
Stay Secure with the Latest Linux Advisories


Explore Latest Linux Security advisories

We found 77 articles for you...

Fedora 42 gst-devtools 1.26.11 Update Advisory FEDORA-2026-5e16254ca6

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-5e16254ca6
2026-04-03 17:03:00.363057+00:00
--------------------------------------------------------------------------------

Name        : gst-devtools
Product     : Fedora 42
Version     : 1.26.11
Release     : 1.fc42
URL         : https://gstreamer.freedesktop.org/src/gst-devtools
Summary     : Development and debugging tools for GStreamer
Description :
Development and debugging tools for GStreamer.

--------------------------------------------------------------------------------
Update Information:

1.26.11
--------------------------------------------------------------------------------
ChangeLog:

* Mon Mar 30 2026 Gwyn Ciesla - 1.26.11-1
- 1.26.11
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-5e16254ca6' at the command line.
For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

Development and debugging tools for GStreamer updated in Fedora 42. Install the latest version for security fixes.

LinuxSecurity.com Team

Apr 03, 2026 Fedora

Fedora 43 gst-devtools 1.26.11 Security Advisory FEDORA-2026-e77ad9d792

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-e77ad9d792
2026-04-01 00:56:24.864678+00:00
--------------------------------------------------------------------------------

Name        : gst-devtools
Product     : Fedora 43
Version     : 1.26.11
Release     : 1.fc43
URL         : https://gstreamer.freedesktop.org/src/gst-devtools
Summary     : Development and debugging tools for GStreamer
Description :
Development and debugging tools for GStreamer.

--------------------------------------------------------------------------------
Update Information:

1.26.11
--------------------------------------------------------------------------------
ChangeLog:

* Mon Mar 30 2026 Gwyn Ciesla - 1.26.11-1
- 1.26.11
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-e77ad9d792' at the command line.
For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

Stay updated with Fedora 43 gst-devtools 1.26.11. Important enhancements for development and debugging tools available now.

Severity: Important.

LinuxSecurity.com Team

Apr 01, 2026 Important Fedora

Fedora 44 gst-devtools 1.28.1 Development Tools Update Advisory

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-9cfb46ac78
2026-03-14 00:15:28.464474+00:00
--------------------------------------------------------------------------------

Name        : gst-devtools
Product     : Fedora 44
Version     : 1.28.1
Release     : 1.fc44
URL         : https://gstreamer.freedesktop.org/src/gst-devtools
Summary     : Development and debugging tools for GStreamer
Description :
Development and debugging tools for GStreamer.

--------------------------------------------------------------------------------
Update Information:

1.28.1
--------------------------------------------------------------------------------
ChangeLog:

* Thu Feb 26 2026 Gwyn Ciesla - 1.28.1-1
- 1.28.1
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-9cfb46ac78' at the command line.
For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

Install Fedora 44's gst-devtools 1.28.1 for enhanced GStreamer development and debugging capabilities.

LinuxSecurity.com Team

Mar 14, 2026 Fedora

openSUSE 15.6 go1.26 Moderate Security Risks Fix 2026-0876-1

# Security update for go1.26

Announcement ID: SUSE-SU-2026:0876-1
Release Date: 2026-03-11T18:35:52Z
Rating: moderate

References:

* bsc#1255111
* bsc#1259264
* bsc#1259265
* bsc#1259266
* bsc#1259267
* bsc#1259268

Cross-References:

* CVE-2026-25679
* CVE-2026-27137
* CVE-2026-27138
* CVE-2026-27139
* CVE-2026-27142

CVSS scores:

* CVE-2026-25679 ( SUSE ): 4.6 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2026-25679 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
* CVE-2026-25679 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-27137 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2026-27137 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-27137 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-27138 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-27138 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-27138 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-27139 ( SUSE ): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2026-27139 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-27139 ( NVD ): 2.5 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-27142 ( SUSE ): 5.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2026-27142 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
* CVE-2026-27142 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:

* Development Tools Module 15-SP7
* openSUSE Leap 15.6
* SUSE Linux Enterprise Desktop 15 SP7
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
* SUSE Linux Enterprise Real Time 15 SP7
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP4 LTSS
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server 15 SP5 LTSS
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server 15 SP6 LTSS
* SUSE Linux Enterprise Server 15 SP7
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP7

An update that solves five vulnerabilities and has one security fix can now be installed.

## Description:

This update for go1.26 fixes the following issues:

Update to go1.26.1 (bsc#1255111):

* CVE-2026-25679: net/url: reject IPv6 literal not at start of host (bsc#1259264).
* CVE-2026-27137: crypto/x509: incorrect enforcement of email constraints (bsc#1259266).
* CVE-2026-27138: crypto/x509: panic in name constraint checking for malformed certificates (bsc#1259267).
* CVE-2026-27139: os: FileInfo can escape from a Root (bsc#1259268).
* CVE-2026-27142: html/template: URLs in meta content attribute actions are not escaped (bsc#1259265).

Changelog:

* go#77252 cmd/compile: miscompile of global array initialization
* go#77407 os: Go 1.25.x regression on RemoveAll for windows
* go#77474 cmd/go: CGO compilation fails after upgrading from Go 1.25.5 to 1.25.6 due to --define-variable flag in pkg-config
* go#77529 cmd/fix, x/tools/go/analysis/passes/modernize: stringscut: OOB panic in indexArgValid analyzing "buf.Bytes()" call
* go#77532 net/smtp: expiry date of localhostCert for testing is too short
* go#77536 cmd/compile: internal compiler error: 'main.func1': not lowered: v15, Load STRUCT PTR SSA
* go#77618 strings: HasSuffix doesn't work correctly for multibyte runes in go 1.26
* go#77623 cmd/compile: internal compiler error on : "tried to free an already free register" with generic function and type >= 192 bytes
* go#77624 cmd/fix, x/tools/go/analysis/passes/modernize: stringsbuilder breaks code when combining two strings.Builders
* go#77680 cmd/link: TestFlagW/-w_-linkmode=external fails on illumos
* go#77766 cmd/fix,x/tools/go/analysis/passes/modernize: rangeint uses target platform's type in the range expression, breaking other platforms
* go#77780 reflect: breaking change for reflect.Value.Interface behaviour
* go#77786 cmd/compile: rewriteFixedLoad does not properly sign extend AuxInt
* go#77803 cmd/fix,x/tools/go/analysis/passes/modernize: reflect.TypeOf(nil) transformed into reflect.TypeForuntyped nil
* go#77804 cmd/fix,x/tools/go/analysis/passes/modernize: minmax breaks select statements
* go#77805 cmd/fix, x/tools/go/analysis/passes/modernize: waitgroup leads to a compilation error
* go#77807 cmd/fix,x/tools/go/analysis/passes/modernize: stringsbuilder ignores variables if they are used multiple times
* go#77849 cmd/fix,x/tools/go/analysis/passes/modernize: stringscut rewrite changes behavior
* go#77860 cmd/go: change go mod init default go directive back to 1.N
* go#77899 cmd/fix, x/tools/go/analysis/passes/modernize: bad rangeint rewriting
* go#77904 x/tools/go/analysis/passes/modernize: stringsbuilder breaks code when GenDecl is a block declaration

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product:

* Development Tools Module 15-SP7
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP7-2026-876=1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2026-876=1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2026-876=1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2026-876=1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2026-876=1
* SUSE Linux Enterprise Server 15 SP4 LTSS
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2026-876=1
* SUSE Linux Enterprise Server 15 SP5 LTSS
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2026-876=1
* SUSE Linux Enterprise Server 15 SP6 LTSS
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-876=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2026-876=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2026-876=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP6-2026-876=1
* openSUSE Leap 15.6
  zypper in -t patch openSUSE-SLE-15.6-2026-876=1

## Package List:

* Development Tools Module 15-SP7 (aarch64 ppc64le s390x x86_64)
  * go1.26-race-1.26.1-150000.1.6.1
  * go1.26-doc-1.26.1-150000.1.6.1
  * go1.26-1.26.1-150000.1.6.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64 x86_64)
  * go1.26-race-1.26.1-150000.1.6.1
  * go1.26-doc-1.26.1-150000.1.6.1
  * go1.26-1.26.1-150000.1.6.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64 x86_64)
  * go1.26-race-1.26.1-150000.1.6.1
  * go1.26-doc-1.26.1-150000.1.6.1
  * go1.26-1.26.1-150000.1.6.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (aarch64 x86_64)
  * go1.26-race-1.26.1-150000.1.6.1
  * go1.26-doc-1.26.1-150000.1.6.1
  * go1.26-1.26.1-150000.1.6.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (aarch64 x86_64)
  * go1.26-race-1.26.1-150000.1.6.1
  * go1.26-doc-1.26.1-150000.1.6.1
  * go1.26-1.26.1-150000.1.6.1
* SUSE Linux Enterprise Server 15 SP4 LTSS (aarch64 ppc64le s390x x86_64)
  * go1.26-race-1.26.1-150000.1.6.1
  * go1.26-doc-1.26.1-150000.1.6.1
  * go1.26-1.26.1-150000.1.6.1
* SUSE Linux Enterprise Server 15 SP5 LTSS (aarch64 ppc64le s390x x86_64)
  * go1.26-race-1.26.1-150000.1.6.1
  * go1.26-doc-1.26.1-150000.1.6.1
  * go1.26-1.26.1-150000.1.6.1
* SUSE Linux Enterprise Server 15 SP6 LTSS (aarch64 ppc64le s390x x86_64)
  * go1.26-race-1.26.1-150000.1.6.1
  * go1.26-doc-1.26.1-150000.1.6.1
  * go1.26-1.26.1-150000.1.6.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64)
  * go1.26-race-1.26.1-150000.1.6.1
  * go1.26-doc-1.26.1-150000.1.6.1
  * go1.26-1.26.1-150000.1.6.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP5 (ppc64le x86_64)
  * go1.26-race-1.26.1-150000.1.6.1
  * go1.26-doc-1.26.1-150000.1.6.1
  * go1.26-1.26.1-150000.1.6.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP6 (ppc64le x86_64)
  * go1.26-race-1.26.1-150000.1.6.1
  * go1.26-doc-1.26.1-150000.1.6.1
  * go1.26-1.26.1-150000.1.6.1
* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
  * go1.26-race-1.26.1-150000.1.6.1
  * go1.26-doc-1.26.1-150000.1.6.1
  * go1.26-1.26.1-150000.1.6.1

## References:

* https://www.suse.com/security/cve/CVE-2026-25679.html
* https://www.suse.com/security/cve/CVE-2026-27137.html
* https://www.suse.com/security/cve/CVE-2026-27138.html
* https://www.suse.com/security/cve/CVE-2026-27139.html
* https://www.suse.com/security/cve/CVE-2026-27142.html
* https://bugzilla.suse.com/show_bug.cgi?id=1255111
* https://bugzilla.suse.com/show_bug.cgi?id=1259264
* https://bugzilla.suse.com/show_bug.cgi?id=1259265
* https://bugzilla.suse.com/show_bug.cgi?id=1259266
* https://bugzilla.suse.com/show_bug.cgi?id=1259267
* https://bugzilla.suse.com/show_bug.cgi?id=1259268

Update for go1.26 fixes five vulnerabilities, improving security and system stability for openSUSE users.

LinuxSecurity.com Team

Mar 12, 2026 OpenSUSE

SUSE: go1.25-openssl Important Security Update SUSE-SU-2025:03161-1

* bsc#1244485 * bsc#1246118 * bsc#1247719 * bsc#1247720 * bsc#1247816 . # Security update for go1.25-openssl Announcement ID: SUSE-SU-2025:03161-1 Release Date: 2025-09-11T09:15:57Z Rating: important References: * bsc#1244485 * bsc#1246118 * bsc#1247719 * bsc#1247720 * bsc#1247816 * bsc#1248082 * jsc#SLE-18320 Cross-References: * CVE-2025-4674 * CVE-2025-47906 * CVE-2025-47907 CVSS scores: * CVE-2025-4674 ( SUSE ): 9.3 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H * CVE-2025-4674 ( SUSE ): 8.6 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H * CVE-2025-4674 ( NVD ): 8.6 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H * CVE-2025-47906 ( SUSE ): 2.1 CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N * CVE-2025-47906 ( SUSE ): 4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N * CVE-2025-47907 ( SUSE ): 2.1 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N * CVE-2025-47907 ( SUSE ): 5.7 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N * CVE-2025-47907 ( NVD ): 7.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L Affected Products: * Development Tools Module 15-SP6 * Development Tools Module 15-SP7 * openSUSE Leap 15.6 * SUSE Linux Enterprise Desktop 15 SP6 * SUSE Linux Enterprise Desktop 15 SP7 * SUSE Linux Enterprise Real Time 15 SP6 * SUSE Linux Enterprise Real Time 15 SP7 * SUSE Linux Enterprise Server 15 SP6 * SUSE Linux Enterprise Server 15 SP7 * SUSE Linux Enterprise Server for SAP Applications 15 SP6 * SUSE Linux Enterprise Server for SAP Applications 15 SP7 An update that solves three vulnerabilities, contains one feature and has three security fixes can now be installed. ## Description: This update for go1.25-openssl fixes the following issues: Update to version 1.25.0 cut from the go1.25-fips-release branch at the revision tagged go1.25.0-1-openssl-fips. ( jsc#SLE-18320 ) * Rebase to 1.25.0 * Fix HKDF-Extract The latest OpenSSL in c9s/c10s requires nil salt tobe passed as a hash length buffer of zeros. 
go1.25 (released 2025-08-12) is a major release of Go. go1.25.x minor releases will be provided through August 2026. https://github.com/golang/go/wiki/ Release-Cycle go1.25 arrives six months after Go 1.24. Most of its changes are in the implementation of the toolchain, runtime, and libraries. As always, the release maintains the Go 1 promise of compatibility. We expect almost all Go programs to continue to compile and run as before. ( bsc#1244485 go1.25 release tracking ) * Language changes: There are no languages changes that affect Go programs in Go 1.25. However, in the language specification the notion of core types has been removed in favor of dedicated prose. See the respective blog post for more information. * go command: The go build -asan option now defaults to doing leak detection at program exit. This will report an error if memory allocated by C is not freed and is not referenced by any other memory allocated by either C or Go. These new error reports may be disabled by setting ASAN_OPTIONS=detect_leaks=0 in the environment when running the program. * go command: The Go distribution will include fewer prebuilt tool binaries. Core toolchain binaries such as the compiler and linker will still be included, but tools not invoked by build or test operations will be built and run by go tool as needed. * go command: The new go.mod ignore directive can be used to specify directories the go command should ignore. Files in these directories and their subdirectories will be ignored by the go command when matching package patterns, such as all or ./..., but will still be included in module zip files. * go command: The new go doc -http option will start a documentation server showing documentation for the requested object, and open the documentation in a browser window. * go command: The new go version -m -json option will print the JSON encodings of the runtime/debug.BuildInfostructures embedded in the given Go binary files. 
* go command: The go command now supports using a subdirectory of a repository as the path for a module root, when resolving a module path using the syntax to indicate that the root-path corresponds to the subdir of the repo-url with version control system vcs. * go command: The new work package pattern matches all packages in the work (formerly called main) modules: either the single work module in module mode or the set of workspace modules in workspace mode. * go command: When the go command updates the go line in a go.mod or go.work file, it no longer adds a toolchain line specifying the command’s current version. * go vet: The go vet command includes new analyzers: * go vet: waitgroup reports misplaced calls to sync.WaitGroup.Add; * go vet: hostport reports uses of fmt.Sprintf("%s:%d", host, port) to construct addresses for net.Dial, as these will not work with IPv6; instead it suggests using net.JoinHostPort. * Runtime: Container-aware GOMAXPROCS. The default behavior of the GOMAXPROCS has changed. In prior versions of Go, GOMAXPROCS defaults to the number of logical CPUs available at startup (runtime.NumCPU). Go 1.25 introduces two changes: On Linux, the runtime considers the CPU bandwidth limit of the cgroup containing the process, if any. If the CPU bandwidth limit is lower than the number of logical CPUs available, GOMAXPROCS will default to the lower limit. In container runtime systems like Kubernetes, cgroup CPU bandwidth limits generally correspond to the “CPU limit” option. The Go runtime does not consider the “CPU requests” option. On all OSes, the runtime periodically updates GOMAXPROCS if the number of logical CPUs available or the cgroup CPU bandwidth limit change. Both of these behaviors are automatically disabled if GOMAXPROCS is set manually via the GOMAXPROCS environment variable or a call toruntime.GOMAXPROCS. They can also be disabled explicitly with the GODEBUG settings containermaxprocs=0 and updatemaxprocs=0, respectively. 
In order to support reading updated cgroup limits, the runtime will keep cached file descriptors for the cgroup files for the duration of the process lifetime. * Runtime: garbage collector: A new garbage collector is now available as an experiment. This garbage collector’s design improves the performance of marking and scanning small objects through better locality and CPU scalability. Benchmark result vary, but we expect somewhere between a 10—40% reduction in garbage collection overhead in real-world programs that heavily use the garbage collector. The new garbage collector may be enabled by setting GOEXPERIMENT=greenteagc at build time. We expect the design to continue to evolve and improve. To that end, we encourage Go developers to try it out and report back their experiences. See the GitHub issue for more details on the design and instructions for sharing feedback. * Runtime: trace flight recorder: Runtime execution traces have long provided a powerful, but expensive way to understand and debug the low-level behavior of an application. Unfortunately, because of their size and the cost of continuously writing an execution trace, they were generally impractical for debugging rare events. The new runtime/trace.FlightRecorder API provides a lightweight way to capture a runtime execution trace by continuously recording the trace into an in-memory ring buffer. When a significant event occurs, a program can call FlightRecorder.WriteTo to snapshot the last few seconds of the trace to a file. This approach produces a much smaller trace by enabling applications to capture only the traces that matter. The length of time and amount of data captured by a FlightRecorder may be configured within the FlightRecorderConfig. * Runtime: Change to unhandled panic output: Themessage printed when a program exits due to an unhandled panic that was recovered and repanicked no longer repeats the text of the panic value. 
* Runtime: VMA names on Linux: On Linux systems with kernel support for anonymous virtual memory area (VMA) names (CONFIG_ANON_VMA_NAME), the Go runtime will annotate anonymous memory mappings with context about their purpose. e.g., [anon: Go: heap] for heap memory. This can be disabled with the GODEBUG setting decoratemappings=0. * Compiler: nil pointer bug: This release fixes a compiler bug, introduced in Go 1.21, that could incorrectly delay nil pointer checks. * Compiler: DWARF5 support: The compiler and linker in Go 1.25 now generate debug information using DWARF version 5. The newer DWARF version reduces the space required for debugging information in Go binaries, and reduces the time for linking, especially for large Go binaries. DWARF 5 generation can be disabled by setting the environment variable GOEXPERIMENT=nodwarf5 at build time (this fallback may be removed in a future Go release). * Compiler: Faster slices: The compiler can now allocate the backing store for slices on the stack in more situations, which improves performance. This change has the potential to amplify the effects of incorrect unsafe.Pointer usage, see for example issue 73199. In order to track down these problems, the bisect tool can be used to find the allocation causing trouble using the -compile=variablemake flag. All such new stack allocations can also be turned off using -gcflags=all=-d=variablemakehash=n. * Linker: The linker now accepts a -funcalign=N command line option, which specifies the alignment of function entries. The default value is platform- dependent, and is unchanged in this release. * Standard library: testing/synctest: The new testing/synctest package provides support for testing concurrent code. This package was first available in Go 1.24 under GOEXPERIMENT=synctest, witha slightly different API. The experiment has now graduated to general availability. The old API is still present if GOEXPERIMENT=synctest is set, but will be removed in Go 1.26. 
* Standard library: testing/synctest: The Test function runs a test function in an isolated “bubble”. Within the bubble, time is virtualized: time package functions operate on a fake clock and the clock moves forward instantaneously if all goroutines in the bubble are blocked. * Standard library: testing/synctest: The Wait function waits for all goroutines in the current bubble to block. * Standard library: encoding/json/v2: Go 1.25 includes a new, experimental JSON implementation, which can be enabled by setting the environment variable GOEXPERIMENT=jsonv2 at build time. When enabled, two new packages are available: The encoding/json/v2 package is a major revision of the encoding/json package. The encoding/json/jsontext package provides lower- level processing of JSON syntax. In addition, when the “jsonv2” GOEXPERIMENT is enabled: The encoding/json package uses the new JSON implementation. Marshaling and unmarshaling behavior is unaffected, but the text of errors returned by package function may change. The encoding/json package contains a number of new options which may be used to configure the marshaler and unmarshaler. The new implementation performs substantially better than the existing one under many scenarios. In general, encoding performance is at parity between the implementations and decoding is substantially faster in the new one. See the github.com/go-json-experiment/jsonbench repository for more detailed analysis. We encourage users of encoding/json to test their programs with GOEXPERIMENT=jsonv2 enabled to help detect any compatibility issues with the new implementation. We expect the design of encoding/json/v2 to continue to evolve. We encourage developers to try out the new API and providefeedback on the proposal issue. * archive/tar: The Writer.AddFS implementation now supports symbolic links for filesystems that implement io/fs.ReadLinkFS. 
* encoding/asn1: Unmarshal and UnmarshalWithParams now parse the ASN.1 types T61String and BMPString more consistently. This may result in some previously accepted malformed encodings now being rejected. * crypto: MessageSigner is a new signing interface that can be implemented by signers that wish to hash the message to be signed themselves. A new function is also introduced, SignMessage, which attempts to upgrade a Signer interface to MessageSigner, using the MessageSigner.SignMessage method if successful, and Signer.Sign if not. This can be used when code wishes to support both Signer and MessageSigner. * crypto: Changing the fips140 GODEBUG setting after the program has started is now a no-op. Previously, it was documented as not allowed, and could cause a panic if changed. * crypto: SHA-1, SHA-256, and SHA-512 are now slower on amd64 when AVX2 instructions are not available. All server processors (and most others) produced since 2015 support AVX2. * crypto/ecdsa: The new ParseRawPrivateKey, ParseUncompressedPublicKey, PrivateKey.Bytes, and PublicKey.Bytes functions and methods implement low- level encodings, replacing the need to use crypto/elliptic or math/big functions and methods. * crypto/ecdsa: When FIPS 140-3 mode is enabled, signing is now four times faster, matching the performance of non-FIPS mode. * crypto/ed25519: When FIPS 140-3 mode is enabled, signing is now four times faster, matching the performance of non-FIPS mode. * crypto/elliptic: The hidden and undocumented Inverse and CombinedMult methods on some Curve implementations have been removed. * crypto/rsa: PublicKey no longer claims that the modulus value is treated as secret. VerifyPKCS1v15 and VerifyPSS already warned that all inputs are public and could be leaked, and there aremathematical attacks that can recover the modulus from other public values. * crypto/rsa: Key generation is now three times faster. 
* crypto/sha1: Hashing is now two times faster on amd64 when SHA-NI instructions are available.
* crypto/sha3: The new SHA3.Clone method implements hash.Cloner.
* crypto/sha3: Hashing is now two times faster on Apple M processors.
* crypto/tls: The new ConnectionState.CurveID field exposes the key exchange mechanism used to establish the connection.
* crypto/tls: The new Config.GetEncryptedClientHelloKeys callback can be used to set the EncryptedClientHelloKeys for a server to use when a client sends an Encrypted Client Hello extension.
* crypto/tls: SHA-1 signature algorithms are now disallowed in TLS 1.2 handshakes, per RFC 9155. They can be re-enabled with the GODEBUG setting tlssha1=1.
* crypto/tls: When FIPS 140-3 mode is enabled, Extended Master Secret is now required in TLS 1.2, and Ed25519 and X25519MLKEM768 are now allowed.
* crypto/tls: TLS servers now prefer the highest supported protocol version, even if it isn’t the client’s most preferred protocol version.
* crypto/tls: Both TLS clients and servers are now stricter in following the specifications and in rejecting off-spec behavior. Connections with compliant peers should be unaffected.
* crypto/x509: CreateCertificate, CreateCertificateRequest, and CreateRevocationList can now accept a crypto.MessageSigner signing interface as well as crypto.Signer. This allows these functions to use signers which implement “one-shot” signing interfaces, where hashing is done as part of the signing operation, instead of by the caller.
* crypto/x509: CreateCertificate now uses truncated SHA-256 to populate the SubjectKeyId if it is missing. The GODEBUG setting x509sha256skid=0 reverts to SHA-1.
* crypto/x509: ParseCertificate now rejects certificates which contain a BasicConstraints extension that contains a negative pathLenConstraint.
* crypto/x509: ParseCertificate now handles strings encoded with the ASN.1 T61String and BMPString types more consistently. This may result in some previously accepted malformed encodings now being rejected.
* debug/elf: The debug/elf package adds two new constants: PT_RISCV_ATTRIBUTES and SHT_RISCV_ATTRIBUTES for RISC-V ELF parsing.
* go/ast: The FilterPackage, PackageExports, and MergePackageFiles functions, and the MergeMode type and its constants, are all deprecated, as they are for use only with the long-deprecated Object and Package machinery.
* go/ast: The new PreorderStack function, like Inspect, traverses a syntax tree and provides control over descent into subtrees, but as a convenience it also provides the stack of enclosing nodes at each point.
* go/parser: The ParseDir function is deprecated.
* go/token: The new FileSet.AddExistingFiles method enables existing Files to be added to a FileSet, or a FileSet to be constructed for an arbitrary set of Files, alleviating the problems associated with a single global FileSet in long-lived applications.
* go/types: Var now has a Var.Kind method that classifies the variable as one of: package-level, receiver, parameter, result, local variable, or a struct field.
* go/types: The new LookupSelection function looks up the field or method of a given name and receiver type, like the existing LookupFieldOrMethod function, but returns the result in the form of a Selection.
* hash: The new XOF interface can be implemented by “extendable output functions”, which are hash functions with arbitrary or unlimited output length such as SHAKE.
* hash: Hashes implementing the new Cloner interface can return a copy of their state. All standard library Hash implementations now implement Cloner.
* hash/maphash: The new Hash.Clone method implements hash.Cloner.
* io/fs: A new ReadLinkFS interface provides the ability to read symbolic links in a filesystem.
* log/slog: GroupAttrs creates a group Attr from a slice of Attr values.
* log/slog: Record now has a Source method, returning its source location or nil if unavailable.
* mime/multipart: The new helper function FileContentDisposition builds multipart Content-Disposition header fields.
* net: LookupMX and Resolver.LookupMX now return DNS names that look like valid IP addresses, as well as valid domain names. Previously if a name server returned an IP address as a DNS name, LookupMX would discard it, as required by the RFCs. However, name servers in practice do sometimes return IP addresses.
* net: On Windows, ListenMulticastUDP now supports IPv6 addresses.
* net: On Windows, it is now possible to convert between an os.File and a network connection. Specifically, the FileConn, FilePacketConn, and FileListener functions are now implemented, and return a network connection or listener corresponding to an open file. Similarly, the File methods of TCPConn, UDPConn, UnixConn, IPConn, TCPListener, and UnixListener are now implemented, and return the underlying os.File of a network connection.
* net/http: The new CrossOriginProtection implements protections against Cross-Site Request Forgery (CSRF) by rejecting non-safe cross-origin browser requests. It uses modern browser Fetch metadata, doesn’t require tokens or cookies, and supports origin-based and pattern-based bypasses.
* os: On Windows, NewFile now supports handles opened for asynchronous I/O (that is, syscall.FILE_FLAG_OVERLAPPED is specified in the syscall.CreateFile call). These handles are associated with the Go runtime’s I/O completion port, which provides the following benefits for the resulting File: I/O methods (File.Read, File.Write, File.ReadAt, and File.WriteAt) do not block an OS thread. Deadline methods (File.SetDeadline, File.SetReadDeadline, and File.SetWriteDeadline) are supported. This enhancement is especially beneficial for applications that communicate via named pipes on Windows. Note that a handle can only be associated with one completion port at a time. If the handle provided to NewFile is already associated with a completion port, the returned File is downgraded to synchronous I/O mode. In this case, I/O methods will block an OS thread, and the deadline methods have no effect.
* os: The filesystems returned by DirFS and Root.FS implement the new io/fs.ReadLinkFS interface. CopyFS supports symlinks when copying filesystems that implement io/fs.ReadLinkFS. The Root type supports the following additional methods: Root.Chmod, Root.Chown, Root.Chtimes, Root.Lchown, Root.Link, Root.MkdirAll, Root.ReadFile, Root.Readlink, Root.RemoveAll, Root.Rename, Root.Symlink, and Root.WriteFile.
* reflect: The new TypeAssert function permits converting a Value directly to a Go value of the given type. This is like using a type assertion on the result of Value.Interface, but avoids unnecessary memory allocations.
* regexp/syntax: The \p{name} and \P{name} character class syntaxes now accept the names Any, ASCII, Assigned, Cn, and LC, as well as Unicode category aliases like \p{Letter} for \pL. Following Unicode TR18, they also now use case-insensitive name lookups, ignoring spaces, underscores, and hyphens.
* runtime: Cleanup functions scheduled by AddCleanup are now executed concurrently and in parallel, making cleanups more viable for heavy use like the unique package. Note that individual cleanups should still shunt their work to a new goroutine if they must execute or block for a long time to avoid blocking the cleanup queue.
* runtime: A new GODEBUG=checkfinalizers=1 setting helps find common issues with finalizers and cleanups, such as those described in the GC guide. In this mode, the runtime runs diagnostics on each garbage collection cycle, and will also regularly report the finalizer and cleanup queue lengths to stderr to help identify issues with long-running finalizers and/or cleanups. See the GODEBUG documentation for more details.
* runtime: The new SetDefaultGOMAXPROCS function sets GOMAXPROCS to the runtime default value, as if the GOMAXPROCS environment variable is not set. This is useful for enabling the new GOMAXPROCS default if it has been disabled by the GOMAXPROCS environment variable or a prior call to GOMAXPROCS.
* runtime/pprof: The mutex profile for contention on runtime-internal locks now correctly points to the end of the critical section that caused the delay. This matches the profile’s behavior for contention on sync.Mutex values. The runtimecontentionstacks setting for GODEBUG, which allowed opting in to the unusual behavior of Go 1.22 through 1.24 for this part of the profile, is now gone.
* sync: The new WaitGroup.Go method makes the common pattern of creating and counting goroutines more convenient.
* testing: The new methods T.Attr, B.Attr, and F.Attr emit an attribute to the test log. An attribute is an arbitrary key and value associated with a test.
* testing: With the -json flag, attributes appear as a new “attr” action.
* testing: The new Output method of T, B and F provides an io.Writer that writes to the same test output stream as TB.Log. Like TB.Log, the output is indented, but it does not include the file and line number.
* testing: The AllocsPerRun function now panics if parallel tests are running. The result of AllocsPerRun is inherently flaky if other tests are running. The new panicking behavior helps catch such bugs.
* testing/fstest: MapFS implements the new io/fs.ReadLinkFS interface. TestFS will verify the functionality of the io/fs.ReadLinkFS interface if implemented. TestFS will no longer follow symlinks to avoid unbounded recursion.
* unicode: The new CategoryAliases map provides access to category alias names, such as “Letter” for “L”.
* unicode: The new categories Cn and LC define unassigned codepoints and cased letters, respectively. These have always been defined by Unicode but were inadvertently omitted in earlier versions of Go. The C category now includes Cn, meaning it has added all unassigned code points.
* unique: The unique package now reclaims interned values more eagerly, more efficiently, and in parallel. As a consequence, applications using Make are now less likely to experience memory blow-up when lots of truly unique values are interned.
* unique: Values passed to Make containing Handles previously required multiple garbage collection cycles to collect, proportional to the depth of the chain of Handle values. Now, once unused, they are collected promptly in a single cycle.
* Darwin port: As announced in the Go 1.24 release notes, Go 1.25 requires macOS 12 Monterey or later. Support for previous versions has been discontinued.
* Windows port: Go 1.25 is the last release that contains the broken 32-bit windows/arm port (GOOS=windows GOARCH=arm). It will be removed in Go 1.26.
* Loong64 port: The linux/loong64 port now supports the race detector, gathering traceback information from C code using runtime.SetCgoTraceback, and linking cgo programs with the internal link mode.
* RISC-V port: The linux/riscv64 port now supports the plugin build mode.
* RISC-V port: The GORISCV64 environment variable now accepts a new value rva23u64, which selects the RVA23U64 user-mode application profile.

Fixed during development:

* go#74466 bsc#1247719 security: fix CVE-2025-47906 os/exec: LookPath bug: incorrect expansion of "", "." and ".." in some PATH configurations
* go#74831 bsc#1247720 security: fix CVE-2025-47907 database/sql: incorrect results returned from Rows.Scan

CVE-2025-4674

* go#74380 bsc#1246118 security: fix CVE-2025-4674 cmd/go: disable support for multiple vcs in one module

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.6
  zypper in -t patch openSUSE-SLE-15.6-2025-3161=1 SUSE-2025-3161=1
* Development Tools Module 15-SP6
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP6-2025-3161=1
* Development Tools Module 15-SP7
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP7-2025-3161=1

## Package List:

* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586)
  * go1.25-openssl-doc-1.25.0-150600.13.3.1
  * go1.25-openssl-debuginfo-1.25.0-150600.13.3.1
  * go1.25-openssl-1.25.0-150600.13.3.1
* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
  * go1.25-openssl-race-1.25.0-150600.13.3.1
* Development Tools Module 15-SP6 (aarch64 ppc64le s390x x86_64)
  * go1.25-openssl-doc-1.25.0-150600.13.3.1
  * go1.25-openssl-debuginfo-1.25.0-150600.13.3.1
  * go1.25-openssl-race-1.25.0-150600.13.3.1
  * go1.25-openssl-1.25.0-150600.13.3.1
* Development Tools Module 15-SP7 (aarch64 ppc64le s390x x86_64)
  * go1.25-openssl-doc-1.25.0-150600.13.3.1
  * go1.25-openssl-debuginfo-1.25.0-150600.13.3.1
  * go1.25-openssl-race-1.25.0-150600.13.3.1
  * go1.25-openssl-1.25.0-150600.13.3.1

## References:

* https://www.suse.com/security/cve/CVE-2025-4674.html
* https://www.suse.com/security/cve/CVE-2025-47906.html
* https://www.suse.com/security/cve/CVE-2025-47907.html
* https://bugzilla.suse.com/show_bug.cgi?id=1244485
* https://bugzilla.suse.com/show_bug.cgi?id=1246118
* https://bugzilla.suse.com/show_bug.cgi?id=1247719
* https://bugzilla.suse.com/show_bug.cgi?id=1247720
* https://bugzilla.suse.com/show_bug.cgi?id=1247816
* https://bugzilla.suse.com/show_bug.cgi?id=1248082
* https://jira.suse.com/login.jsp?permissionViolation=true&os_destination=%2Fbrowse%2FSLE-18320&page_caps=&user_role=

Essential patch release for go1.25-openssl tackling significant flaws in SUSE offerings. Prompt response advisable.

SUSE Security Advisory, Go1.25 OpenSSL Issues, Linux Patch Management.

Severity: Important.

LinuxSecurity.com Team

Calendar 2 Sep 11, 2025 Important SuSE
100

SUSE 15 SP6: Important Security Update for go1.24-openssl Issues Fixed

# Security update for go1.24-openssl

Announcement ID: SUSE-SU-2025:03158-1
Release Date: 2025-09-11T03:04:54Z
Rating: important

References:

* bsc#1236217
* bsc#1244156
* bsc#1244157
* bsc#1244158
* bsc#1246118
* bsc#1247719
* bsc#1247720
* jsc#SLE-18320

Cross-References:

* CVE-2025-0913
* CVE-2025-22874
* CVE-2025-4673
* CVE-2025-4674
* CVE-2025-47906
* CVE-2025-47907

CVSS scores:

* CVE-2025-0913 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2025-0913 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
* CVE-2025-0913 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
* CVE-2025-22874 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2025-22874 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
* CVE-2025-22874 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
* CVE-2025-4673 ( SUSE ): 8.9 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
* CVE-2025-4673 ( SUSE ): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
* CVE-2025-4673 ( NVD ): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
* CVE-2025-4674 ( SUSE ): 9.3 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
* CVE-2025-4674 ( SUSE ): 8.6 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
* CVE-2025-4674 ( NVD ): 8.6 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
* CVE-2025-47906 ( SUSE ): 2.1 CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2025-47906 ( SUSE ): 4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2025-47907 ( SUSE ): 2.1 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2025-47907 ( SUSE ): 5.7 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
* CVE-2025-47907 ( NVD ): 7.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L

Affected Products:

* Development Tools Module 15-SP6
* Development Tools Module 15-SP7
* openSUSE Leap 15.6
* SUSE Linux Enterprise Desktop 15 SP6
* SUSE Linux Enterprise Desktop 15 SP7
* SUSE Linux Enterprise Real Time 15 SP6
* SUSE Linux Enterprise Real Time 15 SP7
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server 15 SP7
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP7

An update that solves six vulnerabilities, contains one feature and has one security fix can now be installed.

## Description:

This security update of go1.24-openssl fixes the following issues:

Update to version 1.24.6 cut from the go1.24-fips-release branch at the revision tagged go1.24.6-1-openssl-fips. Refs jsc#SLE-18320

* Fix HKDF-Extract: The latest OpenSSL in c9s/c10s requires nil salt to be passed as a hash length buffer of zeros.

go1.24.6 (released 2025-08-06) includes security fixes to the database/sql and os/exec packages, as well as bug fixes to the runtime. (boo#1236217 go1.24 release tracking)

CVE-2025-47906 CVE-2025-47907:

* go#74804 go#74466 boo#1247719 security: fix CVE-2025-47906 os/exec: LookPath bug: incorrect expansion of "", "." and ".." in some PATH configurations
* go#74833 go#74831 boo#1247720 security: fix CVE-2025-47907 database/sql: incorrect results returned from Rows.Scan
* go#73800 runtime: RSS seems to have increased in Go 1.24 while the runtime accounting has not
* go#74416 runtime: use-after-free of allpSnapshot in findRunnable
* go#74694 runtime: segfaults in runtime.(*unwinder).next
* go#74760 os/user:nolibgcc: TestGroupIdsTestUser failures

go1.24.5 (released 2025-07-08) includes security fixes to the go command, as well as bug fixes to the compiler, the linker, the , and the go command.
(boo#1236217 go1.24 release tracking)

CVE-2025-4674:

* go#74381 go#74380 boo#1246118 security: fix CVE-2025-4674 cmd/go: disable support for multiple vcs in one module
* go#73908 runtime: bad frame pointer during panic during duffcopy
* go#74098 cmd/compile: regression on ppc64le bit operations
* go#74113 cmd/go: crash on unknown GOEXPERIMENT during toolchain selection
* go#74290 runtime: heap mspan limit is set too late, causing data race between span allocation and conservative scanning
* go#74294 internal/trace: stress tests triggering suspected deadlock in tracer
* go#74346 runtime: memlock not unlocked in all control flow paths in sysReserveAlignedSbrk
* go#74363 runtime/pprof: crash "cannot read stack of running goroutine" in goroutine profile
* go#74403 cmd/link: duplicated definition of symbol github.com/ebitengine/purego.syscall15XABI0 when running with ASAN

go1.24.4 (released 2025-06-05) includes security fixes to the crypto/x509, net/http, and os packages, as well as bug fixes to the linker, the go command, and the hash/maphash and os packages. (boo#1236217 go1.24 release tracking)

CVE-2025-22874 CVE-2025-0913 CVE-2025-4673

* go#73700 go#73702 boo#1244158 security: fix CVE-2025-22874 crypto/x509: ExtKeyUsageAny bypasses policy validation
* go#73720 go#73612 boo#1244157 security: fix CVE-2025-0913 os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows
* go#73906 go#73816 boo#1244156 security: fix CVE-2025-4673 net/http: sensitive headers not cleared on cross-origin redirect
* go#73570 os: Root.Mkdir creates directories with zero permissions on OpenBSD
* go#73669 hash/maphash: hashing channels with purego impl. of maphash.Comparable panics
* go#73678 runtime/debug: BuildSetting does not document DefaultGODEBUG
* go#73809 cmd/go: add fips140 module selection mechanism
* go#73832 cmd/link: Go 1.24.3 and 1.23.9 regression - duplicated definition of symbol dlopen

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product:

* Development Tools Module 15-SP6
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP6-2025-3158=1
* Development Tools Module 15-SP7
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP7-2025-3158=1
* openSUSE Leap 15.6
  zypper in -t patch SUSE-2025-3158=1 openSUSE-SLE-15.6-2025-3158=1

## Package List:

* Development Tools Module 15-SP6 (aarch64 ppc64le s390x x86_64)
  * go1.24-openssl-race-1.24.6-150600.13.9.1
  * go1.24-openssl-doc-1.24.6-150600.13.9.1
  * go1.24-openssl-1.24.6-150600.13.9.1
* Development Tools Module 15-SP7 (aarch64 ppc64le s390x x86_64)
  * go1.24-openssl-race-1.24.6-150600.13.9.1
  * go1.24-openssl-debuginfo-1.24.6-150600.13.9.1
  * go1.24-openssl-doc-1.24.6-150600.13.9.1
  * go1.24-openssl-1.24.6-150600.13.9.1
* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586)
  * go1.24-openssl-debuginfo-1.24.6-150600.13.9.1
  * go1.24-openssl-doc-1.24.6-150600.13.9.1
  * go1.24-openssl-1.24.6-150600.13.9.1
* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
  * go1.24-openssl-race-1.24.6-150600.13.9.1

## References:

* https://www.suse.com/security/cve/CVE-2025-0913.html
* https://www.suse.com/security/cve/CVE-2025-22874.html
* https://www.suse.com/security/cve/CVE-2025-4673.html
* https://www.suse.com/security/cve/CVE-2025-4674.html
* https://www.suse.com/security/cve/CVE-2025-47906.html
* https://www.suse.com/security/cve/CVE-2025-47907.html
* https://bugzilla.suse.com/show_bug.cgi?id=1236217
* https://bugzilla.suse.com/show_bug.cgi?id=1244156
* https://bugzilla.suse.com/show_bug.cgi?id=1244157
* https://bugzilla.suse.com/show_bug.cgi?id=1244158
* https://bugzilla.suse.com/show_bug.cgi?id=1246118
* https://bugzilla.suse.com/show_bug.cgi?id=1247719
* https://bugzilla.suse.com/show_bug.cgi?id=1247720
* https://jira.suse.com/login.jsp?permissionViolation=true&os_destination=%2Fbrowse%2FSLE-18320&page_caps=&user_role=

An urgent security patch for version go1.24-openssl addresses serious vulnerabilities in SUSE platforms and necessitates immediate implementation.

SUSE go1.24-openssl important security update.

Severity: Important.

LinuxSecurity.com Team

Calendar 2 Sep 11, 2025 Important SuSE
202

openSUSE: 2025:0802-1 moderate: Go 1.24 Proxy Bypass Issue

# Security update for go1.24

Announcement ID: SUSE-SU-2025:0802-1
Release Date: 2025-03-06T14:05:35Z
Rating: moderate

References:

* bsc#1236217
* bsc#1238572

Cross-References:

* CVE-2025-22870

CVSS scores:

* CVE-2025-22870 ( SUSE ): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2025-22870 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

Affected Products:

* Development Tools Module 15-SP6
* openSUSE Leap 15.6
* SUSE Linux Enterprise Desktop 15 SP6
* SUSE Linux Enterprise Real Time 15 SP6
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP6

An update that solves one vulnerability and has one security fix can now be installed.

## Description:

This update for go1.24 fixes the following issues:

* CVE-2025-22870: golang.org/x/net/proxy, golang.org/x/net/http/httpproxy: Fixed proxy bypass using IPv6 zone IDs (bsc#1238572)

Other fixes:

* Updated go version to go1.24.1 (bsc#1236217):
  * go#71986 go#71984 bsc#1238572 security: fix CVE-2025-22870 net/http, x/net/proxy, x/net/http/httpproxy: proxy bypass using IPv6 zone IDs
  * go#71687 cmd/go: panics with GOAUTH='git dir' go get -x
  * go#71705 runtime: add linkname of runtime.lastmoduledatap for cloudwego/sonic
  * go#71728 runtime: usleep computes wrong tv_nsec on s390x
  * go#71745 crypto: add fips140 as an opaque GODEBUG setting and add documentation for it
  * go#71829 cmd/compile: fail to compile package in 1.24
  * go#71836 os: possible regression from Go 1.23 to Go 1.24 when opening DevNull with O_TRUNC
  * go#71840 runtime: recover added in range-over-func loop body doesn't stop panic propagation / segfaults printing error
  * go#71849 os: spurious SIGCHILD on running child process
  * go#71855 cmd/compile: Pow10 freeze the compiler on certain condition on Go 1.24
  * go#71858 debug/buildinfo: false positives with external scanners flag for go117 binary in testdata
  * go#71876 reflect: Value.Seq panicking on functional iterator methods
  * go#71904 cmd/compile: nil dereference when storing field of non-nil struct value
  * go#71916 reflect: Value.Seq iteration value types not matching the type of given int types
  * go#71938 cmd/compile: "fatal error: found pointer to free object" on arm64
  * go#71955 proposal: runtime: allow cleanups to run concurrently
  * go#71963 runtime/cgo: does not build with -Wdeclaration-after-statement
  * go#71977 syscall: js/wasm file operations fail on windows / node.js

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product:

* openSUSE Leap 15.6
  zypper in -t patch openSUSE-SLE-15.6-2025-802=1
* Development Tools Module 15-SP6
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP6-2025-802=1

## Package List:

* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
  * go1.24-race-1.24.1-150000.1.12.1
  * go1.24-1.24.1-150000.1.12.1
  * go1.24-doc-1.24.1-150000.1.12.1
* Development Tools Module 15-SP6 (aarch64 ppc64le s390x x86_64)
  * go1.24-race-1.24.1-150000.1.12.1
  * go1.24-1.24.1-150000.1.12.1
  * go1.24-doc-1.24.1-150000.1.12.1

## References:

* https://www.suse.com/security/cve/CVE-2025-22870.html
* https://bugzilla.suse.com/show_bug.cgi?id=1236217
* https://bugzilla.suse.com/show_bug.cgi?id=1238572

The recent update for openSUSE resolves a vulnerability concerning proxy bypass in Go version 1.24, classified as having moderate risk. It is advisable to apply the suggested patches promptly.

openSUSE Security Advisory, Go 1.24 Update, Proxy Bypass Fix.

LinuxSecurity.com Team

Calendar 2 Mar 06, 2025 OpenSUSE
202

openSUSE 15.6: 2025:0803-1 moderate: go1.23 proxy bypass fix

# Security update for go1.23

Announcement ID: SUSE-SU-2025:0803-1
Release Date: 2025-03-06T14:05:48Z
Rating: moderate

References:

* bsc#1229122
* bsc#1238572

Cross-References:

* CVE-2025-22870

CVSS scores:

* CVE-2025-22870 ( SUSE ): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2025-22870 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

Affected Products:

* Development Tools Module 15-SP6
* openSUSE Leap 15.6
* SUSE Linux Enterprise Desktop 15 SP6
* SUSE Linux Enterprise Real Time 15 SP6
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP6

An update that solves one vulnerability and has one security fix can now be installed.

## Description:

This update for go1.23 fixes the following issues:

* CVE-2025-22870: golang.org/x/net/proxy, golang.org/x/net/http/httpproxy: Fixed proxy bypass using IPv6 zone IDs (bsc#1238572)

Other fixes:

* Updated go version to go1.23.7 (bsc#1229122):
  * go#71985 go#71984 bsc#1238572 security: fix CVE-2025-22870 net/http, x/net/proxy, x/net/http/httpproxy: proxy bypass using IPv6 zone IDs
  * go#71727 runtime: usleep computes wrong tv_nsec on s390x
  * go#71839 runtime: recover added in range-over-func loop body doesn't stop panic propagation / segfaults printing error
  * go#71848 os: spurious SIGCHILD on running child process
  * go#71875 reflect: Value.Seq panicking on functional iterator methods
  * go#71915 reflect: Value.Seq iteration value types not matching the type of given int types
  * go#71962 runtime/cgo: does not build with -Wdeclaration-after-statement

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.6
  zypper in -t patch openSUSE-SLE-15.6-2025-803=1
* Development Tools Module 15-SP6
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP6-2025-803=1

## Package List:

* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
  * go1.23-doc-1.23.7-150000.1.24.1
  * go1.23-1.23.7-150000.1.24.1
  * go1.23-race-1.23.7-150000.1.24.1
* Development Tools Module 15-SP6 (aarch64 ppc64le s390x x86_64)
  * go1.23-doc-1.23.7-150000.1.24.1
  * go1.23-1.23.7-150000.1.24.1
  * go1.23-race-1.23.7-150000.1.24.1

## References:

* https://www.suse.com/security/cve/CVE-2025-22870.html
* https://bugzilla.suse.com/show_bug.cgi?id=1229122
* https://bugzilla.suse.com/show_bug.cgi?id=1238572

Urgent security patch for openSUSE tackling proxy evasion in Go programming framework, maintaining robustness and safety.

openSUSE, security advisory, go programming, software update.

LinuxSecurity.com Team

Calendar 2 Mar 06, 2025 OpenSUSE