SUSE-SU-2026:0977-1
- Source
- https://www.suse.com/support/update/announcement/2026/suse-su-20260977-1/
- Import Source
- https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:0977-1.json
- JSON Data
- https://api.osv.dev/v1/vulns/SUSE-SU-2026:0977-1
- Upstream
- Related
- Published
- 2026-03-23T16:35:10Z
- Modified
- 2026-03-25T08:31:31.803135Z
- Summary
- Security update for go1.25-openssl
- Details
-
This update for go1.25-openssl fixes the following issues:
Update to go 1.25.8 (bsc#1244485, jsc#SLE-18320):
- CVE-2025-61732: cmd/cgo: discrepancy between Go and C/C++ comment parsing allows for C code smuggling (bsc#1257692).
- CVE-2025-68121: crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain (bsc#1256818).
- CVE-2026-25679: net/url: reject IPv6 literal not at start of host (bsc#1259264).
- CVE-2026-27139: os: FileInfo can escape from a Root (bsc#1259268).
- CVE-2026-27142: html/template: URLs in meta content attribute actions are not escaped (bsc#1259265).
Changelog:
- go#77253 cmd/compile: miscompile of global array initialization
- go#77406 os: Go 1.25.x regression on RemoveAll for windows
- go#77413 runtime: netpollinit() incorrectly prints the error from linux.Eventfd
- go#77438 cmd/go: CGO compilation fails after upgrading from Go 1.25.5 to 1.25.6 due to --define-variable flag in pkg-config
- go#77531 net/smtp: expiry date of localhostCert for testing is too short
- go#75844 cmd/compile: OOM killed on linux/arm64
- go#77323 crypto/x509: single-label excluded DNS name constraints incorrectly match all wildcard SANs
- go#77425 crypto/tls: CL 737700 broke session resumption on macOS
- References
-
- https://www.suse.com/support/update/announcement/2026/suse-su-20260977-1/
- https://bugzilla.suse.com/1244485
- https://bugzilla.suse.com/1256818
- https://bugzilla.suse.com/1257692
- https://bugzilla.suse.com/1259264
- https://bugzilla.suse.com/1259265
- https://bugzilla.suse.com/1259268
- https://www.suse.com/security/cve/CVE-2025-61732
- https://www.suse.com/security/cve/CVE-2025-68121
- https://www.suse.com/security/cve/CVE-2026-25679
- https://www.suse.com/security/cve/CVE-2026-27139
- https://www.suse.com/security/cve/CVE-2026-27142
Affected packages
openSUSE:Leap 15.6
go1.25-openssl
Package
- Name
- go1.25-openssl
- Purl
- pkg:rpm/opensuse/go1.25-openssl&distro=openSUSE%20Leap%2015.6
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.25.8-150600.13.15.1
SUSE:Linux Enterprise Module for Development Tools 15 SP7
go1.25-openssl
Package
- Name
- go1.25-openssl
- Purl
- pkg:rpm/suse/go1.25-openssl&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP7
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.25.8-150600.13.15.1
SUSE:Linux Enterprise Server 15 SP6-LTSS
go1.25-openssl
Package
- Name
- go1.25-openssl
- Purl
- pkg:rpm/suse/go1.25-openssl&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP6-LTSS
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.25.8-150600.13.15.1
SUSE:Linux Enterprise Server for SAP Applications 15 SP6
go1.25-openssl
Package
- Name
- go1.25-openssl
- Purl
- pkg:rpm/suse/go1.25-openssl&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP6
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.25.8-150600.13.15.1