Security update for go1.14 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:0222-1 Final 1 1 2021-01-26T14:05:32Z current 2021-01-26T14:05:32Z 2021-01-26T14:05:32Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for go1.14 This update for go1.14 fixes the following issues: Go was updated to version 1.14.14 (bsc#1164903). Security issues fixed: - CVE-2021-3114: Fixed incorrect operations on the P-224 curve in crypto/elliptic (bsc#1181145). - CVE-2021-3115: Fixed a potential arbitrary code execution in the build process (bsc#1181146). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2021-222,SUSE-SLE-Module-Development-Tools-15-SP2-2021-222,SUSE-SLE-Module-Development-Tools-15-SP3-2021-222,SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-222,SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-222,SUSE-SLE-Product-SLES-15-SP1-BCL-2021-222,SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-222,SUSE-SLE-Product-SLES_SAP-15-SP1-2021-222,SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-222,SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-222,SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-222,SUSE-Storage-6-2021-222 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-20210222-1/ Link for SUSE-SU-2021:0222-1 https://lists.suse.com/pipermail/sle-security-updates/2021-January/008248.html E-Mail link for SUSE-SU-2021:0222-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1164903 SUSE Bug 1164903 https://bugzilla.suse.com/1181145 SUSE Bug 1181145 https://bugzilla.suse.com/1181146 SUSE Bug 1181146 https://www.suse.com/security/cve/CVE-2021-3114/ SUSE CVE CVE-2021-3114 page https://www.suse.com/security/cve/CVE-2021-3115/ SUSE CVE CVE-2021-3115 page SUSE Enterprise Storage 6 SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS SUSE Linux Enterprise Module for Development Tools 15 SP2 SUSE Linux Enterprise Server 15 SP1-BCL SUSE Linux Enterprise Server 15 SP1-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP1 SUSE Manager Proxy 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Server 4.0 go1.14-1.14.14-1.32.1 go1.14-doc-1.14.14-1.32.1 go1.14-race-1.14.14-1.32.1 go1.14-1.14.14-1.32.1 as a component of SUSE Enterprise Storage 6 go1.14-doc-1.14.14-1.32.1 as a component of SUSE Enterprise Storage 6 go1.14-1.14.14-1.32.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS go1.14-doc-1.14.14-1.32.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS go1.14-1.14.14-1.32.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS go1.14-doc-1.14.14-1.32.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS go1.14-1.14.14-1.32.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP2 go1.14-doc-1.14.14-1.32.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP2 go1.14-1.14.14-1.32.1 as a component of SUSE Linux Enterprise Server 15 SP1-BCL go1.14-doc-1.14.14-1.32.1 as a component of SUSE Linux Enterprise Server 15 SP1-BCL go1.14-1.14.14-1.32.1 as a component of SUSE Linux Enterprise Server 15 SP1-LTSS go1.14-doc-1.14.14-1.32.1 as a component of SUSE Linux Enterprise Server 15 SP1-LTSS go1.14-1.14.14-1.32.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP1 go1.14-doc-1.14.14-1.32.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP1 go1.14-1.14.14-1.32.1 as a component of SUSE Manager Proxy 4.0 go1.14-doc-1.14.14-1.32.1 as a component of SUSE Manager Proxy 4.0 go1.14-1.14.14-1.32.1 as a component of SUSE Manager Retail Branch Server 4.0 go1.14-doc-1.14.14-1.32.1 as a component of SUSE Manager Retail Branch Server 4.0 go1.14-1.14.14-1.32.1 as a component of SUSE Manager Server 4.0 go1.14-doc-1.14.14-1.32.1 as a component of SUSE Manager Server 4.0 In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field. CVE-2021-3114 SUSE Enterprise Storage 6:go1.14-1.14.14-1.32.1 SUSE Enterprise Storage 6:go1.14-doc-1.14.14-1.32.1 SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:go1.14-1.14.14-1.32.1 SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:go1.14-doc-1.14.14-1.32.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:go1.14-1.14.14-1.32.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:go1.14-doc-1.14.14-1.32.1 SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.14-1.32.1 SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.14-1.32.1 SUSE Linux Enterprise Server 15 SP1-BCL:go1.14-1.14.14-1.32.1 SUSE Linux Enterprise Server 15 SP1-BCL:go1.14-doc-1.14.14-1.32.1 SUSE Linux Enterprise Server 15 SP1-LTSS:go1.14-1.14.14-1.32.1 SUSE Linux Enterprise Server 15 SP1-LTSS:go1.14-doc-1.14.14-1.32.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:go1.14-1.14.14-1.32.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:go1.14-doc-1.14.14-1.32.1 SUSE Manager Proxy 4.0:go1.14-1.14.14-1.32.1 SUSE Manager Proxy 4.0:go1.14-doc-1.14.14-1.32.1 SUSE Manager Retail Branch Server 4.0:go1.14-1.14.14-1.32.1 SUSE Manager Retail Branch Server 4.0:go1.14-doc-1.14.14-1.32.1 SUSE Manager Server 4.0:go1.14-1.14.14-1.32.1 SUSE Manager Server 4.0:go1.14-doc-1.14.14-1.32.1 moderate 6.4 AV:N/AC:L/Au:N/C:P/I:P/A:N 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20210222-1/ https://www.suse.com/security/cve/CVE-2021-3114.html CVE-2021-3114 https://bugzilla.suse.com/1181145 SUSE Bug 1181145 Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download). CVE-2021-3115 SUSE Enterprise Storage 6:go1.14-1.14.14-1.32.1 SUSE Enterprise Storage 6:go1.14-doc-1.14.14-1.32.1 SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:go1.14-1.14.14-1.32.1 SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:go1.14-doc-1.14.14-1.32.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:go1.14-1.14.14-1.32.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:go1.14-doc-1.14.14-1.32.1 SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-1.14.14-1.32.1 SUSE Linux Enterprise Module for Development Tools 15 SP2:go1.14-doc-1.14.14-1.32.1 SUSE Linux Enterprise Server 15 SP1-BCL:go1.14-1.14.14-1.32.1 SUSE Linux Enterprise Server 15 SP1-BCL:go1.14-doc-1.14.14-1.32.1 SUSE Linux Enterprise Server 15 SP1-LTSS:go1.14-1.14.14-1.32.1 SUSE Linux Enterprise Server 15 SP1-LTSS:go1.14-doc-1.14.14-1.32.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:go1.14-1.14.14-1.32.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:go1.14-doc-1.14.14-1.32.1 SUSE Manager Proxy 4.0:go1.14-1.14.14-1.32.1 SUSE Manager Proxy 4.0:go1.14-doc-1.14.14-1.32.1 SUSE Manager Retail Branch Server 4.0:go1.14-1.14.14-1.32.1 SUSE Manager Retail Branch Server 4.0:go1.14-doc-1.14.14-1.32.1 SUSE Manager Server 4.0:go1.14-1.14.14-1.32.1 SUSE Manager Server 4.0:go1.14-doc-1.14.14-1.32.1 important 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20210222-1/ https://www.suse.com/security/cve/CVE-2021-3115.html CVE-2021-3115 https://bugzilla.suse.com/1181146 SUSE Bug 1181146