command: The go generate command now accepts -skip

to skip //go:generate directives matching .

* go command: The go test command now accepts -skip to

skip tests, subtests, or examples matching .

* go command: When the main module is located within GOPATH/src,

go install no longer installs libraries for non-main packages

to GOPATH/pkg, and go list no longer reports a Target field for

such packages. (In module mode, compiled packages are stored in

the build cache only, but a bug had caused the GOPATH install

targets to unexpectedly remain in effect.)

* go command: The go build, go install, and other build-related

commands now support a -pgo flag that enables profile-guided

optimization, which is described in more detail in the Compiler

section below. The -pgo flag specifies the file path of the

profile. Specifying -pgo=auto causes the go command to search

for a file named default.pgo in the main package's directory

and use it if present. This mode currently requires a single

main package to be specified on the command line, but we plan

to lift this restriction in a future release. Specifying

-pgo=off turns off profile-guided optimization.

* go command: The go build, go install, and other build-related

commands now support a -cover flag that builds the specified

target with code coverage instrumentation. This is described in

more detail in the Cover section below.

* go version: The go version -m command now supports reading more

types of Go binaries, most notably, Windows DLLs built with go

build -buildmode=c-shared and Linux binaries without execute

permission.

* Cgo: The go command now disables cgo by default on systems

without a C toolchain. More specifically, when the CGO_ENABLED

environment variable is unset, the CC environment variable is

unset, and the default C compiler (typically clang or gcc) is

not found in the path, CGO_ENABLED defaults to 0. As always,

you can override the default by setting CGO_ENABLED explicitly.

The most important effect of the default change is that when Go

is installed on a system without a C compiler, it will now use

pure Go builds for packages in the standard library that use

cgo, instead of using pre-distributed package archives (which

have been removed, as noted above) or attempting to use cgo and

failing. This makes Go work better in some minimal container

environments as well as on macOS, where pre-distributed package

archives have not been used for cgo-based packages since Go

1.16.

The packages in the standard library that use cgo are net,

os/user, and plugin. On macOS, the net and os/user packages

have been rewritten not to use cgo: the same code is now used

for cgo and non-cgo builds as well as cross-compiled builds. On

Windows, the net and os/user packages have never used cgo. On

other systems, builds with cgo disabled will use a pure Go

version of these packages.

On macOS, the race detector has been rewritten not to use cgo:

race-detector-enabled programs can be built and run without

Xcode. On Linux and other Unix systems, and on Windows, a host

C toolchain is required to use the race detector.

* go cover: Go 1.20 supports collecting code coverage profiles

for programs (applications and integration tests), as opposed

to just unit tests. To collect coverage data for a program,

build it with go build's -cover flag, then run the resulting

binary with the environment variable GOCOVERDIR set to an

output directory for coverage profiles. See the 'coverage for

integration tests' landing page for more on how to get

started. For details on the design and implementation, see the

proposal.

* go vet: Improved detection of loop variable capture by nested

functions. The vet tool now reports references to loop

variables following a call to T.Parallel() within subtest

function bodies. Such references may observe the value of the

variable from a different iteration (typically causing test

cases to be skipped) or an invalid state due to unsynchronized

concurrent access.

* go vet: The tool also detects reference mistakes in more

places. Previously it would only consider the last statement

of the loop body, but now it recursively inspects the last

statements within if, switch, and select statements.

* go vet: New diagnostic for incorrect time formats. The vet tool

now reports use of the time format 2006-02-01 (yyyy-dd-mm) with

Time.Format and time.Parse. This format does not appear in

common date standards, but is frequently used by mistake when

attempting to use the ISO 8601 date format (yyyy-mm-dd).

* Runtime: Some of the garbage collector's internal data

structures were reorganized to be both more space and CPU

efficient. This change reduces memory overheads and improves

overall CPU performance by up to 2%.

* Runtime: The garbage collector behaves less erratically with

respect to goroutine assists in some circumstances.

* Runtime: Go 1.20 adds a new runtime/coverage package containing

APIs for writing coverage profile data at runtime from

long-running and/or server programs that do not terminate via

os.Exit().

* Compiler: Go 1.20 adds preview support for profile-guided

optimization (PGO). PGO enables the toolchain to perform

application- and workload-specific optimizations based on

run-time profile information. Currently, the compiler supports

pprof CPU profiles, which can be collected through usual means,

such as the runtime/pprof or net/http/pprof packages. To enable

PGO, pass the path of a pprof profile file via the -pgo flag to

go build, as mentioned above. Go 1.20 uses PGO to more

aggressively inline functions at hot call sites. Benchmarks for

a representative set of Go programs show enabling

profile-guided inlining optimization improves performance about

3–4%. See the PGO user guide for detailed documentation. We

plan to add more profile-guided optimizations in future

releases. Note that profile-guided optimization is a preview,

so please use it with appropriate caution.

* Compiler: The Go 1.20 compiler upgraded its front-end to use a

new way of handling the compiler's internal data, which fixes

several generic-types issues and enables type declarations

within generic functions and methods.

* Compiler: The compiler now rejects anonymous interface cycles

with a compiler error by default. These arise from tricky uses

of embedded interfaces and have always had subtle correctness

issues, yet we have no evidence that they're actually used in

practice. Assuming no reports from users adversely affected by

this change, we plan to update the language specification for

Go 1.22 to formally disallow them so tools authors can stop

supporting them too.

* Compiler: Go 1.18 and 1.19 saw regressions in build speed,

largely due to the addition of support for generics and

follow-on work. Go 1.20 improves build speeds by up to 10%,

bringing it back in line with Go 1.17. Relative to Go 1.19,

generated code performance is also generally slightly improved.

* Linker: On Linux, the linker now selects the dynamic

interpreter for glibc or musl at link time.

* Linker: On Windows, the Go linker now supports modern

LLVM-based C toolchains.

* Linker: Go 1.20 uses go: and type: prefixes for

compiler-generated symbols rather than go. and type.. This

avoids confusion for user packages whose name starts with

go.. The debug/gosym package understands this new naming

convention for binaries built with Go 1.20 and newer.

* Bootstrap: When building a Go release from source and

GOROOT_BOOTSTRAP is not set, previous versions of Go looked for

a Go 1.4 or later bootstrap toolchain in the directory

$HOME/go1.4 (%HOMEDRIVE%%HOMEPATH%\go1.4 on Windows). Go 1.18

and Go 1.19 looked first for $HOME/go1.17 or $HOME/sdk/go1.17

before falling back to $HOME/go1.4, in anticipation of

requiring Go 1.17 for use when bootstrapping Go 1.20. Go 1.20

does require a Go 1.17 release for bootstrapping, but we

realized that we should adopt the latest point release of the

bootstrap toolchain, so it requires Go 1.17.13. Go 1.20 looks

for $HOME/go1.17.13 or $HOME/sdk/go1.17.13 before falling back

to $HOME/go1.4 (to support systems that hard-coded the path

$HOME/go1.4 but have installed a newer Go toolchain there). In

the future, we plan to move the bootstrap toolchain forward

approximately once a year, and in particular we expect that Go

1.22 will require the final point release of Go 1.20 for

bootstrap.

* Library: Go 1.20 adds a new crypto/ecdh package to provide

explicit support for Elliptic Curve Diffie-Hellman key

exchanges over NIST curves and Curve25519. Programs should use

crypto/ecdh instead of the lower-level functionality in

crypto/elliptic for ECDH, and third-party modules for more

advanced use cases.

* Error handling: Go 1.20 expands support for error wrapping to

permit an error to wrap multiple other errors.

* Error handling: An error e can wrap more than one error by

providing an Unwrap method that returns a []error.

* Error handling: The errors.Is and errors.As functions have been

updated to inspect multiply wrapped errors.

* Error handling: The fmt.Errorf function now supports multiple

occurrences of the %w format verb, which will cause it to

return an error that wraps all of those error operands.

* Error handling: The new function errors.Join returns an error

wrapping a list of errors.

* HTTP ResponseController: The new 'net/http'.ResponseController

type provides access to extended per-request functionality not

handled by the 'net/http'.ResponseWriter interface. The

ResponseController type provides a clearer, more discoverable

way to add per-handler controls. Two such controls also added

in Go 1.20 are SetReadDeadline and SetWriteDeadline, which

allow setting per-request read and write deadlines.

* New ReverseProxy Rewrite hook: The httputil.ReverseProxy

forwarding proxy includes a new Rewrite hook function,

superseding the previous Director hook.

* archive/tar: When the GODEBUG=tarinsecurepath=0 environment

variable is set, Reader.Next method will now return the error

ErrInsecurePath for an entry with a file name that is an

absolute path, refers to a location outside the current

directory, contains invalid characters, or (on Windows) is a

reserved name such as NUL. A future version of Go may disable

insecure paths by default.

* archive/zip: When the GODEBUG=zipinsecurepath=0 environment

variable is set, NewReader will now return the error

ErrInsecurePath when opening an archive which contains any file

name that is an absolute path, refers to a location outside the

current directory, contains invalid characters, or (on Windows)

is a reserved names such as NUL. A future version of Go may

disable insecure paths by default.

* archive/zip: Reading from a directory file that contains file

data will now return an error. The zip specification does not

permit directory files to contain file data, so this change

only affects reading from invalid archives.

* bytes: The new CutPrefix and CutSuffix functions are like

TrimPrefix and TrimSuffix but also report whether the string

was trimmed.

* bytes: The new Clone function allocates a copy of a byte slice.

* context: The new WithCancelCause function provides a way to

cancel a context with a given error. That error can be

retrieved by calling the new Cause function.

* crypto/ecdsa: When using supported curves, all operations are

now implemented in constant time. This led to an increase in

CPU time between 5% and 30%, mostly affecting P-384 and P-521.

* crypto/ecdsa: The new PrivateKey.ECDH method converts an

ecdsa.PrivateKey to an ecdh.PrivateKey.

* crypto/ed25519: The PrivateKey.Sign method and the

VerifyWithOptions function now support signing pre-hashed

messages with Ed25519ph, indicated by an Options.HashFunc that

returns crypto.SHA512. They also now support Ed25519ctx and

Ed25519ph with context, indicated by setting the new

Options.Context field.

* crypto/rsa: The new field OAEPOptions.MGFHash allows

configuring the MGF1 hash separately for OAEP decryption.

* crypto/rsa: crypto/rsa now uses a new, safer, constant-time

backend. This causes a CPU runtime increase for decryption

operations between approximately 15% (RSA-2048 on amd64) and

45% (RSA-4096 on arm64), and more on 32-bit

architectures. Encryption operations are approximately 20x

slower than before (but still 5-10x faster than

decryption). Performance is expected to improve in future

releases. Programs must not modify or manually generate the

fields of PrecomputedValues.

* crypto/subtle: The new function XORBytes XORs two byte slices

together.

* crypto/tls: Parsed certificates are now shared across all

clients actively using that certificate. The memory savings can

be significant in programs that make many concurrent

connections to a server or collection of servers sharing any

part of their certificate chains.

* crypto/tls: For a handshake failure due to a certificate

verification failure, the TLS client and server now return an

error of the new type CertificateVerificationError, which

includes the presented certificates.

* crypto/x509: ParsePKCS8PrivateKey and MarshalPKCS8PrivateKey

now support keys of type *crypto/ecdh.PrivateKey.

ParsePKIXPublicKey and MarshalPKIXPublicKey now support keys of

type *crypto/ecdh.PublicKey. Parsing NIST curve keys still

returns values of type *ecdsa.PublicKey and *ecdsa.PrivateKey.

Use their new ECDH methods to convert to the crypto/ecdh types.

* crypto/x509: The new SetFallbackRoots function allows a program

to define a set of fallback root certificates in case an

operating system verifier or standard platform root bundle is

unavailable at runtime. It will most commonly be used with a

new package, golang.org/x/crypto/x509roots/fallback, which will

provide an up to date root bundle.

* debug/elf: Attempts to read from a SHT_NOBITS section using

Section.Data or the reader returned by Section.Open now return

an error.

* debug/elf: Additional R_LARCH_* constants are defined for use

with LoongArch systems.

* debug/elf: Additional R_PPC64_* constants are defined for use

with PPC64 ELFv2 relocations.

* debug/elf: The constant value for R_PPC64_SECTOFF_LO_DS is

corrected, from 61 to 62.

* debug/gosym: Due to a change of Go's symbol naming conventions,

tools that process Go binaries should use Go 1.20's debug/gosym

package to transparently handle both old and new binaries.

* debug/pe: Additional IMAGE_FILE_MACHINE_RISCV* constants are

defined for use with RISC-V systems.

* encoding/binary: The ReadVarint and ReadUvarint functions will

now return io.ErrUnexpectedEOF after reading a partial value,

rather than io.EOF.

* encoding/xml: The new Encoder.Close method can be used to check

for unclosed elements when finished encoding.

* encoding/xml: The decoder now rejects element and attribute

names with more than one colon, such as , as well as

namespaces that resolve to an empty string, such as xmlns:a=''.

* encoding/xml: The decoder now rejects elements that use

different namespace prefixes in the opening and closing tag,

even if those prefixes both denote the same namespace.

* errors: The new Join function returns an error wrapping a list

of errors.

* fmt: The Errorf function supports multiple occurrences of the

%w format verb, returning an error that unwraps to the list of

all arguments to %w.

* fmt: The new FormatString function recovers the formatting

directive corresponding to a State, which can be useful in

Formatter. implementations.

* go/ast: The new RangeStmt.Range field records the position of

the range keyword in a range statement.

* go/ast: The new File.FileStart and File.FileEnd fields record

the position of the start and end of the entire source file.

* go/token: The new FileSet.RemoveFile method removes a file from

a FileSet. Long-running programs can use this to release memory

associated with files they no longer need.

* go/types: The new Satisfies function reports whether a type

satisfies a constraint. This change aligns with the new

language semantics that distinguish satisfying a constraint

from implementing an interface.

* io: The new OffsetWriter wraps an underlying WriterAt and

provides Seek, Write, and WriteAt methods that adjust their

effective file offset position by a fixed amount.

* io/fs: The new error SkipAll terminates a WalkDir immediately

but successfully.

* math/big: The math/big package's wide scope and input-dependent

timing make it ill-suited for implementing cryptography. The

cryptography packages in the standard library no longer call

non-trivial Int methods on attacker-controlled inputs. In the

future, the determination of whether a bug in math/big is

considered a security vulnerability will depend on its wider

impact on the standard library.

* math/rand: The math/rand package now automatically seeds the

global random number generator (used by top-level functions

like Float64 and Int) with a random value, and the top-level

Seed function has been deprecated. Programs that need a

reproducible sequence of random numbers should prefer to

allocate their own random source, using

rand.New(rand.NewSource(seed)).

* math/rand: Programs that need the earlier consistent global

seeding behavior can set GODEBUG=randautoseed=0 in their

environment.

* math/rand: The top-level Read function has been deprecated. In

almost all cases, crypto/rand.Read is more appropriate.

* mime: The ParseMediaType function now allows duplicate

parameter names, so long as the values of the names are the

same.

* mime/multipart: Methods of the Reader type now wrap errors

returned by the underlying io.Reader.

* net: The LookupCNAME function now consistently returns the

contents of a CNAME record when one exists. Previously on Unix

systems and when using the pure Go resolver, LookupCNAME would

return an error if a CNAME record referred to a name that with

no A, AAAA, or CNAME record. This change modifies LookupCNAME

to match the previous behavior on Windows, allowing LookupCNAME

to succeed whenever a CNAME exists.

* net: Interface.Flags now includes the new flag FlagRunning,

indicating an operationally active interface. An interface

which is administratively configured but not active (for

example, because the network cable is not connected) will have

FlagUp set but not FlagRunning.

* net: The new Dialer.ControlContext field contains a callback

function similar to the existing Dialer.Control hook, that

additionally accepts the dial context as a parameter. Control

is ignored when ControlContext is not nil.

* net: The Go DNS resolver recognizes the trust-ad resolver

option. When options trust-ad is set in resolv.conf, the Go

resolver will set the AD bit in DNS queries. The resolver does

not make use of the AD bit in responses.

* net: DNS resolution will detect changes to /etc/nsswitch.conf

and reload the file when it changes. Checks are made at most

once every five seconds, matching the previous handling of

/etc/hosts and /etc/resolv.conf.

* net/http: The ResponseWriter.WriteHeader function now supports

sending 1xx status codes.

* net/http: The new Server.DisableGeneralOptionsHandler

configuration setting allows disabling the default OPTIONS *

handler.

* net/http: The new Transport.OnProxyConnectResponse hook is

called when a Transport receives an HTTP response from a proxy

for a CONNECT request.

* net/http: The HTTP server now accepts HEAD requests containing

a body, rather than rejecting them as invalid.

* net/http: HTTP/2 stream errors returned by net/http functions

may be converted to a golang.org/x/net/http2.StreamError using

errors.As.

* net/http: Leading and trailing spaces are trimmed from cookie

names, rather than being rejected as invalid. For example, a

cookie setting of 'name =value' is now accepted as setting the

cookie 'name'.

* net/netip: The new IPv6LinkLocalAllRouters and IPv6Loopback

functions are the net/netip equivalents of net.IPv6loopback and

net.IPv6linklocalallrouters.

* os: On Windows, the name NUL is no longer treated as a special

case in Mkdir and Stat.

* os: On Windows, File.Stat now uses the file handle to retrieve

attributes when the file is a directory. Previously it would

use the path passed to Open, which may no longer be the file

represented by the file handle if the file has been moved or

replaced. This change modifies Open to open directories without

the FILE_SHARE_DELETE access, which match the behavior of

regular files.

* os: On Windows, File.Seek now supports seeking to the beginning

of a directory.

* os/exec: The new Cmd fields Cancel and WaitDelay specify the

behavior of the Cmd when its associated Context is canceled or

its process exits with I/O pipes still held open by a child

process.

* path/filepath: The new error SkipAll terminates a Walk

immediately but successfully.

* path/filepath: The new IsLocal function reports whether a path

is lexically local to a directory. For example, if IsLocal(p)

is true, then Open(p) will refer to a file that is lexically

within the subtree rooted at the current directory.

* reflect: The new Value.Comparable and Value.Equal methods can

be used to compare two Values for equality. Comparable reports

whether Equal is a valid operation for a given Value receiver.

* reflect: The new Value.Grow method extends a slice to guarantee

space for another n elements.

* reflect: The new Value.SetZero method sets a value to be the

zero value for its type.

* reflect: Go 1.18 introduced Value.SetIterKey and

Value.SetIterValue methods. These are optimizations:

v.SetIterKey(it) is meant to be equivalent to

v.Set(it.Key()). The implementations incorrectly omitted a

check for use of unexported fields that was present in the

unoptimized forms. Go 1.20 corrects these methods to include

the unexported field check.

* regexp: Go 1.19.2 and Go 1.18.7 included a security fix to the

regular expression parser, making it reject very large

expressions that would consume too much memory. Because Go

patch releases do not introduce new API, the parser returned

syntax.ErrInternalError in this case. Go 1.20 adds a more

specific error, syntax.ErrLarge, which the parser now returns

instead.

* runtime/cgo: Go 1.20 adds new Incomplete marker type. Code

generated by cgo will use cgo.Incomplete to mark an incomplete

C type.

* runtime/metrics: Go 1.20 adds new supported metrics, including

the current GOMAXPROCS setting (/sched/gomaxprocs:threads), the

number of cgo calls executed (/cgo/go-to-c-calls:calls), total

mutex block time (/sync/mutex/wait/total:seconds), and various

measures of time spent in garbage collection.

* runtime/metrics: Time-based histogram metrics are now less

precise, but take up much less memory.

* runtime/pprof: Mutex profile samples are now pre-scaled, fixing

an issue where old mutex profile samples would be scaled

incorrectly if the sampling rate changed during execution.

* runtime/pprof: Profiles collected on Windows now include memory

mapping information that fixes symbolization issues for

position-independent binaries.

* runtime/trace: The garbage collector's background sweeper now

yields less frequently, resulting in many fewer extraneous

events in execution traces.

* strings: The new CutPrefix and CutSuffix functions are like

TrimPrefix and TrimSuffix but also report whether the string

was trimmed.

* sync: The new Map methods Swap, CompareAndSwap, and

CompareAndDelete allow existing map entries to be updated

atomically.

* syscall: On FreeBSD, compatibility shims needed for FreeBSD 11

and earlier have been removed.

* syscall: On Linux, additional CLONE_* constants are defined for

use with the SysProcAttr.Cloneflags field.

* syscall: On Linux, the new SysProcAttr.CgroupFD and

SysProcAttr.UseCgroupFD fields provide a way to place a child

process into a specific cgroup.

* testing: The new method B.Elapsed reports the current elapsed

time of the benchmark, which may be useful for calculating

rates to report with ReportMetric.

* time: The new time layout constants DateTime, DateOnly, and

TimeOnly provide names for three of the most common layout

strings used in a survey of public Go source code.

* time: The new Time.Compare method compares two times.

* time: Parse now ignores sub-nanosecond precision in its input,

instead of reporting those digits as an error.

* time: The Time.MarshalJSON method is now more strict about

adherence to RFC 3339.

* unicode/utf16: The new AppendRune function appends the UTF-16

encoding of a given rune to a uint16 slice, analogous to

utf8.AppendRune.

1206346,1210127,1210128,1210129,1210130,CVE-2023-24534,CVE-2023-24536,CVE-2023-24537,CVE-2023-24538

This update for go1.20 fixes the following issues:

Update to version 1.20.3:

* CVE-2023-24534: security: net/http, net/textproto: denial of service from excessive memory allocation (bsc#1210127)

* CVE-2023-24536: security: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption (bsc#1210128)

* CVE-2023-24537: security: go/parser: infinite loop in parsing (bsc#1210129)

* CVE-2023-24538: security: html/template: backticks not treated as string delimiters (bsc#1210130)

* x/text: building as a plugin failure on darwin/arm64

* cmd/go: timeout on darwin-amd64-race builder

* internal/testpty: fails on some Linux machines due to incorrect error handling

* cmd/link: Incorrect symbol linked in darwin/arm64

* cmd/link: linker fails on linux/amd64 when gcc's lto options are used

* cmd/link/internal/arm: off-by-one error in trampoline phase call reachability calculation

* time: time zone lookup using extend string makes wrong start time for non-DST zones

* runtime: crash on linux-ppc64le

* cmd/compile: crypto/elliptic build error under -linkshared mode

* cmd/compile: unsafe.SliceData incoherent resuilt with nil argument

1206346,1210127,1210128,1210129,1210130,1210938,1210963,1211029,1211030,1211031,CVE-2023-24534,CVE-2023-24536,CVE-2023-24537,CVE-2023-24538,CVE-2023-24539,CVE-2023-24540,CVE-2023-29400

This update for go1.20 fixes the following issues:

Update to 1.20.4 (bnc#1206346):

- CVE-2023-24539: Fixed an improper sanitization of CSS values (boo#1211029).

- CVE-2023-24540: Fixed an improper handling of JavaScript whitespace (boo#1211030).

- CVE-2023-29400: Fixed an improper handling of empty HTML attributes (boo#1211031).

- runtime: automatically bump RLIMIT_NOFILE on Unix.

- crypto/subtle: xor fails when run with race+purego.

- cmd/compile: encoding/binary.PutUint16 sometimes doesn't write.

- cmd/compile: internal compiler error: cannot call SetType(go.shape.int) on v (type int).

- cmd/compile: miscompilation in star-tex.org/x/cmd/star-tex.

- net/http: FileServer no longer serves content for POST.

- crypto/tls: TLSv1.3 connection fails with invalid PSK binder.

- cmd/compile: incorrect inline function variable.

- cmd/compile: Unified IR exports table is binary unstable in presence of generics.

- go/internal/gcimporter: lookupGorootExport should use the go command from build.Default.GOROOT.

Non-security fixes:

- Reverted go1.x Suggests go1.x-race (boo#1210963).

- Re-enabled binary stripping and debuginfo (boo#1210938).

1206346,1212073,1212074,1212075,1212076,CVE-2023-29402,CVE-2023-29403,CVE-2023-29404,CVE-2023-29405

This update for go1.20 fixes the following issues:

Update to go1.20.5 (bsc#1206346):

- CVE-2023-29402: cmd/go: Fixed cgo code injection (bsc#1212073).

- CVE-2023-29403: runtime: Fixed unexpected behavior of setuid/setgid binaries (bsc#1212074).

- CVE-2023-29404: cmd/go: Fixed improper sanitization of LDFLAGS (bsc#1212075).

- CVE-2023-29405: cmd/go: Fixed improper sanitization of LDFLAGS (bsc#1212076).

1206346,1213229,CVE-2023-29406

This update for go1.20 fixes the following issues:

go was updated to version 1.20.6 (bsc#1206346):

- CVE-2023-29406: Fixed insufficient sanitization of Host header in net/http (bsc#1213229).

1206346,1213880,CVE-2023-29409

This update for go1.20 fixes the following issues:

- Update to go v1.20.7 (released 2023-08-01) (bsc#1206346)

- CVE-2023-29409: Restrict RSA keys in certificates to less than or equal to 8192 bits to avoid DoSing client/server while validating signatures for extremely large RSA keys. (bsc#1213880)

The following package changes have been done:

- go1.20-doc-1.20.7-150000.1.20.1 added

- go1.20-1.20.7-150000.1.20.1 added

- go1.20-race-1.20.7-150000.1.20.1 added

- go1.19-1.19.12-150000.1.40.1 removed

- go1.19-doc-1.19.12-150000.1.40.1 removed

- go1.19-race-1.19.12-150000.1.40.1 removed

Severity
Container Advisory ID : SUSE-CU-2023:2729-1
Container Tags : bci/golang:1.20 , bci/golang:1.20-2.2.1 , bci/golang:oldstable , bci/golang:oldstable-2.2.1
Container Release : 2.1
Severity : important
Type : security

Related News