Security update for go1.24-openssl

Announcement ID:	SUSE-SU-2026:20629-1
Release Date:	2026-03-03T17:46:58Z
Rating:	critical
References:	bsc#1236217 bsc#1245878 bsc#1247816 bsc#1248082 bsc#1249985 bsc#1251253 bsc#1251254 bsc#1251255 bsc#1251256 bsc#1251257 bsc#1251258 bsc#1251259 bsc#1251260 bsc#1251261 bsc#1251262 bsc#1254430 bsc#1254431 bsc#1256816 bsc#1256817 bsc#1256818 bsc#1256819 bsc#1256820 bsc#1256821 bsc#1257692 jsc#SLE-18320
Cross-References:	CVE-2025-47912 CVE-2025-58183 CVE-2025-58185 CVE-2025-58186 CVE-2025-58187 CVE-2025-58188 CVE-2025-58189 CVE-2025-61723 CVE-2025-61724 CVE-2025-61725 CVE-2025-61726 CVE-2025-61727 CVE-2025-61728 CVE-2025-61729 CVE-2025-61730 CVE-2025-61731 CVE-2025-61732 CVE-2025-68119 CVE-2025-68121
CVSS scores:	CVE-2025-47912 ( SUSE ): 8.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N CVE-2025-47912 ( SUSE ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H CVE-2025-47912 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2025-58183 ( SUSE ): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2025-58183 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2025-58183 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2025-58185 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2025-58185 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2025-58185 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2025-58186 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2025-58186 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2025-58186 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2025-58187 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2025-58187 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2025-58187 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-58188 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-58188 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-58188 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-58189 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N CVE-2025-58189 ( SUSE ): 4.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N CVE-2025-58189 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2025-61723 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2025-61723 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2025-61723 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-61724 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2025-61724 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2025-61724 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2025-61725 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-61725 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2025-61725 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-61726 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-61726 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2025-61726 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-61727 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-61727 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-61727 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2025-61728 ( SUSE ): 6.7 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-61728 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2025-61728 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2025-61729 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-61729 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-61729 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-61730 ( SUSE ): 2.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVE-2025-61730 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2025-61730 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2025-61731 ( SUSE ): 7.1 CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-61731 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-61731 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-61732 ( SUSE ): 9.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVE-2025-61732 ( SUSE ): 9.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVE-2025-61732 ( NVD ): 8.6 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVE-2025-68119 ( SUSE ): 7.1 CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-68119 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-68119 ( NVD ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-68121 ( SUSE ): 7.6 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVE-2025-68121 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVE-2025-68121 ( NVD ): 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVE-2025-68121 ( NVD ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected Products:	SUSE Linux Enterprise Server 16.0 SUSE Linux Enterprise Server for SAP Applications 16.0

An update that solves 19 vulnerabilities, contains one feature and has five fixes can now be installed.

Description:

This update for go1.24-openssl fixes the following issues:

• Update to version 1.24.13 (jsc#SLE-18320)
• CVE-2025-58189: crypto/tls: ALPN negotiation error contains attacker controlled information. (bsc#1251255)
• CVE-2025-61725: net/mail: excessive CPU consumption in ParseAddress. (bsc#1251253)
• CVE-2025-58188: crypto/x509: panic when validating certificates with DSA public keys. (bsc#1251260)
• CVE-2025-58185: encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion. (bsc#1251258)
• CVE-2025-58186: net/http: lack of limit when parsing cookies can cause memory exhaustion. (bsc#1251259)
• CVE-2025-61723: encoding/pem: quadratic complexity when parsing some invalid inputs. (bsc#1251256)
• CVE-2025-58183: archive/tar: unbounded allocation when parsing GNU sparse map. (bsc#1251261)
• CVE-2025-47912: net/url: insufficient validation of bracketed IPv6 hostnames. (bsc#1251257)
• CVE-2025-58187: crypto/x509: quadratic complexity when checking name constraints. (bsc#1251254)
• CVE-2025-61724: net/textproto: excessive CPU consumption in Reader.ReadResponse. (bsc#1251262)
• CVE-2025-61729: crypto/x509: excessive resource consumption in printing error string for host certificate validation. (bsc#1254431)
• CVE-2025-61727: crypto/x509: excluded subdomain constraint doesn't preclude wildcard SAN. (bsc#1254430)
• CVE-2025-61730: crypto/tls: handshake messages may be processed at the incorrect encryption level. (bsc#1256821)
• CVE-2025-61731: cmd/go: bypass of flag sanitization can lead to arbitrary code execution. (bsc#1256819)
• CVE-2025-61726: net/http: memory exhaustion in Request.ParseForm. (bsc#1256817)
• CVE-2025-61728: archive/zip: denial of service when parsing arbitrary ZIP archives. (bsc#1256816)
• CVE-2025-68121: crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain. (bsc#1256818)
• CVE-2025-61732: cmd/go: potential code smuggling using doc comments. (bsc#1257692)
• CVE-2025-68119: cmd/go: unexpected code execution when invoking toolchain. (bsc#1256820)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Server 16.0
  zypper in -t patch SUSE-SLES-16.0-346=1
• SUSE Linux Enterprise Server for SAP Applications 16.0
  zypper in -t patch SUSE-SLES-16.0-346=1

Package List:

• SUSE Linux Enterprise Server 16.0 (aarch64 ppc64le s390x x86_64)
  • go1.24-openssl-race-1.24.13-160000.1.1
  • go1.24-openssl-doc-1.24.13-160000.1.1
  • go1.24-openssl-debuginfo-1.24.13-160000.1.1
  • go1.24-openssl-1.24.13-160000.1.1
• SUSE Linux Enterprise Server for SAP Applications 16.0 (ppc64le x86_64)
  • go1.24-openssl-race-1.24.13-160000.1.1
  • go1.24-openssl-doc-1.24.13-160000.1.1
  • go1.24-openssl-debuginfo-1.24.13-160000.1.1
  • go1.24-openssl-1.24.13-160000.1.1

References:

• https://www.suse.com/security/cve/CVE-2025-47912.html
• https://www.suse.com/security/cve/CVE-2025-58183.html
• https://www.suse.com/security/cve/CVE-2025-58185.html
• https://www.suse.com/security/cve/CVE-2025-58186.html
• https://www.suse.com/security/cve/CVE-2025-58187.html
• https://www.suse.com/security/cve/CVE-2025-58188.html
• https://www.suse.com/security/cve/CVE-2025-58189.html
• https://www.suse.com/security/cve/CVE-2025-61723.html
• https://www.suse.com/security/cve/CVE-2025-61724.html
• https://www.suse.com/security/cve/CVE-2025-61725.html
• https://www.suse.com/security/cve/CVE-2025-61726.html
• https://www.suse.com/security/cve/CVE-2025-61727.html
• https://www.suse.com/security/cve/CVE-2025-61728.html
• https://www.suse.com/security/cve/CVE-2025-61729.html
• https://www.suse.com/security/cve/CVE-2025-61730.html
• https://www.suse.com/security/cve/CVE-2025-61731.html
• https://www.suse.com/security/cve/CVE-2025-61732.html
• https://www.suse.com/security/cve/CVE-2025-68119.html
• https://www.suse.com/security/cve/CVE-2025-68121.html
• https://bugzilla.suse.com/show_bug.cgi?id=1236217
• https://bugzilla.suse.com/show_bug.cgi?id=1245878
• https://bugzilla.suse.com/show_bug.cgi?id=1247816
• https://bugzilla.suse.com/show_bug.cgi?id=1248082
• https://bugzilla.suse.com/show_bug.cgi?id=1249985
• https://bugzilla.suse.com/show_bug.cgi?id=1251253
• https://bugzilla.suse.com/show_bug.cgi?id=1251254
• https://bugzilla.suse.com/show_bug.cgi?id=1251255
• https://bugzilla.suse.com/show_bug.cgi?id=1251256
• https://bugzilla.suse.com/show_bug.cgi?id=1251257
• https://bugzilla.suse.com/show_bug.cgi?id=1251258
• https://bugzilla.suse.com/show_bug.cgi?id=1251259
• https://bugzilla.suse.com/show_bug.cgi?id=1251260
• https://bugzilla.suse.com/show_bug.cgi?id=1251261
• https://bugzilla.suse.com/show_bug.cgi?id=1251262
• https://bugzilla.suse.com/show_bug.cgi?id=1254430
• https://bugzilla.suse.com/show_bug.cgi?id=1254431
• https://bugzilla.suse.com/show_bug.cgi?id=1256816
• https://bugzilla.suse.com/show_bug.cgi?id=1256817
• https://bugzilla.suse.com/show_bug.cgi?id=1256818
• https://bugzilla.suse.com/show_bug.cgi?id=1256819
• https://bugzilla.suse.com/show_bug.cgi?id=1256820
• https://bugzilla.suse.com/show_bug.cgi?id=1256821
• https://bugzilla.suse.com/show_bug.cgi?id=1257692
• https://jira.suse.com/browse/SLE-18320