Security update for go1.22 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:0392-1 Final 1 1 2025-02-10T07:34:18Z current 2025-02-10T07:34:18Z 2025-02-10T07:34:18Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for go1.22 This update for go1.22 fixes the following issues: - CVE-2025-22866: Fixed timing sidechannel for P-256 on ppc64le (bsc#1236801). Bug fixes: - go1.22 release tracking (bsc#1218424) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-392,SUSE-SLE-Module-Development-Tools-15-SP6-2025-392,openSUSE-SLE-15.6-2025-392 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20250392-1/ Link for SUSE-SU-2025:0392-1 https://lists.suse.com/pipermail/sle-security-updates/2025-February/020294.html E-Mail link for SUSE-SU-2025:0392-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1218424 SUSE Bug 1218424 https://bugzilla.suse.com/1236801 SUSE Bug 1236801 https://www.suse.com/security/cve/CVE-2025-22866/ SUSE CVE CVE-2025-22866 page SUSE Linux Enterprise Module for Development Tools 15 SP6 openSUSE Leap 15.6 go1.22-1.22.12-150000.1.42.1 go1.22-doc-1.22.12-150000.1.42.1 go1.22-race-1.22.12-150000.1.42.1 go1.22-1.22.12-150000.1.42.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP6 go1.22-doc-1.22.12-150000.1.42.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP6 go1.22-race-1.22.12-150000.1.42.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP6 go1.22-1.22.12-150000.1.42.1 as a component of openSUSE Leap 15.6 go1.22-doc-1.22.12-150000.1.42.1 as a component of openSUSE Leap 15.6 go1.22-race-1.22.12-150000.1.42.1 as a component of openSUSE Leap 15.6 Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols. CVE-2025-22866 SUSE Linux Enterprise Module for Development Tools 15 SP6:go1.22-1.22.12-150000.1.42.1 SUSE Linux Enterprise Module for Development Tools 15 SP6:go1.22-doc-1.22.12-150000.1.42.1 SUSE Linux Enterprise Module for Development Tools 15 SP6:go1.22-race-1.22.12-150000.1.42.1 openSUSE Leap 15.6:go1.22-1.22.12-150000.1.42.1 openSUSE Leap 15.6:go1.22-doc-1.22.12-150000.1.42.1 openSUSE Leap 15.6:go1.22-race-1.22.12-150000.1.42.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250392-1/ https://www.suse.com/security/cve/CVE-2025-22866.html CVE-2025-22866 https://bugzilla.suse.com/1236801 SUSE Bug 1236801