File _patchinfo of Package patchinfo.42362
<patchinfo incident="42362">
<issue tracker="jsc" id="SLE-18320"/>
<issue tracker="bnc" id="1254431">VUL-0: CVE-2025-61729: go1.24,go1.25: crypto/x509: excessive resource consumption in printing error string for host certificate validation</issue>
<issue tracker="bnc" id="1251254">VUL-0: CVE-2025-58187: go1.24,go1.25: crypto/x509: quadratic complexity when checking name constraints</issue>
<issue tracker="bnc" id="1251253">VUL-0: CVE-2025-61725: go1.24,go1.25: net/mail: excessive CPU consumption in ParseAddress</issue>
<issue tracker="bnc" id="1251256">VUL-0: CVE-2025-61723: go1.24,go1.25: encoding/pem: quadratic complexity when parsing some invalid inputs</issue>
<issue tracker="bnc" id="1256817">VUL-0: CVE-2025-61726: go1.24,go1.25: net/http: memory exhaustion in Request.ParseForm</issue>
<issue tracker="bnc" id="1256821">VUL-0: CVE-2025-61730: go1.24,go1.25: crypto/tls: handshake messages may be processed at the incorrect encryption level</issue>
<issue tracker="bnc" id="1251262">VUL-0: CVE-2025-61724: go1.24,go1.25: net/textproto: excessive CPU consumption in Reader.ReadResponse</issue>
<issue tracker="bnc" id="1256820">VUL-0: CVE-2025-68119: go1.24,go1.25: cmd/go: unexpected code execution when invoking toolchain</issue>
<issue tracker="bnc" id="1251261">VUL-0: CVE-2025-58183: go1.24,go1.25: archive/tar: unbounded allocation when parsing GNU sparse map</issue>
<issue tracker="bnc" id="1251257">VUL-0: CVE-2025-47912: go1.24,go1.25: net/url: insufficient validation of bracketed IPv6 hostnames</issue>
<issue tracker="bnc" id="1251260">VUL-0: CVE-2025-58188: go1.24,go1.25: crypto/x509: panic when validating certificates with DSA public keys</issue>
<issue tracker="bnc" id="1247720">VUL-0: CVE-2025-47907: go1.23,go1.24,go1.25: database/sql: incorrect results returned from Rows.Scan</issue>
<issue tracker="bnc" id="1248082">go1.22,go1.23, go1.24, go1.25: go1.x toolchain packages drop unused gccgo bootstrap code now used only by go1.21</issue>
<issue tracker="bnc" id="1251259">VUL-0: CVE-2025-58186: go1.24,go1.25: net/http: lack of limit when parsing cookies can cause memory exhaustion</issue>
<issue tracker="bnc" id="1247719">VUL-0: CVE-2025-47906: go1.23,go1.24,go1.25: os/exec: LookPath may return unexpected paths</issue>
<issue tracker="bnc" id="1244485">go1.25 release tracking</issue>
<issue tracker="bnc" id="1249985">go1.25: go tool pprof fails to run because of packaging bug</issue>
<issue tracker="bnc" id="1251255">VUL-0: CVE-2025-58189: go1.24,go1.25: crypto/tls: ALPN negotiation errors can contain arbitrary text</issue>
<issue tracker="bnc" id="1256819">VUL-0: CVE-2025-61731: go1.24,go1.25: cmd/go: bypass of flag sanitization can lead to arbitrary code execution</issue>
<issue tracker="bnc" id="1245878">update-alternatives migration: go</issue>
<issue tracker="bnc" id="1254227">go1.25: build error only on SLE-12 SP5 s390x go tool dist: FAILED go_bootstrap install -v std</issue>
<issue tracker="bnc" id="1251258">VUL-0: CVE-2025-58185: go1.24,go1.25: encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion</issue>
<issue tracker="bnc" id="1246118">VUL-0: CVE-2025-4674: go1.23,go1.24,go1.25: cmd/go: unexpected command execution in untrusted VCS repositories</issue>
<issue tracker="bnc" id="1249141">VUL-0: CVE-2025-47910: go1.25: net/http: CrossOriginProtection bypass patterns are over-broad</issue>
<issue tracker="bnc" id="1256818">VUL-0: CVE-2025-68121: go1.24,go1.25: crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain</issue>
<issue tracker="bnc" id="1254430">VUL-0: CVE-2025-61727: go1.24,go1.25: crypto/x509: excluded subdomain constraint does not restrict wildcard SANs</issue>
<issue tracker="bnc" id="1247816">go1.21,go1.22,go1.23: go1.x toolchain packages shorten bootstrap chain to go1.21 bootstrapped with gccgo</issue>
<issue tracker="bnc" id="1256816">VUL-0: CVE-2025-61728: go1.24,go1.25: archive/zip: denial of service when parsing arbitrary ZIP archives</issue>
<issue tracker="cve" id="2025-68121"/>
<issue tracker="cve" id="2025-4674"/>
<issue tracker="cve" id="2025-61726"/>
<issue tracker="cve" id="2025-47910"/>
<issue tracker="cve" id="2025-61729"/>
<issue tracker="cve" id="2025-58189"/>
<issue tracker="cve" id="2025-61727"/>
<issue tracker="cve" id="2025-68119"/>
<issue tracker="cve" id="2025-58188"/>
<issue tracker="cve" id="2025-61728"/>
<issue tracker="cve" id="2025-47906"/>
<issue tracker="cve" id="2025-58185"/>
<issue tracker="cve" id="2025-58186"/>
<issue tracker="cve" id="2025-58187"/>
<issue tracker="cve" id="2025-47912"/>
<issue tracker="cve" id="2025-61731"/>
<issue tracker="cve" id="2025-61724"/>
<issue tracker="cve" id="2025-61730"/>
<issue tracker="cve" id="2025-61723"/>
<issue tracker="cve" id="2025-61725"/>
<issue tracker="cve" id="2025-58183"/>
<issue tracker="cve" id="2025-47907"/>
<packager>jfkw</packager>
<rating>important</rating>
<category>security</category>
<summary>Security update for go1.25-openssl</summary>
<description>This update for go1.25-openssl fixes the following issues:
Update to version 1.25.6 (released 2026-01-15) (jsc#SLE-18320, bsc#1244485):
Security fixes:
- CVE-2025-4674 cmd/go: disable support for multiple vcs in one module (bsc#1246118).
- CVE-2025-47906 os/exec: LookPath bug: incorrect expansion of "", "." and ".." in some PATH configurations (bsc#1247719).
- CVE-2025-47907 database/sql: incorrect results returned from Rows.Scan (bsc#1247720).
- CVE-2025-47910 net/http: CrossOriginProtection insecure bypass patterns not limited to exact matches (bsc#1249141).
- CVE-2025-47912 net/url: insufficient validation of bracketed IPv6 hostnames (bsc#1251257).
- CVE-2025-58183 archive/tar: unbounded allocation when parsing GNU sparse map (bsc#1251261).
- CVE-2025-58185 encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion (bsc#1251258).
- CVE-2025-58186 net/http: lack of limit when parsing cookies can cause memory exhaustion (bsc#1251259).
- CVE-2025-58187 crypto/x509: quadratic complexity when checking name constraints (bsc#1251254).
- CVE-2025-58188 crypto/x509: panic when validating certificates with DSA public keys (bsc#1251260).
- CVE-2025-58189 crypto/tls: ALPN negotiation error contains attacker controlled information (bsc#1251255).
- CVE-2025-61723 encoding/pem: quadratic complexity when parsing some invalid inputs (bsc#1251256).
- CVE-2025-61724 net/textproto: excessive CPU consumption in Reader.ReadResponse (bsc#1251262).
- CVE-2025-61725 net/mail: excessive CPU consumption in ParseAddress (bsc#1251253).
- CVE-2025-61726 net/http: memory exhaustion in Request.ParseForm (bsc#1256817).
- CVE-2025-61727 crypto/x509: excluded subdomain constraint doesn't preclude wildcard SAN (bsc#1254430).
- CVE-2025-61728 archive/zip: denial of service when parsing arbitrary ZIP archives (bsc#1256816).
- CVE-2025-61729 crypto/x509: excessive resource consumption in printing error string for host certificate validation (bsc#1254431).
- CVE-2025-61730 crypto/tls: handshake messages may be processed at the incorrect encryption level (bsc#1256821).
- CVE-2025-61731 cmd/go: bypass of flag sanitization can lead to arbitrary code execution (bsc#1256819).
- CVE-2025-68119 cmd/go: unexpected code execution when invoking toolchain (bsc#1256820).
- CVE-2025-68121 crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain (bsc#1256818).
Other fixes:
* go#74822 cmd/go: "get toolchain@latest" should ignore release candidates
* go#74999 net: WriteMsgUDPAddrPort should accept IPv4-mapped IPv6 destination addresses on IPv4 UDP sockets
* go#75008 os/exec: TestLookPath fails on plan9 after CL 685755
* go#75021 testing/synctest: bubble not terminating
* go#75083 os: File.Seek doesn't set the correct offset with Windows overlapped handles
* go#75111 os, syscall: volume handles with FILE_FLAG_OVERLAPPED fail when calling ReadAt
* go#75116 os: Root.MkdirAll can return "file exists" when called concurrently on the same path
* go#75139 os: Root.OpenRoot sets incorrect name, losing prefix of original root
* go#75221 debug/pe: pe.Open fails on object files produced by llvm-mingw 21
* go#75255 cmd/compile: export to DWARF types only referenced through interfaces
* go#75347 testing/synctest: test timeout with no runnable goroutines
* go#75357 net: new test TestIPv4WriteMsgUDPAddrPortTargetAddrIPVersion fails on plan9
* go#75480 cmd/link: linker panic and relocation errors with complex generics inlining
* go#75524 crypto/internal/fips140/rsa: requires a panic if self-tests fail
* go#75537 context: Err can return non-nil before Done channel is closed
* go#75539 net/http: internal error: connCount underflow
* go#75595 cmd/compile: internal compiler error with GOEXPERIMENT=cgocheck2 on github.com/leodido/go-urn
* go#75610 sync/atomic: comment for Uintptr.Or incorrectly describes return value
* go#75669 runtime: debug.decoratemappings don't work as expected
* go#75775 runtime: build fails when run via QEMU for linux/amd64 running on linux/arm64
* go#75777 spec: Go1.25 spec should be dated closer to actual release date
* go#75790 crypto/internal/fips140/subtle: Go 1.25 subtle.xorBytes panic on MIPS
* go#75832 net/url: ipv4 mapped ipv6 addresses should be valid in square brackets
* go#75861 crypto/x509: TLS validation fails for FQDNs with trailing dot
* go#75952 encoding/pem: regression when decoding blocks with leading garbage
* go#75989 os: on windows RemoveAll removing directories containing read-only files errors with unlinkat ... Access is denied
* go#76010 cmd/compile: any(func(){})==any(func(){}) does not panic but should
* go#76029 pem/encoding: malformed line endings can cause panics
* go#76245 mime: FormatMediaType and ParseMediaType not compatible across 1.24 to 1.25
* go#76360 os: on windows RemoveAll removing directories containing read-only files errors with unlinkat ... Access is denied, ReOpenFile error handling followup
* go#76392 os: package initialization hangs is Stdin is blocked
* go#76409 crypto/tls: earlyTrafficSecret should use ClientHelloInner if ECH enabled
* go#76620 os: on Unix, Readdirnames skips directory entries with zero inodes
* go#76761 runtime: stack split at bad time in os/signal with Go 1.25.4 windows 386
* go#76776 runtime: race detector crash on ppc64le
* go#76967 cmd/compile/internal/ssa: Compile.func1(): panic during sccp while compiling <function>: runtime error: index out of range
* go#76973 errors: errors.Join behavior changed in 1.25
</description>
</patchinfo>
