This update for go1.24-openssl fixes the following issues:
Update to version 1.24.12 (released 2026-01-15) (jsc#SLE-18320, bsc#1236217):
Security fixes:
- CVE-2025-47912: net/url: insufficient validation of bracketed IPv6 hostnames (bsc#1251257).
- CVE-2025-58183: archive/tar: unbounded allocation when parsing GNU sparse map (bsc#1251261).
- CVE-2025-58185: encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion (bsc#1251258).
- CVE-2025-58186: net/http: lack of limit when parsing cookies can cause memory exhaustion (bsc#1251259).
- CVE-2025-58187: crypto/x509: quadratic complexity when checking name constraints (bsc#1251254).
- CVE-2025-58188: crypto/x509: panic when validating certificates with DSA public keys (bsc#1251260).
- CVE-2025-58189: crypto/tls: ALPN negotiation error contains attacker controlled information (bsc#1251255).
- CVE-2025-61723: encoding/pem: quadratic complexity when parsing some invalid inputs (bsc#1251256).
- CVE-2025-61724: net/textproto: excessive CPU consumption in Reader.ReadResponse (bsc#1251262).
- CVE-2025-61725: net/mail: excessive CPU consumption in ParseAddress (bsc#1251253).
- CVE-2025-61726: net/http: memory exhaustion in Request.ParseForm (bsc#1256817).
- CVE-2025-61727: crypto/x509: excluded subdomain constraint doesn't preclude wildcard SAN (bsc#1254430).
- CVE-2025-61728: archive/zip: denial of service when parsing arbitrary ZIP archives (bsc#1256816).
- CVE-2025-61729: crypto/x509: excessive resource consumption in printing error string for host certificate validation (bsc#1254431).
- CVE-2025-61730: crypto/tls: handshake messages may be processed at the incorrect encryption level (bsc#1256821).
- CVE-2025-61731: cmd/go: bypass of flag sanitization can lead to arbitrary code execution (bsc#1256819).
- CVE-2025-68119: cmd/go: unexpected code execution when invoking toolchain (bsc#1256820).
- CVE-2025-68121: crypto/tls: Config.Clone copies automatically generated session...