Security update for go1.15 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:0192-1 Final 1 1 2021-01-29T19:14:21Z current 2021-01-29T19:14:21Z 2021-01-29T19:14:21Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for go1.15 This update for go1.15 fixes the following issues: Go was updated to version 1.15.7 (bsc#1175132). Security issues fixed: - CVE-2021-3114: Fixed incorrect operations on the P-224 curve in crypto/elliptic (bsc#1181145). - CVE-2021-3115: Fixed a potential arbitrary code execution in the build process (bsc#1181146). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-192 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DLSYUO4X4LW4VZTYIOWDRLII23FZ4LSP/ E-Mail link for openSUSE-SU-2021:0192-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1175132 SUSE Bug 1175132 https://bugzilla.suse.com/1181145 SUSE Bug 1181145 https://bugzilla.suse.com/1181146 SUSE Bug 1181146 https://www.suse.com/security/cve/CVE-2021-3114/ SUSE CVE CVE-2021-3114 page https://www.suse.com/security/cve/CVE-2021-3115/ SUSE CVE CVE-2021-3115 page openSUSE Leap 15.2 go1.15-1.15.7-lp152.8.1 go1.15-doc-1.15.7-lp152.8.1 go1.15-race-1.15.7-lp152.8.1 go1.15-1.15.7-lp152.8.1 as a component of openSUSE Leap 15.2 go1.15-doc-1.15.7-lp152.8.1 as a component of openSUSE Leap 15.2 go1.15-race-1.15.7-lp152.8.1 as a component of openSUSE Leap 15.2 In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field. CVE-2021-3114 openSUSE Leap 15.2:go1.15-1.15.7-lp152.8.1 openSUSE Leap 15.2:go1.15-doc-1.15.7-lp152.8.1 openSUSE Leap 15.2:go1.15-race-1.15.7-lp152.8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DLSYUO4X4LW4VZTYIOWDRLII23FZ4LSP/ https://www.suse.com/security/cve/CVE-2021-3114.html CVE-2021-3114 https://bugzilla.suse.com/1181145 SUSE Bug 1181145 Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download). CVE-2021-3115 openSUSE Leap 15.2:go1.15-1.15.7-lp152.8.1 openSUSE Leap 15.2:go1.15-doc-1.15.7-lp152.8.1 openSUSE Leap 15.2:go1.15-race-1.15.7-lp152.8.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DLSYUO4X4LW4VZTYIOWDRLII23FZ4LSP/ https://www.suse.com/security/cve/CVE-2021-3115.html CVE-2021-3115 https://bugzilla.suse.com/1181146 SUSE Bug 1181146