SUSE-SU-2025:03547-1

Описание

This update for go1.25 fixes the following issues:

go1.25.2 (released 2025-10-07) includes security fixes to the archive/tar, crypto/tls, crypto/x509, encoding/asn1, encoding/pem, net/http, net/mail, net/textproto, and net/url packages, as well as bug fixes to the compiler, the runtime, and the context, debug/pe, net/http, os, and sync/atomic packages. (bsc#1244485)

CVE-2025-58189 CVE-2025-61725 CVE-2025-58188 CVE-2025-58185 CVE-2025-58186 CVE-2025-61723 CVE-2025-58183 CVE-2025-47912 CVE-2025-58187 CVE-2025-61724:

• bsc#1251255 CVE-2025-58189: crypto/tls: ALPN negotiation error contains attacker controlled information

• bsc#1251253 CVE-2025-61725: net/mail: excessive CPU consumption in ParseAddress

• bsc#1251260 CVE-2025-58188: crypto/x509: panic when validating certificates with DSA public keys

• bsc#1251258 CVE-2025-58185: encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion

• bsc#1251259 CVE-2025-58186: net/http: lack of limit when parsing cookies can cause memory exhaustion

• bsc#1251256 CVE-2025-61723: encoding/pem: quadratic complexity when parsing some invalid inputs

• bsc#1251261 CVE-2025-58183: archive/tar: unbounded allocation when parsing GNU sparse map

• bsc#1251257 CVE-2025-47912: net/url: insufficient validation of bracketed IPv6 hostnames

• bsc#1251254 CVE-2025-58187: crypto/x509: quadratic complexity when checking name constraints

• bsc#1251262 CVE-2025-61724: net/textproto: excessive CPU consumption in Reader.ReadResponse

• go#75111 os, syscall: volume handles with FILE_FLAG_OVERLAPPED fail when calling ReadAt

• go#75116 os: Root.MkdirAll can return 'file exists' when called concurrently on the same path

• go#75139 os: Root.OpenRoot sets incorrect name, losing prefix of original root

• go#75221 debug/pe: pe.Open fails on object files produced by llvm-mingw 21

• go#75255 cmd/compile: export to DWARF types only referenced through interfaces

• go#75347 testing/synctest: test timeout with no runnable goroutines

• go#75357 net: new test TestIPv4WriteMsgUDPAddrPortTargetAddrIPVersion fails on plan9

• go#75524 crypto/internal/fips140/rsa: requires a panic if self-tests fail

• go#75537 context: Err can return non-nil before Done channel is closed

• go#75539 net/http: internal error: connCount underflow

• go#75595 cmd/compile: internal compiler error with GOEXPERIMENT=cgocheck2 on github.com/leodido/go-urn

• go#75610 sync/atomic: comment for Uintptr.Or incorrectly describes return value

• go#75669 runtime: debug.decoratemappings don't work as expected