SUSE-CU-2025:7576-1: Security update of bci/golang

sle-container-updates at lists.suse.com sle-container-updates at lists.suse.com
Sat Oct 25 07:35:54 UTC 2025 

SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7576-1
Container Tags        : bci/golang:1.24-openssl , bci/golang:1.24.7-openssl , bci/golang:1.24.7-openssl-78.3 , bci/golang:oldstable-openssl , bci/golang:oldstable-openssl-78.3
Container Release     : 78.3
Severity              : moderate
Type                  : security
References            : 1236217 1241219 1247816 1248082 1251264 CVE-2025-3576 
-----------------------------------------------------------------

The container bci/golang was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:3596-1
Released:    Wed Oct 15 09:51:21 2025
Summary:     Recommended update for curl
Type:        recommended
Severity:    moderate
References:  1251264

This update for curl fixes the following issue:

- rebuilds it against a newer nghttp2 to fix handling 2 or more whitespaces in headers. (bsc#1251264)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:3619-1
Released:    Thu Oct 16 15:03:39 2025
Summary:     Recommended update for go1.24-openssl
Type:        recommended
Severity:    moderate
References:  1236217,1247816,1248082
This update for go1.24-openssl fixes the following issues:

Update to version 1.24.7 cut from the go1.24-fips-release
branch at the revision tagged go1.24.7-1-openssl-fips.
(jsc#SLE-18320)

go1.24.7 (released 2025-09-03) includes fixes to the go command,
and the net and os/exec packages.
( bsc#1236217 go1.24 release tracking)

  * go#75007 os/exec: TestLookPath fails on plan9 after CL 685755
  * go#74821 cmd/go: 'get toolchain at latest' should ignore release candidates
  * go#74818 net: WriteMsgUDPAddrPort should accept IPv4-mapped IPv6 destination addresses on IPv4 UDP sockets


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3699-1
Released:    Tue Oct 21 12:07:47 2025
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1241219,CVE-2025-3576
This update for krb5 fixes the following issues:

- CVE-2025-3576: weakness in the MD5 checksum design allows for spoofing of GSSAPI-protected messages that are using
  RC4-HMAC-MD5 (bsc#1241219).

Krb5 as very old protocol supported quite a number of ciphers
that are not longer up to current cryptographic standards.

To avoid problems with those, SUSE has by default now disabled
those alorithms.

The following algorithms have been removed from valid krb5 enctypes:

- des3-cbc-sha1
- arcfour-hmac-md5

To reenable those algorithms, you can use allow options in krb5.conf:

[libdefaults]
allow_des3 = true
allow_rc4 = true

to reenable them.


The following package changes have been done:

- krb5-1.20.1-150600.11.14.1 updated
- libcurl4-8.14.1-150700.7.2.1 updated
- curl-8.14.1-150700.7.2.1 updated
- go1.24-openssl-doc-1.24.7-150600.13.12.1 updated
- go1.24-openssl-1.24.7-150600.13.12.1 updated
- go1.24-openssl-race-1.24.7-150600.13.12.1 updated
- container:registry.suse.com-bci-bci-base-15.7-231a93ad62347ed0484baa9242d06c7c7fc48241452613423a9c25e30102fb8f-0 updated
- libopenssl-devel-3.2.3-150700.1.1 removed
- openssl-3.2.3-150700.1.1 removed
- openssl-3-3.2.3-150700.5.21.1 removed

More information about the sle-container-updates mailing list