SUSE SLES15 Security Update : go1.25-openssl (SUSE-SU-2026:0297-1)

high Nessus Plugin ID 297011

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0297-1 advisory.

Update to version 1.25.6 (released 2026-01-15) (jsc#SLE-18320, bsc#1244485):

Security fixes:

- CVE-2025-4674 cmd/go: disable support for multiple vcs in one module (bsc#1246118).
- CVE-2025-47906 os/exec: LookPath bug: incorrect expansion of '', '.' and '..' in some PATH configurations (bsc#1247719).
- CVE-2025-47907 database/sql: incorrect results returned from Rows.Scan (bsc#1247720).
- CVE-2025-47910 net/http: CrossOriginProtection insecure bypass patterns not limited to exact matches (bsc#1249141).
- CVE-2025-47912 net/url: insufficient validation of bracketed IPv6 hostnames (bsc#1251257).
- CVE-2025-58183 archive/tar: unbounded allocation when parsing GNU sparse map (bsc#1251261).
- CVE-2025-58185 encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion (bsc#1251258).
- CVE-2025-58186 net/http: lack of limit when parsing cookies can cause memory exhaustion (bsc#1251259).
- CVE-2025-58187 crypto/x509: quadratic complexity when checking name constraints (bsc#1251254).
- CVE-2025-58188 crypto/x509: panic when validating certificates with DSA public keys (bsc#1251260).
- CVE-2025-58189 crypto/tls: ALPN negotiation error contains attacker controlled information (bsc#1251255).
- CVE-2025-61723 encoding/pem: quadratic complexity when parsing some invalid inputs (bsc#1251256).
- CVE-2025-61724 net/textproto: excessive CPU consumption in Reader.ReadResponse (bsc#1251262).
- CVE-2025-61725 net/mail: excessive CPU consumption in ParseAddress (bsc#1251253).
- CVE-2025-61726 net/http: memory exhaustion in Request.ParseForm (bsc#1256817).
- CVE-2025-61727 crypto/x509: excluded subdomain constraint doesn't preclude wildcard SAN (bsc#1254430).
- CVE-2025-61728 archive/zip: denial of service when parsing arbitrary ZIP archives (bsc#1256816).
- CVE-2025-61729 crypto/x509: excessive resource consumption in printing error string for host certificate validation (bsc#1254431).
- CVE-2025-61730 crypto/tls: handshake messages may be processed at the incorrect encryption level (bsc#1256821).
- CVE-2025-61731 cmd/go: bypass of flag sanitization can lead to arbitrary code execution (bsc#1256819).
- CVE-2025-68119 cmd/go: unexpected code execution when invoking toolchain (bsc#1256820).
- CVE-2025-68121 crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain (bsc#1256818).

Other fixes:

* go#74822 cmd/go: 'get toolchain@latest' should ignore release candidates
* go#74999 net: WriteMsgUDPAddrPort should accept IPv4-mapped IPv6 destination addresses on IPv4 UDP sockets
* go#75008 os/exec: TestLookPath fails on plan9 after CL 685755
* go#75021 testing/synctest: bubble not terminating
* go#75083 os: File.Seek doesn't set the correct offset with Windows overlapped handles
* go#75111 os, syscall: volume handles with FILE_FLAG_OVERLAPPED fail when calling ReadAt
* go#75116 os: Root.MkdirAll can return 'file exists' when called concurrently on the same path
* go#75139 os: Root.OpenRoot sets incorrect name, losing prefix of original root
* go#75221 debug/pe: pe.Open fails on object files produced by llvm-mingw 21
* go#75255 cmd/compile: export to DWARF types only referenced through interfaces
* go#75347 testing/synctest: test timeout with no runnable goroutines
* go#75357 net: new test TestIPv4WriteMsgUDPAddrPortTargetAddrIPVersion fails on plan9
* go#75480 cmd/link: linker panic and relocation errors with complex generics inlining
* go#75524 crypto/internal/fips140/rsa: requires a panic if self-tests fail
* go#75537 context: Err can return non-nil before Done channel is closed
* go#75539 net/http: internal error: connCount underflow
* go#75595 cmd/compile: internal compiler error with GOEXPERIMENT=cgocheck2 on github.com/leodido/go-urn
* go#75610 sync/atomic: comment for Uintptr.Or incorrectly describes return value
* go#75669 runtime: debug.decoratemappings don't work as expected
* go#75775 runtime: build fails when run via QEMU for linux/amd64 running on linux/arm64
* go#75777 spec: Go1.25 spec should be dated closer to actual release date
* go#75790 crypto/internal/fips140/subtle: Go 1.25 subtle.xorBytes panic on MIPS
* go#75832 net/url: ipv4 mapped ipv6 addresses should be valid in square brackets
* go#75861 crypto/x509: TLS validation fails for FQDNs with trailing dot
* go#75952 encoding/pem: regression when decoding blocks with leading garbage
* go#75989 os: on windows RemoveAll removing directories containing read-only files errors with unlinkat ... Access is denied
* go#76010 cmd/compile: any(func(){})==any(func(){}) does not panic but should
* go#76029 pem/encoding: malformed line endings can cause panics
* go#76245 mime: FormatMediaType and ParseMediaType not compatible across 1.24 to 1.25
* go#76360 os: on windows RemoveAll removing directories containing read-only files errors with unlinkat ... Access is denied, ReOpenFile error handling followup
* go#76392 os: package initialization hangs is Stdin is blocked
* go#76409 crypto/tls: earlyTrafficSecret should use ClientHelloInner if ECH enabled
* go#76620 os: on Unix, Readdirnames skips directory entries with zero inodes
* go#76761 runtime: stack split at bad time in os/signal with Go 1.25.4 windows 386
* go#76776 runtime: race detector crash on ppc64le
* go#76967 cmd/compile/internal/ssa: Compile.func1(): panic during sccp while compiling <function>:
runtime error: index out of range
* go#76973 errors: errors.Join behavior changed in 1.25

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected go1.25-openssl, go1.25-openssl-doc and / or go1.25-openssl-race packages.

Plugin Details

Severity: High

ID: 297011

File Name: suse_SU-2026-0297-1.nasl

Version: 1.1

Type: local

Agent: unix

Family: SuSE Local Security Checks

Published: 1/28/2026

Updated: 1/28/2026

Supported Sensors: Continuous Assessment, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 8.5

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:C

CVSS Score Source: CVE-2025-47912

CVSS v3

Risk Factor: High

Base Score: 8.6

Temporal Score: 7.7

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2025-4674

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:go1.25-openssl-doc, p-cpe:/a:novell:suse_linux:go1.25-openssl, cpe:/o:novell:suse_linux:15, p-cpe:/a:novell:suse_linux:go1.25-openssl-race

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/26/2026

Vulnerability Publication Date: 7/10/2025

Reference Information

CVE: CVE-2025-4674, CVE-2025-47906, CVE-2025-47907, CVE-2025-47910, CVE-2025-47912, CVE-2025-58183, CVE-2025-58185, CVE-2025-58186, CVE-2025-58187, CVE-2025-58188, CVE-2025-58189, CVE-2025-61723, CVE-2025-61724, CVE-2025-61725, CVE-2025-61726, CVE-2025-61727, CVE-2025-61728, CVE-2025-61729, CVE-2025-61730, CVE-2025-61731, CVE-2025-68119, CVE-2025-68121

SuSE: SUSE-SU-2026:0297-1

Detections

Analytics

SUSE SLES15 Security Update : go1.25-openssl (SUSE-SU-2026:0297-1)

high Nessus Plugin ID 297011

Synopsis

Description

Solution

See Also

Plugin Details

Risk Information

VPR

CVSS v2

CVSS v3

Vulnerability Information

Reference Information