Bugzilla – Bug 1217834
VUL-0: CVE-2023-45285: go1.20,go1.21: cmd/go: go get may unexpectedly fallback to insecure git
Last modified: 2024-05-24 10:31:11 UTC
Using go get to fetch a module with the ".git" suffix may unexpectedly fall back to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off). Thanks to David Leadbeater for reporting this issue. This is CVE-2023-45285 and Go issue https://go.dev/issue/63845.
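A triage sketch for the conditions described above, added here as an example and not taken from the bug report or the Go project. The function names and the example.com module path are hypothetical; it assumes direct fetching shows up as a `direct` entry in the GOPROXY list, does not model GOPRIVATE or GONOPROXY, and takes the fixed releases (1.20.12, 1.21.5) from the updates listed on this page.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// patched: is a version such as "go1.21.4" at or above the fixed releases in
// the updates on this page (1.20.12, 1.21.5)? Assumption: older is unpatched.
func patched(v string) bool {
	p := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if len(p) < 2 || p[0] != "1" {
		return false // unparseable: treat as unpatched
	}
	minor, err := strconv.Atoi(p[1])
	if err != nil {
		return false // e.g. "go1.21rc2"
	}
	patch := 0
	if len(p) > 2 {
		patch, _ = strconv.Atoi(p[2]) // non-numeric patch stays 0
	}
	return minor > 21 || (minor == 21 && patch >= 5) || (minor == 20 && patch >= 12)
}

// fetchesDirect: can this GOPROXY list reach the origin VCS ("direct" entry)?
func fetchesDirect(goproxy string) bool {
	sep := func(r rune) bool { return r == ',' || r == '|' }
	for _, e := range strings.FieldsFunc(goproxy, sep) {
		if strings.TrimSpace(e) == "direct" {
			return true
		}
	}
	return false
}

// exposed: unpatched toolchain + direct fetch + a ".git" path element.
func exposed(goVersion, goproxy, mod string) bool {
	git := false
	for _, seg := range strings.Split(mod, "/") {
		git = git || strings.HasSuffix(seg, ".git")
	}
	return git && fetchesDirect(goproxy) && !patched(goVersion)
}

func main() {
	fmt.Println(exposed("go1.21.4", "direct", "example.com/team/repo.git")) // constructed sample
}
```

Feed it the version reported by `go version` and the value of `go env GOPROXY` for each build host.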
This is an autogenerated message for OBS integration:
This bug (1217834) was mentioned in
https://build.opensuse.org/request/show/1131274 Factory / go1.20
https://build.opensuse.org/request/show/1131275 Factory / go1.21
SUSE-SU-2023:4709-1: An update that solves three vulnerabilities and has one security fix can now be installed.
Category: security (important)
Bug References: 1212475, 1216943, 1217833, 1217834
CVE References: CVE-2023-39326, CVE-2023-45284, CVE-2023-45285
Sources used:
openSUSE Leap 15.4 (src): go1.21-1.21.5-150000.1.18.1
openSUSE Leap 15.5 (src): go1.21-1.21.5-150000.1.18.1
Development Tools Module 15-SP4 (src): go1.21-1.21.5-150000.1.18.1
Development Tools Module 15-SP5 (src): go1.21-1.21.5-150000.1.18.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4708-1: An update that solves three vulnerabilities and has one security fix can now be installed.
Category: security (important)
Bug References: 1206346, 1216943, 1217833, 1217834
CVE References: CVE-2023-39326, CVE-2023-45284, CVE-2023-45285
Sources used:
openSUSE Leap 15.4 (src): go1.20-1.20.12-150000.1.35.1
openSUSE Leap 15.5 (src): go1.20-1.20.12-150000.1.35.1
Development Tools Module 15-SP4 (src): go1.20-1.20.12-150000.1.35.1
Development Tools Module 15-SP5 (src): go1.20-1.20.12-150000.1.35.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4931-1: An update that solves three vulnerabilities and has one security fix can now be installed.
Category: security (important)
Bug References: 1212475, 1216943, 1217833, 1217834
CVE References: CVE-2023-39326, CVE-2023-45284, CVE-2023-45285
Sources used:
Development Tools Module 15-SP5 (src): go1.21-openssl-1.21.5.1-150000.1.8.1
openSUSE Leap 15.4 (src): go1.21-openssl-1.21.5.1-150000.1.8.1
openSUSE Leap 15.5 (src): go1.21-openssl-1.21.5.1-150000.1.8.1
Development Tools Module 15-SP4 (src): go1.21-openssl-1.21.5.1-150000.1.8.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4930-1: An update that solves three vulnerabilities and has one security fix can now be installed.
Category: security (important)
Bug References: 1206346, 1216943, 1217833, 1217834
CVE References: CVE-2023-39326, CVE-2023-45284, CVE-2023-45285
Sources used:
openSUSE Leap 15.4 (src): go1.20-openssl-1.20.12.1-150000.1.17.1
openSUSE Leap 15.5 (src): go1.20-openssl-1.20.12.1-150000.1.17.1
Development Tools Module 15-SP4 (src): go1.20-openssl-1.20.12.1-150000.1.17.1
Development Tools Module 15-SP5 (src): go1.20-openssl-1.20.12.1-150000.1.17.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
All done, closing.