SUSE-SU-2025:03159-1: important: Security update for go1.23-openssl
SLE-UPDATES
null at suse.de
Thu Sep 11 08:30:37 UTC 2025
# Security update for go1.23-openssl
Announcement ID: SUSE-SU-2025:03159-1
Release Date: 2025-09-11T03:05:08Z
Rating: important
References:
* bsc#1229122
* bsc#1236045
* bsc#1236046
* bsc#1236801
* bsc#1238572
* bsc#1240550
* bsc#1244156
* bsc#1244157
* bsc#1246118
* bsc#1247719
* bsc#1247720
* bsc#1247816
* jsc#SLE-18320
Cross-References:
* CVE-2024-45336
* CVE-2024-45341
* CVE-2025-0913
* CVE-2025-22866
* CVE-2025-22870
* CVE-2025-22871
* CVE-2025-4673
* CVE-2025-4674
* CVE-2025-47906
* CVE-2025-47907
CVSS scores:
* CVE-2024-45336 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2024-45336 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* CVE-2024-45341 ( SUSE ): 4.2 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
* CVE-2024-45341 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* CVE-2025-0913 ( SUSE ): 6.8
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2025-0913 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
* CVE-2025-0913 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
* CVE-2025-22866 ( SUSE ): 6.0
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2025-22866 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
* CVE-2025-22866 ( NVD ): 4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2025-22870 ( SUSE ): 4.8
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
* CVE-2025-22870 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
* CVE-2025-22870 ( NVD ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
* CVE-2025-22871 ( SUSE ): 6.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
* CVE-2025-22871 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
* CVE-2025-22871 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2025-4673 ( SUSE ): 8.9
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
* CVE-2025-4673 ( SUSE ): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
* CVE-2025-4673 ( NVD ): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
* CVE-2025-4674 ( SUSE ): 9.3
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
* CVE-2025-4674 ( SUSE ): 8.6 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
* CVE-2025-4674 ( NVD ): 8.6 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
* CVE-2025-47906 ( SUSE ): 2.1
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2025-47906 ( SUSE ): 4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2025-47907 ( SUSE ): 2.1
CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2025-47907 ( SUSE ): 5.7 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
* CVE-2025-47907 ( NVD ): 7.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
Affected Products:
* Development Tools Module 15-SP6
* Development Tools Module 15-SP7
* openSUSE Leap 15.6
* SUSE Linux Enterprise Desktop 15 SP6
* SUSE Linux Enterprise Desktop 15 SP7
* SUSE Linux Enterprise Real Time 15 SP6
* SUSE Linux Enterprise Real Time 15 SP7
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server 15 SP7
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP7
An update that solves 10 vulnerabilities, contains one feature and has two
security fixes can now be installed.
## Description:
This update for go1.23-openssl fixes the following issues:
Update to version 1.23.12 cut from the go1.23-fips-release branch at the
revision tagged go1.23.12-1-openssl-fips. ( jsc#SLE-18320)
* Rebase to 1.23.12
* Fix HKDF-Extract The latest OpenSSL in c9s/c10s requires nil salt to be
passed as a hash length buffer of zeros.
Packaging improvements:
* Update go_bootstrap_version to go1.21 from go1.20 to shorten the bootstrap
chain. go1.21 can optionally be bootstrapped with gccgo and serve as the
inital version of go1.x.
* Refs boo#1247816 bootstrap go1.21 with gccgo
go1.23.12 (released 2025-08-06) includes security fixes to the database/sql and
os/exec packages, as well as bug fixes to the runtime.
CVE-2025-47906 CVE-2025-47907: * go#74803 go#74466 boo#1247719 security: fix
CVE-2025-47906 os/exec: LookPath bug: incorrect expansion of "", "." and ".." in
some PATH configurations * go#74832 go#74831 boo#1247720 security: fix
CVE-2025-47907 database/sql: incorrect results returned from Rows.Scan
* go#74415 runtime: use-after-free of allpSnapshot in findRunnable
* go#74693 runtime: segfaults in runtime.(*unwinder).next
* go#74721 cmd/go: TestScript/build_trimpath_cgo fails to decode dwarf on
release-branch.go1.23
* go#74726 cmd/cgo/internal/testsanitizers: failures with signal: segmentation
fault or exit status 66
go1.23.11 (released 2025-07-08) includes security fixes to the go command, as
well as bug fixes to the compiler, the linker, and the runtime.
CVE-2025-4674: * go#74382 go#74380 boo#1246118 security: fix CVE-2025-4674
cmd/go: disable support for multiple vcs in one module
* go#73907 runtime: bad frame pointer during panic during duffcopy
* go#74289 runtime: heap mspan limit is set too late, causing data race
between span allocation and conservative scanning
* go#74293 internal/trace: stress tests triggering suspected deadlock in
tracer
* go#74362 runtime/pprof: crash "cannot read stack of running goroutine" in
goroutine profile
* go#74402 cmd/link: duplicated definition of symbol
github.com/ebitengine/purego.syscall15XABI0 when running with ASAN
go1.23.10 (released 2025-06-05) includes security fixes to the net/http and os
packages, as well as bug fixes to the linker. (boo#1229122 go1.23 release
tracking)
CVE-2025-0913 CVE-2025-4673: * go#73719 go#73612 boo#1244157 security: fix
CVE-2025-0913 os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows *
go#73905 go#73816 boo#1244156 security: fix CVE-2025-4673 net/http: sensitive
headers not cleared on cross-origin redirect
* go#73677 runtime/debug: BuildSetting does not document DefaultGODEBUG
* go#73831 cmd/link: Go 1.24.3 and 1.23.9 regression - duplicated definition
of symbol dlopen
go1.23.9 (released 2025-05-06) includes fixes to the runtime and the linker.
(boo#1229122 go1.23 release tracking)
* go#73091 cmd/link: linkname directive on userspace variable can override
runtime variable
* go#73380 runtime, x/sys/unix: Connectx is broken on darwin/amd64
go1.23.8 (released 2025-04-01) includes security fixes to the net/http package,
as well as bug fixes to the runtime and the go command.
CVE-2025-22871: * go#72010 go#71988 boo#1240550 security: fix CVE-2025-22871
net/http: reject bare LF in chunked encoding
* go#72114 runtime: process hangs for mips hardware
* go#72871 runtime: cgo callback on extra M treated as external code after
nested cgo callback returns
* go#72937 internal/godebugs: winsymlink and winreadlinkvolume have incorrect
defaults for Go 1.22
go1.23.7 (released 2025-03-04) includes security fixes to the net/http package,
as well as bug fixes to cgo, the compiler, and the reflect, runtime, and syscall
packages.
CVE-2025-22870: * go#71985 go#71984 boo#1238572 security: fix CVE-2025-22870
net/http, x/net/proxy, x/net/http/httpproxy: proxy bypass using IPv6 zone IDs
* go#71727 runtime: usleep computes wrong tv_nsec on s390x
* go#71839 runtime: recover added in range-over-func loop body doesn't stop
panic propagation / segfaults printing error
* go#71848 os: spurious SIGCHILD on running child process
* go#71875 reflect: Value.Seq panicking on functional iterator methods
* go#71915 reflect: Value.Seq iteration value types not matching the type of
given int types
* go#71962 runtime/cgo: does not build with -Wdeclaration-after-statement
go1.23.6 (released 2025-02-04) includes security fixes to the crypto/elliptic
package, as well as bug fixes to the compiler and the go command.
CVE-2025-22866 * go#71423 go#71383 boo#1236801 security: fix CVE-2025-22866
crypto/internal/fips140/nistec: p256NegCond is variable time on ppc64le
* go#71263 cmd/go/internal/modfetch/codehost: test fails with git 2.47.1
* go#71230 cmd/compile: broken write barrier
go1.23.5 (released 2025-01-16) includes security fixes to the crypto/x509 and
net/http packages, as well as bug fixes to the compiler, the runtime, and the
net package.
CVE-2024-45341 CVE-2024-45336: * go#71208 go#71156 boo#1236045 security: fix
CVE-2024-45341 crypto/x509: usage of IPv6 zone IDs can bypass URI name
constraints * go#71211 go#70530 boo#1236046 security: fix CVE-2024-45336
net/http: sensitive headers incorrectly sent after cross-domain redirect
* go#69988 runtime: severe performance drop for cgo calls in go1.22.5
* go#70517 cmd/compile/internal/importer: flip enable alias to true
* go#70789 os: io.Copy(net.Conn, os.Stdin) on MacOS terminate immediately
without waiting for input
* go#71104 crypto/tls: TestVerifyConnection/TLSv12 failures
* go#71147 internal/trace: TestTraceCPUProfile/Stress failures
go1.23.4 (released 2024-12-03) includes fixes to the compiler, the runtime, the
trace command, and the syscall package.
* go#70644 crypto/rsa: new key generation prohibitively slow under race
detector
* go#70645 proposal: go/types: add Scope.Node convenience getter
* go#70646 x/tools/gopls: unimported completion corrupts import decl
(client=BBEdit)
* go#70648 crypto/tls: TestHandshakeClientECDHEECDSAAESGCM/TLSv12 failures
* go#70649 x/benchmarks/sweet/cmd/sweet: TestSweetEndToEnd failures
* go#70650 crypto/tls: TestGetClientCertificate/TLSv13 failures
* go#70651 x/tools/go/gcexportdata: simplify implementation assuming go >=
1.21
* go#70654 cmd/go: Incorrect output from go list
* go#70655 x/build/cmd/relui: add workflows for some remaining manual
recurring Go major release cycle tasks
* go#70657 proposal: bufio: Scanner.IterText/Scanner.IterBytes
* go#70658 x/net/http2: stuck extended CONNECT requests
* go#70659 os: TestRootDirFS failures on linux-mips64 and linux-mips64le arch-
mips
* go#70660 crypto/ecdsa: TestRFC6979 failures on s390x
* go#70664 x/mobile: target maccatalyst cannot find OpenGLES header
* go#70665 x/tools/gopls: refactor.extract.variable fails at package level
* go#70666 x/tools/gopls: panic in GetIfaceStubInfo
* go#70667 proposal: crypto/x509: support extracting X25519 public keys from
certificates
* go#70668 proposal: x/mobile: better support for unrecovered panics
* go#70669 cmd/go: local failure in TestScript/build_trimpath_cgo
* go#70670 cmd/link: unused functions aren't getting deadcoded from the binary
* go#70674 x/pkgsite: package removal request for
https://pkg.go.dev/github.com/uisdevsquad/go-test/debugmate
* go#70675 cmd/go/internal/lockedfile: mountrpc flake in TestTransform on
plan9
* go#70677 all: remote file server I/O flakiness with "Bad fid" errors on
plan9
* go#70678 internal/poll: deadlock on 'Intel(R) Xeon(R) Platinum' when an FD
is closed
* go#70679 mime/multipart: With go 1.23.3, mime/multipart does not link
Update to version 1.23.2.3 cut from the go1.23-fips-release branch at the
revision tagged go1.23.2-3-openssl-fips. ( jsc#SLE-18320)
* Add negative tests for openssl (#243)
go1.23.3 (released 2024-11-06) includes fixes to the linker, the runtime, and
the net/http, os, and syscall packages.
* go#69258 runtime: corrupted GoroutineProfile stack traces
* go#69259 runtime: multi-arch build via qemu fails to exec go binary
* go#69640 os: os.checkPidfd() crashes with SIGSYS
* go#69746 runtime: TestGdbAutotmpTypes failures
* go#69848 cmd/compile: syscall.Syscall15: nosplit stack over 792 byte limit
* go#69865 runtime: MutexProfile missing root frames in go1.23
* go#69882 time,runtime: too many concurrent timer firings for short
time.Ticker
* go#69978 time,runtime: too many concurrent timer firings for short, fast-
resetting time.Timer
* go#69992 cmd/link: LC_UUID not generated by go linker, resulting in failure
to access local network on macOS 15
* go#70001 net/http/pprof: coroutines + pprof makes the program panic
* go#70020 net/http: short writes with FileServer on macos
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.6
zypper in -t patch SUSE-2025-3159=1 openSUSE-SLE-15.6-2025-3159=1
* Development Tools Module 15-SP6
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP6-2025-3159=1
* Development Tools Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP7-2025-3159=1
## Package List:
* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586)
* go1.23-openssl-1.23.12-150600.13.9.1
* go1.23-openssl-doc-1.23.12-150600.13.9.1
* go1.23-openssl-debuginfo-1.23.12-150600.13.9.1
* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
* go1.23-openssl-race-1.23.12-150600.13.9.1
* Development Tools Module 15-SP6 (aarch64 ppc64le s390x x86_64)
* go1.23-openssl-1.23.12-150600.13.9.1
* go1.23-openssl-doc-1.23.12-150600.13.9.1
* go1.23-openssl-race-1.23.12-150600.13.9.1
* go1.23-openssl-debuginfo-1.23.12-150600.13.9.1
* Development Tools Module 15-SP7 (aarch64 ppc64le s390x x86_64)
* go1.23-openssl-1.23.12-150600.13.9.1
* go1.23-openssl-doc-1.23.12-150600.13.9.1
* go1.23-openssl-race-1.23.12-150600.13.9.1
* go1.23-openssl-debuginfo-1.23.12-150600.13.9.1
## References:
* https://www.suse.com/security/cve/CVE-2024-45336.html
* https://www.suse.com/security/cve/CVE-2024-45341.html
* https://www.suse.com/security/cve/CVE-2025-0913.html
* https://www.suse.com/security/cve/CVE-2025-22866.html
* https://www.suse.com/security/cve/CVE-2025-22870.html
* https://www.suse.com/security/cve/CVE-2025-22871.html
* https://www.suse.com/security/cve/CVE-2025-4673.html
* https://www.suse.com/security/cve/CVE-2025-4674.html
* https://www.suse.com/security/cve/CVE-2025-47906.html
* https://www.suse.com/security/cve/CVE-2025-47907.html
* https://bugzilla.suse.com/show_bug.cgi?id=1229122
* https://bugzilla.suse.com/show_bug.cgi?id=1236045
* https://bugzilla.suse.com/show_bug.cgi?id=1236046
* https://bugzilla.suse.com/show_bug.cgi?id=1236801
* https://bugzilla.suse.com/show_bug.cgi?id=1238572
* https://bugzilla.suse.com/show_bug.cgi?id=1240550
* https://bugzilla.suse.com/show_bug.cgi?id=1244156
* https://bugzilla.suse.com/show_bug.cgi?id=1244157
* https://bugzilla.suse.com/show_bug.cgi?id=1246118
* https://bugzilla.suse.com/show_bug.cgi?id=1247719
* https://bugzilla.suse.com/show_bug.cgi?id=1247720
* https://bugzilla.suse.com/show_bug.cgi?id=1247816
* https://jira.suse.com/browse/SLE-18320
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20250911/99fba73d/attachment.htm>
More information about the sle-updates
mailing list