SUSE-CU-2025:4221-1: Security update of bci/golang
sle-container-updates at lists.suse.com
Tue Jun 10 07:09:12 UTC 2025
SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:4221-1
Container Tags : bci/golang:1.24 , bci/golang:1.24.4 , bci/golang:1.24.4-1.38.6 , bci/golang:latest , bci/golang:stable , bci/golang:stable-1.38.6
Container Release : 38.6
Severity : important
Type : security
References : 1236217 1242715 1244156 1244157 1244158 CVE-2025-0913 CVE-2025-22873 CVE-2025-22874 CVE-2025-4673
-----------------------------------------------------------------
The container bci/golang was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1846-1
Released: Mon Jun 9 20:33:58 2025
Summary: Security update for go1.24
Type: security
Severity: important
References: 1236217,1242715,1244156,1244157,1244158,CVE-2025-0913,CVE-2025-22873,CVE-2025-22874,CVE-2025-4673
This update for go1.24 fixes the following issues:
go1.24.4 (released 2025-06-05) includes security fixes to the
crypto/x509, net/http, and os packages, as well as bug fixes to
the linker, the go command, and the hash/maphash and os packages.
(bsc#1236217 go1.24 release tracking CVE-2025-22874 CVE-2025-0913 CVE-2025-4673)
* CVE-2025-22874: crypto/x509: ExtKeyUsageAny bypasses policy validation (bsc#1244158)
* CVE-2025-0913: os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows (bsc#1244157)
* CVE-2025-4673: net/http: sensitive headers not cleared on cross-origin redirect (bsc#1244156)
* os: Root.Mkdir creates directories with zero permissions on OpenBSD
* hash/maphash: hashing channels with purego impl. of maphash.Comparable panics
* runtime/debug: BuildSetting does not document DefaultGODEBUG
* cmd/go: add fips140 module selection mechanism
* cmd/link: Go 1.24.3 and 1.23.9 regression - duplicated definition of symbol dlopen
* CVE-2025-22873: os: Root permits access to parent directory
The following package changes have been done:
- go1.24-doc-1.24.4-150000.1.26.1 updated
- go1.24-1.24.4-150000.1.26.1 updated
- go1.24-race-1.24.4-150000.1.26.1 updated