File _patchinfo of Package patchinfo.40124
<patchinfo incident="40124">
<issue tracker="jsc" id="SLE-18320"/>
<issue tracker="bnc" id="1247720">VUL-0: CVE-2025-47907: go1.23,go1.24,go1.25: database/sql: incorrect results returned from Rows.Scan</issue>
<issue tracker="bnc" id="1247719">VUL-0: CVE-2025-47906: go1.23,go1.24,go1.25: os/exec: LookPath may return unexpected paths</issue>
<issue tracker="bnc" id="1236217">go1.24 release tracking</issue>
<issue tracker="bnc" id="1246118">VUL-0: CVE-2025-4674: go1.23,go1.24,go1.25: cmd/go: unexpected command execution in untrusted VCS repositories</issue>
<issue tracker="cve" id="2025-47907"/>
<issue tracker="cve" id="2025-4674"/>
<issue tracker="cve" id="2025-47906"/>
<packager>jfkw</packager>
<rating>important</rating>
<category>security</category>
<summary>Security update for go1.24-openssl</summary>
<description>This update for go1.24-openssl fixes the following issues:
Updated to go1.24.6 (released 2025-08-06) (bsc#1236217):
- CVE-2025-4674: Fixed unexpected command execution in untrusted VCS repositories in cmd/go (bsc#1246118)
- CVE-2025-47906: Fixed incorrect expansion of "", "." and ".." in some PATH configurations in LookPath in os/exec (bsc#1247719)
- CVE-2025-47907: Fixed incorrect results returned from Rows.Scan in database/sql (bsc#1247720)
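Because CVE-2025-47906 concerns what LookPath returns when PATH holds relative entries ("", "." or ".."), the Go example below shows the check a caller can make independently of the fix: skip relative PATH entries entirely, and when calling exec.LookPath directly, treat exec.ErrDot as a refusal rather than an error to ignore. This is an added example written for this advisory, not code from the Go project or from the update; LookPathAbs and StdlibLookup are names chosen here, and the helper assumes Unix PATH semantics and Go 1.19 or later (exec.ErrDot).

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// LookPathAbs resolves a bare program name against pathEnv (a PATH-style
// list) but consults only absolute directory entries. Relative entries such
// as "", "." and ".." are skipped and handed back to the caller, so a binary
// that merely sits in the current working directory is never selected.
// Hardening helper written for this advisory (assumption: Unix PATH rules);
// it is not part of the Go standard library.
func LookPathAbs(name, pathEnv string) (path string, skipped []string, err error) {
	if name == "" || name == "." || name == ".." || filepath.Base(name) != name {
		return "", nil, fmt.Errorf("lookpathabs: %q must be a bare program name", name)
	}
	for _, dir := range filepath.SplitList(pathEnv) {
		if !filepath.IsAbs(dir) {
			skipped = append(skipped, dir)
			continue
		}
		candidate := filepath.Join(dir, name)
		// candidate contains a separator, so exec.LookPath does not walk PATH
		// again; it only checks that the file exists and is executable.
		if p, lookErr := exec.LookPath(candidate); lookErr == nil {
			return p, skipped, nil
		}
	}
	return "", skipped, fmt.Errorf("lookpathabs: %q not in any absolute PATH entry: %w", name, exec.ErrNotFound)
}

// StdlibLookup shows the check exec.LookPath itself offers: since Go 1.19 a
// match reached through a relative PATH entry is returned together with
// exec.ErrDot. Callers should refuse to run such a path instead of
// discarding the error.
func StdlibLookup(name string) (path string, viaDot bool, err error) {
	path, err = exec.LookPath(name)
	if errors.Is(err, exec.ErrDot) {
		return path, true, nil
	}
	return path, false, err
}

func main() {
	pathEnv := os.Getenv("PATH")
	p, skipped, err := LookPathAbs("sh", pathEnv)
	fmt.Printf("LookPathAbs(sh): path=%q skipped=%q err=%v\n", p, skipped, err)
	p, viaDot, err := StdlibLookup("sh")
	fmt.Printf("exec.LookPath(sh): path=%q viaDot=%v err=%v\n", p, viaDot, err)
}
```

Running the block prints where sh resolves under each lookup; on a PATH made only of absolute directories both agree, skipped is empty and viaDot is false. Prepending ":" or "." to PATH makes LookPathAbs report the skipped entries while StdlibLookup still returns whatever the installed Go version's LookPath picks.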
Updated to version 1.24.6 cut from the go1.24-fips-release
branch at the revision tagged go1.24.6-1-openssl-fips. (jsc#SLE-18320)
- Fix HKDF-Extract: the latest OpenSSL in c9s/c10s requires a nil salt to be passed as a hash-length buffer of zeros.
Other fixes:
- cmd/compile: regression on ppc64le bit operations
- cmd/go: crash on unknown GOEXPERIMENT during toolchain selection
- cmd/link: duplicated definition of symbol github.com/ebitengine/purego.syscall15XABI0 when running with ASAN
- internal/trace: stress tests triggering suspected deadlock in tracer
- os/user: nolibgcc: TestGroupIdsTestUser failures
- runtime/pprof: crash "cannot read stack of running goroutine" in goroutine profile
- runtime: RSS seems to have increased in Go 1.24 while the runtime accounting has not
- runtime: bad frame pointer during panic during duffcopy
- runtime: heap mspan limit is set too late, causing data race between span allocation and conservative scanning
- runtime: memlock not unlocked in all control flow paths in sysReserveAlignedSbrk
- runtime: segfaults in runtime.(*unwinder).next
- runtime: use-after-free of allpSnapshot in findRunnable
</description>
</patchinfo>