Overview

File _patchinfo of Package patchinfo.41060

<patchinfo incident="41060">
  <issue tracker="bnc" id="1251253">VUL-0: CVE-2025-61725: go1.24,go1.25: net/mail: excessive CPU consumption in ParseAddress</issue>
  <issue tracker="bnc" id="1251262">VUL-0: CVE-2025-61724: go1.24,go1.25: net/textproto: excessive CPU consumption in Reader.ReadResponse</issue>
  <issue tracker="bnc" id="1251260">VUL-0: CVE-2025-58188: go1.24,go1.25: crypto/x509: panic when validating certificates with DSA public keys</issue>
  <issue tracker="bnc" id="1251258">VUL-0: CVE-2025-58185: go1.24,go1.25: encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion</issue>
  <issue tracker="bnc" id="1251256">VUL-0: CVE-2025-61723: go1.24,go1.25: encoding/pem: quadratic complexity when parsing some invalid inputs</issue>
  <issue tracker="bnc" id="1251261">VUL-0: CVE-2025-58183: go1.24,go1.25: archive/tar: unbounded allocation when parsing GNU sparse map</issue>
  <issue tracker="bnc" id="1251257">VUL-0: CVE-2025-47912: go1.24,go1.25: net/url: insufficient validation of bracketed IPv6 hostnames</issue>
  <issue tracker="bnc" id="1251254">VUL-0: CVE-2025-58187: go1.24,go1.25: crypto/x509: quadratic complexity when checking name constraints</issue>
  <issue tracker="bnc" id="1251259">VUL-0: CVE-2025-58186: go1.24,go1.25: net/http: lack of limit when parsing cookies can cause memory exhaustion</issue>
  <issue tracker="bnc" id="1251255">VUL-0: CVE-2025-58189: go1.24,go1.25: crypto/tls: ALPN negotiation errors can contain arbitrary text</issue>
  <issue tracker="bnc" id="1236217">go1.24 release tracking</issue>
  <issue tracker="cve" id="2025-58185"/>
  <issue tracker="cve" id="2025-58187"/>
  <issue tracker="cve" id="2025-61725"/>
  <issue tracker="cve" id="2025-47912"/>
  <issue tracker="cve" id="2025-61724"/>
  <issue tracker="cve" id="2025-58188"/>
  <issue tracker="cve" id="2025-58186"/>
  <issue tracker="cve" id="2025-58183"/>
  <issue tracker="cve" id="2025-58189"/>
  <issue tracker="cve" id="2025-61723"/>
  <packager>jfkw</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for go1.24</summary>
  <description>This update for go1.24 fixes the following issues:

go1.24.9 (released 2025-10-13) includes fixes to the crypto/x509
package. (boo#1236217)

* crypto/x509: TLS validation fails for FQDNs with trailing dot


go1.24.8 (released 2025-10-07) includes security fixes to the
archive/tar, crypto/tls, crypto/x509, encoding/asn1,
encoding/pem, net/http, net/mail, net/textproto, and net/url
packages, as well as bug fixes to the compiler, the linker, and
the debug/pe, net/http, os, and sync/atomic packages.
(bsc#1236217)

  CVE-2025-58189 CVE-2025-61725 CVE-2025-58188 CVE-2025-58185 CVE-2025-58186 CVE-2025-61723 CVE-2025-58183 CVE-2025-47912 CVE-2025-58187 CVE-2025-61724:

* bsc#1251255 CVE-2025-58189: crypto/tls: ALPN negotiation error contains attacker controlled information
* bsc#1251253 CVE-2025-61725: net/mail: excessive CPU consumption in ParseAddress
* bsc#1251260 CVE-2025-58188: crypto/x509: panic when validating certificates with DSA public keys
* bsc#1251258 CVE-2025-58185: encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion
* bsc#1251259 CVE-2025-58186: net/http: lack of limit when parsing cookies can cause memory exhaustion
* bsc#1251256 CVE-2025-61723: encoding/pem: quadratic complexity when parsing some invalid inputs
* bsc#1251261 CVE-2025-58183: archive/tar: unbounded allocation when parsing GNU sparse map
* bsc#1251257 CVE-2025-47912: net/url: insufficient validation of bracketed IPv6 hostnames
* bsc#1251254 CVE-2025-58187: crypto/x509: quadratic complexity when checking name constraints
* bsc#1251262 CVE-2025-61724: net/textproto: excessive CPU consumption in Reader.ReadResponse

* go#75138 os: Root.OpenRoot sets incorrect name, losing prefix of original root
* go#75220 debug/pe: pe.Open fails on object files produced by llvm-mingw 21
* go#75351 cmd/link: panic on riscv64 with CGO enabled due to empty container symbol
* go#75356 net: new test TestIPv4WriteMsgUDPAddrPortTargetAddrIPVersion fails on plan9
* go#75359 os: new test TestOpenFileCreateExclDanglingSymlink fails on Plan 9
* go#75523 crypto/internal/fips140/rsa: requires a panic if self-tests fail
* go#75538 net/http: internal error: connCount underflow
* go#75594 cmd/compile: internal compiler error with GOEXPERIMENT=cgocheck2 on github.com/leodido/go-urn
* go#75609 sync/atomic: comment for Uintptr.Or incorrectly describes return value
</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places