An update for golang is now available for openEuler-24.03-LTS-SP2 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-2709 Final 1.0 1.0 2025-11-22 Initial 2025-11-22 2025-11-22 openEuler SA Tool V1.0 2025-11-22 golang security update An update for golang is now available for openEuler-24.03-LTS-SP2 . Security Fix(es): tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.(CVE-2025-58183) Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.(CVE-2025-58185) Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains.(CVE-2025-58188) When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.(CVE-2025-58189) The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.(CVE-2025-61724) An update for golang is now available for openEuler-24.03-LTS-SP2. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High golang https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2709 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-58183 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-58185 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-58188 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-58189 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-61724 https://nvd.nist.gov/vuln/detail/CVE-2025-58183 https://nvd.nist.gov/vuln/detail/CVE-2025-58185 https://nvd.nist.gov/vuln/detail/CVE-2025-58188 https://nvd.nist.gov/vuln/detail/CVE-2025-58189 https://nvd.nist.gov/vuln/detail/CVE-2025-61724 openEuler-24.03-LTS-SP2 golang-1.21.4-38.oe2403sp2.aarch64.rpm golang-1.21.4-38.oe2403sp2.src.rpm golang-1.21.4-38.oe2403sp2.x86_64.rpm golang-devel-1.21.4-38.oe2403sp2.noarch.rpm golang-help-1.21.4-38.oe2403sp2.noarch.rpm tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations. 2025-11-22 CVE-2025-58183 openEuler-24.03-LTS-SP2 Low 3.3 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L golang security update 2025-11-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2709 Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion. 2025-11-22 CVE-2025-58185 openEuler-24.03-LTS-SP2 Medium 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L golang security update 2025-11-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2709 Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains. 2025-11-22 CVE-2025-58188 openEuler-24.03-LTS-SP2 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H golang security update 2025-11-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2709 When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped. 2025-11-22 CVE-2025-58189 openEuler-24.03-LTS-SP2 Medium 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N golang security update 2025-11-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2709 The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption. 2025-11-22 CVE-2025-61724 openEuler-24.03-LTS-SP2 Medium 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L golang security update 2025-11-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2709