{"affected":[{"ecosystem_specific":{"binaries":[{"go1.23-openssl":"1.23.12-150600.13.9.1","go1.23-openssl-doc":"1.23.12-150600.13.9.1","go1.23-openssl-race":"1.23.12-150600.13.9.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Development Tools 15 SP6","name":"go1.23-openssl","purl":"pkg:rpm/suse/go1.23-openssl&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP6"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.23.12-150600.13.9.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"go1.23-openssl":"1.23.12-150600.13.9.1","go1.23-openssl-doc":"1.23.12-150600.13.9.1","go1.23-openssl-race":"1.23.12-150600.13.9.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Development Tools 15 SP7","name":"go1.23-openssl","purl":"pkg:rpm/suse/go1.23-openssl&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP7"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.23.12-150600.13.9.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"go1.23-openssl":"1.23.12-150600.13.9.1","go1.23-openssl-doc":"1.23.12-150600.13.9.1","go1.23-openssl-race":"1.23.12-150600.13.9.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.6","name":"go1.23-openssl","purl":"pkg:rpm/opensuse/go1.23-openssl&distro=openSUSE%20Leap%2015.6"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.23.12-150600.13.9.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"\nThis update for go1.23-openssl fixes the following issues:\n\nUpdate to version 1.23.12 cut from the go1.23-fips-release branch at\nthe revision tagged go1.23.12-1-openssl-fips. ( jsc#SLE-18320)\n\n * Rebase to 1.23.12\n * Fix HKDF-Extract The latest OpenSSL in c9s/c10s requires nil\n salt to be passed as a hash length buffer of zeros.\n\nPackaging improvements:\n\n * Update go_bootstrap_version to go1.21 from go1.20 to shorten\n the bootstrap chain. go1.21 can optionally be bootstrapped with\n gccgo and serve as the inital version of go1.x.\n * Refs boo#1247816 bootstrap go1.21 with gccgo\n\ngo1.23.12 (released 2025-08-06) includes security fixes to the\ndatabase/sql and os/exec packages, as well as bug fixes to the\nruntime.\n\nCVE-2025-47906 CVE-2025-47907:\n * go#74803 go#74466 boo#1247719 security: fix CVE-2025-47906 os/exec: LookPath bug: incorrect expansion of '', '.' and '..' in some PATH configurations\n * go#74832 go#74831 boo#1247720 security: fix CVE-2025-47907 database/sql: incorrect results returned from Rows.Scan\n\n * go#74415 runtime: use-after-free of allpSnapshot in findRunnable\n * go#74693 runtime: segfaults in runtime.(*unwinder).next\n * go#74721 cmd/go: TestScript/build_trimpath_cgo fails to decode dwarf on release-branch.go1.23\n * go#74726 cmd/cgo/internal/testsanitizers: failures with signal: segmentation fault or exit status 66\n\ngo1.23.11 (released 2025-07-08) includes security fixes to the go\ncommand, as well as bug fixes to the compiler, the linker, and\nthe runtime.\n\nCVE-2025-4674:\n * go#74382 go#74380 boo#1246118 security: fix CVE-2025-4674 cmd/go: disable support for multiple vcs in one module\n\n * go#73907 runtime: bad frame pointer during panic during duffcopy\n * go#74289 runtime: heap mspan limit is set too late, causing data race between span allocation and conservative scanning\n * go#74293 internal/trace: stress tests triggering suspected deadlock in tracer\n * go#74362 runtime/pprof: crash 'cannot read stack of running goroutine' in goroutine profile\n * go#74402 cmd/link: duplicated definition of symbol github.com/ebitengine/purego.syscall15XABI0 when running with ASAN\n\ngo1.23.10 (released 2025-06-05) includes security fixes to the\nnet/http and os packages, as well as bug fixes to the linker. (boo#1229122 go1.23 release tracking)\n\nCVE-2025-0913 CVE-2025-4673:\n * go#73719 go#73612 boo#1244157 security: fix CVE-2025-0913 os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows\n * go#73905 go#73816 boo#1244156 security: fix CVE-2025-4673 net/http: sensitive headers not cleared on cross-origin redirect\n\n * go#73677 runtime/debug: BuildSetting does not document DefaultGODEBUG\n * go#73831 cmd/link: Go 1.24.3 and 1.23.9 regression - duplicated definition of symbol dlopen\n\ngo1.23.9 (released 2025-05-06) includes fixes to the runtime and\nthe linker. (boo#1229122 go1.23 release tracking)\n\n * go#73091 cmd/link: linkname directive on userspace variable can override runtime variable\n * go#73380 runtime, x/sys/unix: Connectx is broken on darwin/amd64\n\ngo1.23.8 (released 2025-04-01) includes security fixes to the\nnet/http package, as well as bug fixes to the runtime and the go\ncommand.\n\n CVE-2025-22871:\n * go#72010 go#71988 boo#1240550 security: fix CVE-2025-22871 net/http: reject bare LF in chunked encoding\n\n * go#72114 runtime: process hangs for mips hardware\n * go#72871 runtime: cgo callback on extra M treated as external code after nested cgo callback returns\n * go#72937 internal/godebugs: winsymlink and winreadlinkvolume have incorrect defaults for Go 1.22\n\ngo1.23.7 (released 2025-03-04) includes security fixes to the\nnet/http package, as well as bug fixes to cgo, the compiler, and\nthe reflect, runtime, and syscall packages.\n\n CVE-2025-22870:\n * go#71985 go#71984 boo#1238572 security: fix CVE-2025-22870 net/http, x/net/proxy, x/net/http/httpproxy: proxy bypass using IPv6 zone IDs\n\n * go#71727 runtime: usleep computes wrong tv_nsec on s390x\n * go#71839 runtime: recover added in range-over-func loop body doesn't stop panic propagation / segfaults printing error\n * go#71848 os: spurious SIGCHILD on running child process\n * go#71875 reflect: Value.Seq panicking on functional iterator methods\n * go#71915 reflect: Value.Seq iteration value types not matching the type of given int types\n * go#71962 runtime/cgo: does not build with -Wdeclaration-after-statement\n\ngo1.23.6 (released 2025-02-04) includes security fixes to the\ncrypto/elliptic package, as well as bug fixes to the compiler and\nthe go command.\n\n CVE-2025-22866\n * go#71423 go#71383 boo#1236801 security: fix CVE-2025-22866 crypto/internal/fips140/nistec: p256NegCond is variable time on ppc64le\n\n * go#71263 cmd/go/internal/modfetch/codehost: test fails with git 2.47.1\n * go#71230 cmd/compile: broken write barrier\n\ngo1.23.5 (released 2025-01-16) includes security fixes to the\ncrypto/x509 and net/http packages, as well as bug fixes to the\ncompiler, the runtime, and the net package.\n\n CVE-2024-45341 CVE-2024-45336:\n * go#71208 go#71156 boo#1236045 security: fix CVE-2024-45341 crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints\n * go#71211 go#70530 boo#1236046 security: fix CVE-2024-45336 net/http: sensitive headers incorrectly sent after cross-domain redirect\n\n * go#69988 runtime: severe performance drop for cgo calls in go1.22.5\n * go#70517 cmd/compile/internal/importer: flip enable alias to true\n * go#70789 os: io.Copy(net.Conn, os.Stdin) on MacOS terminate immediately without waiting for input\n * go#71104 crypto/tls: TestVerifyConnection/TLSv12 failures\n * go#71147 internal/trace: TestTraceCPUProfile/Stress failures\n\ngo1.23.4 (released 2024-12-03) includes fixes to the compiler,\nthe runtime, the trace command, and the syscall package.\n\n * go#70644 crypto/rsa: new key generation prohibitively slow under race detector\n * go#70645 proposal: go/types: add Scope.Node convenience getter\n * go#70646 x/tools/gopls: unimported completion corrupts import decl (client=BBEdit)\n * go#70648 crypto/tls: TestHandshakeClientECDHEECDSAAESGCM/TLSv12 failures\n * go#70649 x/benchmarks/sweet/cmd/sweet: TestSweetEndToEnd failures\n * go#70650 crypto/tls: TestGetClientCertificate/TLSv13 failures\n * go#70651 x/tools/go/gcexportdata: simplify implementation assuming go >= 1.21\n * go#70654 cmd/go: Incorrect output from go list\n * go#70655 x/build/cmd/relui: add workflows for some remaining manual recurring Go major release cycle tasks\n * go#70657 proposal: bufio: Scanner.IterText/Scanner.IterBytes\n * go#70658 x/net/http2: stuck extended CONNECT requests\n * go#70659 os: TestRootDirFS failures on linux-mips64 and linux-mips64le arch-mips\n * go#70660 crypto/ecdsa: TestRFC6979 failures on s390x\n * go#70664 x/mobile: target maccatalyst cannot find OpenGLES header\n * go#70665 x/tools/gopls: refactor.extract.variable fails at package level\n * go#70666 x/tools/gopls: panic in GetIfaceStubInfo\n * go#70667 proposal: crypto/x509: support extracting X25519 public keys from certificates\n * go#70668 proposal: x/mobile: better support for unrecovered panics\n * go#70669 cmd/go: local failure in TestScript/build_trimpath_cgo\n * go#70670 cmd/link: unused functions aren't getting deadcoded from the binary\n * go#70674 x/pkgsite: package removal request for https://pkg.go.dev/github.com/uisdevsquad/go-test/debugmate\n * go#70675 cmd/go/internal/lockedfile: mountrpc flake in TestTransform on plan9\n * go#70677 all: remote file server I/O flakiness with 'Bad fid' errors on plan9\n * go#70678 internal/poll: deadlock on 'Intel(R) Xeon(R) Platinum' when an FD is closed\n * go#70679 mime/multipart: With go 1.23.3, mime/multipart does not link\n\nUpdate to version 1.23.2.3 cut from the go1.23-fips-release\nbranch at the revision tagged go1.23.2-3-openssl-fips. ( jsc#SLE-18320)\n\n* Add negative tests for openssl (#243)\n\ngo1.23.3 (released 2024-11-06) includes fixes to the linker, the runtime, and the net/http, os, and syscall packages.\n\n * go#69258 runtime: corrupted GoroutineProfile stack traces\n * go#69259 runtime: multi-arch build via qemu fails to exec go binary\n * go#69640 os: os.checkPidfd() crashes with SIGSYS\n * go#69746 runtime: TestGdbAutotmpTypes failures\n * go#69848 cmd/compile: syscall.Syscall15: nosplit stack over 792 byte limit\n * go#69865 runtime: MutexProfile missing root frames in go1.23\n * go#69882 time,runtime: too many concurrent timer firings for short time.Ticker\n * go#69978 time,runtime: too many concurrent timer firings for short, fast-resetting time.Timer\n * go#69992 cmd/link: LC_UUID not generated by go linker, resulting in failure to access local network on macOS 15\n * go#70001 net/http/pprof: coroutines + pprof makes the program panic\n * go#70020 net/http: short writes with FileServer on macos\n","id":"SUSE-SU-2025:03159-1","modified":"2025-09-11T03:05:02Z","published":"2025-09-11T03:05:02Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2025/suse-su-202503159-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1229122"},{"type":"REPORT","url":"https://bugzilla.suse.com/1236045"},{"type":"REPORT","url":"https://bugzilla.suse.com/1236046"},{"type":"REPORT","url":"https://bugzilla.suse.com/1236801"},{"type":"REPORT","url":"https://bugzilla.suse.com/1238572"},{"type":"REPORT","url":"https://bugzilla.suse.com/1240550"},{"type":"REPORT","url":"https://bugzilla.suse.com/1244156"},{"type":"REPORT","url":"https://bugzilla.suse.com/1244157"},{"type":"REPORT","url":"https://bugzilla.suse.com/1246118"},{"type":"REPORT","url":"https://bugzilla.suse.com/1247719"},{"type":"REPORT","url":"https://bugzilla.suse.com/1247720"},{"type":"REPORT","url":"https://bugzilla.suse.com/1247816"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-45336"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-45341"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-0913"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-22866"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-22870"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-22871"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-4673"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-4674"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-47906"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-47907"}],"related":["CVE-2024-45336","CVE-2024-45341","CVE-2025-0913","CVE-2025-22866","CVE-2025-22870","CVE-2025-22871","CVE-2025-4673","CVE-2025-4674","CVE-2025-47906","CVE-2025-47907"],"summary":"Security update for go1.23-openssl","upstream":["CVE-2024-45336","CVE-2024-45341","CVE-2025-0913","CVE-2025-22866","CVE-2025-22870","CVE-2025-22871","CVE-2025-4673","CVE-2025-4674","CVE-2025-47906","CVE-2025-47907"]}