Bug 35007 - golang new security issues CVE-2025-6172[68], CVE-2025-6173[01], CVE-2025-68119, CVE-2025-68121 and CVE-2025-61732
Summary: golang new security issues CVE-2025-6172[68], CVE-2025-6173[01], CVE-2025-681...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2026-01-16 09:44 CET by Nicolas Salguero
Modified: 2026-02-11 18:57 CET (History)
3 users (show)

See Also:
Source RPM: golang-1.24.11-1.mga9.src.rpm
CVE: CVE-2025-61726, CVE-2025-61728, CVE-2025-61730, CVE-2025-61731, CVE-2025-61732, CVE-2025-68119, CVE-2025-68121
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Nicolas Salguero 2026-01-16 09:45:13 CET

Whiteboard: (none) => MGA9TOO
Flags: (none) => affects_mga9+
CVE: (none) => CVE-2025-61726, CVE-2025-61728, CVE-2025-61730, CVE-2025-61731, CVE-2025-68119, CVE-2025-68121
Source RPM: (none) => golang-1.25.5-2.mga10.src.rpm, golang-1.24.11-1.mga9.src.rpm
Status comment: (none) => Fixed upstream in 1.25.6 and 1.24.12

Comment 1 Nicolas Salguero 2026-01-16 11:10:49 CET 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

net/http: memory exhaustion in Request.ParseForm. (CVE-2025-61726)

archive/zip: denial of service when parsing arbitrary ZIP archives. (CVE-2025-61728)

crypto/tls: handshake messages may be processed at the incorrect encryption level. (CVE-2025-61730)

cmd/go: bypass of flag sanitization can lead to arbitrary code execution. (CVE-2025-61731)

cmd/go: unexpected code execution when invoking toolchain. (CVE-2025-68119)

crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain. (CVE-2025-68121)

References:
https://www.openwall.com/lists/oss-security/2026/01/15/3
https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
========================

Updated packages in core/updates_testing:
========================
golang-1.24.12-1.mga9
golang-bin-1.24.12-1.mga9
golang-docs-1.24.12-1.mga9
golang-misc-1.24.12-1.mga9
golang-shared-1.24.12-1.mga9
golang-src-1.24.12-1.mga9
golang-tests-1.24.12-1.mga9

from SRPM:
golang-1.24.12-1.mga9.src.rpm

Source RPM: golang-1.25.5-2.mga10.src.rpm, golang-1.24.11-1.mga9.src.rpm => golang-1.24.11-1.mga9.src.rpm
Version: Cauldron => 9
Assignee: bugsquad => qa-bugs
Status comment: Fixed upstream in 1.25.6 and 1.24.12 => (none)
Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED

Nicolas Salguero 2026-01-16 11:10:55 CET

Flags: affects_mga9+ => (none)

katnatek 2026-01-17 02:10:58 CET

Keywords: (none) => advisory

Comment 2 Nicolas Salguero 2026-01-18 09:22:46 CET 
It seems there are regressions with the fix for CVE-2025-68121:
https://openwall.com/lists/oss-security/2026/01/17/2
https://openwall.com/lists/oss-security/2026/01/17/3

Flags: (none) => affects_mga9+
Version: 9 => Cauldron
Whiteboard: (none) => MGA9TOO
Assignee: qa-bugs => nicolas.salguero
Source RPM: golang-1.24.11-1.mga9.src.rpm => golang-1.25.6-1.mga10.src.rpm, golang-1.24.11-1.mga9.src.rpm

Comment 3 Len Lawrence 2026-01-18 10:15:37 CET 
So what is the policy here?  Do we go ahead with testing or wait for a further update?

CC: (none) => tarazed25

Comment 4 katnatek 2026-01-18 18:53:30 CET 
(In reply to Len Lawrence from comment #3)
> So what is the policy here?  Do we go ahead with testing or wait for a
> further update?

Due the security break described in the links, I think wait to new update
Comment 6 Nicolas Salguero 2026-02-09 09:02:18 CET 
https://www.openwall.com/lists/oss-security/2026/02/07/2

Summary: golang new security issues CVE-2025-6172[68], CVE-2025-6173[01], CVE-2025-68119 and CVE-2025-68121 => golang new security issues CVE-2025-6172[68], CVE-2025-6173[01], CVE-2025-68119, CVE-2025-68121 and CVE-2025-61732
CVE: CVE-2025-61726, CVE-2025-61728, CVE-2025-61730, CVE-2025-61731, CVE-2025-68119, CVE-2025-68121 => CVE-2025-61726, CVE-2025-61728, CVE-2025-61730, CVE-2025-61731, CVE-2025-68119, CVE-2025-68121, CVE-2025-61732

Comment 7 Nicolas Salguero 2026-02-09 09:44:46 CET 
For Cauldron, I asked for a freeze move.


Suggested advisory:
========================

The updated packages fix security vulnerabilities:

net/http: memory exhaustion in Request.ParseForm. (CVE-2025-61726)

archive/zip: denial of service when parsing arbitrary ZIP archives. (CVE-2025-61728)

crypto/tls: handshake messages may be processed at the incorrect encryption level. (CVE-2025-61730)

cmd/go: bypass of flag sanitization can lead to arbitrary code execution. (CVE-2025-61731)

Potential code smuggling via doc comments in cmd/cgo. (CVE-2025-61732)

cmd/go: unexpected code execution when invoking toolchain. (CVE-2025-68119)

crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain. (CVE-2025-68121)

References:
https://www.openwall.com/lists/oss-security/2026/01/15/3
https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
https://openwall.com/lists/oss-security/2026/01/17/2
https://openwall.com/lists/oss-security/2026/01/17/3
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/NH2ETRY5I4475P2G36TA426YNBGAZLJM/
https://www.openwall.com/lists/oss-security/2026/02/07/2
========================

Updated packages in core/updates_testing:
========================
golang-1.24.13-1.mga9
golang-bin-1.24.13-1.mga9
golang-docs-1.24.13-1.mga9
golang-misc-1.24.13-1.mga9
golang-shared-1.24.13-1.mga9
golang-src-1.24.13-1.mga9
golang-tests-1.24.13-1.mga9

from SRPM:
golang-1.24.13-1.mga9.src.rpm

CVE: CVE-2025-61726, CVE-2025-61728, CVE-2025-61730, CVE-2025-61731, CVE-2025-68119, CVE-2025-68121, CVE-2025-61732 => CVE-2025-61726, CVE-2025-61728, CVE-2025-61730, CVE-2025-61731, CVE-2025-61732, CVE-2025-68119, CVE-2025-68121
Version: Cauldron => 9
Source RPM: golang-1.25.6-1.mga10.src.rpm, golang-1.24.11-1.mga9.src.rpm => golang-1.24.11-1.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Assignee: nicolas.salguero => qa-bugs
Keywords: advisory => (none)
Flags: affects_mga9+ => (none)

Comment 8 Len Lawrence 2026-02-10 02:07:35 CET 
Mageia 9
6.12.60-desktop-1.stable.mga9

Installed these on Mate desktop:
golang-src-1.24.13-1.mga9
golang-bin-1.24.13-1.mga9
golang-1.24.13-1.mga9
golang-docs-1.24.13-1.mga9
golang-tests-1.24.13-1.mga9
golang-misc-1.24.13-1.mga9
golang-shared-1.24.13-1.mga9

As suggested years ago by bugsquad this can be tested by rebuilding docker. 
$ mgarepo co docker
$ cd docker
$ sudo urpmi --buildrequires SPECS/docker.spec
$ bm -ls
$ bm -l

At the buildrequires stage:
Some 355 packages installed.
Tail end of terminal output:
+ umask 022
+ cd ~/docker/BUILD
+ cd moby-28.5.2
+ /usr/bin/rm -rf /home/lcl/docker/BUILDROOT/docker-28.5.2-1.mga9.x86_64
+ RPM_EC=0
++ jobs -p
+ exit 0
Executing(rmbuild): /bin/sh -e /home/lcl/docker/BUILDROOT/rpm-tmp.Q4XUDm
+ umask 022
+ cd ~/docker/BUILD
+ rm -rf moby-28.5.2 moby-28.5.2.gemspec
+ RPM_EC=0
++ jobs -p
+ exit 0

RPM build warnings:
    Macro expanded in comment on line 38: %{shortcommit_moby}

    line 114: It's not recommended to have unversioned Obsoletes: Obsoletes: docker-swarm
    line 116: It's not recommended to have unversioned Obsoletes: Obsoletes: docker-vim
succeeded!

$ cd docker/RPMS/x86_64
$ ll
total 42144
-rw-r--r-- 1 ~ ~ 39582527 Feb 10 00:35 docker-28.5.2-1.mga9.x86_64.rpm
-rw-r--r-- 1 ~ ~  3509931 Feb 10 00:34 docker-devel-28.5.2-1.mga9.x86_64.rpm
-rw-r--r-- 1 ~ ~    14572 Feb 10 00:34 docker-fish-completion-28.5.2-1.mga9.x86_64.rpm
-rw-r--r-- 1 ~ ~     7551 Feb 10 00:34 docker-logrotate-28.5.2-1.mga9.x86_64.rpm
-rw-r--r-- 1 ~ ~     7148 Feb 10 00:34 docker-nano-28.5.2-1.mga9.x86_64.rpm
-rw-r--r-- 1 ~ ~    25018 Feb 10 00:34 docker-zsh-completion-28.5.2-1.mga9.x86_64.rpm

This is what is currently installed:
$ rpm -qa | grep docker
docker-compose-2.20.3-2.mga9
docker-25.0.7-1.mga9
docker-containerd-1.7.29-1.mga9
...

That is a good workout for golang, as ever.

Whiteboard: (none) => MGA9-64-OK

Comment 9 katnatek 2026-02-10 03:35:48 CET 
Advisory updated
katnatek 2026-02-10 22:57:27 CET

Keywords: (none) => advisory

Comment 10 Thomas Andrews 2026-02-10 23:31:04 CET 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 11 Mageia Robot 2026-02-11 18:57:16 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0035.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.