Security update for govulncheck-vulndb SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:0354-1 Final 1 1 2026-01-30T18:33:35Z current 2026-01-30T18:33:35Z 2026-01-30T18:33:35Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for govulncheck-vulndb This update for govulncheck-vulndb fixes the following issues: Update to version 0.0.20260128T190828 2026-01-28T19:08:28Z (jsc#PED-11136): Go CVE Numbering Authority IDs added or updated with aliases: * GO-2026-4338 CVE-2025-68119 CVE-2025-68119 * GO-2026-4339 CVE-2025-61731 CVE-2025-61731 * GO-2026-4340 CVE-2025-61730 CVE-2025-61730 * GO-2026-4341 CVE-2025-61726 CVE-2025-61726 * GO-2026-4342 CVE-2025-61728 CVE-2025-61728 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2026-354,openSUSE-SLE-15.6-2026-354 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-20260354-1/ Link for SUSE-SU-2026:0354-1 https://lists.suse.com/pipermail/sle-security-updates/2026-February/024002.html E-Mail link for SUSE-SU-2026:0354-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2025-61726/ SUSE CVE CVE-2025-61726 page https://www.suse.com/security/cve/CVE-2025-61728/ SUSE CVE CVE-2025-61728 page https://www.suse.com/security/cve/CVE-2025-61730/ SUSE CVE CVE-2025-61730 page https://www.suse.com/security/cve/CVE-2025-61731/ SUSE CVE CVE-2025-61731 page https://www.suse.com/security/cve/CVE-2025-68119/ SUSE CVE CVE-2025-68119 page openSUSE Leap 15.6 The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption. CVE-2025-61726 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260354-1/ https://www.suse.com/security/cve/CVE-2025-61726.html CVE-2025-61726 https://bugzilla.suse.com/1256817 SUSE Bug 1256817 archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive. CVE-2025-61728 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260354-1/ https://www.suse.com/security/cve/CVE-2025-61728.html CVE-2025-61728 https://bugzilla.suse.com/1256816 SUSE Bug 1256816 During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake. CVE-2025-61730 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260354-1/ https://www.suse.com/security/cve/CVE-2025-61730.html CVE-2025-61730 https://bugzilla.suse.com/1256821 SUSE Bug 1256821 Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location. CVE-2025-61731 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260354-1/ https://www.suse.com/security/cve/CVE-2025-61731.html CVE-2025-61731 https://bugzilla.suse.com/1256819 SUSE Bug 1256819 Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This issue can also be triggered by providing a malicious version string to the toolchain. On systems with Git installed, downloading and building modules with malicious version strings can allow an attacker to write to arbitrary files on the filesystem. This can only be triggered by explicitly providing the malicious version strings to the toolchain and does not affect usage of @latest or bare module paths. CVE-2025-68119 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260354-1/ https://www.suse.com/security/cve/CVE-2025-68119.html CVE-2025-68119 https://bugzilla.suse.com/1256820 SUSE Bug 1256820