os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:01846-1 advisory.

    go1.24.4 (released 2025-06-05) includes security fixes to the     crypto/x509, net/http, and os packages, as well as bug fixes to     the linker, the go command, and the hash/maphash and os packages.
    ( bsc#1236217 go1.24 release tracking CVE-2025-22874 CVE-2025-0913 CVE-2025-4673)

    * CVE-2025-22874: crypto/x509: ExtKeyUsageAny bypasses policy validation (bsc#1244158)
    * CVE-2025-0913: os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows (bsc#1244157)
    * CVE-2025-4673: net/http: sensitive headers not cleared on cross-origin redirect (bsc#1244156)
    * os: Root.Mkdir creates directories with zero permissions on OpenBSD
    * hash/maphash: hashing channels with purego impl. of maphash.Comparable panics
    * runtime/debug: BuildSetting does not document DefaultGODEBUG
    * cmd/go: add fips140 module selection mechanism
    * cmd/link: Go 1.24.3 and 1.23.9 regression - duplicated definition of symbol dlopen
    * CVE-2025-22873: os: Root permits access to parent directory

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:01848-1 advisory.

    go1.23.10 (released 2025-06-05) includes security fixes to the     /http and os packages, as well as bug fixes to the linker.
    (bsc#1229122 go1.23 release tracking CVE-2025-0913 CVE-2025-4673)

    * CVE-2025-0913: os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows (bsc#1244157)
    * CVE-2025-4673: net/http: sensitive headers not cleared on cross-origin redirect (bsc#1244156)

      * runtime/debug: BuildSetting does not document DefaultGODEBUG
      * cmd/link: Go 1.24.3 and 1.23.9 regression - duplicated definition of symbol dlopen

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
238043	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : go1.24 (SUSE-SU-2025:01846-1)	Nessus	SuSE Local Security Checks	high
238039	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : go1.23 (SUSE-SU-2025:01848-1)	Nessus	SuSE Local Security Checks	medium

Detections

Analytics

CVE-2025-0913

medium

Tenable Plugins

high

medium