An update for golang is now available for openEuler-22.03-LTS-SP3 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-2648 Final 1.0 1.0 2025-11-14 Initial 2025-11-14 2025-11-14 openEuler SA Tool V1.0 2025-11-14 golang security update An update for golang is now available for openEuler-22.03-LTS-SP3 . Security Fix(es): tar.Reader in the Go archive/tar component did not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions could cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input could result in large allocations.(CVE-2025-58183) In Go before 1.24.8 and 1.25.x before 1.25.2, when parsing DER payloads, memories were being allocated prior to fully validating the payloads. This permits an attacker to craft a big empty DER payload to cause memory exhaustion in functions such as asn1.Unmarshal, x509.ParseCertificateRequest, and ocsp.ParseResponse.(CVE-2025-58185) In Go before 1.24.8 and 1.25.x before 1.25.2, When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped. The impact for this is relatively limited.(CVE-2025-58189) In Go before 1.24.8 and 1.25.x before 1.25.2, The Reader.ReadResponse function constructed a response string through repeated string concatenation of lines. When the number of lines in a response is large, this could cause excessive CPU consumption.(CVE-2025-61724) An update for golang is now available for openEuler-22.03-LTS-SP3. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium golang https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2648 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-58183 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-58185 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-58189 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-61724 https://nvd.nist.gov/vuln/detail/CVE-2025-58183 https://nvd.nist.gov/vuln/detail/CVE-2025-58185 https://nvd.nist.gov/vuln/detail/CVE-2025-58189 https://nvd.nist.gov/vuln/detail/CVE-2025-61724 openEuler-22.03-LTS-SP3 golang-1.17.3-43.oe2203sp3.aarch64.rpm golang-1.17.3-43.oe2203sp3.src.rpm golang-1.17.3-43.oe2203sp3.x86_64.rpm golang-devel-1.17.3-43.oe2203sp3.noarch.rpm golang-help-1.17.3-43.oe2203sp3.noarch.rpm tar.Reader in the Go archive/tar component did not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions could cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input could result in large allocations. 2025-11-14 CVE-2025-58183 openEuler-22.03-LTS-SP3 Low 3.3 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L golang security update 2025-11-14 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2648 In Go before 1.24.8 and 1.25.x before 1.25.2, when parsing DER payloads, memories were being allocated prior to fully validating the payloads. This permits an attacker to craft a big empty DER payload to cause memory exhaustion in functions such as asn1.Unmarshal, x509.ParseCertificateRequest, and ocsp.ParseResponse. 2025-11-14 CVE-2025-58185 openEuler-22.03-LTS-SP3 Medium 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L golang security update 2025-11-14 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2648 In Go before 1.24.8 and 1.25.x before 1.25.2, When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped. The impact for this is relatively limited. 2025-11-14 CVE-2025-58189 openEuler-22.03-LTS-SP3 Medium 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N golang security update 2025-11-14 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2648 In Go before 1.24.8 and 1.25.x before 1.25.2, The Reader.ReadResponse function constructed a response string through repeated string concatenation of lines. When the number of lines in a response is large, this could cause excessive CPU consumption. 2025-11-14 CVE-2025-61724 openEuler-22.03-LTS-SP3 Medium 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L golang security update 2025-11-14 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2648