An update that solves three vulnerabilities and has four fixes is now available.
This new package for go1.11 fixes the following issues:
Security issues fixed:
- CVE-2018-16873: Fixed a remote code execution in go get, when executed with the -u flag (bsc#1118897) - CVE-2018-16874: Fixed an arbitrary filesystem write in go get, which could lead to code execution (bsc#1118898) - CVE-2018-16875: Fixed a Denial of Service in the crypto/x509 package during certificate chain validation(bsc#1118899)
Non-security issues fixed:
- Fixed build error with PIE linker flags on ppc64le (bsc#1113978 bsc#1098017) - Make profile.d/go.sh no longer set GOROOT=, in order to make switching between versions no longer break. This ends up removing the need for go.sh entirely (because GOPATH is also set automatically) (bsc#1119634)
The following tracked regression fix is included:
- Fix a regression that broke go get for import path patterns containing "..." (bsc#1119706)
To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: