Security update for google-osconfig-agent SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:0601-1 Final 1 1 2023-03-02T13:53:06Z current 2023-03-02T13:53:06Z 2023-03-02T13:53:06Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for google-osconfig-agent This update for google-osconfig-agent fixes the following issues: Updated to version 20230222.00 (bsc#1202100, bsc#1202101) and bumped go API version to 1.18 to address the following (bsc#1208723): - CVE-2021-38297: Fixed data overwrite when passing large arguments to GOARCH=wasm GOOS=js (bsc#1191468). - CVE-2022-23806: Fixed Curve.IsOnCurve to incorrectly return true (bsc#1195838). Bugfixes: - Fixed missing install command in %post section to create state file (bsc#1202826). - Avoid bashim in post install scripts (bsc#1195391). - Don't restart daemon on package upgrade, create a state file instead (bsc#1194319). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Image SLES12-SP5-GCE-BYOS-2023-601,Image SLES12-SP5-GCE-On-Demand-2023-601,Image SLES12-SP5-GCE-SAP-BYOS-2023-601,Image SLES12-SP5-GCE-SAP-On-Demand-2023-601,SUSE-2023-601,SUSE-SLE-Module-Public-Cloud-12-2023-601 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20230601-1/ Link for SUSE-SU-2023:0601-1 https://lists.suse.com/pipermail/sle-security-updates/2023-March/013963.html E-Mail link for SUSE-SU-2023:0601-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1191468 SUSE Bug 1191468 https://bugzilla.suse.com/1194319 SUSE Bug 1194319 https://bugzilla.suse.com/1195391 SUSE Bug 1195391 https://bugzilla.suse.com/1195838 SUSE Bug 1195838 https://bugzilla.suse.com/1202100 SUSE Bug 1202100 https://bugzilla.suse.com/1202101 SUSE Bug 1202101 https://bugzilla.suse.com/1202826 SUSE Bug 1202826 https://bugzilla.suse.com/1208723 SUSE Bug 1208723 https://www.suse.com/security/cve/CVE-2021-38297/ SUSE CVE CVE-2021-38297 page https://www.suse.com/security/cve/CVE-2022-23806/ SUSE CVE CVE-2022-23806 page Image SLES12-SP5-GCE-BYOS Image SLES12-SP5-GCE-On-Demand Image SLES12-SP5-GCE-SAP-BYOS Image SLES12-SP5-GCE-SAP-On-Demand SUSE Linux Enterprise Module for Public Cloud 12 google-osconfig-agent-20230222.00-1.20.1 google-osconfig-agent-20230222.00-1.20.1 as a component of Image SLES12-SP5-GCE-BYOS google-osconfig-agent-20230222.00-1.20.1 as a component of Image SLES12-SP5-GCE-On-Demand google-osconfig-agent-20230222.00-1.20.1 as a component of Image SLES12-SP5-GCE-SAP-BYOS google-osconfig-agent-20230222.00-1.20.1 as a component of Image SLES12-SP5-GCE-SAP-On-Demand google-osconfig-agent-20230222.00-1.20.1 as a component of SUSE Linux Enterprise Module for Public Cloud 12 Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used. CVE-2021-38297 Image SLES12-SP5-GCE-BYOS:google-osconfig-agent-20230222.00-1.20.1 Image SLES12-SP5-GCE-On-Demand:google-osconfig-agent-20230222.00-1.20.1 Image SLES12-SP5-GCE-SAP-BYOS:google-osconfig-agent-20230222.00-1.20.1 Image SLES12-SP5-GCE-SAP-On-Demand:google-osconfig-agent-20230222.00-1.20.1 SUSE Linux Enterprise Module for Public Cloud 12:google-osconfig-agent-20230222.00-1.20.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20230601-1/ https://www.suse.com/security/cve/CVE-2021-38297.html CVE-2021-38297 https://bugzilla.suse.com/1191468 SUSE Bug 1191468 https://bugzilla.suse.com/1206559 SUSE Bug 1206559 https://bugzilla.suse.com/1208723 SUSE Bug 1208723 Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element. CVE-2022-23806 Image SLES12-SP5-GCE-BYOS:google-osconfig-agent-20230222.00-1.20.1 Image SLES12-SP5-GCE-On-Demand:google-osconfig-agent-20230222.00-1.20.1 Image SLES12-SP5-GCE-SAP-BYOS:google-osconfig-agent-20230222.00-1.20.1 Image SLES12-SP5-GCE-SAP-On-Demand:google-osconfig-agent-20230222.00-1.20.1 SUSE Linux Enterprise Module for Public Cloud 12:google-osconfig-agent-20230222.00-1.20.1 important 6.4 AV:N/AC:L/Au:N/C:N/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20230601-1/ https://www.suse.com/security/cve/CVE-2022-23806.html CVE-2022-23806 https://bugzilla.suse.com/1195838 SUSE Bug 1195838 https://bugzilla.suse.com/1206559 SUSE Bug 1206559 https://bugzilla.suse.com/1208723 SUSE Bug 1208723