Overview

File _patchinfo of Package patchinfo.41051

<patchinfo incident="41051">
  <issue tracker="bnc" id="1251260">VUL-0: CVE-2025-58188: go1.24,go1.25: crypto/x509: panic when validating certificates with DSA public keys</issue>
  <issue tracker="bnc" id="1251257">VUL-0: CVE-2025-47912: go1.24,go1.25: net/url: insufficient validation of bracketed IPv6 hostnames</issue>
  <issue tracker="bnc" id="1244485">go1.25 release tracking</issue>
  <issue tracker="bnc" id="1251258">VUL-0: CVE-2025-58185: go1.24,go1.25: encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion</issue>
  <issue tracker="bnc" id="1251259">VUL-0: CVE-2025-58186: go1.24,go1.25: net/http: lack of limit when parsing cookies can cause memory exhaustion</issue>
  <issue tracker="bnc" id="1251254">VUL-0: CVE-2025-58187: go1.24,go1.25: crypto/x509: quadratic complexity when checking name constraints</issue>
  <issue tracker="bnc" id="1251256">VUL-0: CVE-2025-61723: go1.24,go1.25: encoding/pem: quadratic complexity when parsing some invalid inputs</issue>
  <issue tracker="bnc" id="1251253">VUL-0: CVE-2025-61725: go1.24,go1.25: net/mail: excessive CPU consumption in ParseAddress</issue>
  <issue tracker="bnc" id="1251255">VUL-0: CVE-2025-58189: go1.24,go1.25: crypto/tls: ALPN negotiation errors can contain arbitrary text</issue>
  <issue tracker="bnc" id="1251262">VUL-0: CVE-2025-61724: go1.24,go1.25: net/textproto: excessive CPU consumption in Reader.ReadResponse</issue>
  <issue tracker="bnc" id="1251261">VUL-0: CVE-2025-58183: go1.24,go1.25: archive/tar: unbounded allocation when parsing GNU sparse map</issue>
  <issue tracker="cve" id="2025-58185"/>
  <issue tracker="cve" id="2025-61725"/>
  <issue tracker="cve" id="2025-61723"/>
  <issue tracker="cve" id="2025-47912"/>
  <issue tracker="cve" id="2025-58186"/>
  <issue tracker="cve" id="2025-58188"/>
  <issue tracker="cve" id="2025-58189"/>
  <issue tracker="cve" id="2025-58183"/>
  <issue tracker="cve" id="2025-58187"/>
  <issue tracker="cve" id="2025-61724"/>
  <packager>jfkw</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for go1.25</summary>
  <description>This update for go1.25 fixes the following issues:

go1.25.2 (released 2025-10-07) includes security fixes to the
archive/tar, crypto/tls, crypto/x509, encoding/asn1,
encoding/pem, net/http, net/mail, net/textproto, and net/url
packages, as well as bug fixes to the compiler, the runtime, and
the context, debug/pe, net/http, os, and sync/atomic packages.  (bsc#1244485)

  CVE-2025-58189 CVE-2025-61725 CVE-2025-58188 CVE-2025-58185 CVE-2025-58186 CVE-2025-61723 CVE-2025-58183 CVE-2025-47912 CVE-2025-58187 CVE-2025-61724:

  * bsc#1251255 CVE-2025-58189: crypto/tls: ALPN negotiation error contains attacker controlled information
  * bsc#1251253 CVE-2025-61725: net/mail: excessive CPU consumption in ParseAddress
  * bsc#1251260 CVE-2025-58188: crypto/x509: panic when validating certificates with DSA public keys
  * bsc#1251258 CVE-2025-58185: encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion
  * bsc#1251259 CVE-2025-58186: net/http: lack of limit when parsing cookies can cause memory exhaustion
  * bsc#1251256 CVE-2025-61723: encoding/pem: quadratic complexity when parsing some invalid inputs
  * bsc#1251261 CVE-2025-58183: archive/tar: unbounded allocation when parsing GNU sparse map
  * bsc#1251257 CVE-2025-47912: net/url: insufficient validation of bracketed IPv6 hostnames
  * bsc#1251254 CVE-2025-58187: crypto/x509: quadratic complexity when checking name constraints
  * bsc#1251262 CVE-2025-61724: net/textproto: excessive CPU consumption in Reader.ReadResponse

  * go#75111 os, syscall: volume handles with FILE_FLAG_OVERLAPPED fail when calling ReadAt
  * go#75116 os: Root.MkdirAll can return "file exists" when called concurrently on the same path
  * go#75139 os: Root.OpenRoot sets incorrect name, losing prefix of original root
  * go#75221 debug/pe: pe.Open fails on object files produced by llvm-mingw 21
  * go#75255 cmd/compile: export to DWARF types only referenced through interfaces
  * go#75347 testing/synctest: test timeout with no runnable goroutines
  * go#75357 net: new test TestIPv4WriteMsgUDPAddrPortTargetAddrIPVersion fails on plan9
  * go#75524 crypto/internal/fips140/rsa: requires a panic if self-tests fail
  * go#75537 context: Err can return non-nil before Done channel is closed
  * go#75539 net/http: internal error: connCount underflow
  * go#75595 cmd/compile: internal compiler error with GOEXPERIMENT=cgocheck2 on github.com/leodido/go-urn
  * go#75610 sync/atomic: comment for Uintptr.Or incorrectly describes return value
  * go#75669 runtime: debug.decoratemappings don't work as expected
</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places