SB2026012718 - SUSE update for go1.25-openssl
Published: January 27, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 16 secuirty vulnerabilities.
1) OS Command Injection (CVE-ID: CVE-2025-4674)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation when handling multiple VCS configuration metadata in Go toolchain. A remote attacker can trick the victim into directly cloning specially crafted Git or Mercurial repositories and execute arbitrary OS commands on the system.
2) Input validation error (CVE-ID: CVE-2025-47906)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to insufficient validation of the PATH environment variable in LookPath. A local user can pass specially crafted strings to the application and execute arbitrary OS commands with elevated privileges.
3) Race condition (CVE-ID: CVE-2025-47907)
The vulnerability allows an attacker to tamper with the application.
The vulnerability exists due to a race condition when canceling a DB query. A local user can exploit the race and gain unauthorized access to sensitive information and escalate privileges on the system. A remote user can overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.
4) Protection Mechanism Failure (CVE-ID: CVE-2025-47910)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient implementation of security measures in http.CrossOriginProtection. The AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. An attacker can bypass implemented security restrictions.
5) Input validation error (CVE-ID: CVE-2025-47912)
The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists in net/url due to the Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. A remote attacker can abuse such behavior to perform spoofing attacks.
6) Resource exhaustion (CVE-ID: CVE-2025-58183)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in archive/tar due to the tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A remote attacker can pass a specially crafted archive to the application and perform a denial of service (DoS) attack.
7) Resource exhaustion (CVE-ID: CVE-2025-58185)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in encoding/asn1 due to application does not properly control consumption of internal resources when parsing DER payloads. A remote attacker can trigger memory exhaustion and perform a denial of service (DoS) attack.
8) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-58186)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in net/http due to the application does not limit the number of cookies sent in the request. A remote attacker can send a lot of very small cookies such as "a=;" and cause large memory consumption.
9) Resource exhaustion (CVE-ID: CVE-2025-58187)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to quadratic complexity when checking name constraints in crypto/x509. A remote attacker can pass a specially crafted x509 certificate to the application and trigger resource exhaustion.
10) Input validation error (CVE-ID: CVE-2025-58188)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in crypto/x509 due to an error when validating certificate chains which contain DSA public keys. A remote attacker can pass a specially crafted certificate to the application and crash it.
11) Improper Encoding or Escaping of Output (CVE-ID: CVE-2025-58189)
The vulnerability allows a remote attacker to perform spoofing attacks.
The vulnerability exists due to missing sanitization of input data when the Conn.Handshake fails during ALPN negotiation in crypto/tls. A remote attacker can pass specially crafted input via an error message and influence the application behavior, leading to a potential spoofing attack.
12) Resource exhaustion (CVE-ID: CVE-2025-61723)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in encoding/pem due to application does not properly control consumption of internal resources when parsing untrusted PEM input. A remote attacker can trigger CPU exhaustion and perform a denial of service (DoS) attack.
13) Resource exhaustion (CVE-ID: CVE-2025-61724)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in net/textproto due to the Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. A remote attacker can trigger excessive CPU consumption and perform a denial of service (DoS) attack.
14) Resource exhaustion (CVE-ID: CVE-2025-61725)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the ParseAddress function in net/mail does not properly control consumption of internal resources. A remote attacker can compose a specially crafted email message that triggers excessive CPU consumption leading to denial of service.
15) Improper certificate validation (CVE-ID: CVE-2025-61727)
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists in crypto/x509 due to incorrect handling of wildcard SANs in the leaf certificate when processing excluded constraint in a certificate chain. A remote attacker can create a specially crafted certificate and bypass implemented domain restrictions and perform MitM or phishing attacks.
16) Resource exhaustion (CVE-ID: CVE-2025-61729)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources within the HostnameError.Error() function in crypto/x509 when printing error string for host certificate validation. A remote attacker can supply a specially crafted certificate to the application and trigger resource exhaustion, leading to a denial of service condition.
Remediation
Install update from vendor's website.