Detections
Analytics

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : go1.25 (SUSE-SU-2025:03547-1)

high Nessus Plugin ID 270294

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:03547-1 advisory.

 go1.25.2 (released 2025-10-07) includes security fixes to the archive/tar, crypto/tls, crypto/x509, encoding/asn1, encoding/pem, net/http, net/mail, net/textproto, and net/url packages, as well as bug fixes to the compiler, the runtime, and the context, debug/pe, net/http, os, and sync/atomic packages. (bsc#1244485)

 CVE-2025-58189 CVE-2025-61725 CVE-2025-58188 CVE-2025-58185 CVE-2025-58186 CVE-2025-61723 CVE-2025-58183 CVE-2025-47912 CVE-2025-58187 CVE-2025-61724:

 * bsc#1251255 CVE-2025-58189: crypto/tls: ALPN negotiation error contains attacker controlled information
 * bsc#1251253 CVE-2025-61725: net/mail: excessive CPU consumption in ParseAddress
 * bsc#1251260 CVE-2025-58188: crypto/x509: panic when validating certificates with DSA public keys
 * bsc#1251258 CVE-2025-58185: encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion
 * bsc#1251259 CVE-2025-58186: net/http: lack of limit when parsing cookies can cause memory exhaustion
 * bsc#1251256 CVE-2025-61723: encoding/pem: quadratic complexity when parsing some invalid inputs
 * bsc#1251261 CVE-2025-58183: archive/tar: unbounded allocation when parsing GNU sparse map
 * bsc#1251257 CVE-2025-47912: net/url: insufficient validation of bracketed IPv6 hostnames
 * bsc#1251254 CVE-2025-58187: crypto/x509: quadratic complexity when checking name constraints
 * bsc#1251262 CVE-2025-61724: net/textproto: excessive CPU consumption in Reader.ReadResponse

 * go#75111 os, syscall: volume handles with FILE_FLAG_OVERLAPPED fail when calling ReadAt
 * go#75116 os: Root.MkdirAll can return 'file exists' when called concurrently on the same path
 * go#75139 os: Root.OpenRoot sets incorrect name, losing prefix of original root
 * go#75221 debug/pe: pe.Open fails on object files produced by llvm-mingw 21
 * go#75255 cmd/compile: export to DWARF types only referenced through interfaces
 * go#75347 testing/synctest: test timeout with no runnable goroutines
 * go#75357 net: new test TestIPv4WriteMsgUDPAddrPortTargetAddrIPVersion fails on plan9
 * go#75524 crypto/internal/fips140/rsa: requires a panic if self-tests fail
 * go#75537 context: Err can return non-nil before Done channel is closed
 * go#75539 net/http: internal error: connCount underflow
 * go#75595 cmd/compile: internal compiler error with GOEXPERIMENT=cgocheck2 on github.com/leodido/go-urn
 * go#75610 sync/atomic: comment for Uintptr.Or incorrectly describes return value
 * go#75669 runtime: debug.decoratemappings don't work as expected

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected go1.25, go1.25-doc and / or go1.25-race packages.

See Also

https://bugzilla.suse.com/1251254

https://bugzilla.suse.com/1251255

https://bugzilla.suse.com/1251256

https://bugzilla.suse.com/1251257

https://bugzilla.suse.com/1251258

https://bugzilla.suse.com/1251259

https://bugzilla.suse.com/1251260

https://bugzilla.suse.com/1251261

https://bugzilla.suse.com/1251262

https://lists.suse.com/pipermail/sle-updates/2025-October/042110.html

https://www.suse.com/security/cve/CVE-2025-47912

https://www.suse.com/security/cve/CVE-2025-58183

https://www.suse.com/security/cve/CVE-2025-58185

https://www.suse.com/security/cve/CVE-2025-58186

https://www.suse.com/security/cve/CVE-2025-58187

https://www.suse.com/security/cve/CVE-2025-58188

https://www.suse.com/security/cve/CVE-2025-58189

https://www.suse.com/security/cve/CVE-2025-61723

https://www.suse.com/security/cve/CVE-2025-61724

https://www.suse.com/security/cve/CVE-2025-61725

https://bugzilla.suse.com/1244485

https://bugzilla.suse.com/1251253

Plugin Details

Severity: High

ID: 270294

File Name: suse_SU-2025-03547-1.nasl

Version: 1.2

Type: local

Agent: unix

Published: 10/14/2025

Updated: 10/24/2025

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: High

Base Score: 7.1

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:N

CVSS Score Source: CVE-2025-47912

CVSS v3

Risk Factor: High

Base Score: 8.7

Temporal Score: 7.6

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:novell:suse_linux:15, p-cpe:/a:novell:suse_linux:go1.25, p-cpe:/a:novell:suse_linux:go1.25-doc, p-cpe:/a:novell:suse_linux:go1.25-race

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 10/11/2025

Vulnerability Publication Date: 10/11/2025

Reference Information

CVE: CVE-2025-47912, CVE-2025-58183, CVE-2025-58185, CVE-2025-58186, CVE-2025-58187, CVE-2025-58188, CVE-2025-58189, CVE-2025-61723, CVE-2025-61724, CVE-2025-61725

IAVB: 2025-B-0177

SuSE: SUSE-SU-2025:03547-1