SUSE-CU-2026:492-1: Security update of bci/golang

sle-container-updates at lists.suse.com sle-container-updates at lists.suse.com
Fri Jan 30 08:24:02 UTC 2026


SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:492-1
Container Tags        : bci/golang:1.24-openssl , bci/golang:1.24.12-openssl , bci/golang:1.24.12-openssl-81.12 , bci/golang:oldstable-openssl , bci/golang:oldstable-openssl-81.12
Container Release     : 81.12
Severity              : critical
Type                  : security
References            : 1236217 1245878 1247816 1248082 1249985 1251224 1251253 1251254
                        1251255 1251256 1251257 1251258 1251259 1251260 1251261 1251262
                        1254430 1254431 1256105 1256816 1256817 1256818 1256819 1256820
                        1256821 1256830 1256834 1256835 1256836 1256837 1256838 1256839
                        1256840 1257049 CVE-2025-14017 CVE-2025-15467 CVE-2025-47912
                        CVE-2025-58183 CVE-2025-58185 CVE-2025-58186 CVE-2025-58187 CVE-2025-58188
                        CVE-2025-58189 CVE-2025-61723 CVE-2025-61724 CVE-2025-61725 CVE-2025-61726
                        CVE-2025-61727 CVE-2025-61728 CVE-2025-61729 CVE-2025-61730 CVE-2025-61731
                        CVE-2025-68119 CVE-2025-68121 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419
                        CVE-2025-69420 CVE-2025-69421 CVE-2026-0988 CVE-2026-22795 CVE-2026-22796
-----------------------------------------------------------------

The container bci/golang was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:221-1
Released:    Thu Jan 22 13:15:35 2026
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1256105,CVE-2025-14017
This update for curl fixes the following issues:

- CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:242-1
Released:    Thu Jan 22 14:57:13 2026
Summary:     Recommended update for git
Type:        recommended
Severity:    moderate
References:  1251224

This update for git fixes the following issue:

- Revert incorrect AppArmor profile change, in SLE 15 the binaries remain
  in /usr/lib/git (bsc#1251224)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:286-1
Released:    Sat Jan 24 00:35:35 2026
Summary:     Security update for glib2
Type:        security
Severity:    low
References:  1257049,CVE-2026-0988
This update for glib2 fixes the following issues:

- CVE-2026-0988: Fixed a potential integer overflow in g_buffered_input_stream_peek (bsc#1257049).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:308-1
Released:    Wed Jan 28 09:38:38 2026
Summary:     Security update for go1.24-openssl
Type:        security
Severity:    important
References:  1236217,1245878,1247816,1248082,1249985,1251253,1251254,1251255,1251256,1251257,1251258,1251259,1251260,1251261,1251262,1254430,1254431,1256816,1256817,1256818,1256819,1256820,1256821,CVE-2025-47912,CVE-2025-58183,CVE-2025-58185,CVE-2025-58186,CVE-2025-58187,CVE-2025-58188,CVE-2025-58189,CVE-2025-61723,CVE-2025-61724,CVE-2025-61725,CVE-2025-61726,CVE-2025-61727,CVE-2025-61728,CVE-2025-61729,CVE-2025-61730,CVE-2025-61731,CVE-2025-68119,CVE-2025-68121
This update for go1.24-openssl fixes the following issues:

Update to version 1.24.12 (released 2026-01-15) (jsc#SLE-18320, bsc#1236217):

Security fixes:

 - CVE-2025-47912: net/url: insufficient validation of bracketed IPv6 hostnames (bsc#1251257).
 - CVE-2025-58183: archive/tar: unbounded allocation when parsing GNU sparse map (bsc#1251261).
 - CVE-2025-58185: encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion (bsc#1251258).
 - CVE-2025-58186: net/http: lack of limit when parsing cookies can cause memory exhaustion (bsc#1251259).
 - CVE-2025-58187: crypto/x509: quadratic complexity when checking name constraints (bsc#1251254).
 - CVE-2025-58188: crypto/x509: panic when validating certificates with DSA public keys (bsc#1251260).
 - CVE-2025-58189: crypto/tls: ALPN negotiation error contains attacker controlled information (bsc#1251255).
 - CVE-2025-61723: encoding/pem: quadratic complexity when parsing some invalid inputs (bsc#1251256).
 - CVE-2025-61724: net/textproto: excessive CPU consumption in Reader.ReadResponse (bsc#1251262).
 - CVE-2025-61725: net/mail: excessive CPU consumption in ParseAddress (bsc#1251253).
 - CVE-2025-61726: net/http: memory exhaustion in Request.ParseForm (bsc#1256817).
 - CVE-2025-61727: crypto/x509: excluded subdomain constraint doesn't preclude wildcard SAN (bsc#1254430).
 - CVE-2025-61728: archive/zip: denial of service when parsing arbitrary ZIP archives (bsc#1256816).
 - CVE-2025-61729: crypto/x509: excessive resource consumption in printing error string for host certificate validation (bsc#1254431).
 - CVE-2025-61730: crypto/tls: handshake messages may be processed at the incorrect encryption level (bsc#1256821).
 - CVE-2025-61731: cmd/go: bypass of flag sanitization can lead to arbitrary code execution (bsc#1256819).
 - CVE-2025-68119: cmd/go: unexpected code execution when invoking toolchain (bsc#1256820).
 - CVE-2025-68121: crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain (bsc#1256818).

Other fixes:

  * go#74818 net: WriteMsgUDPAddrPort should accept IPv4-mapped IPv6 destination addresses on IPv4 UDP sockets
  * go#74821 cmd/go: 'get toolchain@latest' should ignore release candidates
  * go#75007 os/exec: TestLookPath fails on plan9 after CL 685755
  * go#75138 os: Root.OpenRoot sets incorrect name, losing prefix of original root
  * go#75220 debug/pe: pe.Open fails on object files produced by llvm-mingw 21
  * go#75351 cmd/link: panic on riscv64 with CGO enabled due to empty container symbol
  * go#75356 net: new test TestIPv4WriteMsgUDPAddrPortTargetAddrIPVersion fails on plan9
  * go#75359 os: new test TestOpenFileCreateExclDanglingSymlink fails on Plan 9
  * go#75523 crypto/internal/fips140/rsa: requires a panic if self-tests fail
  * go#75538 net/http: internal error: connCount underflow
  * go#75594 cmd/compile: internal compiler error with GOEXPERIMENT=cgocheck2 on github.com/leodido/go-urn
  * go#75609 sync/atomic: comment for Uintptr.Or incorrectly describes return value
  * go#75831 net/url: ipv4 mapped ipv6 addresses should be valid in square brackets
  * go#75860 crypto/x509: TLS validation fails for FQDNs with trailing dot
  * go#75951 encoding/pem: regression when decoding blocks with leading garbage
  * go#76028 pem/encoding: malformed line endings can cause panics
  * go#76378 internal/cpu: incorrect CPU features bit parsing on loong64 cause illegal instruction core dumps on LA364 cores
  * go#76408 crypto/tls: earlyTrafficSecret should use ClientHelloInner if ECH enabled
  * go#76624 os: on Unix, Readdirnames skips directory entries with zero inodes
  * go#76760 runtime: stack split at bad time in os/signal with Go 1.25.4 windows 386
  * go#76796 runtime: race detector crash on ppc64le
  * go#76966 cmd/compile/internal/ssa: Compile.func1(): panic during sccp while compiling <function>: runtime error: index out of range

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:309-1
Released:    Wed Jan 28 10:36:32 2026
Summary:     Security update for openssl-3
Type:        security
Severity:    critical
References:  1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796
This update for openssl-3 fixes the following issues:

 - CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830).
 - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
 - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
 - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
 - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
 - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
 - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
 - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).


The following package changes have been done:

- libopenssl3-3.2.3-150700.5.24.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated
- libglib-2_0-0-2.78.6-150600.4.28.1 updated
- libcurl4-8.14.1-150700.7.11.1 updated
- curl-8.14.1-150700.7.11.1 updated
- go1.24-openssl-doc-1.24.12-150600.13.15.1 updated
- git-core-2.51.0-150600.3.15.1 updated
- libopenssl-3-devel-3.2.3-150700.5.24.1 updated
- go1.24-openssl-1.24.12-150600.13.15.1 updated
- go1.24-openssl-race-1.24.12-150600.13.15.1 updated
- container:registry.suse.com-bci-bci-base-15.7-f9184822761ad484aca07587791f6b9d7abdb9a0b5cb88d5017f8891d8d8b001-0 updated

