The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0297-1 advisory.

    Update to version 1.25.6 (released 2026-01-15) (jsc#SLE-18320, bsc#1244485):

    Security fixes:

     - CVE-2025-4674 cmd/go: disable support for multiple vcs in one module (bsc#1246118).
     - CVE-2025-47906 os/exec: LookPath bug: incorrect expansion of '', '.' and '..' in some PATH     configurations (bsc#1247719).
     - CVE-2025-47907 database/sql: incorrect results returned from Rows.Scan (bsc#1247720).
     - CVE-2025-47910 net/http: CrossOriginProtection insecure bypass patterns not limited to exact matches     (bsc#1249141).
     - CVE-2025-47912 net/url: insufficient validation of bracketed IPv6 hostnames (bsc#1251257).
     - CVE-2025-58183 archive/tar: unbounded allocation when parsing GNU sparse map (bsc#1251261).
     - CVE-2025-58185 encoding/asn1: pre-allocating memory when parsing DER payload can cause memory     exhaustion (bsc#1251258).
     - CVE-2025-58186 net/http: lack of limit when parsing cookies can cause memory exhaustion (bsc#1251259).
     - CVE-2025-58187 crypto/x509: quadratic complexity when checking name constraints (bsc#1251254).
     - CVE-2025-58188 crypto/x509: panic when validating certificates with DSA public keys (bsc#1251260).
     - CVE-2025-58189 crypto/tls: ALPN negotiation error contains attacker controlled information     (bsc#1251255).
     - CVE-2025-61723 encoding/pem: quadratic complexity when parsing some invalid inputs (bsc#1251256).
     - CVE-2025-61724 net/textproto: excessive CPU consumption in Reader.ReadResponse (bsc#1251262).
     - CVE-2025-61725 net/mail: excessive CPU consumption in ParseAddress (bsc#1251253).
     - CVE-2025-61726 net/http: memory exhaustion in Request.ParseForm (bsc#1256817).
     - CVE-2025-61727 crypto/x509: excluded subdomain constraint doesn't preclude wildcard SAN (bsc#1254430).
     - CVE-2025-61728 archive/zip: denial of service when parsing arbitrary ZIP archives (bsc#1256816).
     - CVE-2025-61729 crypto/x509: excessive resource consumption in printing error string for host     certificate validation (bsc#1254431).
     - CVE-2025-61730 crypto/tls: handshake messages may be processed at the incorrect encryption level     (bsc#1256821).
     - CVE-2025-61731 cmd/go: bypass of flag sanitization can lead to arbitrary code execution (bsc#1256819).
     - CVE-2025-68119 cmd/go: unexpected code execution when invoking toolchain (bsc#1256820).
     - CVE-2025-68121 crypto/tls: Config.Clone copies automatically generated session ticket keys, session     resumption does not account for the expiration of full certificate chain (bsc#1256818).

    Other fixes:

      * go#74822 cmd/go: 'get toolchain@latest' should ignore release candidates
      * go#74999 net: WriteMsgUDPAddrPort should accept IPv4-mapped IPv6 destination addresses on IPv4 UDP     sockets
      * go#75008 os/exec: TestLookPath fails on plan9 after CL 685755
      * go#75021 testing/synctest: bubble not terminating
      * go#75083 os: File.Seek doesn't set the correct offset with Windows overlapped handles
      * go#75111 os, syscall: volume handles with FILE_FLAG_OVERLAPPED fail when calling ReadAt
      * go#75116 os: Root.MkdirAll can return 'file exists' when called concurrently on the same path
      * go#75139 os: Root.OpenRoot sets incorrect name, losing prefix of original root
      * go#75221 debug/pe: pe.Open fails on object files produced by llvm-mingw 21
      * go#75255 cmd/compile: export to DWARF types only referenced through interfaces
      * go#75347 testing/synctest: test timeout with no runnable goroutines
      * go#75357 net: new test TestIPv4WriteMsgUDPAddrPortTargetAddrIPVersion fails on plan9
      * go#75480 cmd/link: linker panic and relocation errors with complex generics inlining
      * go#75524 crypto/internal/fips140/rsa: requires a panic if self-tests fail
      * go#75537 context: Err can return non-nil before Done channel is closed
      * go#75539 net/http: internal error: connCount underflow
      * go#75595 cmd/compile: internal compiler error with GOEXPERIMENT=cgocheck2 on github.com/leodido/go-urn
      * go#75610 sync/atomic: comment for Uintptr.Or incorrectly describes return value
      * go#75669 runtime: debug.decoratemappings don't work as expected
      * go#75775 runtime: build fails when run via QEMU for linux/amd64 running on linux/arm64
      * go#75777 spec: Go1.25 spec should be dated closer to actual release date
      * go#75790 crypto/internal/fips140/subtle: Go 1.25 subtle.xorBytes panic on MIPS
      * go#75832 net/url: ipv4 mapped ipv6 addresses should be valid in square brackets
      * go#75861 crypto/x509: TLS validation fails for FQDNs with trailing dot
      * go#75952 encoding/pem: regression when decoding blocks with leading garbage
      * go#75989 os: on windows RemoveAll removing directories containing read-only files errors with unlinkat     ... Access is denied
      * go#76010 cmd/compile: any(func(){})==any(func(){}) does not panic but should
      * go#76029 pem/encoding: malformed line endings can cause panics
      * go#76245 mime: FormatMediaType and ParseMediaType not compatible across 1.24 to 1.25
      * go#76360 os: on windows RemoveAll removing directories containing read-only files errors with unlinkat     ... Access is denied, ReOpenFile error handling followup
      * go#76392 os: package initialization hangs is Stdin is blocked
      * go#76409 crypto/tls: earlyTrafficSecret should use ClientHelloInner if ECH enabled
      * go#76620 os: on Unix, Readdirnames skips directory entries with zero inodes
      * go#76761 runtime: stack split at bad time in os/signal with Go 1.25.4 windows 386
      * go#76776 runtime: race detector crash on ppc64le
      * go#76967 cmd/compile/internal/ssa: Compile.func1(): panic during sccp while compiling <function>:
    runtime error: index out of range
      * go#76973 errors: errors.Join behavior changed in 1.25

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

SUSE SLES15 Security Update : go1.25-openssl (SUSE-SU-2026:0297-1)

critical Nessus Plugin ID 297011

Version 1.2

Version 1.1

Version 1.2 Feb 12, 2026, 7:05 AM CVSS metrics ("CVSSv2 score" set to 10.0) CVSS metrics ("CVSSv2 vector" set to "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C") CVSS metrics ("CVSSv3 score" set to 10.0) CVSS metrics ("CVSSv3 vector" set to "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H") CVSSv2 score source (changed from "CVE-2025-47912" to "CVE-2025-68121") CVSSv3 score source (changed from "CVE-2025-4674" to none) Plugin Feed: 202602120705
Version 1.1 Jan 28, 2026, 2:28 PM New Plugin Feed: 202601281428