Test ID: 1.3.6.1.4.1.25623.1.1.18.2.2024.3937.1
Category: openSUSE Local Security Checks
Title: openSUSE Security Advisory (SUSE-SU-2024:3937-1)
Summary: The remote host is missing an update for the 'go1.23-openssl' package(s) announced via the SUSE-SU-2024:3937-1 advisory.
Description:
Summary:
The remote host is missing an update for the 'go1.23-openssl' package(s) announced via the SUSE-SU-2024:3937-1 advisory.

Vulnerability Insight:
This update for go1.23-openssl fixes the following issues:

This update ships go1.23-openssl version 1.23.2.2. (jsc#SLE-18320)

- go1.23.2 (released 2024-10-01) includes fixes to the compiler,
cgo, the runtime, and the maps, os, os/exec, time, and unique
packages.

* go#69119 os: double close pidfd if caller uses pidfd updated by os.StartProcess
* go#69156 maps: segmentation violation in maps.Clone
* go#69219 cmd/cgo: alignment issue with int128 inside of a struct
* go#69240 unique: fatal error: found pointer to free object
* go#69333 runtime,time: timer.Stop returns false even when no value is read from the channel
* go#69383 unique: large string still referenced, after interning only a small substring
* go#69402 os/exec: resource leak on exec failure
* go#69511 cmd/compile: mysterious crashes and non-determinism with range over func

- Update to version 1.23.1.1 cut from the go1.23-fips-release
branch at the revision tagged go1.23.1-1-openssl-fips.

* Update to Go 1.23.1 (#238)

- go1.23.1 (released 2024-09-05) includes security fixes to the
encoding/gob, go/build/constraint, and go/parser packages, as
well as bug fixes to the compiler, the go command, the runtime,
and the database/sql, go/types, os, runtime/trace, and unique
packages.

CVE-2024-34155 CVE-2024-34156 CVE-2024-34158:

- go#69143 go#69138 bsc#1230252 security: fix CVE-2024-34155 go/parser: stack exhaustion in all Parse* functions
- go#69145 go#69139 bsc#1230253 security: fix CVE-2024-34156 encoding/gob: stack exhaustion in Decoder.Decode
- go#69149 go#69141 bsc#1230254 security: fix CVE-2024-34158 go/build/constraint: stack exhaustion in Parse
- go#68812 os: TestChtimes failures
- go#68894 go/types: 'under' panics on Alias type
- go#68905 cmd/compile: error in Go 1.23.0 with generics, type aliases and indexing
- go#68907 os: CopyFS overwrites existing file in destination.
- go#68973 cmd/cgo: aix c-archive corrupting stack
- go#68992 unique: panic when calling unique.Make with string casted as any
- go#68994 cmd/go: any invocation creates read-only telemetry configuration file under GOMODCACHE
- go#68995 cmd/go: multi-arch build via qemu fails to exec go binary
- go#69041 database/sql: panic in database/sql.(*connRequestSet).deleteIndex
- go#69087 runtime/trace: crash during traceAdvance when collecting call stack for cgo-calling goroutine
- go#69094 cmd/go: breaking change in 1.23rc2 with version constraints in GOPATH mode

- go1.23 (released 2024-08-13) is a major release of Go.
go1.23.x minor releases will be provided through August 2025.
[link moved to references]
go1.23 arrives six months after go1.22. Most of its changes are
in the implementation of the toolchain, runtime, and libraries.
As always, the release maintains the Go 1 promise of
compatibility. We expect almost all Go programs to continue to
compile and run as before.

* Language change: Go 1.23 makes ... [Please see the references for more information on the vulnerabilities]

Affected Software/OS:
'go1.23-openssl' package(s) on openSUSE Leap 15.6.

Solution:
Please install the updated package(s).

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2024-34155
Common Vulnerability Exposure (CVE) ID: CVE-2024-34156
Common Vulnerability Exposure (CVE) ID: CVE-2024-34158
Copyright: Copyright (C) 2025 Greenbone AG

© 1998-2025 E-Soft Inc. All rights reserved.