Advisories » MGASA-2025-0256

Updated golang packages fix security vulnerabilities

Publication date: 04 Nov 2025
Modification date: 04 Nov 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-47912, CVE-2025-58183, CVE-2025-58185, CVE-2025-58186, CVE-2025-58187, CVE-2025-58188, CVE-2025-58189, CVE-2025-61723, CVE-2025-61724, CVE-2025-61725

Description

Insufficient validation of bracketed IPv6 hostnames in net/url. (CVE-2025-47912)
Unbounded allocation when parsing GNU sparse map in archive/tar. (CVE-2025-58183)
Parsing DER payload can cause memory exhaustion in encoding/asn1. (CVE-2025-58185)
Lack of limit when parsing cookies can cause memory exhaustion in net/http. (CVE-2025-58186)
Quadratic complexity when checking name constraints in crypto/x509. (CVE-2025-58187)
Panic when validating certificates with DSA public keys in crypto/x509. (CVE-2025-58188)
ALPN negotiation error contains attacker controlled information in crypto/tls. (CVE-2025-58189)
Quadratic complexity when parsing some invalid inputs in encoding/pem. (CVE-2025-61723)
Excessive CPU consumption in Reader.ReadResponse in net/textproto. (CVE-2025-61724)
Excessive CPU consumption in ParseAddress in net/mail. (CVE-2025-61725)

These packages fix the issues for the compiler only; applications using the
functions still need to be rebuilt.
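
One way to find applications that still need the rebuild mentioned above is to read the toolchain version that Go embeds in each compiled binary. This is an added example, not part of the Mageia advisory: the fixed version is an operator-supplied argument because the advisory does not state it, the names parseRelease and needsRebuild are hypothetical, and a single threshold assumes all binaries come from one Go release branch.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// parseRelease turns "go1.2.3" into [1 2 3]. Anything that is not a plain
// release (devel builds, release candidates) returns ok == false.
func parseRelease(v string) (out [3]int, ok bool) {
	f := strings.Fields(v) // keep only the first space-separated field
	if len(f) == 0 || !strings.HasPrefix(f[0], "go") {
		return out, false
	}
	for i, p := range strings.SplitN(strings.TrimPrefix(f[0], "go"), ".", 3) {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return out, false
		}
		out[i] = n
	}
	return out, true
}

// needsRebuild reports whether a binary built with toolchain `built` predates
// `fixed`. Versions that cannot be parsed are flagged as well, so that
// unusual builds get a manual look instead of being silently skipped.
func needsRebuild(built, fixed string) bool {
	b, okB := parseRelease(built)
	f, okF := parseRelease(fixed)
	return !okB || !okF ||
		b[0] < f[0] || (b[0] == f[0] && (b[1] < f[1] || (b[1] == f[1] && b[2] < f[2])))
}

func main() {
	if len(os.Args) < 3 {
		fmt.Fprintln(os.Stderr, "usage: goaudit <fixed-go-version> <binary>...")
		os.Exit(2)
	}
	for _, path := range os.Args[2:] {
		info, err := buildinfo.ReadFile(path) // fails for non-Go files, which are skipped
		if err == nil && needsRebuild(info.GoVersion, os.Args[1]) {
			fmt.Printf("%s\tbuilt with %s\n", path, info.GoVersion)
		}
	}
}
```

Binaries that were stripped of build information or built by a toolchain too old to embed it are skipped by this check and need to be tracked through the package that ships them.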

SRPMS

9/core