SUSE-CU-2025:6793-1: Security update of bci/golang
sle-container-updates at lists.suse.com
Fri Sep 12 19:23:11 UTC 2025
SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:6793-1
Container Tags : bci/golang:1.25 , bci/golang:1.25.1 , bci/golang:1.25.1-1.71.5 , bci/golang:latest , bci/golang:stable , bci/golang:stable-1.71.5
Container Release : 71.5
Severity : important
Type : security
References : 1228260 1236589 1243397 1243706 1243933 1244485 1246197 1247816
1248082 1249141 1249191 1249348 1249367 CVE-2024-6874 CVE-2025-0665
CVE-2025-10148 CVE-2025-47910 CVE-2025-4947 CVE-2025-5025 CVE-2025-5399
CVE-2025-9086
-----------------------------------------------------------------
The container bci/golang was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3198-1
Released: Fri Sep 12 14:15:08 2025
Summary: Security update for curl
Type: security
Severity: important
References: 1228260,1236589,1243397,1243706,1243933,1246197,1249191,1249348,1249367,CVE-2024-6874,CVE-2025-0665,CVE-2025-10148,CVE-2025-4947,CVE-2025-5025,CVE-2025-5399,CVE-2025-9086
This update for curl fixes the following issues:
Update to version 8.14.1 (jsc#PED-13055, jsc#PED-13056).
Security issues fixed:
- CVE-2025-0665: eventfd double close can cause libcurl to act unreliably (bsc#1236589).
- CVE-2025-4947: QUIC certificate check skipped with wolfSSL allows for MITM attacks (bsc#1243397).
- CVE-2025-5025: no QUIC certificate pinning with wolfSSL can lead to connections to impostor servers that are not
easily noticed (bsc#1243706).
- CVE-2025-5399: bug in websocket code can cause libcurl to get trapped in an endless busy-loop when processing
specially crafted packets (bsc#1243933).
- CVE-2024-6874: punycode conversions to/from IDN can leak stack content when libcurl is built to use the macidn IDN
backend (bsc#1228260).
- CVE-2025-9086: bug in path comparison logic when processing cookies can lead to out-of-bounds read in heap buffer (bsc#1249191).
- CVE-2025-10148: predictable websocket mask can lead to proxy cache poisoning by malicious server (bsc#1249348).
Other issues fixed:
- Fix wrong return code when --retry is used (bsc#1249367).
  * tool_operate: fix return code when --retry is used but not triggered [b42776b]
- Fix the --ftp-pasv option in curl v8.14.1 (bsc#1246197).
  * tool_getparam: fix --ftp-pasv [5f805ee]
- Fixed with version 8.14.1:
  * TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs.
  * websocket: add option to disable auto-pong reply.
  * huge number of bugfixes.
Please see https://curl.se/ch/ for full changelogs.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3200-1
Released: Fri Sep 12 14:22:05 2025
Summary: Security update for go1.25
Type: security
Severity: moderate
References: 1244485,1247816,1248082,1249141,CVE-2025-47910
This update for go1.25 fixes the following issues:
Update to go1.25.1, released 2025-09-03 (bsc#1244485).
Security issues fixed:
- CVE-2025-47910: net/http: `CrossOriginProtection` insecure bypass patterns not limited to exact matches (bsc#1249141).
Other issues fixed:
- go#74822 cmd/go: 'get toolchain@latest' should ignore release candidates.
- go#74999 net: WriteMsgUDPAddrPort should accept IPv4-mapped IPv6 destination addresses on IPv4 UDP sockets.
- go#75008 os/exec: TestLookPath fails on plan9 after CL 685755.
- go#75021 testing/synctest: bubble not terminating.
- go#75083 os: File.Seek doesn't set the correct offset with Windows overlapped handles.
The following package changes have been done:
- go1.25-doc-1.25.1-150000.1.8.1 updated
- libcurl4-8.14.1-150600.4.28.1 updated
- curl-8.14.1-150600.4.28.1 updated
- go1.25-1.25.1-150000.1.8.1 updated
- go1.25-race-1.25.1-150000.1.8.1 updated