go1.24-1.24.8-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:16670 Final 1 1 2025-10-08T00:00:00Z current 2025-10-08T00:00:00Z 2025-10-08T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z go1.24-1.24.8-1.1 on GA media These are all security issues fixed in the go1.24-1.24.8-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-16670 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2025-47912/ SUSE CVE CVE-2025-47912 page https://www.suse.com/security/cve/CVE-2025-58183/ SUSE CVE CVE-2025-58183 page https://www.suse.com/security/cve/CVE-2025-58185/ SUSE CVE CVE-2025-58185 page https://www.suse.com/security/cve/CVE-2025-58186/ SUSE CVE CVE-2025-58186 page https://www.suse.com/security/cve/CVE-2025-58187/ SUSE CVE CVE-2025-58187 page https://www.suse.com/security/cve/CVE-2025-58188/ SUSE CVE CVE-2025-58188 page https://www.suse.com/security/cve/CVE-2025-58189/ SUSE CVE CVE-2025-58189 page https://www.suse.com/security/cve/CVE-2025-61723/ SUSE CVE CVE-2025-61723 page https://www.suse.com/security/cve/CVE-2025-61724/ SUSE CVE CVE-2025-61724 page https://www.suse.com/security/cve/CVE-2025-61725/ SUSE CVE CVE-2025-61725 page openSUSE Tumbleweed go1.24-1.24.8-1.1 go1.24-doc-1.24.8-1.1 go1.24-libstd-1.24.8-1.1 go1.24-race-1.24.8-1.1 go1.24-1.24.8-1.1 as a component of openSUSE Tumbleweed go1.24-doc-1.24.8-1.1 as a component of openSUSE Tumbleweed go1.24-libstd-1.24.8-1.1 as a component of openSUSE Tumbleweed go1.24-race-1.24.8-1.1 as a component of openSUSE Tumbleweed The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement. CVE-2025-47912 openSUSE Tumbleweed:go1.24-1.24.8-1.1 openSUSE Tumbleweed:go1.24-doc-1.24.8-1.1 openSUSE Tumbleweed:go1.24-libstd-1.24.8-1.1 openSUSE Tumbleweed:go1.24-race-1.24.8-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-47912.html CVE-2025-47912 https://bugzilla.suse.com/1251257 SUSE Bug 1251257 tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations. CVE-2025-58183 openSUSE Tumbleweed:go1.24-1.24.8-1.1 openSUSE Tumbleweed:go1.24-doc-1.24.8-1.1 openSUSE Tumbleweed:go1.24-libstd-1.24.8-1.1 openSUSE Tumbleweed:go1.24-race-1.24.8-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-58183.html CVE-2025-58183 https://bugzilla.suse.com/1251261 SUSE Bug 1251261 Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion. CVE-2025-58185 openSUSE Tumbleweed:go1.24-1.24.8-1.1 openSUSE Tumbleweed:go1.24-doc-1.24.8-1.1 openSUSE Tumbleweed:go1.24-libstd-1.24.8-1.1 openSUSE Tumbleweed:go1.24-race-1.24.8-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-58185.html CVE-2025-58185 https://bugzilla.suse.com/1251258 SUSE Bug 1251258 Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption. CVE-2025-58186 openSUSE Tumbleweed:go1.24-1.24.8-1.1 openSUSE Tumbleweed:go1.24-doc-1.24.8-1.1 openSUSE Tumbleweed:go1.24-libstd-1.24.8-1.1 openSUSE Tumbleweed:go1.24-race-1.24.8-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-58186.html CVE-2025-58186 https://bugzilla.suse.com/1251259 SUSE Bug 1251259 Due to the design of the name constraint checking algorithm, the processing time of some inputs scals non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains. CVE-2025-58187 openSUSE Tumbleweed:go1.24-1.24.8-1.1 openSUSE Tumbleweed:go1.24-doc-1.24.8-1.1 openSUSE Tumbleweed:go1.24-libstd-1.24.8-1.1 openSUSE Tumbleweed:go1.24-race-1.24.8-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-58187.html CVE-2025-58187 https://bugzilla.suse.com/1251254 SUSE Bug 1251254 Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains. CVE-2025-58188 openSUSE Tumbleweed:go1.24-1.24.8-1.1 openSUSE Tumbleweed:go1.24-doc-1.24.8-1.1 openSUSE Tumbleweed:go1.24-libstd-1.24.8-1.1 openSUSE Tumbleweed:go1.24-race-1.24.8-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-58188.html CVE-2025-58188 https://bugzilla.suse.com/1251260 SUSE Bug 1251260 When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped. CVE-2025-58189 openSUSE Tumbleweed:go1.24-1.24.8-1.1 openSUSE Tumbleweed:go1.24-doc-1.24.8-1.1 openSUSE Tumbleweed:go1.24-libstd-1.24.8-1.1 openSUSE Tumbleweed:go1.24-race-1.24.8-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-58189.html CVE-2025-58189 https://bugzilla.suse.com/1251255 SUSE Bug 1251255 The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs. CVE-2025-61723 openSUSE Tumbleweed:go1.24-1.24.8-1.1 openSUSE Tumbleweed:go1.24-doc-1.24.8-1.1 openSUSE Tumbleweed:go1.24-libstd-1.24.8-1.1 openSUSE Tumbleweed:go1.24-race-1.24.8-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-61723.html CVE-2025-61723 https://bugzilla.suse.com/1251256 SUSE Bug 1251256 The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption. CVE-2025-61724 openSUSE Tumbleweed:go1.24-1.24.8-1.1 openSUSE Tumbleweed:go1.24-doc-1.24.8-1.1 openSUSE Tumbleweed:go1.24-libstd-1.24.8-1.1 openSUSE Tumbleweed:go1.24-race-1.24.8-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-61724.html CVE-2025-61724 https://bugzilla.suse.com/1251262 SUSE Bug 1251262 The ParseAddress function constructeds domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption. CVE-2025-61725 openSUSE Tumbleweed:go1.24-1.24.8-1.1 openSUSE Tumbleweed:go1.24-doc-1.24.8-1.1 openSUSE Tumbleweed:go1.24-libstd-1.24.8-1.1 openSUSE Tumbleweed:go1.24-race-1.24.8-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-61725.html CVE-2025-61725 https://bugzilla.suse.com/1251253 SUSE Bug 1251253