34651 – golang new security issues CVE-2025-47912, CVE-2025-5818[356789], CVE-2025-6172[3-5]

Bug 34651 - golang new security issues CVE-2025-47912, CVE-2025-5818[356789], CVE-2025-6172[3-5]

Summary: golang new security issues CVE-2025-47912, CVE-2025-5818[356789], CVE-2025-61...

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	9
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA9-64-OK,MGA9-32-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2025-10-08 09:08 CEST by Nicolas Salguero
Modified:	2025-11-04 17:15 CET (History)
CC List:	4 users (show)

See Also:
Source RPM:	golang-1.24.6-1.mga9.src.rpm
CVE:	CVE-2025-47912, CVE-2025-58183, CVE-2025-58185, CVE-2025-58186, CVE-2025-58187, CVE-2025-58188, CVE-2025-58189, CVE-2025-61723, CVE-2025-61724, CVE-2025-61725
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2025-10-08 09:08:52 CEST

https://www.openwall.com/lists/oss-security/2025/10/08/1

Nicolas Salguero 2025-10-08 09:10:26 CEST

Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2025-47912, CVE-2025-58183, CVE-2025-58185, CVE-2025-58186, CVE-2025-58187, CVE-2025-58188, CVE-2025-58189, CVE-2025-61723, CVE-2025-61724, CVE-2025-61725
Source RPM: (none) => golang-1.24.6-1.mga10.src.rpm, golang-1.24.6-1.mga9.src.rpm
Status comment: (none) => Fixed upstream in 1.24.8

Comment 1 Marja Van Waes 2025-10-08 10:18:01 CEST

Assigning to our golang maintainer.

Assignee: bugsquad => joequant
CC: (none) => marja11

Comment 2 Nicolas Salguero 2025-10-31 10:56:26 CET

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Insufficient validation of bracketed IPv6 hostnames in net/url. (CVE-2025-47912)

Unbounded allocation when parsing GNU sparse map in archive/tar. (CVE-2025-58183)

Parsing DER payload can cause memory exhaustion in encoding/asn1. (CVE-2025-58185)

Lack of limit when parsing cookies can cause memory exhaustion in net/http. (CVE-2025-58186)

Quadratic complexity when checking name constraints in crypto/x509. (CVE-2025-58187)

Panic when validating certificates with DSA public keys in crypto/x509. (CVE-2025-58188)

ALPN negotiation error contains attacker controlled information in crypto/tls. (CVE-2025-58189)

Quadratic complexity when parsing some invalid inputs in encoding/pem. (CVE-2025-61723)

Excessive CPU consumption in Reader.ReadResponse in net/textproto. (CVE-2025-61724)

Excessive CPU consumption in ParseAddress in net/mail. (CVE-2025-61725)

References:
https://www.openwall.com/lists/oss-security/2025/10/08/1
========================

Updated packages in core/updates_testing:
========================
golang-1.24.9-1.mga9
golang-bin-1.24.9-1.mga9
golang-docs-1.24.9-1.mga9
golang-misc-1.24.9-1.mga9
golang-shared-1.24.9-1.mga9
golang-src-1.24.9-1.mga9
golang-tests-1.24.9-1.mga9

from SRPM:
golang-1.24.9-1.mga9.src.rpm

Status comment: Fixed upstream in 1.24.8 => (none)
Whiteboard: MGA9TOO => (none)
Source RPM: golang-1.24.6-1.mga10.src.rpm, golang-1.24.6-1.mga9.src.rpm => golang-1.24.6-1.mga9.src.rpm
Version: Cauldron => 9
Status: NEW => ASSIGNED
Assignee: joequant => qa-bugs

katnatek 2025-10-31 18:36:56 CET

Keywords: (none) => advisory

Comment 3 katnatek 2025-11-01 02:54:49 CET

Used to build current version of docker
Looks good to me

Whiteboard: (none) => MGA9-64-OK,MGA9-32-OK

Comment 4 Thomas Andrews 2025-11-02 13:32:12 CET

Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Dan Fandrich 2025-11-04 16:33:01 CET

Here is another case where packages relying on these vulnerable Go features need to be rebuilt or they will remain vulnerable to these issues. I'm glad to at least see the text in the advisory to that effect, but our user will remain vulnerable as long as those packages are not pushed.

CC: (none) => dan

Comment 6 Dan Fandrich 2025-11-04 16:35:53 CET

My mistake—I was referring to the text in bug 34584. I will add it to this advisory as well:

  These packages fix the issues for the compiler only; applications using the
  functions still need to be rebuilt.

Comment 7 Mageia Robot 2025-11-04 17:15:24 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0256.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.