Explore top 10 tips to secure your open-source projects now. Read More
×
This update for go1.25 fixes the following issues
- Update to version go1.25.12 (bsc#1244485).
- CVE-2026-25679: net/url: reject IPv6 literal not at start of host (bsc#1259264).
- CVE-2026-27139: os: FileInfo can escape from a Root (bsc#1259268).
- CVE-2026-27142: html/template: URLs in meta content attribute actions are not escaped (bsc#1259265).
- CVE-2026-39822: os: Root escape via symlink plus trailing slash (bsc#1271014).
- CVE-2026-42505: crypto/tls: omit PSK in ECH outer client hello (bsc#1271015).
Patch instructions:
To install this openSUSE security update use the suse recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-1228=1
- openSUSE Leap 16.0:
go1.25-1.25.12-160000.1.1
go1.25-doc-1.25.12-160000.1.1
go1.25-race-1.25.12-160000.1.1
* bsc#1244485
* bsc#1245878
* bsc#1259264
* bsc#1259265
* bsc#1259268
* bsc#1264394
* bsc#1271014
* bsc#1271015
References:
* https://www.suse.com/security/cve/CVE-2026-25679.html
* https://www.suse.com/security/cve/CVE-2026-27139.html
* https://www.suse.com/security/cve/CVE-2026-27142.html
* https://www.suse.com/security/cve/CVE-2026-39822.html
* https://www.suse.com/security/cve/CVE-2026-42505.html
Get the latest Linux and open source security news straight to your inbox.