SUSE-SU-2025:21193-1

Details

This update for go1.24 fixes the following issues:

Update to go1.24.11.

Security issues fixed:

CVE-2025-47912: net/url: insufficient validation of bracketed IPv6 hostnames (bsc#1251257).
CVE-2025-58183: archive/tar: unbounded allocation when parsing GNU sparse map (bsc#1251261).
CVE-2025-58185: encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion (bsc#1251258).
CVE-2025-58186: net/http: lack of limit when parsing cookies can cause memory exhaustion (bsc#1251259).
CVE-2025-58187: crypto/x509: quadratic complexity when checking name constraints (bsc#1251254).
CVE-2025-58188: crypto/x509: panic when validating certificates with DSA public keys (bsc#1251260).
CVE-2025-58189: crypto/tls: ALPN negotiation error contains attacker controlled information (bsc#1251255).
CVE-2025-61723: encoding/pem: quadratic complexity when parsing some invalid inputs (bsc#1251256).
CVE-2025-61724: net/textproto: excessive CPU consumption in Reader.ReadResponse (bsc#1251262).
CVE-2025-61725: net/mail: excessive CPU consumption in ParseAddress (bsc#1251253).
CVE-2025-61727: crypto/x509: excluded subdomain constraint doesn't preclude wildcard SAN (bsc#1254430).
CVE-2025-61729: crypto/x509: excessive resource consumption in printing error string for host certificate validation (bsc#1254431).

Other issues fixed and changes:

Version 1.24.11:
- go#76378 internal/cpu: incorrect CPU features bit parsing on loong64 cause illegal instruction core dumps on LA364 cores
Version 1.24.10:
- go#75831 net/url: ipv4 mapped ipv6 addresses should be valid in square brackets
- go#75951 encoding/pem: regression when decoding blocks with leading garbage
- go#76028 pem/encoding: malformed line endings can cause panics
Version 1.24.9:
- go#75860 crypto/x509: TLS validation fails for FQDNs with trailing dot
Version 1.24.8:
- go#75138 os: Root.OpenRoot sets incorrect name, losing prefix of original root
- go#75220 debug/pe: pe.Open fails on object files produced by llvm-mingw 21
- go#75351 cmd/link: panic on riscv64 with CGO enabled due to empty container symbol
- go#75356 net: new test TestIPv4WriteMsgUDPAddrPortTargetAddrIPVersion fails on plan9
- go#75359 os: new test TestOpenFileCreateExclDanglingSymlink fails on Plan 9
- go#75523 crypto/internal/fips140/rsa: requires a panic if self-tests fail
- go#75538 net/http: internal error: connCount underflow
- go#75594 cmd/compile: internal compiler error with GOEXPERIMENT=cgocheck2 on github.com/leodido/go-urn
- go#75609 sync/atomic: comment for Uintptr.Or incorrectly describes return value
Version 1.24.7:
- go#75007 os/exec: TestLookPath fails on plan9 after CL 685755
- go#74821 cmd/go: "get toolchain@latest" should ignore release candidates
- go#74818 net: WriteMsgUDPAddrPort should accept IPv4-mapped IPv6 destination addresses on IPv4 UDP sockets
Packaging: migrate from update-alternatives to libalternatives (bsc#1245878).
Package svgpan.js to fix issues with "go tool pprof" (bsc#1249985).
Drop unused gccgo bootstrap code in go1.22+ (bsc#1248082).

Affected Packages

SUSE:Linux Enterprise Server 16.0go1.24

Fixed in:

1.24.11-160000.1.1

SUSE:Linux Enterprise Server 16.0go1.24-doc

Fixed in:

1.24.11-160000.1.1

SUSE:Linux Enterprise Server 16.0go1.24-libstd

Fixed in:

1.24.11-160000.1.1

SUSE:Linux Enterprise Server 16.0go1.24-race

Fixed in:

1.24.11-160000.1.1

SUSE:Linux Enterprise Server for SAP applications 16.0go1.24

Fixed in:

1.24.11-160000.1.1

SUSE:Linux Enterprise Server for SAP applications 16.0go1.24-doc

Fixed in:

1.24.11-160000.1.1

SUSE:Linux Enterprise Server for SAP applications 16.0go1.24-libstd

Fixed in:

1.24.11-160000.1.1

SUSE:Linux Enterprise Server for SAP applications 16.0go1.24-race

Fixed in:

1.24.11-160000.1.1

References

SUSE-SU-2025:21193-1

Details

Affected Packages

References

Upstream

Related

Ecosystems

Timeline