   openSUSE Security Update: Security update for go
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2016:1894-1
Rating:             moderate
References:         #989630
Cross-References:   CVE-2015-5739 CVE-2015-5740 CVE-2015-5741
Affected Products:
                    openSUSE 13.2
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for go fixes the following issues:

   - CVE-2015-5739: "Content Length" treated as valid header
   - CVE-2015-5740: Double content-length headers do not return 400 error
   - CVE-2015-5741: Additional hardening, not sending Content-Length
     w/Transfer-Encoding, Closing connections

   Go was updated to 1.4.3 with the following additional changes:

   - build: remove -Werror from cmd/dist
   - runtime: panic when accessing an empty struct value appended to an
     uninitialized slice
   - runtime: garbage collector found invalid heap pointer iterating over
     map

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 13.2:

      zypper in -t patch openSUSE-2016-907=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE 13.2 (i586 x86_64):

      go-1.4.3-15.1
      go-debuginfo-1.4.3-15.1
      go-debugsource-1.4.3-15.1
      go-doc-1.4.3-15.1

References:

   https://www.suse.com/security/cve/CVE-2015-5739.html
   https://www.suse.com/security/cve/CVE-2015-5740.html
   https://www.suse.com/security/cve/CVE-2015-5741.html
   https://bugzilla.suse.com/989630
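
The three header conditions named in the Description, written out as a check over raw header lines. This is an added example, not code from the Go project or from openSUSE; `Verdict` and `CheckFraming` are hypothetical names, and rejecting every repeated Content-Length and closing the connection when both framing headers appear are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)
// Verdict is this example's own type (hypothetical, not part of net/http).
type Verdict struct {
	Status            int  // 400 = reject, 200 = accept
	DropContentLength bool // Transfer-Encoding wins, Content-Length is ignored
	CloseAfter        bool // close the connection after this message
}
// CheckFraming applies the advisory's three checks to raw "Name: value" lines.
func CheckFraming(lines []string) Verdict {
	var cl, te int
	for _, line := range lines {
		name, _, ok := strings.Cut(line, ":")
		if !ok || name == "" || strings.ContainsAny(name, " \t") {
			// CVE-2015-5739: "Content Length" must not pass as a header name.
			return Verdict{Status: 400, CloseAfter: true}
		}
		switch strings.ToLower(name) {
		case "content-length":
			cl++
		case "transfer-encoding":
			te++
		}
	}
	if cl > 1 {
		// CVE-2015-5740: doubled Content-Length headers get a 400.
		return Verdict{Status: 400, CloseAfter: true}
	}
	if cl == 1 && te > 0 {
		// CVE-2015-5741: no Content-Length alongside Transfer-Encoding.
		return Verdict{Status: 200, DropContentLength: true, CloseAfter: true}
	}
	return Verdict{Status: 200}
}
func main() {
	samples := [][]string{ // constructed header sets, not captured traffic
		{"Host: example.test", "Content Length: 5"},
		{"Content-Length: 5", "Content-Length: 6"},
		{"Content-Length: 5", "Transfer-Encoding: chunked"},
	}
	for _, s := range samples {
		fmt.Printf("%q -> %+v\n", s, CheckFraming(s))
	}
}
```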