SUSE-CU-2025:7324-1: Security update of bci/golang

sle-container-updates at lists.suse.com sle-container-updates at lists.suse.com
Tue Oct 14 07:47:19 UTC 2025 

SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7324-1
Container Tags        : bci/golang:1.25 , bci/golang:1.25.2 , bci/golang:1.25.2-1.73.8 , bci/golang:latest , bci/golang:stable , bci/golang:stable-1.73.8
Container Release     : 73.8
Severity              : important
Type                  : security
References            : 1244485 1249584 1249985 1250232 1251253 1251254 1251255 1251256
                        1251257 1251258 1251259 1251260 1251261 1251262 CVE-2025-47912
                        CVE-2025-58183 CVE-2025-58185 CVE-2025-58186 CVE-2025-58187 CVE-2025-58188
                        CVE-2025-58189 CVE-2025-59375 CVE-2025-61723 CVE-2025-61724 CVE-2025-61725
                        CVE-2025-9230 
-----------------------------------------------------------------

The container bci/golang was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3508-1
Released:    Thu Oct  9 10:32:56 2025
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1249584,CVE-2025-59375
This update for expat fixes the following issues:

- CVE-2025-59375: memory amplification vulnerability allows attackers to trigger excessive dynamic memory allocations
  by submitting crafted XML input (bsc#1249584).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:3512-1
Released:    Thu Oct  9 12:35:38 2025
Summary:     Recommended update for go1.25
Type:        recommended
Severity:    moderate
References:  1249985
This update for go1.25 fixes the following issues:

- Package svgpan.js to fix issues with 'go tool pprof'. bsc#1249985

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3546-1
Released:    Sat Oct 11 03:21:33 2025
Summary:     Security update for openssl-3
Type:        security
Severity:    important
References:  1250232,CVE-2025-9230
This update for openssl-3 fixes the following issues:

- CVE-2025-9230: Fixed out-of-bounds read & write in RFC 3211 KEK unwrap (bsc#1250232).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3547-1
Released:    Sat Oct 11 03:22:16 2025
Summary:     Security update for go1.25
Type:        security
Severity:    important
References:  1244485,1251253,1251254,1251255,1251256,1251257,1251258,1251259,1251260,1251261,1251262,CVE-2025-47912,CVE-2025-58183,CVE-2025-58185,CVE-2025-58186,CVE-2025-58187,CVE-2025-58188,CVE-2025-58189,CVE-2025-61723,CVE-2025-61724,CVE-2025-61725
This update for go1.25 fixes the following issues:

go1.25.2 (released 2025-10-07) includes security fixes to the
archive/tar, crypto/tls, crypto/x509, encoding/asn1,
encoding/pem, net/http, net/mail, net/textproto, and net/url
packages, as well as bug fixes to the compiler, the runtime, and
the context, debug/pe, net/http, os, and sync/atomic packages.  (bsc#1244485)

  CVE-2025-58189 CVE-2025-61725 CVE-2025-58188 CVE-2025-58185 CVE-2025-58186 CVE-2025-61723 CVE-2025-58183 CVE-2025-47912 CVE-2025-58187 CVE-2025-61724:

  * bsc#1251255 CVE-2025-58189: crypto/tls: ALPN negotiation error contains attacker controlled information
  * bsc#1251253 CVE-2025-61725: net/mail: excessive CPU consumption in ParseAddress
  * bsc#1251260 CVE-2025-58188: crypto/x509: panic when validating certificates with DSA public keys
  * bsc#1251258 CVE-2025-58185: encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion
  * bsc#1251259 CVE-2025-58186: net/http: lack of limit when parsing cookies can cause memory exhaustion
  * bsc#1251256 CVE-2025-61723: encoding/pem: quadratic complexity when parsing some invalid inputs
  * bsc#1251261 CVE-2025-58183: archive/tar: unbounded allocation when parsing GNU sparse map
  * bsc#1251257 CVE-2025-47912: net/url: insufficient validation of bracketed IPv6 hostnames
  * bsc#1251254 CVE-2025-58187: crypto/x509: quadratic complexity when checking name constraints
  * bsc#1251262 CVE-2025-61724: net/textproto: excessive CPU consumption in Reader.ReadResponse

  * go#75111 os, syscall: volume handles with FILE_FLAG_OVERLAPPED fail when calling ReadAt
  * go#75116 os: Root.MkdirAll can return 'file exists' when called concurrently on the same path
  * go#75139 os: Root.OpenRoot sets incorrect name, losing prefix of original root
  * go#75221 debug/pe: pe.Open fails on object files produced by llvm-mingw 21
  * go#75255 cmd/compile: export to DWARF types only referenced through interfaces
  * go#75347 testing/synctest: test timeout with no runnable goroutines
  * go#75357 net: new test TestIPv4WriteMsgUDPAddrPortTargetAddrIPVersion fails on plan9
  * go#75524 crypto/internal/fips140/rsa: requires a panic if self-tests fail
  * go#75537 context: Err can return non-nil before Done channel is closed
  * go#75539 net/http: internal error: connCount underflow
  * go#75595 cmd/compile: internal compiler error with GOEXPERIMENT=cgocheck2 on github.com/leodido/go-urn
  * go#75610 sync/atomic: comment for Uintptr.Or incorrectly describes return value
  * go#75669 runtime: debug.decoratemappings don't work as expected


The following package changes have been done:

- libopenssl3-3.2.3-150700.5.21.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.21.1 updated
- go1.25-doc-1.25.2-150000.1.14.1 updated
- libexpat1-2.7.1-150700.3.6.1 updated
- go1.25-1.25.2-150000.1.14.1 updated
- go1.25-race-1.25.2-150000.1.14.1 updated
- container:registry.suse.com-bci-bci-base-15.7-d36081e98ce32c994ddc5040947999e9d8c2098074802f4382d029673fb91903-0 updated

More information about the sle-container-updates mailing list