SUSE-CU-2025:7703-1: Security update of bci/golang
sle-container-updates at lists.suse.com
Thu Oct 30 12:25:08 UTC 2025
SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7703-1
Container Tags : bci/golang:1.24 , bci/golang:1.24.9 , bci/golang:1.24.9-2.75.4 , bci/golang:oldstable , bci/golang:oldstable-2.75.4
Container Release : 75.4
Severity : important
Type : security
References : 1236217 1241219 1251253 1251254 1251255 1251256 1251257 1251258
1251259 1251260 1251261 1251262 1251264 CVE-2025-3576 CVE-2025-47912
CVE-2025-58183 CVE-2025-58185 CVE-2025-58186 CVE-2025-58187 CVE-2025-58188
CVE-2025-58189 CVE-2025-61723 CVE-2025-61724 CVE-2025-61725
-----------------------------------------------------------------
The container bci/golang was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:3596-1
Released: Wed Oct 15 09:51:21 2025
Summary: Recommended update for curl
Type: recommended
Severity: moderate
References: 1251264
This update for curl fixes the following issue:
- Rebuilds curl against a newer nghttp2 to fix the handling of two or more whitespace characters in headers. (bsc#1251264)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3682-1
Released: Mon Oct 20 15:12:08 2025
Summary: Security update for go1.24
Type: security
Severity: important
References: 1236217,1251253,1251254,1251255,1251256,1251257,1251258,1251259,1251260,1251261,1251262,CVE-2025-47912,CVE-2025-58183,CVE-2025-58185,CVE-2025-58186,CVE-2025-58187,CVE-2025-58188,CVE-2025-58189,CVE-2025-61723,CVE-2025-61724,CVE-2025-61725
This update for go1.24 fixes the following issues:
go1.24.9 (released 2025-10-13) includes fixes to the crypto/x509
package. (bsc#1236217)
* crypto/x509: TLS validation fails for FQDNs with trailing dot
go1.24.8 (released 2025-10-07) includes security fixes to the
archive/tar, crypto/tls, crypto/x509, encoding/asn1,
encoding/pem, net/http, net/mail, net/textproto, and net/url
packages, as well as bug fixes to the compiler, the linker, and
the debug/pe, net/http, os, and sync/atomic packages.
(bsc#1236217)
CVE-2025-58189 CVE-2025-61725 CVE-2025-58188 CVE-2025-58185 CVE-2025-58186 CVE-2025-61723 CVE-2025-58183 CVE-2025-47912 CVE-2025-58187 CVE-2025-61724:
* bsc#1251255 CVE-2025-58189: crypto/tls: ALPN negotiation error contains attacker controlled information
* bsc#1251253 CVE-2025-61725: net/mail: excessive CPU consumption in ParseAddress
* bsc#1251260 CVE-2025-58188: crypto/x509: panic when validating certificates with DSA public keys
* bsc#1251258 CVE-2025-58185: encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion
* bsc#1251259 CVE-2025-58186: net/http: lack of limit when parsing cookies can cause memory exhaustion
* bsc#1251256 CVE-2025-61723: encoding/pem: quadratic complexity when parsing some invalid inputs
* bsc#1251261 CVE-2025-58183: archive/tar: unbounded allocation when parsing GNU sparse map
* bsc#1251257 CVE-2025-47912: net/url: insufficient validation of bracketed IPv6 hostnames
* bsc#1251254 CVE-2025-58187: crypto/x509: quadratic complexity when checking name constraints
* bsc#1251262 CVE-2025-61724: net/textproto: excessive CPU consumption in Reader.ReadResponse
* os: Root.OpenRoot sets incorrect name, losing prefix of original root
* debug/pe: pe.Open fails on object files produced by llvm-mingw 21
* cmd/link: panic on riscv64 with CGO enabled due to empty container symbol
* net: new test TestIPv4WriteMsgUDPAddrPortTargetAddrIPVersion fails on plan9
* os: new test TestOpenFileCreateExclDanglingSymlink fails on Plan 9
* crypto/internal/fips140/rsa: requires a panic if self-tests fail
* net/http: internal error: connCount underflow
* cmd/compile: internal compiler error with GOEXPERIMENT=cgocheck2 on github.com/leodido/go-urn
* sync/atomic: comment for Uintptr.Or incorrectly describes return value
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3699-1
Released: Tue Oct 21 12:07:47 2025
Summary: Security update for krb5
Type: security
Severity: moderate
References: 1241219,CVE-2025-3576
This update for krb5 fixes the following issues:
- CVE-2025-3576: a weakness in the MD5 checksum design allows spoofing of GSSAPI-protected messages that use RC4-HMAC-MD5 (bsc#1241219).
Krb5, being a very old protocol, supports quite a number of ciphers
that are no longer up to current cryptographic standards.
To avoid problems with those, SUSE has now disabled
those algorithms by default.
The following algorithms have been removed from valid krb5 enctypes:
- des3-cbc-sha1
- arcfour-hmac-md5
To re-enable those algorithms, you can use the allow options in krb5.conf:
    [libdefaults]
        allow_des3 = true
        allow_rc4 = true
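As an added example (not part of the advisory), a small Python audit that flags a krb5.conf which brings the removed enctypes back, either through the allow_des3/allow_rc4 switches above or by listing them in one of the enctype options; the sample configuration and the option set it scans are constructed for the example.

```python
import re

# Constructed sample krb5.conf (not from any real host): it re-enables the
# enctypes SUSE now disables by default, so the audit below should flag it.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_des3 = true
    allow_rc4 = true
    permitted_enctypes = aes256-cts-hmac-sha1-96 arcfour-hmac-md5
"""

# Enctypes the advisory says were removed from the valid set, the allow_*
# options that bring them back, and the enctype-list options to scan.
WEAK_ENCTYPES = {"des3-cbc-sha1", "arcfour-hmac-md5"}
ALLOW_OPTIONS = {"allow_des3", "allow_rc4"}
ENCTYPE_LISTS = {"permitted_enctypes", "default_tgs_enctypes", "default_tkt_enctypes"}


def parse_libdefaults(text):
    """Shallow parse: return key/value pairs of the [libdefaults] section only."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip().lower()] = val.strip()
    return values


def audit_weak_enctypes(text):
    """Return a sorted list of findings for re-enabled weak enctypes."""
    libdefaults = parse_libdefaults(text)
    findings = []
    for opt in ALLOW_OPTIONS:
        # Accept the common boolean spellings; the advisory uses "true".
        if libdefaults.get(opt, "").lower() in ("true", "yes", "1", "on"):
            findings.append(f"{opt} is set to true")
    for opt in ENCTYPE_LISTS:
        listed = set(libdefaults.get(opt, "").replace(",", " ").split())
        for enc in sorted(listed & WEAK_ENCTYPES):
            findings.append(f"{opt} lists {enc}")
    return sorted(findings)
```

Run audit_weak_enctypes() over the contents of /etc/krb5.conf to see which of the advisory's defaults a host has overridden.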
The following package changes have been done:
- krb5-1.20.1-150600.11.14.1 updated
- libcurl4-8.14.1-150700.7.2.1 updated
- curl-8.14.1-150700.7.2.1 updated
- go1.24-doc-1.24.9-150000.1.42.1 updated
- go1.24-1.24.9-150000.1.42.1 updated
- go1.24-race-1.24.9-150000.1.42.1 updated
- container:registry.suse.com-bci-bci-base-15.7-231a93ad62347ed0484baa9242d06c7c7fc48241452613423a9c25e30102fb8f-0 updated