Security update for go1.24
| Announcement ID: | SUSE-SU-2025:01551-1 |
|---|---|
| Release Date: | 2025-05-29T09:29:39Z |
| Rating: | moderate |
| References: | |
| Cross-References: | |
| CVSS scores: |
|
| Affected Products: |
|
An update that solves one vulnerability and has one security fix can now be installed.
Description:
This update for go1.24 fixes the following issues:
Update to go1.24.3 (bsc#1236217):
Security fixes:
- CVE-2025-22873: Fixed os.Root permits access to parent directory (bsc#1242715)
Changelog:
- go#73556 go#73555 security: fix CVE-2025-22873 os: Root permits access to parent directory
- go#73082 os: Root.Open panics when opening a symlink referencing the root
- go#73092 cmd/link: linkname directive on userspace variable can override runtime variable
- go#73118 crypto/tls: ECH decodeInnerClientHello incorrectly rejects ClientHello with GREASE values in supportedVersions
- go#73144 runtime: segmentation fault from vgetrandomPutState and runtime.growslice w/ runtime.OSLockThread
- go#73192 runtime: -race data race map traceback report incorrect functions
- go#73281 cmd/compile: program compiles to wasm but is invalid: go:wasmexport: integer too large
- go#73379 runtime, x/sys/unix: Connectx is broken on darwin/amd64
- go#73440 cmd/compile: infinite loop in the inliner
- go#73500 cmd/go: +dirty in version stamping doesn't combine well with +incompatible
Patch Instructions:
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
-
Development Tools Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP7-2025-1551=1
Package List:
-
Development Tools Module 15-SP7 (aarch64 ppc64le s390x x86_64)
- go1.24-doc-1.24.3-150000.1.23.1
- go1.24-race-1.24.3-150000.1.23.1
- go1.24-1.24.3-150000.1.23.1