openSUSE-SU-2025:20157-1

See a problem?
Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2025:20157-1.json
JSON Data
https://api.test.osv.dev/v1/vulns/openSUSE-SU-2025:20157-1
Upstream
  • CVE-2025-47910
  • CVE-2025-58183
  • CVE-2025-58186
  • CVE-2025-61725
Related
Published
2025-12-12T07:23:58Z
Modified
2026-03-12T02:07:29.758415Z
Summary
Security update for go1.25
Details

This update for go1.25 fixes the following issues:

Update to go1.25.5.

Security issues fixed:

  • CVE-2025-61729: crypto/x509: excessive resource consumption in printing error string for host certificate validation (bsc#1254431).
  • CVE-2025-61727: crypto/x509: excluded subdomain constraint doesn't preclude wildcard SAN (bsc#1254430).
  • CVE-2025-61725: net/mail: excessive CPU consumption in ParseAddress (bsc#1251253).
  • CVE-2025-61724: net/textproto: excessive CPU consumption in Reader.ReadResponse (bsc#1251262).
  • CVE-2025-61723: encoding/pem: quadratic complexity when parsing some invalid inputs (bsc#1251256).
  • CVE-2025-58189: crypto/tls: ALPN negotiation error contains attacker controlled information (bsc#1251255).
  • CVE-2025-58188: crypto/x509: panic when validating certificates with DSA public keys (bsc#1251260).
  • CVE-2025-58187: crypto/x509: quadratic complexity when checking name constraints (bsc#1251254).
  • CVE-2025-58186: net/http: lack of limit when parsing cookies can cause memory exhaustion (bsc#1251259).
  • CVE-2025-58185: encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion (bsc#1251258).
  • CVE-2025-58183: archive/tar: unbounded allocation when parsing GNU sparse map (bsc#1251261).
  • CVE-2025-47912: net/url: insufficient validation of bracketed IPv6 hostnames (bsc#1251257).
  • CVE-2025-47910: net/http: CrossOriginProtection insecure bypass patterns not limited to exact matches (bsc#1249141).

Other issues fixed and changes:

  • Version 1.25.5:

    • go#76245 mime: FormatMediaType and ParseMediaType not compatible across 1.24 to 1.25
    • go#76360 os: on windows RemoveAll removing directories containing read-only files errors with unlinkat ... Access is denied, ReOpenFile error handling followup

  • Version 1.25.4:

    • go#75480 cmd/link: linker panic and relocation errors with complex generics inlining
    • go#75775 runtime: build fails when run via QEMU for linux/amd64 running on linux/arm64
    • go#75790 crypto/internal/fips140/subtle: Go 1.25 subtle.xorBytes panic on MIPS
    • go#75832 net/url: ipv4 mapped ipv6 addresses should be valid in square brackets
    • go#75952 encoding/pem: regression when decoding blocks with leading garbage
    • go#75989 os: on windows RemoveAll removing directories containing read-only files errors with unlinkat ... Access is denied
    • go#76010 cmd/compile: any(func(){})==any(func(){}) does not panic but should
    • go#76029 pem/encoding: malformed line endings can cause panics

  • Version 1.25.3:

    • go#75861 crypto/x509: TLS validation fails for FQDNs with trailing dot
    • go#75777 spec: Go1.25 spec should be dated closer to actual release date

  • Version 1.25.2:

    • go#75111 os, syscall: volume handles with FILEFLAGOVERLAPPED fail when calling ReadAt
    • go#75116 os: Root.MkdirAll can return "file exists" when called concurrently on the same path
    • go#75139 os: Root.OpenRoot sets incorrect name, losing prefix of original root
    • go#75221 debug/pe: pe.Open fails on object files produced by llvm-mingw 21
    • go#75255 cmd/compile: export to DWARF types only referenced through interfaces
    • go#75347 testing/synctest: test timeout with no runnable goroutines
    • go#75357 net: new test TestIPv4WriteMsgUDPAddrPortTargetAddrIPVersion fails on plan9
    • go#75524 crypto/internal/fips140/rsa: requires a panic if self-tests fail
    • go#75537 context: Err can return non-nil before Done channel is closed
    • go#75539 net/http: internal error: connCount underflow
    • go#75595 cmd/compile: internal compiler error with GOEXPERIMENT=cgocheck2 on github.com/leodido/go-urn
    • go#75610 sync/atomic: comment for Uintptr.Or incorrectly describes return value
    • go#75669 runtime: debug.decoratemappings don't work as expected

  • Version 1.25.1:

    • go#74822 cmd/go: "get toolchain@latest" should ignore release candidates
    • go#74999 net: WriteMsgUDPAddrPort should accept IPv4-mapped IPv6 destination addresses on IPv4 UDP sockets
    • go#75008 os/exec: TestLookPath fails on plan9 after CL 685755
    • go#75021 testing/synctest: bubble not terminating
    • go#75083 os: File.Seek doesn't set the correct offset with Windows overlapped handles

  • Packaging: migrate from update-alternatives to libalternatives (bsc#1245878).

  • Fix runtime condition for gcc/gcc7 dependency.
  • Use at least gcc 7 for all architectures (bsc#1254227).
  • Package svgpan.js to fix issues with "go tool pprof" (boo#1249985).
  • Drop unused gccgo bootstrap code in go1.22+ (bsc#1248082).
References

Affected packages

openSUSE:Leap 16.0 / go1.25

Package

Name
go1.25
Purl
pkg:rpm/opensuse/go1.25&distro=openSUSE%20Leap%2016.0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.25.5-160000.1.1

Ecosystem specific 

{
    "binaries": [
        {
            "go1.25": "1.25.5-160000.1.1",
            "go1.25-doc": "1.25.5-160000.1.1",
            "go1.25-libstd": "1.25.5-160000.1.1",
            "go1.25-race": "1.25.5-160000.1.1"
        }
    ]
}

Database specific

source 
"https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2025:20157-1.json"