{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"High" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"golang security update", "category":"general", "title":"Synopsis" }, { "text":"An update for golang is now available for openEuler-24.03-LTS-SP2", "category":"general", "title":"Summary" }, { "text":".\n\nSecurity Fix(es):\n\nThe Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: \"http://[::1]/\". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.(CVE-2025-47912)\n\nDespite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as \"a=;\", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.(CVE-2025-58186)\n\ncrypto/x509: Exclude subdomain constraints do not restrict wildcard SANs Exclude subdomain constraints in certificate chains do not restrict the use of wildcard SANs in leaf certificates. For example, excluding the constraint on the subdomain test.example.com does not prevent the leaf certificate from claiming SAN*. example.com.(CVE-2025-61727)\n\nWithin HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.(CVE-2025-61729)", "category":"general", "title":"Description" }, { "text":"An update for golang is now available for openEuler-24.03-LTS-SP2.\n\nopenEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.", "category":"general", "title":"Topic" }, { "text":"High", "category":"general", "title":"Severity" }, { "text":"golang", "category":"general", "title":"Affected Component" } ], "publisher":{ "issuing_authority":"openEuler security committee", "name":"openEuler", "namespace":"https://www.openeuler.org", "contact_details":"openeuler-security@openeuler.org", "category":"vendor" }, "references":[ { "summary":"openEuler-SA-2025-2868", "category":"self", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2868" }, { "summary":"CVE-2025-47912", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-47912&packageName=golang" }, { "summary":"CVE-2025-58186", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-58186&packageName=golang" }, { "summary":"CVE-2025-61727", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-61727&packageName=golang" }, { "summary":"CVE-2025-61729", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-61729&packageName=golang" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2025-47912" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2025-58186" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2025-61727" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2025-61729" }, { "summary":"openEuler-SA-2025-2868 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/advisories/2025/csaf-openEuler-SA-2025-2868.json" } ], "title":"An update for golang is now available for openEuler-24.03-LTS-SP2", "tracking":{ "initial_release_date":"2025-12-31T10:23:02+08:00", "revision_history":[ { "date":"2025-12-31T10:23:02+08:00", "summary":"Initial", "number":"1.0.0" } ], "generator":{ "date":"2025-12-31T10:23:02+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2025-12-31T10:23:02+08:00", "id":"openEuler-SA-2025-2868", "version":"1.0.0", "status":"final" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP2" }, "product_id":"openEuler-24.03-LTS-SP2", "name":"openEuler-24.03-LTS-SP2" }, "name":"openEuler-24.03-LTS-SP2", "category":"product_version" } ], "category":"product_name" }, { "name":"noarch", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP2" }, "product_id":"golang-devel-1.21.4-41.oe2403sp2.noarch.rpm", "name":"golang-devel-1.21.4-41.oe2403sp2.noarch.rpm" }, "name":"golang-devel-1.21.4-41.oe2403sp2.noarch.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP2" }, "product_id":"golang-help-1.21.4-41.oe2403sp2.noarch.rpm", "name":"golang-help-1.21.4-41.oe2403sp2.noarch.rpm" }, "name":"golang-help-1.21.4-41.oe2403sp2.noarch.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"aarch64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP2" }, "product_id":"golang-1.21.4-41.oe2403sp2.aarch64.rpm", "name":"golang-1.21.4-41.oe2403sp2.aarch64.rpm" }, "name":"golang-1.21.4-41.oe2403sp2.aarch64.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP2" }, "product_id":"golang-1.21.4-41.oe2403sp2.src.rpm", "name":"golang-1.21.4-41.oe2403sp2.src.rpm" }, "name":"golang-1.21.4-41.oe2403sp2.src.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"x86_64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP2" }, "product_id":"golang-1.21.4-41.oe2403sp2.x86_64.rpm", "name":"golang-1.21.4-41.oe2403sp2.x86_64.rpm" }, "name":"golang-1.21.4-41.oe2403sp2.x86_64.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-24.03-LTS-SP2", "product_reference":"golang-devel-1.21.4-41.oe2403sp2.noarch.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP2:golang-devel-1.21.4-41.oe2403sp2.noarch", "name":"golang-devel-1.21.4-41.oe2403sp2.noarch as a component of openEuler-24.03-LTS-SP2" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP2", "product_reference":"golang-help-1.21.4-41.oe2403sp2.noarch.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP2:golang-help-1.21.4-41.oe2403sp2.noarch", "name":"golang-help-1.21.4-41.oe2403sp2.noarch as a component of openEuler-24.03-LTS-SP2" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP2", "product_reference":"golang-1.21.4-41.oe2403sp2.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP2:golang-1.21.4-41.oe2403sp2.aarch64", "name":"golang-1.21.4-41.oe2403sp2.aarch64 as a component of openEuler-24.03-LTS-SP2" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP2", "product_reference":"golang-1.21.4-41.oe2403sp2.src.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP2:golang-1.21.4-41.oe2403sp2.src", "name":"golang-1.21.4-41.oe2403sp2.src as a component of openEuler-24.03-LTS-SP2" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP2", "product_reference":"golang-1.21.4-41.oe2403sp2.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP2:golang-1.21.4-41.oe2403sp2.x86_64", "name":"golang-1.21.4-41.oe2403sp2.x86_64 as a component of openEuler-24.03-LTS-SP2" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2025-47912", "notes":[ { "text":"The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: \"http://[::1]/\". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-24.03-LTS-SP2:golang-devel-1.21.4-41.oe2403sp2.noarch", "openEuler-24.03-LTS-SP2:golang-help-1.21.4-41.oe2403sp2.noarch", "openEuler-24.03-LTS-SP2:golang-1.21.4-41.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:golang-1.21.4-41.oe2403sp2.src", "openEuler-24.03-LTS-SP2:golang-1.21.4-41.oe2403sp2.x86_64" ] }, "remediations":[ { "product_ids":[ "openEuler-24.03-LTS-SP2:golang-devel-1.21.4-41.oe2403sp2.noarch", "openEuler-24.03-LTS-SP2:golang-help-1.21.4-41.oe2403sp2.noarch", "openEuler-24.03-LTS-SP2:golang-1.21.4-41.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:golang-1.21.4-41.oe2403sp2.src", "openEuler-24.03-LTS-SP2:golang-1.21.4-41.oe2403sp2.x86_64" ], "details":"golang security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2868" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"MEDIUM", "baseScore":5.3, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version":"3.1" }, "products":[ "openEuler-24.03-LTS-SP2:golang-devel-1.21.4-41.oe2403sp2.noarch", "openEuler-24.03-LTS-SP2:golang-help-1.21.4-41.oe2403sp2.noarch", "openEuler-24.03-LTS-SP2:golang-1.21.4-41.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:golang-1.21.4-41.oe2403sp2.src", "openEuler-24.03-LTS-SP2:golang-1.21.4-41.oe2403sp2.x86_64" ] } ], "threats":[ { "details":"Medium", "category":"impact" } ], "title":"CVE-2025-47912" }, { "cve":"CVE-2025-58186", "notes":[ { "text":"Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as \"a=;\", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-24.03-LTS-SP2:golang-devel-1.21.4-41.oe2403sp2.noarch", "openEuler-24.03-LTS-SP2:golang-help-1.21.4-41.oe2403sp2.noarch", "openEuler-24.03-LTS-SP2:golang-1.21.4-41.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:golang-1.21.4-41.oe2403sp2.src", "openEuler-24.03-LTS-SP2:golang-1.21.4-41.oe2403sp2.x86_64" ] }, "remediations":[ { "product_ids":[ "openEuler-24.03-LTS-SP2:golang-devel-1.21.4-41.oe2403sp2.noarch", "openEuler-24.03-LTS-SP2:golang-help-1.21.4-41.oe2403sp2.noarch", "openEuler-24.03-LTS-SP2:golang-1.21.4-41.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:golang-1.21.4-41.oe2403sp2.src", "openEuler-24.03-LTS-SP2:golang-1.21.4-41.oe2403sp2.x86_64" ], "details":"golang security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2868" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"MEDIUM", "baseScore":5.3, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version":"3.1" }, "products":[ "openEuler-24.03-LTS-SP2:golang-devel-1.21.4-41.oe2403sp2.noarch", "openEuler-24.03-LTS-SP2:golang-help-1.21.4-41.oe2403sp2.noarch", "openEuler-24.03-LTS-SP2:golang-1.21.4-41.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:golang-1.21.4-41.oe2403sp2.src", "openEuler-24.03-LTS-SP2:golang-1.21.4-41.oe2403sp2.x86_64" ] } ], "threats":[ { "details":"Medium", "category":"impact" } ], "title":"CVE-2025-58186" }, { "cve":"CVE-2025-61727", "notes":[ { "text":"crypto/x509: Exclude subdomain constraints do not restrict wildcard SANs Exclude subdomain constraints in certificate chains do not restrict the use of wildcard SANs in leaf certificates. For example, excluding the constraint on the subdomain test.example.com does not prevent the leaf certificate from claiming SAN*. example.com.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-24.03-LTS-SP2:golang-devel-1.21.4-41.oe2403sp2.noarch", "openEuler-24.03-LTS-SP2:golang-help-1.21.4-41.oe2403sp2.noarch", "openEuler-24.03-LTS-SP2:golang-1.21.4-41.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:golang-1.21.4-41.oe2403sp2.src", "openEuler-24.03-LTS-SP2:golang-1.21.4-41.oe2403sp2.x86_64" ] }, "remediations":[ { "product_ids":[ "openEuler-24.03-LTS-SP2:golang-devel-1.21.4-41.oe2403sp2.noarch", "openEuler-24.03-LTS-SP2:golang-help-1.21.4-41.oe2403sp2.noarch", "openEuler-24.03-LTS-SP2:golang-1.21.4-41.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:golang-1.21.4-41.oe2403sp2.src", "openEuler-24.03-LTS-SP2:golang-1.21.4-41.oe2403sp2.x86_64" ], "details":"golang security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2868" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"MEDIUM", "baseScore":6.5, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version":"3.1" }, "products":[ "openEuler-24.03-LTS-SP2:golang-devel-1.21.4-41.oe2403sp2.noarch", "openEuler-24.03-LTS-SP2:golang-help-1.21.4-41.oe2403sp2.noarch", "openEuler-24.03-LTS-SP2:golang-1.21.4-41.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:golang-1.21.4-41.oe2403sp2.src", "openEuler-24.03-LTS-SP2:golang-1.21.4-41.oe2403sp2.x86_64" ] } ], "threats":[ { "details":"Medium", "category":"impact" } ], "title":"CVE-2025-61727" }, { "cve":"CVE-2025-61729", "notes":[ { "text":"Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-24.03-LTS-SP2:golang-devel-1.21.4-41.oe2403sp2.noarch", "openEuler-24.03-LTS-SP2:golang-help-1.21.4-41.oe2403sp2.noarch", "openEuler-24.03-LTS-SP2:golang-1.21.4-41.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:golang-1.21.4-41.oe2403sp2.src", "openEuler-24.03-LTS-SP2:golang-1.21.4-41.oe2403sp2.x86_64" ] }, "remediations":[ { "product_ids":[ "openEuler-24.03-LTS-SP2:golang-devel-1.21.4-41.oe2403sp2.noarch", "openEuler-24.03-LTS-SP2:golang-help-1.21.4-41.oe2403sp2.noarch", "openEuler-24.03-LTS-SP2:golang-1.21.4-41.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:golang-1.21.4-41.oe2403sp2.src", "openEuler-24.03-LTS-SP2:golang-1.21.4-41.oe2403sp2.x86_64" ], "details":"golang security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2868" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"HIGH", "baseScore":7.5, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version":"3.1" }, "products":[ "openEuler-24.03-LTS-SP2:golang-devel-1.21.4-41.oe2403sp2.noarch", "openEuler-24.03-LTS-SP2:golang-help-1.21.4-41.oe2403sp2.noarch", "openEuler-24.03-LTS-SP2:golang-1.21.4-41.oe2403sp2.aarch64", "openEuler-24.03-LTS-SP2:golang-1.21.4-41.oe2403sp2.src", "openEuler-24.03-LTS-SP2:golang-1.21.4-41.oe2403sp2.x86_64" ] } ], "threats":[ { "details":"High", "category":"impact" } ], "title":"CVE-2025-61729" } ] }