{"affected":[{"ecosystem_specific":{"binaries":[{"go1.24-openssl":"1.24.6-150600.13.9.1","go1.24-openssl-doc":"1.24.6-150600.13.9.1","go1.24-openssl-race":"1.24.6-150600.13.9.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Development Tools 15 SP6","name":"go1.24-openssl","purl":"pkg:rpm/suse/go1.24-openssl&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP6"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.24.6-150600.13.9.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"go1.24-openssl":"1.24.6-150600.13.9.1","go1.24-openssl-doc":"1.24.6-150600.13.9.1","go1.24-openssl-race":"1.24.6-150600.13.9.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Development Tools 15 SP7","name":"go1.24-openssl","purl":"pkg:rpm/suse/go1.24-openssl&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP7"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.24.6-150600.13.9.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"go1.24-openssl":"1.24.6-150600.13.9.1","go1.24-openssl-doc":"1.24.6-150600.13.9.1","go1.24-openssl-race":"1.24.6-150600.13.9.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.6","name":"go1.24-openssl","purl":"pkg:rpm/opensuse/go1.24-openssl&distro=openSUSE%20Leap%2015.6"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.24.6-150600.13.9.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"\nThis security update of go1.24-openssl fixes the following issues:\n\nUpdate to version 1.24.6 cut from the go1.24-fips-release\nbranch at the revision tagged go1.24.6-1-openssl-fips.\nRefs jsc#SLE-18320\n\n* Fix HKDF-Extract The latest OpenSSL in c9s/c10s requires nil\n  salt to be passed as a hash length buffer of zeros.\n\ngo1.24.6 (released 2025-08-06) includes security fixes to the\ndatabase/sql and os/exec packages, as well as bug fixes to the\nruntime.  
( boo#1236217 go1.24 release tracking)\n\nCVE-2025-47906 CVE-2025-47907:\n\n* go#74804 go#74466 boo#1247719 security: fix CVE-2025-47906 os/exec: LookPath bug: incorrect expansion of '', '.' and '..' in some PATH configurations\n* go#74833 go#74831 boo#1247720 security: fix CVE-2025-47907 database/sql: incorrect results returned from Rows.Scan\n\n* go#73800 runtime: RSS seems to have increased in Go 1.24 while the runtime accounting has not\n* go#74416 runtime: use-after-free of allpSnapshot in findRunnable\n* go#74694 runtime: segfaults in runtime.(*unwinder).next\n* go#74760 os/user:nolibgcc: TestGroupIdsTestUser failures\n\ngo1.24.5 (released 2025-07-08) includes security fixes to the go\ncommand, as well as bug fixes to the compiler, the linker, the runtime, and\nthe go command.  ( boo#1236217 go1.24 release tracking)\n\nCVE-2025-4674:\n\n* go#74381 go#74380 boo#1246118 security: fix CVE-2025-4674 cmd/go: disable support for multiple vcs in one module\n\n* go#73908 runtime: bad frame pointer during panic during duffcopy\n* go#74098 cmd/compile: regression on ppc64le bit operations\n* go#74113 cmd/go: crash on unknown GOEXPERIMENT during toolchain selection\n* go#74290 runtime: heap mspan limit is set too late, causing data race between span allocation and conservative scanning\n* go#74294 internal/trace: stress tests triggering suspected deadlock in tracer\n* go#74346 runtime: memlock not unlocked in all control flow paths in sysReserveAlignedSbrk\n* go#74363 runtime/pprof: crash 'cannot read stack of running goroutine' in goroutine profile\n* go#74403 cmd/link: duplicated definition of symbol github.com/ebitengine/purego.syscall15XABI0 when running with ASAN\n\ngo1.24.4 (released 2025-06-05) includes security fixes to the\ncrypto/x509, net/http, and os packages, as well as bug fixes to\nthe linker, the go command, and the hash/maphash and os packages.\n( boo#1236217 go1.24 release tracking)\n\nCVE-2025-22874 CVE-2025-0913 CVE-2025-4673\n* go#73700 go#73702 
boo#1244158 security: fix CVE-2025-22874 crypto/x509: ExtKeyUsageAny bypasses policy validation\n* go#73720 go#73612 boo#1244157 security: fix CVE-2025-0913 os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows\n* go#73906 go#73816 boo#1244156 security: fix CVE-2025-4673 net/http: sensitive headers not cleared on cross-origin redirect\n\n* go#73570 os: Root.Mkdir creates directories with zero permissions on OpenBSD\n* go#73669 hash/maphash: hashing channels with purego impl. of maphash.Comparable panics\n* go#73678 runtime/debug: BuildSetting does not document DefaultGODEBUG\n* go#73809 cmd/go: add fips140 module selection mechanism\n* go#73832 cmd/link: Go 1.24.3 and 1.23.9 regression - duplicated definition of symbol dlopen\n","id":"SUSE-SU-2025:03158-1","modified":"2025-09-11T03:04:46Z","published":"2025-09-11T03:04:46Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2025/suse-su-202503158-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1236217"},{"type":"REPORT","url":"https://bugzilla.suse.com/1244156"},{"type":"REPORT","url":"https://bugzilla.suse.com/1244157"},{"type":"REPORT","url":"https://bugzilla.suse.com/1244158"},{"type":"REPORT","url":"https://bugzilla.suse.com/1246118"},{"type":"REPORT","url":"https://bugzilla.suse.com/1247719"},{"type":"REPORT","url":"https://bugzilla.suse.com/1247720"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-0913"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-22874"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-4673"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-4674"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-47906"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-47907"}],"related":["CVE-2025-0913","CVE-2025-22874","CVE-2025-4673","CVE-2025-4674","CVE-2025-47906","CVE-2025-47907"],"summary":"Security update for 
go1.24-openssl","upstream":["CVE-2025-0913","CVE-2025-22874","CVE-2025-4673","CVE-2025-4674","CVE-2025-47906","CVE-2025-47907"]}