SUSE-SU-2026:1862-1
- Source
- https://www.suse.com/support/update/announcement/2026/suse-su-20261862-1/
- Import Source
- https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:1862-1.json
- JSON Data
- https://api.osv.dev/v1/vulns/SUSE-SU-2026:1862-1
- Upstream
- Related
- Published
- 2026-05-14T22:34:20Z
- Modified
- 2026-05-16T08:19:14.592386Z
- Summary
- Security update for go1.25
- Details
-
This update for go1.25 fixes the following issues
Security issues:
- CVE-2026-33811: net: crash when handling long CNAME response (bsc#1264508).
- CVE-2026-33814: net/http: infinite loop in HTTP/2 transport when given bad SETTINGSMAXFRAME_SIZE (bsc#1264506).
- CVE-2026-39817: cmd/go: 'go tool pack' does not sanitize output paths (bsc#1264505).
- CVE-2026-39819: cmd/go: 'go bug' follows symlinks in predictable temporary filenames (bsc#1264504).
- CVE-2026-39820: net/mail: quadratic string concatentation in consumeComment (bsc#1264503).
- CVE-2026-39823: html/template: bypass of meta content URL escaping causes XSS (bsc#1264509).
- CVE-2026-39825: net/http/httputil: ReverseProxy forwards queries with more than urlmaxqueryparams parameters (bsc#1264500).
- CVE-2026-39826: html/template: escaper bypass leads to XSS (bsc#1264507).
- CVE-2026-39836: net: panic in Dial and LookupPort when handling NUL byte on Windows (bsc#1264501).
- CVE-2026-42499: net/mail: quadratic string concatenation in consumePhrase (bsc#1264502).
- CVE-2026-42501: cmd/go: malicious module proxy can bypass checksum database (bsc#1264499).
Non security issues:
- Updated to go1.25.10 (bsc#1244485).
- Go packages miss binutils-gold dependency (bsc#1170826).
- References
-
- https://www.suse.com/support/update/announcement/2026/suse-su-20261862-1/
- https://bugzilla.suse.com/1170826
- https://bugzilla.suse.com/1244485
- https://bugzilla.suse.com/1264499
- https://bugzilla.suse.com/1264500
- https://bugzilla.suse.com/1264501
- https://bugzilla.suse.com/1264502
- https://bugzilla.suse.com/1264503
- https://bugzilla.suse.com/1264504
- https://bugzilla.suse.com/1264505
- https://bugzilla.suse.com/1264506
- https://bugzilla.suse.com/1264507
- https://bugzilla.suse.com/1264508
- https://bugzilla.suse.com/1264509
- https://www.suse.com/security/cve/CVE-2026-33811
- https://www.suse.com/security/cve/CVE-2026-33814
- https://www.suse.com/security/cve/CVE-2026-39817
- https://www.suse.com/security/cve/CVE-2026-39819
- https://www.suse.com/security/cve/CVE-2026-39820
- https://www.suse.com/security/cve/CVE-2026-39823
- https://www.suse.com/security/cve/CVE-2026-39825
- https://www.suse.com/security/cve/CVE-2026-39826
- https://www.suse.com/security/cve/CVE-2026-39836
- https://www.suse.com/security/cve/CVE-2026-42499
- https://www.suse.com/security/cve/CVE-2026-42501