SB2025121247 - openEuler 24.03 LTS SP1 update for golang

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2025-47912)

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists in net/url due to the Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. A remote attacker can abuse such behavior to perform spoofing attacks. 

2) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-58186)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in net/http due to the application does not limit the number of cookies sent in the request. A remote attacker can send a lot of very small cookies such as "a=;" and cause large memory consumption. 

3) Resource exhaustion (CVE-ID: CVE-2025-58187)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to quadratic complexity when checking name constraints in crypto/x509. A remote attacker can pass a specially crafted x509 certificate to the application and trigger resource exhaustion. 

4) Resource exhaustion (CVE-ID: CVE-2025-61723)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in encoding/pem due to application does not properly control consumption of internal resources when parsing untrusted PEM input. A remote attacker can trigger CPU exhaustion and perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

• https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-2828