SUSE SLED15 / SLES15 / openSUSE 15 Security Update : go1.22-openssl (SUSE-SU-2024:3938-1)

critical Nessus Plugin ID 210583

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:3938-1 advisory.

This update ships go1.22-openssl 1.22.7.1 (jsc#SLE-18320)

- Update to version 1.22.7.1 cut from the go1.22-fips-release branch at the revision tagged go1.22.7-1-openssl-fips.

* Update to Go 1.22.7 (#229)

- go1.22.7 (released 2024-09-05) includes security fixes to the encoding/gob, go/build/constraint, and go/parser packages, as well as bug fixes to the fix command and the runtime.

CVE-2024-34155 CVE-2024-34156 CVE-2024-34158:
- go#69142 go#69138 bsc#1230252 security: fix CVE-2024-34155 go/parser: stack exhaustion in all Parse* functions (CVE-2024-34155)
- go#69144 go#69139 bsc#1230253 security: fix CVE-2024-34156 encoding/gob: stack exhaustion in Decoder.Decode (CVE-2024-34156)
- go#69148 go#69141 bsc#1230254 security: fix CVE-2024-34158 go/build/constraint: stack exhaustion in Parse (CVE-2024-34158)
- go#68811 os: TestChtimes failures
- go#68825 cmd/fix: fails to run on modules whose go directive value is in '1.n.m' format introduced in Go 1.21.0
- go#68972 cmd/cgo: aix c-archive corrupting stack

- go1.22.6 (released 2024-08-06) includes fixes to the go command, the compiler, the linker, the trace command, the covdata command, and the bytes, go/types, and os/exec packages.

* go#68594 cmd/compile: internal compiler error with zero-size types
* go#68546 cmd/trace/v2: pprof profiles always empty
* go#68492 cmd/covdata: too many open files due to defer f.Close() in for loop
* go#68475 bytes: IndexByte can return -4294967295 when memory usage is above 2^31 on js/wasm
* go#68370 go/types: assertion failure in recent range statement checking logic
* go#68331 os/exec: modifications to Path ignored when *Cmd is created using Command with an absolute path on Windows
* go#68230 cmd/compile: inconsistent integer arithmetic result on Go 1.22+arm64 with/without -race
* go#68222 cmd/go: list with -export and -covermode=atomic fails to build
* go#68198 cmd/link: issues with Xcode 16 beta

- Update to version 1.22.5.3 cut from the go1.22-fips-release branch at the revision tagged go1.22.5-3-openssl-fips.

* Only load openssl if fips == '1' Avoid loading openssl whenever GOLANG_FIPS is not 1.
Previously only an unset variable would cause the library load to be skipped, but users may also expect to be able to set eg.
GOLANG_FIPS=0 in environments without openssl.

- Update to version 1.22.5.2 cut from the go1.22-fips-release branch at the revision tagged go1.22.5-2-openssl-fips.

* Only load OpenSSL when in FIPS mode

- Update to version 1.22.5.1 cut from the go1.22-fips-release branch at the revision tagged go1.22.5-1-openssl-fips.

* Update to go1.22.5

- go1.22.5 (released 2024-07-02) includes security fixes to the net/http package, as well as bug fixes to the compiler, cgo, the go command, the linker, the runtime, and the crypto/tls, go/types, net, net/http, and os/exec packages.

CVE-2024-24791:
* go#68200 go#67555 bsc#1227314 security: fix CVE CVE-2024-24791 net/http: expect: 100-continue handling is broken in various ways
* go#65983 cmd/compile: hash of unhashable type
* go#65994 crypto/tls: segfault when calling tlsrsakex.IncNonDefault()
* go#66598 os/exec: calling Cmd.Start after setting Cmd.Path manually to absolute path without '.exe' no longer implicitly adds '.exe' in Go 1.22
* go#67298 runtime: 'fatal: morestack on g0' on amd64 after upgrade to Go 1.21, stale bounds
* go#67715 cmd/cgo/internal/swig,cmd/go,x/build: swig cgo tests incompatible with C++ toolchain on builders
* go#67798 cmd/compile: internal compiler error: unexpected type: <nil> (<nil>) in for-range
* go#67820 cmd/compile: package-level variable initialization with constant dependencies doesn't match order specified in Go spec
* go#67850 go/internal/gccgoimporter: go building failing with gcc 14.1.0
* go#67934 net: go DNS resolver fails to connect to local DNS server
* go#67945 cmd/link: using -fuzz with test that links with cgo on darwin causes linker failure
* go#68052 cmd/go: go list -u -m all fails loading module retractions: module requires go >= 1.N+1 (running go 1.N)
* go#68122 cmd/link: runtime.mach_vm_region_trampoline: unsupported dynamic relocation for symbol libc_mach_task_self_ (type=29 (R_GOTPCREL) stype=46 (SDYNIMPORT))

- Update to version 1.22.4.1 cut from the go1.22-fips-release branch at the revision tagged go1.22.4-1-openssl-fips.

* Update to go1.22.4

- go1.22.4 (released 2024-06-04) includes security fixes to the archive/zip and net/netip packages, as well as bug fixes to the compiler, the go command, the linker, the runtime, and the os package.

CVE-2024-24789 CVE-2024-24790:
* go#67554 go#66869 bsc#1225973 security: fix CVE-2024-24789 archive/zip: EOCDR comment length handling is inconsistent with other ZIP implementations
* go#67682 go#67680 bsc#1225974 security: fix CVE-2024-24790 net/netip: unexpected behavior from Is methods for IPv4-mapped IPv6 addresses
* go#67188 runtime/metrics: /memory/classes/heap/unused:bytes spikes
* go#67212 cmd/compile: SIGBUS unaligned access on mips64 via qemu-mips64
* go#67236 cmd/go: mod tidy reports toolchain not available with 'go 1.21'
* go#67258 runtime: unexpected fault address 0
* go#67311 cmd/go: TestScript/gotoolchain_issue66175 fails on tip locally
* go#67314 cmd/go,cmd/link: TestScript/build_issue48319 and TestScript/build_plugin_reproducible failing on LUCI gotip-darwin-amd64-longtest builder due to non-reproducible LC_UUID
* go#67352 crypto/x509: TestPlatformVerifier failures on Windows due to broken connections
* go#67460 cmd/compile: internal compiler error: panic with range over integer value
* go#67527 cmd/link: panic: machorelocsect: size mismatch
* go#67650 runtime: SIGSEGV after performing clone(CLONE_PARENT) via C constructor prior to runtime start
* go#67696 os: RemoveAll susceptible to symlink race

- Update to version 1.22.3.3 cut from the go1.22-fips-release branch at the revision tagged go1.22.3-3-openssl-fips.

* config: update openssl backend (#201)

- Update to version 1.22.3.2 cut from the go1.22-fips-release branch at the revision tagged go1.22.3-2-openssl-fips.

* patches: restore signature of HashSign/HashVerify (#199)

- Update to version 1.22.3.1 cut from the go1.22-fips-release branch at the revision tagged go1.22.3-1-openssl-fips.

* Update to go1.22.3
* fix: rename patch file
* Backport change https://go-review.googlesource.com/c/go/+/554615 to Go1.22 (#193) runtime: crash asap and extend total sleep time for slow machine in test Running with few threads usually does not need 500ms to crash, so let it crash as soon as possible. While the test may caused more time on slow machine, try to expand the sleep time in test.
* cmd/go: re-enable CGO for Go toolchain commands (#190)
* crypto/ecdsa: Restore HashSign and HashVerify (#189)

- go1.22.3 (released 2024-05-07) includes security fixes to the go command and the net package, as well as bug fixes to the compiler, the runtime, and the net/http package.

CVE-2024-24787 CVE-2024-24788:
* go#67122 go#67119 bsc#1224017 security: fix CVE-2024-24787 cmd/go: arbitrary code execution during build on darwin
* go#67040 go#66754 bsc#1224018 security: fix CVE-2024-24788 net: high cpu usage in extractExtendedRCode
* go#67018 cmd/compile: Go 1.22.x failed to be bootstrapped from 386 to ppc64le
* go#67017 cmd/compile: changing a hot concrete method to interface method triggers a PGO ICE
* go#66886 runtime: deterministic fallback hashes across process boundary
* go#66698 net/http: TestRequestLimit/h2 becomes significantly more expensive and slower after x/[email protected]

- Update to version 1.22.2.1 cut from the go1.22-fips-release branch at the revision tagged go1.22.2-1-openssl-fips.

* Update to go1.22.2

- go1.22.2 (released 2024-04-03) includes a security fix to the net/http package, as well as bug fixes to the compiler, the go command, the linker, and the encoding/gob, go/types, net/http, and runtime/trace packages.

CVE-2023-45288:
* go#66298 go#65051 bsc#1221400 security: fix CVE-2023-45288 net/http, x/net/http2: close connections when receiving too many headers
* go#65858 cmd/compile: unreachable panic with GODEBUG=gotypesalias=1
* go#66060 cmd/link: RISC-V external link, failed to find text symbol for HI20 relocation
* go#66076 cmd/compile: out-of-bounds panic with uint32 conversion and modulus operation in Go 1.22.0 on arm64
* go#66134 cmd/compile: go test . results in CLOSURE ... <unknown line number>: internal compiler error:
assertion failed
* go#66137 cmd/go: go 1.22.0: go test throws errors when processing folders not listed in coverpkg argument
* go#66178 cmd/compile: ICE: panic: interface conversion: ir.Node is *ir.ConvExpr, not *ir.IndexExpr
* go#66201 runtime/trace: v2 traces contain an incorrect timestamp scaling factor on Windows
* go#66255 net/http: http2 round tripper nil pointer dereference causes panic causing deadlock
* go#66256 cmd/go: git shallow fetches broken at CL 556358
* go#66273 crypto/x509: Certificate no longer encodable using encoding/gob in Go1.22
* go#66412 cmd/link: bad carrier sym for symbol runtime.elf_savegpr0.args_stackmap on ppc64le

- Update to version 1.22.1.2 cut from the go1.22-fips-release branch at the revision tagged go1.22.1-2-openssl-fips.

* config: Update openssl v2 module (#178)

- Remove subpackage go1.x-openssl-libstd for compiled shared object libstd.so.

* Continue to build experimental libstd only on go1.x Tumbleweed.
* Removal fixes build errors on go1.x-openssl Factory and ALP.
* Use of libstd.so is experimental and not recommended for general use, Go currently has no ABI.
* Feature go build -buildmode=shared is deprecated by upstream, but not yet removed.

- Initial package go1.22-openssl version 1.22.1.1 cut from the go1.22-fips-release branch at the revision tagged go1.22.1-1-openssl-fips.

* Go upstream merged branch dev.boringcrypto in go1.19+.
* In go1.x enable BoringCrypto via GOEXPERIMENT=boringcrypto.
* In go1.x-openssl enable FIPS mode (or boring mode as the package is named) either via an environment variable GOLANG_FIPS=1 or by virtue of booting the host in FIPS mode.
* When the operating system is operating in FIPS mode, Go applications which import crypto/tls/fipsonly limit operations to the FIPS ciphersuite.
* go1.x-openssl is delivered as two large patches to go1.x applying necessary modifications from the golang-fips/go GitHub project for the Go crypto library to use OpenSSL as the external cryptographic library in a FIPS compliant way.
* go1.x-openssl modifies the crypto/* packages to use OpenSSL for cryptographic operations.
* go1.x-openssl uses dlopen() to call into OpenSSL.
* SUSE RPM packaging introduces a fourth version digit go1.x.y.z corresponding to the golang-fips/go patchset tagged revision.
* Patchset improvements can be updated independently of upstream Go maintenance releases.

- go1.22.1 (released 2024-03-05) includes security fixes to the crypto/x509, html/template, net/http, net/http/cookiejar, and net/mail packages, as well as bug fixes to the compiler, the go command, the runtime, the trace command, and the go/types and net/http packages.

CVE-2023-45289 CVE-2023-45290 CVE-2024-24783 CVE-2024-24784 CVE-2024-24785:
* go#65831 go#65390 bsc#1220999 security: fix CVE-2024-24783 crypto/x509: Verify panics on certificates with an unknown public key algorithm
* go#65849 go#65083 bsc#1221002 security: fix CVE-2024-24784 net/mail: comments in display names are incorrectly handled
* go#65850 go#65383 bsc#1221001 security: fix CVE-2023-45290 net/http: memory exhaustion in Request.ParseMultipartForm
* go#65859 go#65065 bsc#1221000 security: fix CVE-2023-45289 net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect
* go#65969 go#65697 bsc#1221003 security: fix CVE-2024-24785 html/template: errors returned from MarshalJSON methods may break template escaping
* go#65352 cmd/go: go generate fails silently when run on a package in a nested workspace module
* go#65471 internal/testenv: TestHasGoBuild failures on the LUCI noopt builders
* go#65474 internal/testenv: support LUCI mobile builders in testenv tests
* go#65577 cmd/trace/v2: goroutine analysis page doesn't identify goroutines consistently
* go#65618 cmd/compile: Go 1.22 build fails with 1.21 PGO profile on internal/saferio change
* go#65619 cmd/compile: Go 1.22 changes support for modules that declare go 1.0
* go#65641 cmd/cgo/internal/testsanitizers,x/build: LUCI clang15 builders failing
* go#65644 runtime: crash in race detector when execution tracer reads from CPU profile buffer
* go#65728 go/types: nil pointer dereference in Alias.Underlying()
* go#65759 net/http: context cancellation can leave HTTP client with deadlocked HTTP/1.1 connections in Go1.22
* go#65760 runtime: Go 1.22.0 fails to build from source on armv7 Alpine Linux
* go#65818 runtime: go1.22.0 test with -race will SIGSEGV or SIGBUS or Bad Pointer
* go#65852 cmd/go: 'missing ziphash' error with go.work
* go#65883 runtime: scheduler sometimes starves a runnable goroutine on wasm platforms

* bsc#1219988 ensure VERSION file is present in GOROOT as required by go tool dist and go tool distpack

- go1.22 (released 2024-02-06) is a major release of Go.
go1.22.x minor releases will be provided through February 2024.
https://github.com/golang/go/wiki/Go-Release-Cycle go1.22 arrives six months after go1.21. Most of its changes are in the implementation of the toolchain, runtime, and libraries.
As always, the release maintains the Go 1 promise of compatibility. We expect almost all Go programs to continue to compile and run as before.

* Language change: go1.22 makes two changes to for loops.
Previously, the variables declared by a for loop were created once and updated by each iteration. In go1.22, each iteration of the loop creates new variables, to avoid accidental sharing bugs. The transition support tooling described in the proposal continues to work in the same way it did in Go 1.21.
* Language change: For loops may now range over integers
* Language change: go1.22 includes a preview of a language change we are considering for a future version of Go:
range-over-function iterators. Building with GOEXPERIMENT=rangefunc enables this feature.
* go command: Commands in workspaces can now use a vendor directory containing the dependencies of the workspace. The directory is created by go work vendor, and used by build commands when the -mod flag is set to vendor, which is the default when a workspace vendor directory is present. Note that the vendor directory's contents for a workspace are different from those of a single module: if the directory at the root of a workspace also contains one of the modules in the workspace, its vendor directory can contain the dependencies of either the workspace or of the module, but not both.
* go get is no longer supported outside of a module in the legacy GOPATH mode (that is, with GO111MODULE=off). Other build commands, such as go build and go test, will continue to work indefinitely for legacy GOPATH programs.
* go mod init no longer attempts to import module requirements from configuration files for other vendoring tools (such as Gopkg.lock).
* go test -cover now prints coverage summaries for covered packages that do not have their own test files. Prior to Go 1.22 a go test -cover run for such a package would report: ? mymod/mypack [no test files] and now with go1.22, functions in the package are treated as uncovered: mymod/mypack coverage:
0.0% of statements Note that if a package contains no executable code at all, we can't report a meaningful coverage percentage; for such packages the go tool will continue to report that there are no test files.
* trace: The trace tool's web UI has been gently refreshed as part of the work to support the new tracer, resolving several issues and improving the readability of various sub-pages. The web UI now supports exploring traces in a thread-oriented view. The trace viewer also now displays the full duration of all system calls. These improvements only apply for viewing traces produced by programs built with go1.22 or newer. A future release will bring some of these improvements to traces produced by older version of Go.
* vet: References to loop variables The behavior of the vet tool has changed to match the new semantics (see above) of loop variables in go1.22. When analyzing a file that requires go1.22 or newer (due to its go.mod file or a per-file build constraint), vetcode> no longer reports references to loop variables from within a function literal that might outlive the iteration of the loop. In Go 1.22, loop variables are created anew for each iteration, so such references are no longer at risk of using a variable after it has been updated by the loop.
* vet: New warnings for missing values after append The vet tool now reports calls to append that pass no values to be appended to the slice, such as slice = append(slice). Such a statement has no effect, and experience has shown that is nearly always a mistake.
* vet: New warnings for deferring time.Since The vet tool now reports a non-deferred call to time.Since(t) within a defer statement. This is equivalent to calling time.Now().Sub(t) before the defer statement, not when the deferred function is called. In nearly all cases, the correct code requires deferring the time.Since call.
* vet: New warnings for mismatched key-value pairs in log/slog calls The vet tool now reports invalid arguments in calls to functions and methods in the structured logging package, log/slog, that accept alternating key/value pairs. It reports calls where an argument in a key position is neither a string nor a slog.Attr, and where a final key is missing its value.
* runtime: The runtime now keeps type-based garbage collection metadata nearer to each heap object, improving the CPU performance (latency or throughput) of Go programs by 1-3%. This change also reduces the memory overhead of the majority Go programs by approximately 1% by deduplicating redundant metadata. Some programs may see a smaller improvement because this change adjusts the size class boundaries of the memory allocator, so some objects may be moved up a size class.
A consequence of this change is that some objects' addresses that were previously always aligned to a 16 byte (or higher) boundary will now only be aligned to an 8 byte boundary. Some programs that use assembly instructions that require memory addresses to be more than 8-byte aligned and rely on the memory allocator's previous alignment behavior may break, but we expect such programs to be rare. Such programs may be built with GOEXPERIMENT=noallocheaders to revert to the old metadata layout and restore the previous alignment behavior, but package owners should update their assembly code to avoid the alignment assumption, as this workaround will be removed in a future release.
* runtime: On the windows/amd64 port, programs linking or loading Go libraries built with -buildmode=c-archive or
-buildmode=c-shared can now use the SetUnhandledExceptionFilter Win32 function to catch exceptions not handled by the Go runtime. Note that this was already supported on the windows/386 port.
* compiler: Profile-guided Optimization (PGO) builds can now devirtualize a higher proportion of calls than previously possible. Most programs from a representative set of Go programs now see between 2 and 14% improvement from enabling PGO.
* compiler: The compiler now interleaves devirtualization and inlining, so interface method calls are better optimized.
* compiler: go1.22 also includes a preview of an enhanced implementation of the compiler's inlining phase that uses heuristics to boost inlinability at call sites deemed 'important' (for example, in loops) and discourage inlining at call sites deemed 'unimportant' (for example, on panic paths). Building with GOEXPERIMENT=newinliner enables the new call-site heuristics; see issue #61502 for more info and to provide feedback.
* linker: The linker's -s and -w flags are now behave more consistently across all platforms. The -w flag suppresses DWARF debug information generation. The -s flag suppresses symbol table generation. The -s flag also implies the -w flag, which can be negated with -w=0. That is, -s -w=0 will generate a binary with DWARF debug information generation but without the symbol table.
* linker: On ELF platforms, the -B linker flag now accepts a special form: with -B gobuildid, the linker will generate a GNU build ID (the ELF NT_GNU_BUILD_ID note) derived from the Go build ID.
* linker: On Windows, when building with -linkmode=internal, the linker now preserves SEH information from C object files by copying the .pdata and .xdata sections into the final binary. This helps with debugging and profiling binaries using native tools, such as WinDbg. Note that until now, C functions' SEH exception handlers were not being honored, so this change may cause some programs to behave differently.
-linkmode=external is not affected by this change, as external linkers already preserve SEH information.
* bootstrap: As mentioned in the Go 1.20 release notes, go1.22 now requires the final point release of Go 1.20 or later for bootstrap. We expect that Go 1.24 will require the final point release of go1.22 or later for bootstrap.
* core library: New math/rand/v2 package: go1.22 includes the first v2 package in the standard library, math/rand/v2. The changes compared to math/rand are detailed in proposal go#61716. The most important changes are:
- The Read method, deprecated in math/rand, was not carried forward for math/rand/v2. (It remains available in math/rand.) The vast majority of calls to Read should use crypto/rands Read instead. Otherwise a custom Read can be constructed using the Uint64 method.
- The global generator accessed by top-level functions is unconditionally randomly seeded. Because the API guarantees no fixed sequence of results, optimizations like per-thread random generator states are now possible.
- The Source interface now has a single Uint64 method; there is no Source64 interface.
- Many methods now use faster algorithms that were not possible to adopt in math/rand because they changed the output streams.
- The Intn, Int31, Int31n, Int63, and Int64n top-level functions and methods from math/rand are spelled more idiomatically in math/rand/v2: IntN, Int32, Int32N, Int64, and Int64N. There are also new top-level functions and methods Uint32, Uint32N, Uint64, Uint64N, Uint, and UintN.
- The new generic function N is like Int64N or Uint64N but works for any integer type. For example a random duration from 0 up to 5 minutes is rand.N(5*time.Minute).
- The Mitchell & Reeds LFSR generator provided by math/rands Source has been replaced by two more modern pseudo-random generator sources: ChaCha8 PCG. ChaCha8 is a new, cryptographically strong random number generator roughly similar to PCG in efficiency. ChaCha8 is the algorithm used for the top-level functions in math/rand/v2. As of go1.22, math/rand's top-level functions (when not explicitly seeded) and the Go runtime also use ChaCha8 for randomness.
- We plan to include an API migration tool in a future release, likely Go 1.23.
* core library: New go/version package: The new go/version package implements functions for validating and comparing Go version strings.
* core library: Enhanced routing patterns: HTTP routing in the standard library is now more expressive. The patterns used by net/http.ServeMux have been enhanced to accept methods and wildcards. This change breaks backwards compatibility in small ways, some obviouspatterns with '{' and '}' behave differently and some less sotreatment of escaped paths has been improved. The change is controlled by a GODEBUG field named httpmuxgo121. Set httpmuxgo121=1 to restore the old behavior.
* Minor changes to the library As always, there are various minor changes and updates to the library, made with the Go 1 promise of compatibility in mind. There are also various performance improvements, not enumerated here.
* archive/tar: The new method Writer.AddFS adds all of the files from an fs.FS to the archive.
* archive/zip: The new method Writer.AddFS adds all of the files from an fs.FS to the archive.
* bufio: When a SplitFunc returns ErrFinalToken with a nil token, Scanner will now stop immediately. Previously, it would report a final empty token before stopping, which was usually not desired. Callers that do want to report a final empty token can do so by returning []byte{} rather than nil.
* cmp: The new function Or returns the first in a sequence of values that is not the zero value.
* crypto/tls: ConnectionState.ExportKeyingMaterial will now return an error unless TLS 1.3 is in use, or the extended_master_secret extension is supported by both the server and client. crypto/tls has supported this extension since Go 1.20. This can be disabled with the tlsunsafeekm=1 GODEBUG setting.
* crypto/tls: By default, the minimum version offered by crypto/tls servers is now TLS 1.2 if not specified with config.MinimumVersion, matching the behavior of crypto/tls client ...

Please note that the description has been truncated due to length. Please refer to vendor advisory for the full description.

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected go1.22-openssl, go1.22-openssl-doc and / or go1.22-openssl-race packages.

See Also

https://bugzilla.suse.com/1218424

https://bugzilla.suse.com/1219988

https://bugzilla.suse.com/1220999

https://bugzilla.suse.com/1221000

https://bugzilla.suse.com/1221001

https://bugzilla.suse.com/1221002

https://bugzilla.suse.com/1221003

https://bugzilla.suse.com/1221400

https://bugzilla.suse.com/1224017

https://bugzilla.suse.com/1224018

https://bugzilla.suse.com/1225973

https://bugzilla.suse.com/1225974

https://bugzilla.suse.com/1227314

https://bugzilla.suse.com/1230252

https://bugzilla.suse.com/1230253

https://bugzilla.suse.com/1230254

https://www.suse.com/security/cve/CVE-2023-45288

https://www.suse.com/security/cve/CVE-2023-45289

https://www.suse.com/security/cve/CVE-2023-45290

https://www.suse.com/security/cve/CVE-2024-24783

https://www.suse.com/security/cve/CVE-2024-24784

https://www.suse.com/security/cve/CVE-2024-24785

https://www.suse.com/security/cve/CVE-2024-24787

https://www.suse.com/security/cve/CVE-2024-24788

https://www.suse.com/security/cve/CVE-2024-24789

https://www.suse.com/security/cve/CVE-2024-24790

https://www.suse.com/security/cve/CVE-2024-24791

https://www.suse.com/security/cve/CVE-2024-34155

https://www.suse.com/security/cve/CVE-2024-34156

https://www.suse.com/security/cve/CVE-2024-34158

http://www.nessus.org/u?d0961ae5

Plugin Details

Severity: Critical

ID: 210583

File Name: suse_SU-2024-3938-1.nasl

Version: 1.2

Type: Local

Agent: unix

Published: 11/8/2024

Updated: 6/26/2026

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.39

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2024-24790

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:go1.22-openssl, p-cpe:/a:novell:suse_linux:go1.22-openssl-doc, p-cpe:/a:novell:suse_linux:go1.22-openssl-race, cpe:/o:novell:suse_linux:15

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/7/2024

Vulnerability Publication Date: 2/29/2024

Reference Information

CVE: CVE-2023-45288, CVE-2023-45289, CVE-2023-45290, CVE-2024-24783, CVE-2024-24784, CVE-2024-24785, CVE-2024-24787, CVE-2024-24788, CVE-2024-24789, CVE-2024-24790, CVE-2024-24791, CVE-2024-34155, CVE-2024-34156, CVE-2024-34158

SuSE: SUSE-SU-2024:3938-1