This update for go1.25-openssl fixes the following issues:
Update to version 1.25.6 (released 2026-01-15) (jsc#SLE-18320, bsc#1244485):
Security fixes:
- CVE-2025-4674 cmd/go: disable support for multiple vcs in one module (bsc#1246118).
- CVE-2025-47906 os/exec: LookPath bug: incorrect expansion of '', '.' and '..' in some PATH configurations (bsc#1247719).
- CVE-2025-47907 database/sql: incorrect results returned from Rows.Scan (bsc#1247720).
- CVE-2025-47910 net/http: CrossOriginProtection insecure bypass patterns not limited to exact matches (bsc#1249141).
- CVE-2025-47912 net/url: insufficient validation of bracketed IPv6 hostnames (bsc#1251257).
- CVE-2025-58183 archive/tar: unbounded allocation when parsing GNU sparse map (bsc#1251261).
- CVE-2025-58185 encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion (bsc#1251258).
- CVE-2025-58186 net/http: lack of limit when parsing cookies can cause memory exhaustion (bsc#1251259).
- CVE-2025-58187 crypto/x509: quadratic complexity when checking name constraints (bsc#1251254).
- CVE-2025-58188 crypto/x509: panic when validating certificates with DSA public keys (bsc#1251260).
- CVE-2025-58189 crypto/tls: ALPN negotiation error contains attacker controlled information (bsc#1251255).
- CVE-2025-61723 encoding/pem: quadratic complexity when parsing some invalid inputs (bsc#1251256).
- CVE-2025-61724 net/textproto: excessive CPU consumption in Reader.ReadResponse (bsc#1251262).
- CVE-2025-61725 net/mail: excessive CPU consumption in ParseAddress (bsc#1251253).
- CVE-2025-61726 net/http: memory exhaustion in Request.ParseForm (bsc#1256817).
- CVE-2025-61727 crypto/x509: excluded subdomain constraint doesn't preclude wildcard SAN (bsc#1254430).
- CVE-2025-61728 archive/zip: denial of service when parsing arbitrary ZIP archives (bsc#1256816).
- CVE-2025-61729 crypto/x509: excessive resource consumption in printing error string for host certificate validation...