Security update for go1.24 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:01551-1 Final 1 1 2025-05-29T09:29:35Z current 2025-05-29T09:29:35Z 2025-05-29T09:29:35Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for go1.24 This update for go1.24 fixes the following issues: Update to go1.24.3 (bsc#1236217): Security fixes: - CVE-2025-22873: Fixed os.Root permits access to parent directory (bsc#1242715) Changelog: * go#73556 go#73555 security: fix CVE-2025-22873 os: Root permits access to parent directory * go#73082 os: Root.Open panics when opening a symlink referencing the root * go#73092 cmd/link: linkname directive on userspace variable can override runtime variable * go#73118 crypto/tls: ECH decodeInnerClientHello incorrectly rejects ClientHello with GREASE values in supportedVersions * go#73144 runtime: segmentation fault from vgetrandomPutState and runtime.growslice w/ runtime.OSLockThread * go#73192 runtime: -race data race map traceback report incorrect functions * go#73281 cmd/compile: program compiles to wasm but is invalid: go:wasmexport: integer too large * go#73379 runtime, x/sys/unix: Connectx is broken on darwin/amd64 * go#73440 cmd/compile: infinite loop in the inliner * go#73500 cmd/go: +dirty in version stamping doesn't combine well with +incompatible The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container bci/golang:latest-2025-1551,SUSE-2025-1551,SUSE-SLE-Module-Development-Tools-15-SP7-2025-1551 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202501551-1/ Link for SUSE-SU-2025:01551-1 https://lists.suse.com/pipermail/sle-updates/2025-May/039398.html E-Mail link for SUSE-SU-2025:01551-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1236217 SUSE Bug 1236217 https://bugzilla.suse.com/1242715 SUSE Bug 1242715 https://www.suse.com/security/cve/CVE-2025-22873/ SUSE CVE CVE-2025-22873 page Container bci/golang:latest SUSE Linux Enterprise Module for Development Tools 15 SP7 go1.24-1.24.3-150000.1.23.1 go1.24-doc-1.24.3-150000.1.23.1 go1.24-race-1.24.3-150000.1.23.1 go1.24-1.24.3-150000.1.23.1 as a component of Container bci/golang:latest go1.24-doc-1.24.3-150000.1.23.1 as a component of Container bci/golang:latest go1.24-race-1.24.3-150000.1.23.1 as a component of Container bci/golang:latest go1.24-1.24.3-150000.1.23.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP7 go1.24-doc-1.24.3-150000.1.23.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP7 go1.24-race-1.24.3-150000.1.23.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP7 ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2025-22873 Container bci/golang:latest:go1.24-1.24.3-150000.1.23.1 Container bci/golang:latest:go1.24-doc-1.24.3-150000.1.23.1 Container bci/golang:latest:go1.24-race-1.24.3-150000.1.23.1 SUSE Linux Enterprise Module for Development Tools 15 SP7:go1.24-1.24.3-150000.1.23.1 SUSE Linux Enterprise Module for Development Tools 15 SP7:go1.24-doc-1.24.3-150000.1.23.1 SUSE Linux Enterprise Module for Development Tools 15 SP7:go1.24-race-1.24.3-150000.1.23.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202501551-1/ https://www.suse.com/security/cve/CVE-2025-22873.html CVE-2025-22873 https://bugzilla.suse.com/1242715 SUSE Bug 1242715