{
	"document":{
		"aggregate_severity":{
			"namespace":"https://nvd.nist.gov/vuln-metrics/cvss",
			"text":"Medium"
		},
		"category":"csaf_vex",
		"csaf_version":"2.0",
		"distribution":{
			"tlp":{
				"label":"WHITE",
				"url":"https://www.first.org/tlp/"
			}
		},
		"lang":"en",
		"notes":[
			{
				"text":"golang security update",
				"category":"general",
				"title":"Synopsis"
			},
			{
				"text":"An update for golang is now available for openEuler-22.03-LTS-SP3",
				"category":"general",
				"title":"Summary"
			},
			{
				"text":"Security Fix(es):\n\ntar.Reader in the Go archive/tar component did not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions could cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input could result in large allocations. (CVE-2025-58183)\n\nIn Go before 1.24.8 and 1.25.x before 1.25.2, when parsing DER payloads, memory was being allocated prior to fully validating the payloads. This permits an attacker to craft a big empty DER payload to cause memory exhaustion in functions such as asn1.Unmarshal, x509.ParseCertificateRequest, and ocsp.ParseResponse. (CVE-2025-58185)\n\nIn Go before 1.24.8 and 1.25.x before 1.25.2, when Conn.Handshake fails during ALPN negotiation the error contains attacker-controlled information (the ALPN protocols sent by the client) which is not escaped. The impact of this is relatively limited. (CVE-2025-58189)\n\nIn Go before 1.24.8 and 1.25.x before 1.25.2, the Reader.ReadResponse function constructed a response string through repeated string concatenation of lines. When the number of lines in a response is large, this could cause excessive CPU consumption. (CVE-2025-61724)",
				"category":"general",
				"title":"Description"
			},
			{
				"text":"An update for golang is now available for openEuler-22.03-LTS-SP3.\n\nopenEuler Security has rated this update as having a security impact of medium. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
				"category":"general",
				"title":"Topic"
			},
			{
				"text":"Medium",
				"category":"general",
				"title":"Severity"
			},
			{
				"text":"golang",
				"category":"general",
				"title":"Affected Component"
			}
		],
		"publisher":{
			"issuing_authority":"openEuler security committee",
			"name":"openEuler",
			"namespace":"https://www.openeuler.org",
			"contact_details":"openeuler-security@openeuler.org",
			"category":"vendor"
		},
		"references":[
			{
				"summary":"openEuler-SA-2025-2648",
				"category":"self",
				"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2648"
			},
			{
				"summary":"CVE-2025-58183",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-58183&packageName=golang"
			},
			{
				"summary":"CVE-2025-58185",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-58185&packageName=golang"
			},
			{
				"summary":"CVE-2025-58189",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-58189&packageName=golang"
			},
			{
				"summary":"CVE-2025-61724",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-61724&packageName=golang"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-58183"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-58185"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-58189"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-61724"
			},
			{
				"summary":"openEuler-SA-2025-2648 vex file",
				"category":"self",
				"url":"https://repo.openeuler.org/security/data/csaf/advisories/2025/csaf-openEuler-SA-2025-2648.json"
			}
		],
		"title":"An update for golang is now available for openEuler-22.03-LTS-SP3",
		"tracking":{
			"initial_release_date":"2025-11-17T10:36:41+08:00",
			"revision_history":[
				{
					"date":"2025-11-17T10:36:41+08:00",
					"summary":"Initial",
					"number":"1.0.0"
				}
			],
			"generator":{
				"date":"2025-11-17T10:36:41+08:00",
				"engine":{
					"name":"openEuler CSAF Tool V1.0"
				}
			},
			"current_release_date":"2025-11-17T10:36:41+08:00",
			"id":"openEuler-SA-2025-2648",
			"version":"1.0.0",
			"status":"final"
		}
	},
	"product_tree":{
		"branches":[
			{
				"name":"openEuler",
				"category":"vendor",
				"branches":[
					{
						"name":"openEuler",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP3"
									},
									"product_id":"openEuler-22.03-LTS-SP3",
									"name":"openEuler-22.03-LTS-SP3"
								},
								"name":"openEuler-22.03-LTS-SP3",
								"category":"product_version"
							}
						],
						"category":"product_name"
					},
					{
						"name":"aarch64",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP3"
									},
									"product_id":"golang-1.17.3-43.oe2203sp3.aarch64.rpm",
									"name":"golang-1.17.3-43.oe2203sp3.aarch64.rpm"
								},
								"name":"golang-1.17.3-43.oe2203sp3.aarch64.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"src",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP3"
									},
									"product_id":"golang-1.17.3-43.oe2203sp3.src.rpm",
									"name":"golang-1.17.3-43.oe2203sp3.src.rpm"
								},
								"name":"golang-1.17.3-43.oe2203sp3.src.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"x86_64",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP3"
									},
									"product_id":"golang-1.17.3-43.oe2203sp3.x86_64.rpm",
									"name":"golang-1.17.3-43.oe2203sp3.x86_64.rpm"
								},
								"name":"golang-1.17.3-43.oe2203sp3.x86_64.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"noarch",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP3"
									},
									"product_id":"golang-devel-1.17.3-43.oe2203sp3.noarch.rpm",
									"name":"golang-devel-1.17.3-43.oe2203sp3.noarch.rpm"
								},
								"name":"golang-devel-1.17.3-43.oe2203sp3.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP3"
									},
									"product_id":"golang-help-1.17.3-43.oe2203sp3.noarch.rpm",
									"name":"golang-help-1.17.3-43.oe2203sp3.noarch.rpm"
								},
								"name":"golang-help-1.17.3-43.oe2203sp3.noarch.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					}
				]
			}
		],
		"relationships":[
			{
				"relates_to_product_reference":"openEuler-22.03-LTS-SP3",
				"product_reference":"golang-1.17.3-43.oe2203sp3.aarch64.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS-SP3:golang-1.17.3-43.oe2203sp3.aarch64",
					"name":"golang-1.17.3-43.oe2203sp3.aarch64 as a component of openEuler-22.03-LTS-SP3"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-22.03-LTS-SP3",
				"product_reference":"golang-1.17.3-43.oe2203sp3.src.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS-SP3:golang-1.17.3-43.oe2203sp3.src",
					"name":"golang-1.17.3-43.oe2203sp3.src as a component of openEuler-22.03-LTS-SP3"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-22.03-LTS-SP3",
				"product_reference":"golang-1.17.3-43.oe2203sp3.x86_64.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS-SP3:golang-1.17.3-43.oe2203sp3.x86_64",
					"name":"golang-1.17.3-43.oe2203sp3.x86_64 as a component of openEuler-22.03-LTS-SP3"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-22.03-LTS-SP3",
				"product_reference":"golang-devel-1.17.3-43.oe2203sp3.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS-SP3:golang-devel-1.17.3-43.oe2203sp3.noarch",
					"name":"golang-devel-1.17.3-43.oe2203sp3.noarch as a component of openEuler-22.03-LTS-SP3"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-22.03-LTS-SP3",
				"product_reference":"golang-help-1.17.3-43.oe2203sp3.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS-SP3:golang-help-1.17.3-43.oe2203sp3.noarch",
					"name":"golang-help-1.17.3-43.oe2203sp3.noarch as a component of openEuler-22.03-LTS-SP3"
				},
				"category":"default_component_of"
			}
		]
	},
	"vulnerabilities":[
		{
			"cve":"CVE-2025-58183",
			
			"notes":[
				{
					"text":"tar.Reader in the Go archive/tar component did not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions could cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input could result in large allocations.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-22.03-LTS-SP3:golang-1.17.3-43.oe2203sp3.aarch64",
					"openEuler-22.03-LTS-SP3:golang-1.17.3-43.oe2203sp3.src",
					"openEuler-22.03-LTS-SP3:golang-1.17.3-43.oe2203sp3.x86_64",
					"openEuler-22.03-LTS-SP3:golang-devel-1.17.3-43.oe2203sp3.noarch",
					"openEuler-22.03-LTS-SP3:golang-help-1.17.3-43.oe2203sp3.noarch"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-22.03-LTS-SP3:golang-1.17.3-43.oe2203sp3.aarch64",
						"openEuler-22.03-LTS-SP3:golang-1.17.3-43.oe2203sp3.src",
						"openEuler-22.03-LTS-SP3:golang-1.17.3-43.oe2203sp3.x86_64",
						"openEuler-22.03-LTS-SP3:golang-devel-1.17.3-43.oe2203sp3.noarch",
						"openEuler-22.03-LTS-SP3:golang-help-1.17.3-43.oe2203sp3.noarch"
					],
					"details":"golang security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2648"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"LOW",
						"baseScore":3.3,
						"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
						"version":"3.1"
					},
					"products":[
						"openEuler-22.03-LTS-SP3:golang-1.17.3-43.oe2203sp3.aarch64",
						"openEuler-22.03-LTS-SP3:golang-1.17.3-43.oe2203sp3.src",
						"openEuler-22.03-LTS-SP3:golang-1.17.3-43.oe2203sp3.x86_64",
						"openEuler-22.03-LTS-SP3:golang-devel-1.17.3-43.oe2203sp3.noarch",
						"openEuler-22.03-LTS-SP3:golang-help-1.17.3-43.oe2203sp3.noarch"
					]
				}
			],
			"threats":[
				{
					"details":"Low",
					"category":"impact"
				}
			],
			"title":"CVE-2025-58183"
		},
		{
			"cve":"CVE-2025-58185",
			
			"notes":[
				{
					"text":"In Go before 1.24.8 and 1.25.x before 1.25.2, when parsing DER payloads, memory was being allocated prior to fully validating the payloads. This permits an attacker to craft a big empty DER payload to cause memory exhaustion in functions such as asn1.Unmarshal, x509.ParseCertificateRequest, and ocsp.ParseResponse.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-22.03-LTS-SP3:golang-1.17.3-43.oe2203sp3.aarch64",
					"openEuler-22.03-LTS-SP3:golang-1.17.3-43.oe2203sp3.src",
					"openEuler-22.03-LTS-SP3:golang-1.17.3-43.oe2203sp3.x86_64",
					"openEuler-22.03-LTS-SP3:golang-devel-1.17.3-43.oe2203sp3.noarch",
					"openEuler-22.03-LTS-SP3:golang-help-1.17.3-43.oe2203sp3.noarch"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-22.03-LTS-SP3:golang-1.17.3-43.oe2203sp3.aarch64",
						"openEuler-22.03-LTS-SP3:golang-1.17.3-43.oe2203sp3.src",
						"openEuler-22.03-LTS-SP3:golang-1.17.3-43.oe2203sp3.x86_64",
						"openEuler-22.03-LTS-SP3:golang-devel-1.17.3-43.oe2203sp3.noarch",
						"openEuler-22.03-LTS-SP3:golang-help-1.17.3-43.oe2203sp3.noarch"
					],
					"details":"golang security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2648"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"MEDIUM",
						"baseScore":5.3,
						"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
						"version":"3.1"
					},
					"products":[
						"openEuler-22.03-LTS-SP3:golang-1.17.3-43.oe2203sp3.aarch64",
						"openEuler-22.03-LTS-SP3:golang-1.17.3-43.oe2203sp3.src",
						"openEuler-22.03-LTS-SP3:golang-1.17.3-43.oe2203sp3.x86_64",
						"openEuler-22.03-LTS-SP3:golang-devel-1.17.3-43.oe2203sp3.noarch",
						"openEuler-22.03-LTS-SP3:golang-help-1.17.3-43.oe2203sp3.noarch"
					]
				}
			],
			"threats":[
				{
					"details":"Medium",
					"category":"impact"
				}
			],
			"title":"CVE-2025-58185"
		},
		{
			"cve":"CVE-2025-58189",
			
			"notes":[
				{
					"text":"In Go before 1.24.8 and 1.25.x before 1.25.2, when Conn.Handshake fails during ALPN negotiation the error contains attacker-controlled information (the ALPN protocols sent by the client) which is not escaped. The impact of this is relatively limited.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-22.03-LTS-SP3:golang-1.17.3-43.oe2203sp3.aarch64",
					"openEuler-22.03-LTS-SP3:golang-1.17.3-43.oe2203sp3.src",
					"openEuler-22.03-LTS-SP3:golang-1.17.3-43.oe2203sp3.x86_64",
					"openEuler-22.03-LTS-SP3:golang-devel-1.17.3-43.oe2203sp3.noarch",
					"openEuler-22.03-LTS-SP3:golang-help-1.17.3-43.oe2203sp3.noarch"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-22.03-LTS-SP3:golang-1.17.3-43.oe2203sp3.aarch64",
						"openEuler-22.03-LTS-SP3:golang-1.17.3-43.oe2203sp3.src",
						"openEuler-22.03-LTS-SP3:golang-1.17.3-43.oe2203sp3.x86_64",
						"openEuler-22.03-LTS-SP3:golang-devel-1.17.3-43.oe2203sp3.noarch",
						"openEuler-22.03-LTS-SP3:golang-help-1.17.3-43.oe2203sp3.noarch"
					],
					"details":"golang security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2648"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"MEDIUM",
						"baseScore":5.3,
						"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
						"version":"3.1"
					},
					"products":[
						"openEuler-22.03-LTS-SP3:golang-1.17.3-43.oe2203sp3.aarch64",
						"openEuler-22.03-LTS-SP3:golang-1.17.3-43.oe2203sp3.src",
						"openEuler-22.03-LTS-SP3:golang-1.17.3-43.oe2203sp3.x86_64",
						"openEuler-22.03-LTS-SP3:golang-devel-1.17.3-43.oe2203sp3.noarch",
						"openEuler-22.03-LTS-SP3:golang-help-1.17.3-43.oe2203sp3.noarch"
					]
				}
			],
			"threats":[
				{
					"details":"Medium",
					"category":"impact"
				}
			],
			"title":"CVE-2025-58189"
		},
		{
			"cve":"CVE-2025-61724",
			
			"notes":[
				{
					"text":"In Go before 1.24.8 and 1.25.x before 1.25.2, the Reader.ReadResponse function constructed a response string through repeated string concatenation of lines. When the number of lines in a response is large, this could cause excessive CPU consumption.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-22.03-LTS-SP3:golang-1.17.3-43.oe2203sp3.aarch64",
					"openEuler-22.03-LTS-SP3:golang-1.17.3-43.oe2203sp3.src",
					"openEuler-22.03-LTS-SP3:golang-1.17.3-43.oe2203sp3.x86_64",
					"openEuler-22.03-LTS-SP3:golang-devel-1.17.3-43.oe2203sp3.noarch",
					"openEuler-22.03-LTS-SP3:golang-help-1.17.3-43.oe2203sp3.noarch"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-22.03-LTS-SP3:golang-1.17.3-43.oe2203sp3.aarch64",
						"openEuler-22.03-LTS-SP3:golang-1.17.3-43.oe2203sp3.src",
						"openEuler-22.03-LTS-SP3:golang-1.17.3-43.oe2203sp3.x86_64",
						"openEuler-22.03-LTS-SP3:golang-devel-1.17.3-43.oe2203sp3.noarch",
						"openEuler-22.03-LTS-SP3:golang-help-1.17.3-43.oe2203sp3.noarch"
					],
					"details":"golang security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2648"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"MEDIUM",
						"baseScore":5.3,
						"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
						"version":"3.1"
					},
					"products":[
						"openEuler-22.03-LTS-SP3:golang-1.17.3-43.oe2203sp3.aarch64",
						"openEuler-22.03-LTS-SP3:golang-1.17.3-43.oe2203sp3.src",
						"openEuler-22.03-LTS-SP3:golang-1.17.3-43.oe2203sp3.x86_64",
						"openEuler-22.03-LTS-SP3:golang-devel-1.17.3-43.oe2203sp3.noarch",
						"openEuler-22.03-LTS-SP3:golang-help-1.17.3-43.oe2203sp3.noarch"
					]
				}
			],
			"threats":[
				{
					"details":"Medium",
					"category":"impact"
				}
			],
			"title":"CVE-2025-61724"
		}
	]
}