ALT-PU-2025-12749-4

Package update golang in branch p11

Version: 1.24.8-alt1
Published: 2026-02-04
Max severity: HIGH

Closed issues (20)

BDU:2025-13562
MEDIUM 5.3

Vulnerability in the crypto-x509 component of the Go programming language that allows an attacker to cause a denial of service

Published: 2025-10-29
Modified: 2026-03-20
CVSS 3.x: MEDIUM 5.3
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS 2.0: MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
BDU:2025-13936
HIGH 7.5

Vulnerability in the ParseAddress() function of the Go programming language that allows an attacker to cause a denial of service

Published: 2025-11-10
Modified: 2026-04-20
CVSS 3.x: HIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0: HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
BDU:2025-13937
HIGH 7.5

Vulnerability in the Go programming language related to insufficient input validation that allows an attacker to affect the availability of protected information

Published: 2025-11-10
Modified: 2026-04-20
CVSS 3.x: HIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0: HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
BDU:2025-13938
MEDIUM 5.3

Vulnerability in the Reader.ReadResponse() function of the Go programming language that allows an attacker to cause a denial of service

Published: 2025-11-10
Modified: 2026-03-20
CVSS 3.x: MEDIUM 5.3
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS 2.0: MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
BDU:2025-14525
HIGH 7.5

Vulnerability in the Equal() function of the crypto-x509 component of the Go programming language that allows an attacker to cause a denial of service

Published: 2025-11-21
Modified: 2026-04-20
CVSS 3.x: HIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0: HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
BDU:2025-14526
MEDIUM 5.3

Vulnerability in the crypto/tls component of the Go programming language that allows an attacker to disclose protected information

Published: 2025-11-21
Modified: 2026-04-20
CVSS 3.x: MEDIUM 5.3
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS 2.0: MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
BDU:2025-14527
HIGH 7.5

Vulnerability in the Parse() function of the net-url component of the Go programming language that allows an attacker to execute arbitrary code

Published: 2025-11-21
Modified: 2026-03-20
CVSS 3.x: HIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0: HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
BDU:2025-14528
MEDIUM 4.3

Vulnerability in the tar.Reader component of the Go programming language that allows an attacker to cause a denial of service

Published: 2025-11-21
Modified: 2026-04-20
CVSS 3.x: MEDIUM 4.3
CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
CVSS 2.0: MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
BDU:2025-14529
MEDIUM 5.3

Vulnerability in the net/http component of the Go programming language that allows an attacker to cause a denial of service

Published: 2025-11-21
Modified: 2026-03-20
CVSS 3.x: MEDIUM 5.3
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS 2.0: MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
BDU:2025-14530
MEDIUM 5.3

Vulnerability in the encoding/asn1 component of the Go programming language that allows an attacker to cause a denial of service

Published: 2025-11-21
Modified: 2026-04-20
CVSS 3.x: MEDIUM 5.3
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS 2.0: MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
CVE-2025-47912
MEDIUM 5.3

The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.

Published: 2025-10-29
Modified: 2026-01-29
CVSS 3.x: MEDIUM 5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE-2025-58183
MEDIUM 4.3

tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.

Published: 2025-10-29
Modified: 2026-04-15
CVSS 3.x: MEDIUM 4.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
CVE-2025-58186
MEDIUM 5.3

Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large number of structs, causing large memory consumption.

Published: 2025-10-29
Modified: 2026-04-15
CVSS 3.x: MEDIUM 5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVE-2025-58187
HIGH 7.5

Due to the design of the name constraint checking algorithm, the processing time of some inputs scales non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains.

Published: 2025-10-29
Modified: 2026-01-29
CVSS 3.x: HIGH 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2025-58188
HIGH 7.5

Validating certificate chains which contain DSA public keys can cause programs to panic, due to an interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains.

Published: 2025-10-29
Modified: 2026-01-29
CVSS 3.x: HIGH 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2025-58189
MEDIUM 5.3

When Conn.Handshake fails during ALPN negotiation, the error contains attacker-controlled information (the ALPN protocols sent by the client) which is not escaped.

Published: 2025-10-29
Modified: 2026-01-29
CVSS 3.x: MEDIUM 5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE-2025-61723
HIGH 7.5

The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs.

Published: 2025-10-29
Modified: 2026-01-29
CVSS 3.x: HIGH 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2025-61724
MEDIUM 5.3

The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.

Published: 2025-10-29
Modified: 2026-01-29
CVSS 3.x: MEDIUM 5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVE-2025-61725
HIGH 7.5

The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.

Published: 2025-10-29
Modified: 2026-04-15
CVSS 3.x: HIGH 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H