File _patchinfo of Package patchinfo.42360
<patchinfo incident="42360"> <issue tracker="jsc" id="SLE-18320"/> <issue tracker="bnc" id="1251259">VUL-0: CVE-2025-58186: go1.24,go1.25: net/http: lack of limit when parsing cookies can cause memory exhaustion</issue> <issue tracker="bnc" id="1236217">go1.24 release tracking</issue> <issue tracker="bnc" id="1256818">VUL-0: CVE-2025-68121: go1.24,go1.25: crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain</issue> <issue tracker="bnc" id="1254430">VUL-0: CVE-2025-61727: go1.24,go1.25: crypto/x509: excluded subdomain constraint does not restrict wildcard SANs</issue> <issue tracker="bnc" id="1251253">VUL-0: CVE-2025-61725: go1.24,go1.25: net/mail: excessive CPU consumption in ParseAddress</issue> <issue tracker="bnc" id="1248082">go1.22,go1.23, go1.24, go1.25: go1.x toolchain packages drop unused gccgo bootstrap code now used only by go1.21</issue> <issue tracker="bnc" id="1245878">update-alternatives migration: go</issue> <issue tracker="bnc" id="1251254">VUL-0: CVE-2025-58187: go1.24,go1.25: crypto/x509: quadratic complexity when checking name constraints</issue> <issue tracker="bnc" id="1251262">VUL-0: CVE-2025-61724: go1.24,go1.25: net/textproto: excessive CPU consumption in Reader.ReadResponse</issue> <issue tracker="bnc" id="1247816">go1.21,go1.22,go1.23: go1.x toolchain packages shorten bootstrap chain to go1.21 bootstrapped with gccgo</issue> <issue tracker="bnc" id="1256821">VUL-0: CVE-2025-61730: go1.24,go1.25: crypto/tls: handshake messages may be processed at the incorrect encryption level</issue> <issue tracker="bnc" id="1256817">VUL-0: CVE-2025-61726: go1.24,go1.25: net/http: memory exhaustion in Request.ParseForm</issue> <issue tracker="bnc" id="1256816">VUL-0: CVE-2025-61728: go1.24,go1.25: archive/zip: denial of service when parsing arbitrary ZIP archives</issue> <issue tracker="bnc" id="1251258">VUL-0: CVE-2025-58185: go1.24,go1.25: encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion</issue> <issue tracker="bnc" id="1256820">VUL-0: CVE-2025-68119: go1.24,go1.25: cmd/go: unexpected code execution when invoking toolchain</issue> <issue tracker="bnc" id="1251260">VUL-0: CVE-2025-58188: go1.24,go1.25: crypto/x509: panic when validating certificates with DSA public keys</issue> <issue tracker="bnc" id="1251256">VUL-0: CVE-2025-61723: go1.24,go1.25: encoding/pem: quadratic complexity when parsing some invalid inputs</issue> <issue tracker="bnc" id="1256819">VUL-0: CVE-2025-61731: go1.24,go1.25: cmd/go: bypass of flag sanitization can lead to arbitrary code execution</issue> <issue tracker="bnc" id="1249985">go1.25: go tool pprof fails to run because of packaging bug</issue> <issue tracker="bnc" id="1251255">VUL-0: CVE-2025-58189: go1.24,go1.25: crypto/tls: ALPN negotiation errors can contain arbitrary text</issue> <issue tracker="bnc" id="1251261">VUL-0: CVE-2025-58183: go1.24,go1.25: archive/tar: unbounded allocation when parsing GNU sparse map</issue> <issue tracker="bnc" id="1251257">VUL-0: CVE-2025-47912: go1.24,go1.25: net/url: insufficient validation of bracketed IPv6 hostnames</issue> <issue tracker="bnc" id="1254431">VUL-0: CVE-2025-61729: go1.24,go1.25: crypto/x509: excessive resource consumption in printing error string for host certificate validation</issue> <issue tracker="cve" id="2025-61729"/> <issue tracker="cve" id="2025-61728"/> <issue tracker="cve" id="2025-58188"/> <issue tracker="cve" id="2025-58189"/> <issue tracker="cve" id="2025-58185"/> <issue tracker="cve" id="2025-58186"/> <issue tracker="cve" id="2025-58183"/> <issue tracker="cve" id="2025-47912"/> <issue tracker="cve" id="2025-61727"/> <issue tracker="cve" id="2025-58187"/> <issue tracker="cve" id="2025-68121"/> <issue tracker="cve" id="2025-61724"/> <issue tracker="cve" id="2025-61725"/> <issue tracker="cve" id="2025-61731"/> <issue tracker="cve" id="2025-68119"/> <issue tracker="cve" id="2025-61726"/> <issue tracker="cve" id="2025-61723"/> <issue tracker="cve" id="2025-61730"/> <packager>jfkw</packager> <rating>important</rating> <category>security</category> <summary>Security update for go1.24-openssl</summary> <description>This update for go1.24-openssl fixes the following issues: Update to version 1.24.12 (released 2026-01-15) (jsc#SLE-18320, bsc#1236217): Security fixes: - CVE-2025-47912: net/url: insufficient validation of bracketed IPv6 hostnames (bsc#1251257). - CVE-2025-58183: archive/tar: unbounded allocation when parsing GNU sparse map (bsc#1251261). - CVE-2025-58185: encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion (bsc#1251258). - CVE-2025-58186: net/http: lack of limit when parsing cookies can cause memory exhaustion (bsc#1251259). - CVE-2025-58187: crypto/x509: quadratic complexity when checking name constraints (bsc#1251254). - CVE-2025-58188: crypto/x509: panic when validating certificates with DSA public keys (bsc#1251260). - CVE-2025-58189: crypto/tls: ALPN negotiation error contains attacker controlled information (bsc#1251255). - CVE-2025-61723: encoding/pem: quadratic complexity when parsing some invalid inputs (bsc#1251256). - CVE-2025-61724: net/textproto: excessive CPU consumption in Reader.ReadResponse (bsc#1251262). - CVE-2025-61725: net/mail: excessive CPU consumption in ParseAddress (bsc#1251253). - CVE-2025-61726: net/http: memory exhaustion in Request.ParseForm (bsc#1256817). - CVE-2025-61727: crypto/x509: excluded subdomain constraint doesn't preclude wildcard SAN (bsc#1254430). - CVE-2025-61728: archive/zip: denial of service when parsing arbitrary ZIP archives (bsc#1256816). - CVE-2025-61729: crypto/x509: excessive resource consumption in printing error string for host certificate validation (bsc#1254431). - CVE-2025-61730: crypto/tls: handshake messages may be processed at the incorrect encryption level (bsc#1256821). - CVE-2025-61731: cmd/go: bypass of flag sanitization can lead to arbitrary code execution (bsc#1256819). - CVE-2025-68119: cmd/go: unexpected code execution when invoking toolchain (bsc#1256820). - CVE-2025-68121: crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain (bsc#1256818). Other fixes: * go#74818 net: WriteMsgUDPAddrPort should accept IPv4-mapped IPv6 destination addresses on IPv4 UDP sockets * go#74821 cmd/go: "get toolchain@latest" should ignore release candidates * go#75007 os/exec: TestLookPath fails on plan9 after CL 685755 * go#75138 os: Root.OpenRoot sets incorrect name, losing prefix of original root * go#75220 debug/pe: pe.Open fails on object files produced by llvm-mingw 21 * go#75351 cmd/link: panic on riscv64 with CGO enabled due to empty container symbol * go#75356 net: new test TestIPv4WriteMsgUDPAddrPortTargetAddrIPVersion fails on plan9 * go#75359 os: new test TestOpenFileCreateExclDanglingSymlink fails on Plan 9 * go#75523 crypto/internal/fips140/rsa: requires a panic if self-tests fail * go#75538 net/http: internal error: connCount underflow * go#75594 cmd/compile: internal compiler error with GOEXPERIMENT=cgocheck2 on github.com/leodido/go-urn * go#75609 sync/atomic: comment for Uintptr.Or incorrectly describes return value * go#75831 net/url: ipv4 mapped ipv6 addresses should be valid in square brackets * go#75860 crypto/x509: TLS validation fails for FQDNs with trailing dot * go#75951 encoding/pem: regression when decoding blocks with leading garbage * go#76028 pem/encoding: malformed line endings can cause panics * go#76378 internal/cpu: incorrect CPU features bit parsing on loong64 cause illegal instruction core dumps on LA364 cores * go#76408 crypto/tls: earlyTrafficSecret should use ClientHelloInner if ECH enabled * go#76624 os: on Unix, Readdirnames skips directory entries with zero inodes * go#76760 runtime: stack split at bad time in os/signal with Go 1.25.4 windows 386 * go#76796 runtime: race detector crash on ppc64le * go#76966 cmd/compile/internal/ssa: Compile.func1(): panic during sccp while compiling &lt;function&gt;: runtime error: index out of range </description> </patchinfo>
