34009 – golang new security issue CVE-2025-22866

Bug 34009 - golang new security issue CVE-2025-22866

Summary: golang new security issue CVE-2025-22866

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	9
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA9-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2025-02-11 17:16 CET by Nicolas Salguero
Modified:	2025-02-14 21:37 CET (History)
CC List:	3 users (show)

See Also:
Source RPM:	golang-1.22.11-1.mga9.src.rpm
CVE:	CVE-2025-22866
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2025-02-11 17:16:14 CET

openSUSE has issued advisories on February 10:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/3TLTJ366QWWXT5LOMCQMCAWW4WSJRVJG/
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/W6TTCBIHX5XQ47UDP2T42HPMIEMGZGJX/

Nicolas Salguero 2025-02-11 17:17:08 CET

CVE: (none) => CVE-2025-22866
Source RPM: (none) => golang-1.23.5-1.mga10.src.rpm, golang-1.22.11-1.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
Status comment: (none) => Fixed upstream in 1.23.6 and 1.22.12

Comment 1 Nicolas Salguero 2025-02-12 16:34:31 CET

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Timing sidechannel for P-256 on ppc64le in crypto/internal/nistec. (CVE-2025-22866)

References:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/3TLTJ366QWWXT5LOMCQMCAWW4WSJRVJG/
========================

Updated packages in core/updates_testing:
========================
golang-1.22.12-1.mga9
golang-bin-1.22.12-1.mga9
golang-docs-1.22.12-1.mga9
golang-misc-1.22.12-1.mga9
golang-shared-1.22.12-1.mga9
golang-src-1.22.12-1.mga9
golang-tests-1.22.12-1.mga9

from SRPM:
golang-1.22.12-1.mga9.src.rpm

Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED
Whiteboard: MGA9TOO => (none)
Source RPM: golang-1.23.5-1.mga10.src.rpm, golang-1.22.11-1.mga9.src.rpm => golang-1.22.11-1.mga9.src.rpm
Status comment: Fixed upstream in 1.23.6 and 1.22.12 => (none)
Version: Cauldron => 9

katnatek 2025-02-12 17:49:07 CET

Keywords: (none) => advisory

Comment 2 Len Lawrence 2025-02-12 18:34:01 CET

mga9, x64
Waiting for the mirror to sync.
Meanwhile updated golang packages to the current versions.

CC: (none) => tarazed25

Comment 3 katnatek 2025-02-12 19:25:41 CET

Used to build docker without issues

Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm

Comment 4 Thomas Andrews 2025-02-14 16:33:28 CET

Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 5 Mageia Robot 2025-02-14 21:37:14 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0065.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.