SUSE-CU-2026:500-1: Security update of bci/golang

sle-container-updates at lists.suse.com
Fri Jan 30 16:33:39 UTC 2026


SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:500-1
Container Tags        : bci/golang:1.25-openssl , bci/golang:1.25.6-openssl , bci/golang:1.25.6-openssl-81.13 , bci/golang:latest , bci/golang:stable-openssl , bci/golang:stable-openssl-81.13
Container Release     : 81.13
Severity              : critical
Type                  : security
References            : 1244485 1245878 1246118 1247719 1247720 1247816 1248082 1249141
                        1249985 1251224 1251253 1251254 1251255 1251256 1251257 1251258
                        1251259 1251260 1251261 1251262 1254227 1254430 1254431 1256105
                        1256816 1256817 1256818 1256819 1256820 1256821 1256830 1256834
                        1256835 1256836 1256837 1256838 1256839 1256840 1257049 CVE-2025-14017
                        CVE-2025-15467 CVE-2025-4674 CVE-2025-47906 CVE-2025-47907 CVE-2025-47910
                        CVE-2025-47912 CVE-2025-58183 CVE-2025-58185 CVE-2025-58186 CVE-2025-58187
                        CVE-2025-58188 CVE-2025-58189 CVE-2025-61723 CVE-2025-61724 CVE-2025-61725
                        CVE-2025-61726 CVE-2025-61727 CVE-2025-61728 CVE-2025-61729 CVE-2025-61730
                        CVE-2025-61731 CVE-2025-68119 CVE-2025-68121 CVE-2025-68160 CVE-2025-69418
                        CVE-2025-69419 CVE-2025-69420 CVE-2025-69421 CVE-2026-0988 CVE-2026-22795
                        CVE-2026-22796 
-----------------------------------------------------------------

The container bci/golang was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:221-1
Released:    Thu Jan 22 13:15:35 2026
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1256105,CVE-2025-14017
This update for curl fixes the following issues:

- CVE-2025-14017: Fixed broken TLS options for threaded LDAPS (bsc#1256105).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2026:242-1
Released:    Thu Jan 22 14:57:13 2026
Summary:     Recommended update for git
Type:        recommended
Severity:    moderate
References:  1251224

This update for git fixes the following issue:

- Revert incorrect AppArmor profile change, in SLE 15 the binaries remain
  in /usr/lib/git (bsc#1251224)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:286-1
Released:    Sat Jan 24 00:35:35 2026
Summary:     Security update for glib2
Type:        security
Severity:    low
References:  1257049,CVE-2026-0988
This update for glib2 fixes the following issues:

- CVE-2026-0988: Fixed a potential integer overflow in g_buffered_input_stream_peek (bsc#1257049).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:298-1
Released:    Mon Jan 26 17:11:03 2026
Summary:     Security update for go1.25-openssl
Type:        security
Severity:    important
References:  1244485,1245878,1246118,1247719,1247720,1247816,1248082,1249141,1249985,1251253,1251254,1251255,1251256,1251257,1251258,1251259,1251260,1251261,1251262,1254227,1254430,1254431,1256816,1256817,1256818,1256819,1256820,1256821,CVE-2025-4674,CVE-2025-47906,CVE-2025-47907,CVE-2025-47910,CVE-2025-47912,CVE-2025-58183,CVE-2025-58185,CVE-2025-58186,CVE-2025-58187,CVE-2025-58188,CVE-2025-58189,CVE-2025-61723,CVE-2025-61724,CVE-2025-61725,CVE-2025-61726,CVE-2025-61727,CVE-2025-61728,CVE-2025-61729,CVE-2025-61730,CVE-2025-61731,CVE-2025-68119,CVE-2025-68121
This update for go1.25-openssl fixes the following issues:

Update to version 1.25.6 (released 2026-01-15) (jsc#SLE-18320, bsc#1244485):

Security fixes:

 - CVE-2025-4674 cmd/go: disable support for multiple vcs in one module (bsc#1246118).
 - CVE-2025-47906 os/exec: LookPath bug: incorrect expansion of '', '.' and '..' in some PATH configurations (bsc#1247719).
 - CVE-2025-47907 database/sql: incorrect results returned from Rows.Scan (bsc#1247720).
 - CVE-2025-47910 net/http: CrossOriginProtection insecure bypass patterns not limited to exact matches (bsc#1249141).
 - CVE-2025-47912 net/url: insufficient validation of bracketed IPv6 hostnames (bsc#1251257).
 - CVE-2025-58183 archive/tar: unbounded allocation when parsing GNU sparse map (bsc#1251261).
 - CVE-2025-58185 encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion (bsc#1251258).
 - CVE-2025-58186 net/http: lack of limit when parsing cookies can cause memory exhaustion (bsc#1251259).
 - CVE-2025-58187 crypto/x509: quadratic complexity when checking name constraints (bsc#1251254).
 - CVE-2025-58188 crypto/x509: panic when validating certificates with DSA public keys (bsc#1251260).
 - CVE-2025-58189 crypto/tls: ALPN negotiation error contains attacker controlled information (bsc#1251255).
 - CVE-2025-61723 encoding/pem: quadratic complexity when parsing some invalid inputs (bsc#1251256).
 - CVE-2025-61724 net/textproto: excessive CPU consumption in Reader.ReadResponse (bsc#1251262).
 - CVE-2025-61725 net/mail: excessive CPU consumption in ParseAddress (bsc#1251253).
 - CVE-2025-61726 net/http: memory exhaustion in Request.ParseForm (bsc#1256817).
 - CVE-2025-61727 crypto/x509: excluded subdomain constraint doesn't preclude wildcard SAN (bsc#1254430).
 - CVE-2025-61728 archive/zip: denial of service when parsing arbitrary ZIP archives (bsc#1256816).
 - CVE-2025-61729 crypto/x509: excessive resource consumption in printing error string for host certificate validation (bsc#1254431).
 - CVE-2025-61730 crypto/tls: handshake messages may be processed at the incorrect encryption level (bsc#1256821).
 - CVE-2025-61731 cmd/go: bypass of flag sanitization can lead to arbitrary code execution (bsc#1256819).
 - CVE-2025-68119 cmd/go: unexpected code execution when invoking toolchain (bsc#1256820).
 - CVE-2025-68121 crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain (bsc#1256818).

Other fixes:

  * go#74822 cmd/go: 'get toolchain@latest' should ignore release candidates
  * go#74999 net: WriteMsgUDPAddrPort should accept IPv4-mapped IPv6 destination addresses on IPv4 UDP sockets
  * go#75008 os/exec: TestLookPath fails on plan9 after CL 685755
  * go#75021 testing/synctest: bubble not terminating
  * go#75083 os: File.Seek doesn't set the correct offset with Windows overlapped handles
  * go#75111 os, syscall: volume handles with FILE_FLAG_OVERLAPPED fail when calling ReadAt
  * go#75116 os: Root.MkdirAll can return 'file exists' when called concurrently on the same path
  * go#75139 os: Root.OpenRoot sets incorrect name, losing prefix of original root
  * go#75221 debug/pe: pe.Open fails on object files produced by llvm-mingw 21
  * go#75255 cmd/compile: export to DWARF types only referenced through interfaces
  * go#75347 testing/synctest: test timeout with no runnable goroutines
  * go#75357 net: new test TestIPv4WriteMsgUDPAddrPortTargetAddrIPVersion fails on plan9
  * go#75480 cmd/link: linker panic and relocation errors with complex generics inlining
  * go#75524 crypto/internal/fips140/rsa: requires a panic if self-tests fail
  * go#75537 context: Err can return non-nil before Done channel is closed
  * go#75539 net/http: internal error: connCount underflow
  * go#75595 cmd/compile: internal compiler error with GOEXPERIMENT=cgocheck2 on github.com/leodido/go-urn
  * go#75610 sync/atomic: comment for Uintptr.Or incorrectly describes return value
  * go#75669 runtime: debug.decoratemappings don't work as expected
  * go#75775 runtime: build fails when run via QEMU for linux/amd64 running on linux/arm64
  * go#75777 spec: Go1.25 spec should be dated closer to actual release date
  * go#75790 crypto/internal/fips140/subtle: Go 1.25 subtle.xorBytes panic on MIPS
  * go#75832 net/url: ipv4 mapped ipv6 addresses should be valid in square brackets
  * go#75861 crypto/x509: TLS validation fails for FQDNs with trailing dot
  * go#75952 encoding/pem: regression when decoding blocks with leading garbage
  * go#75989 os: on windows RemoveAll removing directories containing read-only files errors with unlinkat ... Access is denied
  * go#76010 cmd/compile: any(func(){})==any(func(){}) does not panic but should
  * go#76029 pem/encoding: malformed line endings can cause panics
  * go#76245 mime: FormatMediaType and ParseMediaType not compatible across 1.24 to 1.25
  * go#76360 os: on windows RemoveAll removing directories containing read-only files errors with unlinkat ... Access is denied, ReOpenFile error handling followup
  * go#76392 os: package initialization hangs is Stdin is blocked
  * go#76409 crypto/tls: earlyTrafficSecret should use ClientHelloInner if ECH enabled
  * go#76620 os: on Unix, Readdirnames skips directory entries with zero inodes
  * go#76761 runtime: stack split at bad time in os/signal with Go 1.25.4 windows 386
  * go#76776 runtime: race detector crash on ppc64le
  * go#76967 cmd/compile/internal/ssa: Compile.func1(): panic during sccp while compiling <function>: runtime error: index out of range
  * go#76973 errors: errors.Join behavior changed in 1.25

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:309-1
Released:    Wed Jan 28 10:36:32 2026
Summary:     Security update for openssl-3
Type:        security
Severity:    critical
References:  1256830,1256834,1256835,1256836,1256837,1256838,1256839,1256840,CVE-2025-15467,CVE-2025-68160,CVE-2025-69418,CVE-2025-69419,CVE-2025-69420,CVE-2025-69421,CVE-2026-22795,CVE-2026-22796
This update for openssl-3 fixes the following issues:

 - CVE-2025-15467: Stack buffer overflow in CMS AuthEnvelopedData parsing (bsc#1256830).
 - CVE-2025-68160: Heap out-of-bounds write in BIO_f_linebuffer on short writes (bsc#1256834).
 - CVE-2025-69418: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls (bsc#1256835).
 - CVE-2025-69419: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion (bsc#1256836).
 - CVE-2025-69420: Missing ASN1_TYPE validation in TS_RESP_verify_response() function (bsc#1256837).
 - CVE-2025-69421: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function (bsc#1256838).
 - CVE-2026-22795: Missing ASN1_TYPE validation in PKCS#12 parsing (bsc#1256839).
 - CVE-2026-22796: ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function (bsc#1256840).


The following package changes have been done:

- libopenssl3-3.2.3-150700.5.24.1 updated
- libopenssl-3-fips-provider-3.2.3-150700.5.24.1 updated
- libglib-2_0-0-2.78.6-150600.4.28.1 updated
- libcurl4-8.14.1-150700.7.11.1 updated
- curl-8.14.1-150700.7.11.1 updated
- go1.25-openssl-doc-1.25.6-150600.13.9.1 updated
- git-core-2.51.0-150600.3.15.1 updated
- libopenssl-3-devel-3.2.3-150700.5.24.1 updated
- go1.25-openssl-1.25.6-150600.13.9.1 updated
- go1.25-openssl-race-1.25.6-150600.13.9.1 updated
- container:registry.suse.com-bci-bci-base-15.7-f9184822761ad484aca07587791f6b9d7abdb9a0b5cb88d5017f8891d8d8b001-0 updated

