{"affected":[{"ecosystem_specific":{"binaries":[{"go1.25-openssl":"1.25.6-150600.13.9.1","go1.25-openssl-doc":"1.25.6-150600.13.9.1","go1.25-openssl-race":"1.25.6-150600.13.9.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Development Tools 15 SP7","name":"go1.25-openssl","purl":"pkg:rpm/suse/go1.25-openssl&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP7"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.25.6-150600.13.9.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"go1.25-openssl":"1.25.6-150600.13.9.1","go1.25-openssl-doc":"1.25.6-150600.13.9.1","go1.25-openssl-race":"1.25.6-150600.13.9.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server 15 SP6-LTSS","name":"go1.25-openssl","purl":"pkg:rpm/suse/go1.25-openssl&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP6-LTSS"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.25.6-150600.13.9.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"go1.25-openssl":"1.25.6-150600.13.9.1","go1.25-openssl-doc":"1.25.6-150600.13.9.1","go1.25-openssl-race":"1.25.6-150600.13.9.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server for SAP Applications 15 SP6","name":"go1.25-openssl","purl":"pkg:rpm/suse/go1.25-openssl&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP6"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.25.6-150600.13.9.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"go1.25-openssl":"1.25.6-150600.13.9.1","go1.25-openssl-doc":"1.25.6-150600.13.9.1","go1.25-openssl-race":"1.25.6-150600.13.9.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.6","name":"go1.25-openssl","purl":"pkg:rpm/opensuse/go1.25-openssl&distro=openSUSE%20Leap%2015.6"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.25.6-150600.13.9.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for go1.25-openssl fixes the following issues:\n\nUpdate to version 1.25.6 (released 2026-01-15) (jsc#SLE-18320, bsc#1244485):\n\nSecurity fixes:\n\n - CVE-2025-4674 cmd/go: disable support for multiple vcs in one module (bsc#1246118).\n - CVE-2025-47906 os/exec: LookPath bug: incorrect expansion of '', '.' and '..' in some PATH configurations (bsc#1247719).\n - CVE-2025-47907 database/sql: incorrect results returned from Rows.Scan (bsc#1247720).\n - CVE-2025-47910 net/http: CrossOriginProtection insecure bypass patterns not limited to exact matches (bsc#1249141).\n - CVE-2025-47912 net/url: insufficient validation of bracketed IPv6 hostnames (bsc#1251257).\n - CVE-2025-58183 archive/tar: unbounded allocation when parsing GNU sparse map (bsc#1251261).\n - CVE-2025-58185 encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion (bsc#1251258).\n - CVE-2025-58186 net/http: lack of limit when parsing cookies can cause memory exhaustion (bsc#1251259).\n - CVE-2025-58187 crypto/x509: quadratic complexity when checking name constraints (bsc#1251254).\n - CVE-2025-58188 crypto/x509: panic when validating certificates with DSA public keys (bsc#1251260).\n - CVE-2025-58189 crypto/tls: ALPN negotiation error contains attacker controlled information (bsc#1251255).\n - CVE-2025-61723 encoding/pem: quadratic complexity when parsing some invalid inputs (bsc#1251256).\n - CVE-2025-61724 net/textproto: excessive CPU consumption in Reader.ReadResponse (bsc#1251262).\n - CVE-2025-61725 net/mail: excessive CPU consumption in ParseAddress (bsc#1251253).\n - CVE-2025-61726 net/http: memory exhaustion in Request.ParseForm (bsc#1256817).\n - CVE-2025-61727 crypto/x509: excluded subdomain constraint doesn't preclude wildcard SAN (bsc#1254430).\n - CVE-2025-61728 archive/zip: denial of service when parsing arbitrary ZIP archives (bsc#1256816).\n - CVE-2025-61729 crypto/x509: excessive resource consumption in printing error string for host certificate validation (bsc#1254431).\n - CVE-2025-61730 crypto/tls: handshake messages may be processed at the incorrect encryption level (bsc#1256821).\n - CVE-2025-61731 cmd/go: bypass of flag sanitization can lead to arbitrary code execution (bsc#1256819).\n - CVE-2025-68119 cmd/go: unexpected code execution when invoking toolchain (bsc#1256820).\n - CVE-2025-68121 crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain (bsc#1256818).\n\nOther fixes:\n\n  * go#74822 cmd/go: 'get toolchain@latest' should ignore release candidates\n  * go#74999 net: WriteMsgUDPAddrPort should accept IPv4-mapped IPv6 destination addresses on IPv4 UDP sockets\n  * go#75008 os/exec: TestLookPath fails on plan9 after CL 685755\n  * go#75021 testing/synctest: bubble not terminating\n  * go#75083 os: File.Seek doesn't set the correct offset with Windows overlapped handles\n  * go#75111 os, syscall: volume handles with FILE_FLAG_OVERLAPPED fail when calling ReadAt\n  * go#75116 os: Root.MkdirAll can return 'file exists' when called concurrently on the same path\n  * go#75139 os: Root.OpenRoot sets incorrect name, losing prefix of original root\n  * go#75221 debug/pe: pe.Open fails on object files produced by llvm-mingw 21\n  * go#75255 cmd/compile: export to DWARF types only referenced through interfaces\n  * go#75347 testing/synctest: test timeout with no runnable goroutines\n  * go#75357 net: new test TestIPv4WriteMsgUDPAddrPortTargetAddrIPVersion fails on plan9\n  * go#75480 cmd/link: linker panic and relocation errors with complex generics inlining\n  * go#75524 crypto/internal/fips140/rsa: requires a panic if self-tests fail\n  * go#75537 context: Err can return non-nil before Done channel is closed\n  * go#75539 net/http: internal error: connCount underflow\n  * go#75595 cmd/compile: internal compiler error with GOEXPERIMENT=cgocheck2 on github.com/leodido/go-urn\n  * go#75610 sync/atomic: comment for Uintptr.Or incorrectly describes return value\n  * go#75669 runtime: debug.decoratemappings don't work as expected\n  * go#75775 runtime: build fails when run via QEMU for linux/amd64 running on linux/arm64\n  * go#75777 spec: Go1.25 spec should be dated closer to actual release date\n  * go#75790 crypto/internal/fips140/subtle: Go 1.25 subtle.xorBytes panic on MIPS\n  * go#75832 net/url: ipv4 mapped ipv6 addresses should be valid in square brackets\n  * go#75861 crypto/x509: TLS validation fails for FQDNs with trailing dot\n  * go#75952 encoding/pem: regression when decoding blocks with leading garbage\n  * go#75989 os: on windows RemoveAll removing directories containing read-only files errors with unlinkat ... Access is denied\n  * go#76010 cmd/compile: any(func(){})==any(func(){}) does not panic but should\n  * go#76029 pem/encoding: malformed line endings can cause panics\n  * go#76245 mime: FormatMediaType and ParseMediaType not compatible across 1.24 to 1.25\n  * go#76360 os: on windows RemoveAll removing directories containing read-only files errors with unlinkat ... Access is denied, ReOpenFile error handling followup\n  * go#76392 os: package initialization hangs is Stdin is blocked\n  * go#76409 crypto/tls: earlyTrafficSecret should use ClientHelloInner if ECH enabled\n  * go#76620 os: on Unix, Readdirnames skips directory entries with zero inodes\n  * go#76761 runtime: stack split at bad time in os/signal with Go 1.25.4 windows 386\n  * go#76776 runtime: race detector crash on ppc64le\n  * go#76967 cmd/compile/internal/ssa: Compile.func1(): panic during sccp while compiling <function>: runtime error: index out of range\n  * go#76973 errors: errors.Join behavior changed in 1.25\n","id":"SUSE-SU-2026:0298-1","modified":"2026-01-26T16:11:04Z","published":"2026-01-26T16:11:04Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2026/suse-su-20260298-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1244485"},{"type":"REPORT","url":"https://bugzilla.suse.com/1245878"},{"type":"REPORT","url":"https://bugzilla.suse.com/1246118"},{"type":"REPORT","url":"https://bugzilla.suse.com/1247719"},{"type":"REPORT","url":"https://bugzilla.suse.com/1247720"},{"type":"REPORT","url":"https://bugzilla.suse.com/1247816"},{"type":"REPORT","url":"https://bugzilla.suse.com/1248082"},{"type":"REPORT","url":"https://bugzilla.suse.com/1249141"},{"type":"REPORT","url":"https://bugzilla.suse.com/1249985"},{"type":"REPORT","url":"https://bugzilla.suse.com/1251253"},{"type":"REPORT","url":"https://bugzilla.suse.com/1251254"},{"type":"REPORT","url":"https://bugzilla.suse.com/1251255"},{"type":"REPORT","url":"https://bugzilla.suse.com/1251256"},{"type":"REPORT","url":"https://bugzilla.suse.com/1251257"},{"type":"REPORT","url":"https://bugzilla.suse.com/1251258"},{"type":"REPORT","url":"https://bugzilla.suse.com/1251259"},{"type":"REPORT","url":"https://bugzilla.suse.com/1251260"},{"type":"REPORT","url":"https://bugzilla.suse.com/1251261"},{"type":"REPORT","url":"https://bugzilla.suse.com/1251262"},{"type":"REPORT","url":"https://bugzilla.suse.com/1254227"},{"type":"REPORT","url":"https://bugzilla.suse.com/1254430"},{"type":"REPORT","url":"https://bugzilla.suse.com/1254431"},{"type":"REPORT","url":"https://bugzilla.suse.com/1256816"},{"type":"REPORT","url":"https://bugzilla.suse.com/1256817"},{"type":"REPORT","url":"https://bugzilla.suse.com/1256818"},{"type":"REPORT","url":"https://bugzilla.suse.com/1256819"},{"type":"REPORT","url":"https://bugzilla.suse.com/1256820"},{"type":"REPORT","url":"https://bugzilla.suse.com/1256821"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-4674"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-47906"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-47907"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-47910"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-47912"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-58183"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-58185"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-58186"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-58187"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-58188"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-58189"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-61723"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-61724"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-61725"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-61726"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-61727"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-61728"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-61729"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-61730"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-61731"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-68119"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-68121"}],"related":["CVE-2025-4674","CVE-2025-47906","CVE-2025-47907","CVE-2025-47910","CVE-2025-47912","CVE-2025-58183","CVE-2025-58185","CVE-2025-58186","CVE-2025-58187","CVE-2025-58188","CVE-2025-58189","CVE-2025-61723","CVE-2025-61724","CVE-2025-61725","CVE-2025-61726","CVE-2025-61727","CVE-2025-61728","CVE-2025-61729","CVE-2025-61730","CVE-2025-61731","CVE-2025-68119","CVE-2025-68121"],"summary":"Security update for go1.25-openssl","upstream":["CVE-2025-4674","CVE-2025-47906","CVE-2025-47907","CVE-2025-47910","CVE-2025-47912","CVE-2025-58183","CVE-2025-58185","CVE-2025-58186","CVE-2025-58187","CVE-2025-58188","CVE-2025-58189","CVE-2025-61723","CVE-2025-61724","CVE-2025-61725","CVE-2025-61726","CVE-2025-61727","CVE-2025-61728","CVE-2025-61729","CVE-2025-61730","CVE-2025-61731","CVE-2025-68119","CVE-2025-68121"]}