OESA-2025-2647
- Source
- https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-2647
- Import Source
- https://repo.openeuler.org/security/data/osv/OESA-2025-2647.json
- JSON Data
- https://api.osv.dev/v1/vulns/OESA-2025-2647
- Upstream
- Published
- 2025-11-14T12:38:02Z
- Modified
- 2025-11-14T13:02:50.138936Z
- Summary
- golang security update
- Details
-
.
Security Fix(es):
tar.Reader in the Go archive/tar component did not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions could cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input could result in large allocations.(CVE-2025-58183)
In Go before 1.24.8 and 1.25.x before 1.25.2, when parsing DER payloads, memories were being allocated prior to fully validating the payloads. This permits an attacker to craft a big empty DER payload to cause memory exhaustion in functions such as asn1.Unmarshal, x509.ParseCertificateRequest, and ocsp.ParseResponse.(CVE-2025-58185)
In Go before 1.24.8 and 1.25.x before 1.25.2, The Reader.ReadResponse function constructed a response string through repeated string concatenation of lines. When the number of lines in a response is large, this could cause excessive CPU consumption.(CVE-2025-61724)
- Database specific
{ "severity": "Medium" }- References