SB2025123058 - openEuler 24.03 LTS SP2 update for golang
Published: December 30, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Input validation error (CVE-ID: CVE-2025-47912)
The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists in net/url due to the Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. A remote attacker can abuse such behavior to perform spoofing attacks.
2) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-58186)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in net/http due to the application does not limit the number of cookies sent in the request. A remote attacker can send a lot of very small cookies such as "a=;" and cause large memory consumption.
3) Improper certificate validation (CVE-ID: CVE-2025-61727)
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists in crypto/x509 due to incorrect handling of wildcard SANs in the leaf certificate when processing excluded constraint in a certificate chain. A remote attacker can create a specially crafted certificate and bypass implemented domain restrictions and perform MitM or phishing attacks.
4) Resource exhaustion (CVE-ID: CVE-2025-61729)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources within the HostnameError.Error() function in crypto/x509 when printing error string for host certificate validation. A remote attacker can supply a specially crafted certificate to the application and trigger resource exhaustion, leading to a denial of service condition.
Remediation
Install update from vendor's website.