An update for golang is now available for openEuler-24.03-LTS Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-2827 Final 1.0 1.0 2025-12-12 Initial 2025-12-12 2025-12-12 openEuler SA Tool V1.0 2025-12-12 golang security update An update for golang is now available for openEuler-24.03-LTS . Security Fix(es): The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.(CVE-2025-47912) Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.(CVE-2025-58186) Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.(CVE-2025-61729) An update for golang is now available for openEuler-24.03-LTS. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High golang https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2827 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-47912 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-58186 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-61729 https://nvd.nist.gov/vuln/detail/CVE-2025-47912 https://nvd.nist.gov/vuln/detail/CVE-2025-58186 https://nvd.nist.gov/vuln/detail/CVE-2025-61729 openEuler-24.03-LTS golang-1.21.4-41.oe2403.aarch64.rpm golang-1.21.4-41.oe2403.src.rpm golang-1.21.4-41.oe2403.x86_64.rpm golang-devel-1.21.4-41.oe2403.noarch.rpm golang-help-1.21.4-41.oe2403.noarch.rpm The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement. 2025-12-12 CVE-2025-47912 openEuler-24.03-LTS Medium 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N golang security update 2025-12-12 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2827 Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption. 2025-12-12 CVE-2025-58186 openEuler-24.03-LTS Medium 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L golang security update 2025-12-12 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2827 Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption. 2025-12-12 CVE-2025-61729 openEuler-24.03-LTS High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H golang security update 2025-12-12 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2827