Updated golang packages fix security vulnerabilities
Publication date: 11 Feb 2026Modification date: 11 Feb 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-61726 , CVE-2025-61728 , CVE-2025-61730 , CVE-2025-61731 , CVE-2025-61732 , CVE-2025-68119 , CVE-2025-68121
Description
net/http: memory exhaustion in Request.ParseForm. (CVE-2025-61726)
archive/zip: denial of service when parsing arbitrary ZIP archives.
(CVE-2025-61728)
crypto/tls: handshake messages may be processed at the incorrect
encryption level. (CVE-2025-61730)
cmd/go: bypass of flag sanitization can lead to arbitrary code
execution. (CVE-2025-61731)
Potential code smuggling via doc comments in cmd/cgo. (CVE-2025-61732)
cmd/go: unexpected code execution when invoking toolchain.
(CVE-2025-68119)
crypto/tls: Config.Clone copies automatically generated session ticket
keys, session resumption does not account for the expiration of full
certificate chain. (CVE-2025-68121)
References
- https://bugs.mageia.org/show_bug.cgi?id=35007
- https://www.openwall.com/lists/oss-security/2026/01/15/3
- https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
- https://openwall.com/lists/oss-security/2026/01/17/2
- https://openwall.com/lists/oss-security/2026/01/17/3
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/NH2ETRY5I4475P2G36TA426YNBGAZLJM/
- https://www.openwall.com/lists/oss-security/2026/02/07/2
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61726
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61728
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61730
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61731
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61732
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68119
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68121
SRPMS
9/core
- golang-1.24.13-1.mga9