SUSE SLED15 / SLES15 / openSUSE 15 Security Update : go1.24 (SUSE-SU-2025:3682-1)

Severity: High. Nessus Plugin ID: 270849

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:3682-1 advisory.

go1.24.9 (released 2025-10-13) includes fixes to the crypto/x509 package. (bsc#1236217)

* crypto/x509: TLS validation fails for FQDNs with trailing dot

go1.24.8 (released 2025-10-07) includes security fixes to the archive/tar, crypto/tls, crypto/x509, encoding/asn1, encoding/pem, net/http, net/mail, net/textproto, and net/url packages, as well as bug fixes to the compiler, the linker, and the debug/pe, net/http, os, and sync/atomic packages. (bsc#1236217)

CVE-2025-58189 CVE-2025-61725 CVE-2025-58188 CVE-2025-58185 CVE-2025-58186 CVE-2025-61723 CVE-2025-58183 CVE-2025-47912 CVE-2025-58187 CVE-2025-61724:

* bsc#1251255 CVE-2025-58189: crypto/tls: ALPN negotiation error contains attacker controlled information
* bsc#1251253 CVE-2025-61725: net/mail: excessive CPU consumption in ParseAddress
* bsc#1251260 CVE-2025-58188: crypto/x509: panic when validating certificates with DSA public keys
* bsc#1251258 CVE-2025-58185: encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion
* bsc#1251259 CVE-2025-58186: net/http: lack of limit when parsing cookies can cause memory exhaustion
* bsc#1251256 CVE-2025-61723: encoding/pem: quadratic complexity when parsing some invalid inputs
* bsc#1251261 CVE-2025-58183: archive/tar: unbounded allocation when parsing GNU sparse map
* bsc#1251257 CVE-2025-47912: net/url: insufficient validation of bracketed IPv6 hostnames
* bsc#1251254 CVE-2025-58187: crypto/x509: quadratic complexity when checking name constraints
* bsc#1251262 CVE-2025-61724: net/textproto: excessive CPU consumption in Reader.ReadResponse
* os: Root.OpenRoot sets incorrect name, losing prefix of original root
* debug/pe: pe.Open fails on object files produced by llvm-mingw 21
* cmd/link: panic on riscv64 with CGO enabled due to empty container symbol
* net: new test TestIPv4WriteMsgUDPAddrPortTargetAddrIPVersion fails on plan9
* os: new test TestOpenFileCreateExclDanglingSymlink fails on Plan 9
* crypto/internal/fips140/rsa: requires a panic if self-tests fail
* net/http: internal error: connCount underflow
* cmd/compile: internal compiler error with GOEXPERIMENT=cgocheck2 on github.com/leodido/go-urn
* sync/atomic: comment for Uintptr.Or incorrectly describes return value

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected go1.24, go1.24-doc and / or go1.24-race packages.

See Also

https://bugzilla.suse.com/1236217

https://bugzilla.suse.com/1251253

https://bugzilla.suse.com/1251254

https://bugzilla.suse.com/1251255

https://bugzilla.suse.com/1251256

https://bugzilla.suse.com/1251257

https://bugzilla.suse.com/1251258

https://bugzilla.suse.com/1251259

https://bugzilla.suse.com/1251260

https://bugzilla.suse.com/1251261

https://bugzilla.suse.com/1251262

https://lists.suse.com/pipermail/sle-updates/2025-October/042220.html

https://www.suse.com/security/cve/CVE-2025-47912

https://www.suse.com/security/cve/CVE-2025-58183

https://www.suse.com/security/cve/CVE-2025-58185

https://www.suse.com/security/cve/CVE-2025-58186

https://www.suse.com/security/cve/CVE-2025-58187

https://www.suse.com/security/cve/CVE-2025-58188

https://www.suse.com/security/cve/CVE-2025-58189

https://www.suse.com/security/cve/CVE-2025-61723

https://www.suse.com/security/cve/CVE-2025-61724

https://www.suse.com/security/cve/CVE-2025-61725

Plugin Details

Severity: High

ID: 270849

File Name: suse_SU-2025-3682-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 10/21/2025

Updated: 10/21/2025

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

CVSS v2

Risk Factor: High

Base Score: 8.5

Temporal Score: 6.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:C

CVSS Score Source: CVE-2025-47912

CVSS v3

Risk Factor: High

Base Score: 8.2

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:go1.24, p-cpe:/a:novell:suse_linux:go1.24-doc, p-cpe:/a:novell:suse_linux:go1.24-race, cpe:/o:novell:suse_linux:15

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 10/20/2025

Vulnerability Publication Date: 10/20/2025

Reference Information

CVE: CVE-2025-47912, CVE-2025-58183, CVE-2025-58185, CVE-2025-58186, CVE-2025-58187, CVE-2025-58188, CVE-2025-58189, CVE-2025-61723, CVE-2025-61724, CVE-2025-61725

SuSE: SUSE-SU-2025:3682-1