SUSE-SU-2025:02837-1

Описание

This update for go1.24-openssl fixes the following issues:

Updated to go1.24.6 (released 2025-08-06) (bsc#1236217):

• CVE-2025-4674: Fixed unexpected command execution in untrusted VCS repositories in cmd/go (bsc#1246118)
• CVE-2025-47906: Fixed incorrect expansion of '', '.' and '..' in some PATH configurations in LookPath in osc/exec (bsc#1247719)
• CVE-2025-47907: Fixed incorrect results returned from Rows.Scan in database/sql (bsc#1247720)

Updated to version 1.24.6 cut from the go1.24-fips-release branch at the revision tagged go1.24.6-1-openssl-fips. (jsc#SLE-18320)

• Fix HKDF-Extract The latest OpenSSL in c9s/c10s requires nil salt to be passed as a hash length buffer of zeros.

Other fixes:

• cmd/compile: regression on ppc64le bit operations
• cmd/go: crash on unknown GOEXPERIMENT during toolchain selection
• cmd/link: duplicated definition of symbol github.com/ebitengine/purego.syscall15XABI0 when running with ASAN
• internal/trace: stress tests triggering suspected deadlock in tracer
• os/user:nolibgcc: TestGroupIdsTestUser failures
• runtime/pprof: crash 'cannot read stack of running goroutine' in goroutine profile
• runtime: RSS seems to have increased in Go 1.24 while the runtime accounting has not
• runtime: bad frame pointer during panic during duffcopy
• runtime: heap mspan limit is set too late, causing data race between span allocation and conservative scanning
• runtime: memlock not unlocked in all control flow paths in sysReserveAlignedSbrk
• runtime: segfaults in runtime.(*unwinder).next
• runtime: use-after-free of allpSnapshot in findRunnable