Overview

File _patchinfo of Package patchinfo.43216

<patchinfo incident="43216">
  <!--generated with prepare-update from request 403781-->
  <issue tracker="bnc" id="1244485">go1.25 release tracking</issue>
  <issue tracker="bnc" id="1256818">VUL-0: CVE-2025-68121: go1.24,go1.25: crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain</issue>
  <issue tracker="bnc" id="1257692">VUL-0: CVE-2025-61732: go1.24,go1.25: cmd/cgo: discrepancy between Go and C/C++ comment parsing  allows for C code smuggling</issue>
  <issue tracker="bnc" id="1259264">VUL-0: CVE-2026-25679: go1.25,go1.26: net/url: reject IPv6 literal not at start of host</issue>
  <issue tracker="bnc" id="1259265">VUL-0: CVE-2026-27142: go1.25,go1.26: html/template: URLs in meta content attribute actions are not escaped</issue>
  <issue tracker="bnc" id="1259268">VUL-0: CVE-2026-27139: go1.25,go1.26: os: FileInfo can escape from a Root</issue>
  <issue tracker="cve" id="2025-61732"/>
  <issue tracker="cve" id="2025-68121"/>
  <issue tracker="cve" id="2026-25679"/>
  <issue tracker="cve" id="2026-27139"/>
  <issue tracker="cve" id="2026-27142"/>
  <issue tracker="jsc" id="SLE-18320"/>
  <category>security</category>
  <rating>critical</rating>
  <packager>jfkw</packager>
  <summary>Security update for go1.25-openssl</summary>
  <description>This update for go1.25-openssl fixes the following issues:

Update to go 1.25.8 (bsc#1244485, jsc#SLE-18320):

- CVE-2025-61732: cmd/cgo: discrepancy between Go and C/C++ comment parsing allows for C code smuggling (bsc#1257692).
- CVE-2025-68121: crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does
  not account for the expiration of full certificate chain (bsc#1256818).
- CVE-2026-25679: net/url: reject IPv6 literal not at start of host (bsc#1259264).
- CVE-2026-27139: os: FileInfo can escape from a Root (bsc#1259268).
- CVE-2026-27142: html/template: URLs in meta content attribute actions are not escaped (bsc#1259265).
  
Changelog:

 * go#77253 cmd/compile: miscompile of global array initialization
 * go#77406 os: Go 1.25.x regression on RemoveAll for windows
 * go#77413 runtime: netpollinit() incorrectly prints the error from linux.Eventfd
 * go#77438 cmd/go: CGO compilation fails after upgrading from Go 1.25.5 to 1.25.6 due to --define-variable flag in
   pkg-config
 * go#77531 net/smtp: expiry date of localhostCert for testing is too short
 * go#75844 cmd/compile: OOM killed on linux/arm64
 * go#77323 crypto/x509: single-label excluded DNS name constraints incorrectly match all wildcard SANs
 * go#77425 crypto/tls: CL 737700 broke session resumption on macOS
</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places