openSUSE-SU-2026:20496-1

Опубликовано: 16 апр. 2026

Источник: suse-cvrf

Описание

Security update for go1.25

This update for go1.25 fixes the following issues:

Update to go1.25.8 (bsc#1244485):

CVE-2026-25679: net/url: reject IPv6 literal not at start of host (bsc#1259264).
CVE-2026-27139: os: FileInfo can escape from a Root (bsc#1259268).
CVE-2026-27142: html/template: URLs in meta content attribute actions are not escaped (bsc#1259265).

Changelog:

go#77253 cmd/compile: miscompile of global array initialization
go#77406 os: Go 1.25.x regression on RemoveAll for windows
go#77413 runtime: netpollinit() incorrectly prints the error from linux.Eventfd
go#77438 cmd/go: CGO compilation fails after upgrading from Go 1.25.5 to 1.25.6 due to --define-variable flag in pkg-config
go#77531 net/smtp: expiry date of localhostCert for testing is too short

Список пакетов

openSUSE Leap 16.0

go1.25-1.25.8-160000.1.1

go1.25-doc-1.25.8-160000.1.1

go1.25-libstd-1.25.8-160000.1.1

go1.25-race-1.25.8-160000.1.1

Ссылки

https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1244485
SUSE Bug 1244485
https://bugzilla.suse.com/1259264
SUSE Bug 1259264
https://bugzilla.suse.com/1259265
SUSE Bug 1259265
https://bugzilla.suse.com/1259268
SUSE Bug 1259268
https://www.suse.com/security/cve/CVE-2026-25679/
SUSE CVE CVE-2026-25679 page
https://www.suse.com/security/cve/CVE-2026-27139/
SUSE CVE CVE-2026-27139 page
https://www.suse.com/security/cve/CVE-2026-27142/
SUSE CVE CVE-2026-27142 page

Описание

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

Затронутые продукты

openSUSE Leap 16.0:go1.25-1.25.8-160000.1.1

openSUSE Leap 16.0:go1.25-doc-1.25.8-160000.1.1

openSUSE Leap 16.0:go1.25-libstd-1.25.8-160000.1.1

openSUSE Leap 16.0:go1.25-race-1.25.8-160000.1.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-25679.html
CVE-2026-25679
https://bugzilla.suse.com/1259264
SUSE Bug 1259264

Описание

On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.

Затронутые продукты

openSUSE Leap 16.0:go1.25-1.25.8-160000.1.1

openSUSE Leap 16.0:go1.25-doc-1.25.8-160000.1.1

openSUSE Leap 16.0:go1.25-libstd-1.25.8-160000.1.1

openSUSE Leap 16.0:go1.25-race-1.25.8-160000.1.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-27139.html
CVE-2026-27139
https://bugzilla.suse.com/1259268
SUSE Bug 1259268

Описание

Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.

Затронутые продукты

openSUSE Leap 16.0:go1.25-1.25.8-160000.1.1

openSUSE Leap 16.0:go1.25-doc-1.25.8-160000.1.1

openSUSE Leap 16.0:go1.25-libstd-1.25.8-160000.1.1

openSUSE Leap 16.0:go1.25-race-1.25.8-160000.1.1

Ссылки

https://www.suse.com/security/cve/CVE-2026-27142.html
CVE-2026-27142
https://bugzilla.suse.com/1259265
SUSE Bug 1259265

openSUSE-SU-2026:20496-1

Описание

Список пакетов

openSUSE Leap 16.0

Ссылки

Уязвимость: CVE-2026-25679

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2026-27139

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2026-27142

Описание

Затронутые продукты

Ссылки