SUSE-SU-2025:0431-1

Опубликовано: 11 фев. 2025

Источник: suse-cvrf

Описание

Security update for go1.24

This update for go1.24 fixes the following issues:

CVE-2025-22866: Fixed timing sidechannel for P-256 on ppc64le (bsc#1236801).
CVE-2025-22867: Fixed arbitrary code execution during build on darwin (bsc#1236839).

Other fixes:

go1.2r42 release tracking (bsc#1236217)

Список пакетов

SUSE Linux Enterprise Module for Development Tools 15 SP6

go1.24-1.24rc3-150000.1.6.1

go1.24-doc-1.24rc3-150000.1.6.1

go1.24-race-1.24rc3-150000.1.6.1

openSUSE Leap 15.6

go1.24-1.24rc3-150000.1.6.1

go1.24-doc-1.24rc3-150000.1.6.1

go1.24-race-1.24rc3-150000.1.6.1

Ссылки

https://www.suse.com/support/update/announcement/2025/suse-su-20250431-1/
Link for SUSE-SU-2025:0431-1
https://lists.suse.com/pipermail/sle-security-updates/2025-February/020314.html
E-Mail link for SUSE-SU-2025:0431-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1236217
SUSE Bug 1236217
https://bugzilla.suse.com/1236801
SUSE Bug 1236801
https://bugzilla.suse.com/1236839
SUSE Bug 1236839
https://www.suse.com/security/cve/CVE-2025-22866/
SUSE CVE CVE-2025-22866 page
https://www.suse.com/security/cve/CVE-2025-22867/
SUSE CVE CVE-2025-22867 page

Описание

Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols.

Затронутые продукты

SUSE Linux Enterprise Module for Development Tools 15 SP6:go1.24-1.24rc3-150000.1.6.1

SUSE Linux Enterprise Module for Development Tools 15 SP6:go1.24-doc-1.24rc3-150000.1.6.1

SUSE Linux Enterprise Module for Development Tools 15 SP6:go1.24-race-1.24rc3-150000.1.6.1

openSUSE Leap 15.6:go1.24-1.24rc3-150000.1.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-22866.html
CVE-2025-22866
https://bugzilla.suse.com/1236801
SUSE Bug 1236801

Описание

On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the @executable_path, @loader_path, or @rpath special values in a "#cgo LDFLAGS" directive. This issue only affected go1.24rc2.

Затронутые продукты

SUSE Linux Enterprise Module for Development Tools 15 SP6:go1.24-1.24rc3-150000.1.6.1

SUSE Linux Enterprise Module for Development Tools 15 SP6:go1.24-doc-1.24rc3-150000.1.6.1

SUSE Linux Enterprise Module for Development Tools 15 SP6:go1.24-race-1.24rc3-150000.1.6.1

openSUSE Leap 15.6:go1.24-1.24rc3-150000.1.6.1

Ссылки

https://www.suse.com/security/cve/CVE-2025-22867.html
CVE-2025-22867
https://bugzilla.suse.com/1236839
SUSE Bug 1236839

SUSE-SU-2025:0431-1

Описание

Список пакетов

SUSE Linux Enterprise Module for Development Tools 15 SP6

openSUSE Leap 15.6

Ссылки

Уязвимость: CVE-2025-22866

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2025-22867

Описание

Затронутые продукты

Ссылки