SUSE-SU-2025:3682-1

Описание

This update for go1.24 fixes the following issues:

go1.24.9 (released 2025-10-13) includes fixes to the crypto/x509 package. (bsc#1236217)

• crypto/x509: TLS validation fails for FQDNs with trailing dot

go1.24.8 (released 2025-10-07) includes security fixes to the archive/tar, crypto/tls, crypto/x509, encoding/asn1, encoding/pem, net/http, net/mail, net/textproto, and net/url packages, as well as bug fixes to the compiler, the linker, and the debug/pe, net/http, os, and sync/atomic packages. (bsc#1236217)

CVE-2025-58189 CVE-2025-61725 CVE-2025-58188 CVE-2025-58185 CVE-2025-58186 CVE-2025-61723 CVE-2025-58183 CVE-2025-47912 CVE-2025-58187 CVE-2025-61724:

• bsc#1251255 CVE-2025-58189: crypto/tls: ALPN negotiation error contains attacker controlled information
• bsc#1251253 CVE-2025-61725: net/mail: excessive CPU consumption in ParseAddress
• bsc#1251260 CVE-2025-58188: crypto/x509: panic when validating certificates with DSA public keys
• bsc#1251258 CVE-2025-58185: encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion
• bsc#1251259 CVE-2025-58186: net/http: lack of limit when parsing cookies can cause memory exhaustion
• bsc#1251256 CVE-2025-61723: encoding/pem: quadratic complexity when parsing some invalid inputs
• bsc#1251261 CVE-2025-58183: archive/tar: unbounded allocation when parsing GNU sparse map
• bsc#1251257 CVE-2025-47912: net/url: insufficient validation of bracketed IPv6 hostnames
• bsc#1251254 CVE-2025-58187: crypto/x509: quadratic complexity when checking name constraints
• bsc#1251262 CVE-2025-61724: net/textproto: excessive CPU consumption in Reader.ReadResponse
• os: Root.OpenRoot sets incorrect name, losing prefix of original root
• debug/pe: pe.Open fails on object files produced by llvm-mingw 21
• cmd/link: panic on riscv64 with CGO enabled due to empty container symbol
• net: new test TestIPv4WriteMsgUDPAddrPortTargetAddrIPVersion fails on plan9
• os: new test TestOpenFileCreateExclDanglingSymlink fails on Plan 9
• crypto/internal/fips140/rsa: requires a panic if self-tests fail
• net/http: internal error: connCount underflow
• cmd/compile: internal compiler error with GOEXPERIMENT=cgocheck2 on github.com/leodido/go-urn
• sync/atomic: comment for Uintptr.Or incorrectly describes return value