Security update for go1.24 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:0431-1 Final 1 1 2025-02-11T14:13:46Z current 2025-02-11T14:13:46Z 2025-02-11T14:13:46Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for go1.24 This update for go1.24 fixes the following issues: - CVE-2025-22866: Fixed timing sidechannel for P-256 on ppc64le (bsc#1236801). - CVE-2025-22867: Fixed arbitrary code execution during build on darwin (bsc#1236839). Other fixes: - go1.2r42 release tracking (bsc#1236217) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-431,SUSE-SLE-Module-Development-Tools-15-SP6-2025-431,openSUSE-SLE-15.6-2025-431 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20250431-1/ Link for SUSE-SU-2025:0431-1 https://lists.suse.com/pipermail/sle-security-updates/2025-February/020314.html E-Mail link for SUSE-SU-2025:0431-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1236217 SUSE Bug 1236217 https://bugzilla.suse.com/1236801 SUSE Bug 1236801 https://bugzilla.suse.com/1236839 SUSE Bug 1236839 https://www.suse.com/security/cve/CVE-2025-22866/ SUSE CVE CVE-2025-22866 page https://www.suse.com/security/cve/CVE-2025-22867/ SUSE CVE CVE-2025-22867 page SUSE Linux Enterprise Module for Development Tools 15 SP6 openSUSE Leap 15.6 go1.24-1.24rc3-150000.1.6.1 go1.24-doc-1.24rc3-150000.1.6.1 go1.24-race-1.24rc3-150000.1.6.1 go1.24-1.24rc3-150000.1.6.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP6 go1.24-doc-1.24rc3-150000.1.6.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP6 go1.24-race-1.24rc3-150000.1.6.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP6 go1.24-1.24rc3-150000.1.6.1 as a component of openSUSE Leap 15.6 go1.24-doc-1.24rc3-150000.1.6.1 as a component of openSUSE Leap 15.6 go1.24-race-1.24rc3-150000.1.6.1 as a component of openSUSE Leap 15.6 Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols. CVE-2025-22866 SUSE Linux Enterprise Module for Development Tools 15 SP6:go1.24-1.24rc3-150000.1.6.1 SUSE Linux Enterprise Module for Development Tools 15 SP6:go1.24-doc-1.24rc3-150000.1.6.1 SUSE Linux Enterprise Module for Development Tools 15 SP6:go1.24-race-1.24rc3-150000.1.6.1 openSUSE Leap 15.6:go1.24-1.24rc3-150000.1.6.1 openSUSE Leap 15.6:go1.24-doc-1.24rc3-150000.1.6.1 openSUSE Leap 15.6:go1.24-race-1.24rc3-150000.1.6.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250431-1/ https://www.suse.com/security/cve/CVE-2025-22866.html CVE-2025-22866 https://bugzilla.suse.com/1236801 SUSE Bug 1236801 On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the @executable_path, @loader_path, or @rpath special values in a "#cgo LDFLAGS" directive. This issue only affected go1.24rc2. CVE-2025-22867 SUSE Linux Enterprise Module for Development Tools 15 SP6:go1.24-1.24rc3-150000.1.6.1 SUSE Linux Enterprise Module for Development Tools 15 SP6:go1.24-doc-1.24rc3-150000.1.6.1 SUSE Linux Enterprise Module for Development Tools 15 SP6:go1.24-race-1.24rc3-150000.1.6.1 openSUSE Leap 15.6:go1.24-1.24rc3-150000.1.6.1 openSUSE Leap 15.6:go1.24-doc-1.24rc3-150000.1.6.1 openSUSE Leap 15.6:go1.24-race-1.24rc3-150000.1.6.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250431-1/ https://www.suse.com/security/cve/CVE-2025-22867.html CVE-2025-22867 https://bugzilla.suse.com/1236839 SUSE Bug 1236839