{"affected":[{"ecosystem_specific":{"binaries":[{"go1.20":"1.20.4-150000.1.11.1","go1.20-doc":"1.20.4-150000.1.11.1","go1.20-race":"1.20.4-150000.1.11.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Real Time 15 SP3","name":"go1.20","purl":"pkg:rpm/suse/go1.20&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP3"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.20.4-150000.1.11.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for go1.20 fixes the following issues:\n\nUpdate to 1.20.4 (bnc#1206346):\n- CVE-2023-24539: Fixed an improper sanitization of CSS values (boo#1211029).\n- CVE-2023-24540: Fixed an improper handling of JavaScript whitespace (boo#1211030).\n- CVE-2023-29400: Fixed an improper handling of empty HTML attributes (boo#1211031).\n- runtime: automatically bump RLIMIT_NOFILE on Unix.\n- crypto/subtle: xor fails when run with race+purego.\n- cmd/compile: encoding/binary.PutUint16 sometimes doesn't write.\n- cmd/compile: internal compiler error: cannot call SetType(go.shape.int) on v (type int).\n- cmd/compile: miscompilation in star-tex.org/x/cmd/star-tex.\n- net/http: FileServer no longer serves content for POST.\n- crypto/tls: TLSv1.3 connection fails with invalid PSK binder.\n- cmd/compile: incorrect inline function variable.\n- cmd/compile: Unified IR exports table is binary unstable in presence of generics.\n- go/internal/gcimporter: lookupGorootExport should use the go command from build.Default.GOROOT.\n\nNon-security fixes:\n\n- Reverted go1.x Suggests go1.x-race (boo#1210963).\n- Re-enabled binary stripping and debuginfo (boo#1210938).\n","id":"SUSE-SU-2023:2105-2","modified":"2023-05-08T14:30:55Z","published":"2023-05-08T14:30:55Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2023/suse-su-20232105-2/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1206346"},{"type":"REPORT","url":"https://bugzilla.suse.com/1210127"},{"type":"REPORT","url":"https://bugzilla.suse.com/1210128"},{"type":"REPORT","url":"https://bugzilla.suse.com/1210129"},{"type":"REPORT","url":"https://bugzilla.suse.com/1210130"},{"type":"REPORT","url":"https://bugzilla.suse.com/1210938"},{"type":"REPORT","url":"https://bugzilla.suse.com/1210963"},{"type":"REPORT","url":"https://bugzilla.suse.com/1211029"},{"type":"REPORT","url":"https://bugzilla.suse.com/1211030"},{"type":"REPORT","url":"https://bugzilla.suse.com/1211031"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2023-24534"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2023-24536"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2023-24537"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2023-24538"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2023-24539"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2023-24540"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2023-29400"}],"related":["CVE-2023-24534","CVE-2023-24536","CVE-2023-24537","CVE-2023-24538","CVE-2023-24539","CVE-2023-24540","CVE-2023-29400"],"summary":"Security update for go1.20","upstream":["CVE-2023-24534","CVE-2023-24536","CVE-2023-24537","CVE-2023-24538","CVE-2023-24539","CVE-2023-24540","CVE-2023-29400"]}