Описание
Security update for go1.23-openssl
This update for go1.23-openssl fixes the following issues:
Updated to go1.23.12 (released 2025-08-06) (bsc#1229122):
- CVE-2025-4674: Fixed unexpected command execution in untrusted VCS repositories in cmd/go (bsc#1246118)
- CVE-2025-47906: Fixed incorrect expansion of '', '.' and '..' in some PATH configurations in LookPath in osc/exec (bsc#1247719)
- CVE-2025-47907: Fixed incorrect results returned from Rows.Scan in database/sql (bsc#1247720)
Updated to version 1.23.12 cut from the go1.23-fips-release branch at the revision tagged go1.23.12-1-openssl-fips (jsc#SLE-18320)
- Fix HKDF-Extract The latest OpenSSL in c9s/c10s requires nil salt to be passed as a hash length buffer of zeros.
Other fixes:
- runtime: use-after-free of allpSnapshot in findRunnable
- runtime: segfaults in runtime.(*unwinder).next
- cmd/go: TestScript/build_trimpath_cgo fails to decode dwarf on release-branch.go1.23
- cmd/cgo/internal/testsanitizers: failures with signal: segmentation fault or exit status 66
- runtime: bad frame pointer during panic during duffcopy
- runtime: heap mspan limit is set too late, causing data race between span allocation and conservative scanning
- internal/trace: stress tests triggering suspected deadlock in tracer
- runtime/pprof: crash 'cannot read stack of running goroutine' in goroutine profile
- cmd/link: duplicated definition of symbol github.com/ebitengine/purego.syscall15XABI0 when running with ASAN
Список пакетов
SUSE Enterprise Storage 7.1
go1.23-openssl-1.23.12-150000.1.18.1
go1.23-openssl-doc-1.23.12-150000.1.18.1
go1.23-openssl-race-1.23.12-150000.1.18.1
SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS
go1.23-openssl-1.23.12-150000.1.18.1
go1.23-openssl-doc-1.23.12-150000.1.18.1
go1.23-openssl-race-1.23.12-150000.1.18.1
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS
go1.23-openssl-1.23.12-150000.1.18.1
go1.23-openssl-doc-1.23.12-150000.1.18.1
go1.23-openssl-race-1.23.12-150000.1.18.1
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS
go1.23-openssl-1.23.12-150000.1.18.1
go1.23-openssl-doc-1.23.12-150000.1.18.1
go1.23-openssl-race-1.23.12-150000.1.18.1
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS
go1.23-openssl-1.23.12-150000.1.18.1
go1.23-openssl-doc-1.23.12-150000.1.18.1
go1.23-openssl-race-1.23.12-150000.1.18.1
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS
go1.23-openssl-1.23.12-150000.1.18.1
go1.23-openssl-doc-1.23.12-150000.1.18.1
go1.23-openssl-race-1.23.12-150000.1.18.1
SUSE Linux Enterprise Server 15 SP3-LTSS
go1.23-openssl-1.23.12-150000.1.18.1
go1.23-openssl-doc-1.23.12-150000.1.18.1
go1.23-openssl-race-1.23.12-150000.1.18.1
SUSE Linux Enterprise Server 15 SP4-LTSS
go1.23-openssl-1.23.12-150000.1.18.1
go1.23-openssl-doc-1.23.12-150000.1.18.1
go1.23-openssl-race-1.23.12-150000.1.18.1
SUSE Linux Enterprise Server 15 SP5-LTSS
go1.23-openssl-1.23.12-150000.1.18.1
go1.23-openssl-doc-1.23.12-150000.1.18.1
go1.23-openssl-race-1.23.12-150000.1.18.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3
go1.23-openssl-1.23.12-150000.1.18.1
go1.23-openssl-doc-1.23.12-150000.1.18.1
go1.23-openssl-race-1.23.12-150000.1.18.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4
go1.23-openssl-1.23.12-150000.1.18.1
go1.23-openssl-doc-1.23.12-150000.1.18.1
go1.23-openssl-race-1.23.12-150000.1.18.1
SUSE Linux Enterprise Server for SAP Applications 15 SP5
go1.23-openssl-1.23.12-150000.1.18.1
go1.23-openssl-doc-1.23.12-150000.1.18.1
go1.23-openssl-race-1.23.12-150000.1.18.1
Ссылки
- Link for SUSE-SU-2025:02812-1
- E-Mail link for SUSE-SU-2025:02812-1
- SUSE Security Ratings
- SUSE Bug 1229122
- SUSE Bug 1246118
- SUSE Bug 1247719
- SUSE Bug 1247720
- SUSE Bug 1247816
- SUSE CVE CVE-2025-4674 page
- SUSE CVE CVE-2025-47906 page
- SUSE CVE CVE-2025-47907 page
Описание
The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected.
Затронутые продукты
SUSE Enterprise Storage 7.1:go1.23-openssl-1.23.12-150000.1.18.1
SUSE Enterprise Storage 7.1:go1.23-openssl-doc-1.23.12-150000.1.18.1
SUSE Enterprise Storage 7.1:go1.23-openssl-race-1.23.12-150000.1.18.1
SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:go1.23-openssl-1.23.12-150000.1.18.1
Ссылки
- CVE-2025-4674
- SUSE Bug 1246118
Описание
unknown
Затронутые продукты
SUSE Enterprise Storage 7.1:go1.23-openssl-1.23.12-150000.1.18.1
SUSE Enterprise Storage 7.1:go1.23-openssl-doc-1.23.12-150000.1.18.1
SUSE Enterprise Storage 7.1:go1.23-openssl-race-1.23.12-150000.1.18.1
SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:go1.23-openssl-1.23.12-150000.1.18.1
Ссылки
- CVE-2025-47906
- SUSE Bug 1247719
Описание
Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.
Затронутые продукты
SUSE Enterprise Storage 7.1:go1.23-openssl-1.23.12-150000.1.18.1
SUSE Enterprise Storage 7.1:go1.23-openssl-doc-1.23.12-150000.1.18.1
SUSE Enterprise Storage 7.1:go1.23-openssl-race-1.23.12-150000.1.18.1
SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:go1.23-openssl-1.23.12-150000.1.18.1
Ссылки
- CVE-2025-47907
- SUSE Bug 1247720