OESA-2025-2828
- Source
- https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-2828
- Import Source
- https://repo.openeuler.org/security/data/osv/OESA-2025-2828.json
- JSON Data
- https://api.osv.dev/v1/vulns/OESA-2025-2828
- Upstream
- Published
- 2025-12-12T12:20:44Z
- Modified
- 2025-12-12T12:44:49.923637Z
- Summary
- golang security update
- Details
-
.
Security Fix(es):
The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.(CVE-2025-47912)
Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.(CVE-2025-58186)
Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains.(CVE-2025-58187)
The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs.(CVE-2025-61723)
- Database specific
{ "severity": "High" }- References
Affected packages
openEuler:24.03-LTS-SP1 / golang
Package
- Name
- golang
- Purl
- pkg:rpm/openEuler/golang&distro=openEuler-24.03-LTS-SP1
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.21.4-40.oe2403sp1