Bug 35181 - golang new security issues CVE-2026-27142, CVE-2026-25679, CVE-2026-27139, CVE-2026-2714[034], CVE-2026-3228[012389]
Summary: golang new security issues CVE-2026-27142, CVE-2026-25679, CVE-2026-27139, CV...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK,MGA9-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 33808
Reported: 2026-03-06 09:24 CET by Nicolas Salguero
Modified: 2026-05-16 08:18 CEST

See Also:
Source RPM: golang-1.24.13-1.mga9.src.rpm
CVE: CVE-2026-27142, CVE-2026-25679, CVE-2026-27139, CVE-2026-27140, CVE-2026-27143, CVE-2026-27144, CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32288, CVE-2026-32289
Status comment: Fixed upstream in 1.25.10
j.alberto.vc: test_passed_mga9_64+
j.alberto.vc: test_passed_mga9_32+


Description Nicolas Salguero 2026-03-06 09:24:53 CET
Reference: https://www.openwall.com/lists/oss-security/2026/03/06/1

Moreover, golang 1.24 reached its EOL so Mageia 9 may be affected by those issues too.

Nicolas Salguero 2026-03-06 09:25:43 CET

Whiteboard: (none) => MGA9TOO
Flags: (none) => affects_mga9+
CVE: (none) => CVE-2026-27142, CVE-2026-25679, CVE-2026-27139
Status comment: (none) => Fixed upstream in 1.25.8
Source RPM: (none) => golang-1.25.7-1.mga10.src.rpm, golang-1.24.13-1.mga9.src.rpm

Comment 1 Nicolas Salguero 2026-03-06 10:03:14 CET
For Cauldron, I asked for a freeze move.

Whiteboard: MGA9TOO => (none)
Flags: affects_mga9+ => (none)
Version: Cauldron => 9
Source RPM: golang-1.25.7-1.mga10.src.rpm, golang-1.24.13-1.mga9.src.rpm => golang-1.24.13-1.mga9.src.rpm

katnatek 2026-03-09 17:55:52 CET

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2026-04-09 09:25:05 CEST
Reference: https://www.openwall.com/lists/oss-security/2026/04/08/14

Summary: golang new security issues CVE-2026-27142, CVE-2026-25679 and CVE-2026-27139 => golang new security issues CVE-2026-27142, CVE-2026-25679, CVE-2026-27139, CVE-2026-2714[034], CVE-2026-3228[012389]
Version: 9 => Cauldron
Source RPM: golang-1.24.13-1.mga9.src.rpm => golang-1.25.8-1.mga10.src.rpm, golang-1.24.13-1.mga9.src.rpm
CVE: CVE-2026-27142, CVE-2026-25679, CVE-2026-27139 => CVE-2026-27142, CVE-2026-25679, CVE-2026-27139, CVE-2026-27140, CVE-2026-27143, CVE-2026-27144, CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32288, CVE-2026-32289
Status comment: Fixed upstream in 1.25.8 => Fixed upstream in 1.25.9
Whiteboard: (none) => MGA9TOO

Nicolas Salguero 2026-04-09 09:28:00 CEST

Flags: (none) => affects_mga9+

Comment 3 Nicolas Salguero 2026-04-09 09:53:20 CEST
For Cauldron, I asked for a freeze move.

Whiteboard: MGA9TOO => (none)
Source RPM: golang-1.25.8-1.mga10.src.rpm, golang-1.24.13-1.mga9.src.rpm => golang-1.24.13-1.mga9.src.rpm
Version: Cauldron => 9
Flags: affects_mga9+ => (none)

Comment 4 Nicolas Salguero 2026-05-09 09:05:12 CEST
Reference: https://www.openwall.com/lists/oss-security/2026/05/08/20

New CVEs: CVE-2026-42501, CVE-2026-39825, CVE-2026-39836, CVE-2026-42499, CVE-2026-39820, CVE-2026-39819, CVE-2026-39817, CVE-2026-33814, CVE-2026-39826, CVE-2026-33811, CVE-2026-39823

Status comment: Fixed upstream in 1.25.9 => Fixed upstream in 1.25.10
Source RPM: golang-1.24.13-1.mga9.src.rpm => golang-1.25.9-1.mga10.src.rpm, golang-1.24.13-1.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
Flags: (none) => affects_mga9+
Version: 9 => Cauldron

Comment 6 Nicolas Salguero 2026-05-12 12:14:53 CEST
For Cauldron, I asked for a freeze move.

Nicolas Salguero 2026-05-12 12:16:08 CEST

Source RPM: golang-1.25.9-1.mga10.src.rpm, golang-1.24.13-1.mga9.src.rpm => golang-1.24.13-1.mga9.src.rpm
Flags: affects_mga9+ => (none)
Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)

katnatek 2026-05-15 19:43:11 CEST

Blocks: (none) => 33808

Comment 7 katnatek 2026-05-15 19:52:21 CEST
I take this, as it is now blocking rclone

Assignee: pkg-bugs => j.alberto.vc

Comment 8 katnatek 2026-05-15 21:40:28 CEST
RPMS:
golang-1.25.10-1.mga9
golang-bin-1.25.10-1.mga9
golang-docs-1.25.10-1.mga9
golang-misc-1.25.10-1.mga9
golang-shared-1.25.10-1.mga9
golang-src-1.25.10-1.mga9
golang-tests-1.25.10-1.mga9

SRPM: golang-1.25.10-1.mga9

Assignee: j.alberto.vc => qa-bugs

Comment 9 katnatek 2026-05-15 21:57:19 CEST
RH x86_64

Used to rebuild rclone, looks OK
I know we use to test with docker; I will do it later and upload the advisory

Comment 10 katnatek 2026-05-16 00:53:20 CEST
Used in my copr to build docker in all supported architectures
Used in mageia's BS to build rclone

I think it is good

Flags: (none) => test_passed_mga9_64+, test_passed_mga9_32+
Whiteboard: (none) => MGA9-64-OK,MGA9-32-OK

katnatek 2026-05-16 01:04:22 CEST

Keywords: (none) => advisory
CC: (none) => andrewsfarm

Comment 11 Thomas Andrews 2026-05-16 04:10:01 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 12 Mageia Robot 2026-05-16 08:18:34 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0143.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

