File _patchinfo of Package patchinfo.42252
<patchinfo incident="42252">
  <issue tracker="bnc" id="1256817">VUL-0: CVE-2025-61726: go1.24,go1.25: net/http: memory exhaustion in Request.ParseForm</issue>
  <issue tracker="bnc" id="1244485">go1.25 release tracking</issue>
  <issue tracker="bnc" id="1256818">VUL-0: CVE-2025-68121: go1.24,go1.25: crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain</issue>
  <issue tracker="bnc" id="1256816">VUL-0: CVE-2025-61728: go1.24,go1.25: archive/zip: denial of service when parsing arbitrary ZIP archives</issue>
  <issue tracker="bnc" id="1256821">VUL-0: CVE-2025-61730: go1.24,go1.25: crypto/tls: handshake messages may be processed at the incorrect encryption level</issue>
  <issue tracker="bnc" id="1256819">VUL-0: CVE-2025-61731: go1.24,go1.25: cmd/go: bypass of flag sanitization can lead to arbitrary code execution</issue>
  <issue tracker="bnc" id="1256820">VUL-0: CVE-2025-68119: go1.24,go1.25: cmd/go: unexpected code execution when invoking toolchain</issue>
  <issue tracker="cve" id="2025-68121"/>
  <issue tracker="cve" id="2025-68119"/>
  <issue tracker="cve" id="2025-61726"/>
  <issue tracker="cve" id="2025-61730"/>
  <issue tracker="cve" id="2025-61731"/>
  <issue tracker="cve" id="2025-61728"/>
  <packager>jfkw</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for go1.25</summary>
  <description>This update for go1.25 fixes the following issues:

Update to go1.25.6 (released 2026-01-15) (bsc#1244485)

Security fixes:

- CVE-2025-61730: crypto/tls: handshake messages may be processed at the incorrect encryption level (bsc#1256821).
- CVE-2025-68119: cmd/go: unexpected code execution when invoking toolchain (bsc#1256820).
- CVE-2025-61731: cmd/go: bypass of flag sanitization can lead to arbitrary code execution (bsc#1256819).
- CVE-2025-61726: net/http: memory exhaustion in Request.ParseForm (bsc#1256817).
- CVE-2025-61728: archive/zip: denial of service when parsing arbitrary ZIP archives (bsc#1256816).
- CVE-2025-68121: crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain (bsc#1256818).

Other fixes:

* go#76392 os: package initialization hangs is Stdin is blocked
* go#76409 crypto/tls: earlyTrafficSecret should use ClientHelloInner if ECH enabled
* go#76620 os: on Unix, Readdirnames skips directory entries with zero inodes
* go#76761 runtime: stack split at bad time in os/signal with Go 1.25.4 windows 386
* go#76776 runtime: race detector crash on ppc64le
* go#76967 cmd/compile/internal/ssa: Compile.func1(): panic during sccp while compiling &lt;function&gt;: runtime error: index out of range
* go#76973 errors: errors.Join behavior changed in 1.25
</description>
</patchinfo>