SUSE SLED15 / SLES15 / openSUSE 15 Security Update : go1.18-openssl (SUSE-SU-2023:2312-1)

high Nessus Plugin ID 176517

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:2312-1 advisory.

- Add subpackage go1.x-libstd compiled shared object libstd.so (jsc#PED-1962)
* Main go1.x package included libstd.so in previous versions
* Split libstd.so into subpackage that can be installed standalone
* Continues the slimming down of main go1.x package by 40 Mb
* Experimental and not recommended for general use, Go currently has no ABI
* Upstream Go has not committed to support buildmode=shared long-term
* Do not use in packaging, build static single binaries (the default)
* Upstream Go go1.x binary releases do not include libstd.so
* go1.x Suggests go1.x-libstd so not installed by default Recommends
* go1.x-libstd does not Require: go1.x so can install standalone
* Provides go-libstd unversioned package name
* Fix build step -buildmode=shared std to omit -linkshared
- Packaging improvements:
* go1.x Suggests go1.x-doc so not installed by default Recommends
* Use Group: Development/Languages/Go instead of Other

- Improvements to go1.x packaging spec:
* On Tumbleweed bootstrap with current default gcc13 and gccgo118
* On SLE-12 aarch64 ppc64le ppc64 remove overrides to bootstrap using go1.x package (%bcond_without gccgo). This is no longer needed on current SLE-12:Update and removing will consolidate the build configurations used.
* Change source URLs to go.dev as per Go upstream
* On x86_64 export GOAMD64=v1 as per the current baseline.
At this time forgo GOAMD64=v3 option for x86_64_v3 support.
* On x86_64 %define go_amd64=v1 as current instruction baseline

- Update to version 1.18.10.1 cut from the go1.18-openssl-fips branch at the revision tagged go1.18.10-1-openssl-fips.
* Merge branch dev.boringcrypto.go1.18 into go1.18-openssl-fips
* Merge go1.18.10 into dev.boringcrypto.go1.18

- go1.18.10 (released 2023-01-10) includes fixes to cgo, the compiler, the linker, and the crypto/x509, net/http, and syscall packages.
Refs bsc#1193742 go1.18 release tracking
* go#57705 misc/cgo: backport needed for dlltool fix
* go#57426 crypto/x509: Verify on macOS does not return typed errors
* go#57344 cmd/compile: the loong64 intrinsic for CompareAndSwapUint32 function needs to sign extend its 'old' argument.
* go#57338 syscall, internal/poll: accept4-to-accept fallback removal broke Go code on Synology DSM 6.2 ARM devices
* go#57213 os: TestLstat failure on Linux Aarch64
* go#57211 reflect: sort.SliceStable sorts incorrectly on arm64 with less function created with reflect.MakeFunc and slice of sufficient length
* go#57057 cmd/go: remove test dependency on gopkg.in service
* go#57054 cmd/go: TestScript/version_buildvcs_git_gpg (if enabled) fails on linux longtest builders
* go#57044 cgo: malformed DWARF TagVariable entry
* go#57028 cmd/cgo: Wrong types in compiler errors with clang 14
* go#56833 cmd/link/internal/ppc64: too-far trampoline is reused
* go#56711 net: reenable TestLookupDotsWithRemoteSource and TestLookupGoogleSRV with a different target
* go#56323 net/http: bad handling of HEAD requests with a body

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected go1.18-openssl, go1.18-openssl-doc and / or go1.18-openssl-race packages.

See Also

https://bugzilla.suse.com/1183043

https://bugzilla.suse.com/1193742

https://bugzilla.suse.com/1198423

https://bugzilla.suse.com/1198424

https://bugzilla.suse.com/1198427

https://bugzilla.suse.com/1199413

https://bugzilla.suse.com/1200134

https://bugzilla.suse.com/1200135

https://bugzilla.suse.com/1200136

https://bugzilla.suse.com/1200137

https://bugzilla.suse.com/1201434

https://bugzilla.suse.com/1201436

https://bugzilla.suse.com/1201437

https://bugzilla.suse.com/1201440

https://bugzilla.suse.com/1201443

https://bugzilla.suse.com/1201444

https://bugzilla.suse.com/1201445

https://bugzilla.suse.com/1201447

https://bugzilla.suse.com/1201448

https://bugzilla.suse.com/1202035

https://bugzilla.suse.com/1203185

https://bugzilla.suse.com/1204023

https://bugzilla.suse.com/1204024

https://bugzilla.suse.com/1204025

https://bugzilla.suse.com/1204941

https://bugzilla.suse.com/1206134

https://bugzilla.suse.com/1206135

https://bugzilla.suse.com/1208270

https://bugzilla.suse.com/1208271

https://bugzilla.suse.com/1208272

https://bugzilla.suse.com/1208491

https://www.suse.com/security/cve/CVE-2022-1705

https://www.suse.com/security/cve/CVE-2022-1962

https://www.suse.com/security/cve/CVE-2022-24675

https://www.suse.com/security/cve/CVE-2022-27536

https://www.suse.com/security/cve/CVE-2022-27664

https://www.suse.com/security/cve/CVE-2022-28131

https://www.suse.com/security/cve/CVE-2022-28327

https://www.suse.com/security/cve/CVE-2022-2879

https://www.suse.com/security/cve/CVE-2022-2880

https://www.suse.com/security/cve/CVE-2022-29526

https://www.suse.com/security/cve/CVE-2022-29804

https://www.suse.com/security/cve/CVE-2022-30580

https://www.suse.com/security/cve/CVE-2022-30629

https://www.suse.com/security/cve/CVE-2022-30630

https://www.suse.com/security/cve/CVE-2022-30631

https://www.suse.com/security/cve/CVE-2022-30632

https://www.suse.com/security/cve/CVE-2022-30633

https://www.suse.com/security/cve/CVE-2022-30634

https://www.suse.com/security/cve/CVE-2022-30635

https://www.suse.com/security/cve/CVE-2022-32148

https://www.suse.com/security/cve/CVE-2022-32189

https://www.suse.com/security/cve/CVE-2022-41715

https://www.suse.com/security/cve/CVE-2022-41716

https://www.suse.com/security/cve/CVE-2022-41717

https://www.suse.com/security/cve/CVE-2022-41720

https://www.suse.com/security/cve/CVE-2022-41723

https://www.suse.com/security/cve/CVE-2022-41724

https://www.suse.com/security/cve/CVE-2022-41725

http://www.nessus.org/u?71268e09

Plugin Details

Severity: High

ID: 176517

File Name: suse_SU-2023-2312-1.nasl

Version: 1.3

Type: Local

Agent: unix

Published: 5/31/2023

Updated: 6/25/2026

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Tenable Cloud Security, Tenable Self-Hosted Container Security, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 95.09

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2022-29526

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2022-30580

Vulnerability Information

CPE: cpe:/o:novell:suse_linux:15, p-cpe:/a:novell:suse_linux:go1.18-openssl, p-cpe:/a:novell:suse_linux:go1.18-openssl-doc, p-cpe:/a:novell:suse_linux:go1.18-openssl-race

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/30/2023

Vulnerability Publication Date: 4/12/2022

Reference Information

CVE: CVE-2022-1705, CVE-2022-1962, CVE-2022-24675, CVE-2022-27536, CVE-2022-27664, CVE-2022-28131, CVE-2022-28327, CVE-2022-2879, CVE-2022-2880, CVE-2022-29526, CVE-2022-29804, CVE-2022-30580, CVE-2022-30629, CVE-2022-30630, CVE-2022-30631, CVE-2022-30632, CVE-2022-30633, CVE-2022-30634, CVE-2022-30635, CVE-2022-32148, CVE-2022-32189, CVE-2022-41715, CVE-2022-41716, CVE-2022-41717, CVE-2022-41720, CVE-2022-41723, CVE-2022-41724, CVE-2022-41725

SuSE: SUSE-SU-2023:2312-1