Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <aOWyz7tkcULTJKut@netmeister.org>
Date: Tue, 7 Oct 2025 20:39:43 -0400
From: Jan Schaumann <jschauma@...meister.org>
To: oss-security@...ts.openwall.com
Subject: several vulnerabilities fixed in Go 1.25.2 and Go 1.24.8

Forwarding from
https://groups.google.com/g/golang-nuts/c/Gxn25BP4MXk/m/3KrM-XBOBAAJ
because I don't think I've seen it here on this list
yet.

----- Forwarded message from announce@...ang.org -----

> Date: Tue, 7 Oct 2025 18:50:38 +0000
> From: announce@...ang.org
> To: golang-nuts@...glegroups.com
> Subject: [security] Go 1.25.2 and Go 1.24.8 are released
> 
> Hello gophers,
> 
> We have just released Go versions 1.25.2 and 1.24.8, minor point releases.
> 
> These minor releases include 10 security fixes following the security policy <https://go.dev/security>:
> 
> -	net/mail: excessive CPU consumption in ParseAddress
> 
> 	The ParseAddress function constructed domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this could cause excessive CPU consumption.
> 
> 	Thanks to Philippe Antoine (Catena cyber) for reporting this issue.
> 
> 	This is CVE-2025-61725 and Go issue https://go.dev/issue/75680.
> 
> -	crypto/x509: quadratic complexity when checking name constraints
> 
> 	Due to the design of the name constraint checking algorithm, the processing time
> 	of some inputs scales non-linearly with respect to the size of the certificate.
> 
> 	This affects programs which validate arbitrary certificate chains.
> 
> 	Thanks to Jakub Ciolek for reporting this issue.
> 
> 	This is CVE-2025-58187 and Go issue https://go.dev/issue/75681.
> 
> -	crypto/tls: ALPN negotiation errors can contain arbitrary text
> 
> 	The crypto/tls conn.Handshake method returns an error on the server-side when
> 	ALPN negotation fails which can contain arbitrary attacker controlled
> 	information provided by the client-side of the connection which is not escaped.
> 
> 	This affects programs which log these errors without any additional form of
> 	sanitization, and may allow injection of attacker controlled information into
> 	logs.
> 
> 	Thanks to National Cyber Security Centre Finland for reporting this issue.
> 
> 	This is CVE-2025-58189 and Go issue https://go.dev/issue/75652.
> 
> -	encoding/pem: quadratic complexity when parsing some invalid inputs
> 
> 	Due to the design of the PEM parsing function, the processing time for some
> 	inputs scales non-linearly with respect to the size of the input.
> 
> 	This affects programs which parse untrusted PEM inputs.
> 
> 	Thanks to Jakub Ciolek for reporting this issue.
> 
> 	This is CVE-2025-61723 and Go issue https://go.dev/issue/75676.
> 
> -	net/url: insufficient validation of bracketed IPv6 hostnames
> 
> 	The Parse function permitted values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.
> 
> 	Thanks to Enze Wang, Jingcheng Yang and Zehui Miao of Tsinghua University for reporting this issue.
> 
> 	This is CVE-2025-47912 and Go issue https://go.dev/issue/75678.
> 
> -	encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion
> 
> 	When parsing DER payloads, memories were being allocated prior to fully validating the payloads.
> 	This permits an attacker to craft a big empty DER payload to cause memory exhaustion in functions such as asn1.Unmarshal, x509.ParseCertificateRequest, and ocsp.ParseResponse.
> 
> 	Thanks to Jakub Ciolek for reporting this issue.
> 
> 	This is CVE-2025-58185 and Go issue https://go.dev/issue/75671.
> 
> -	net/http: lack of limit when parsing cookies can cause memory exhaustion
> 
> 	Despite HTTP headers having a default limit of 1 MB, the number of cookies that can be parsed did not have a limit.
> 	By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.
> 
> 	net/http now limits the number of cookies accepted to 3000, which can be adjusted using the httpcookiemaxnum GODEBUG option.
> 
> 	Thanks to jub0bs for reporting this issue.
> 
> 	This is CVE-2025-58186 and Go issue https://go.dev/issue/75672.
> 
> -	crypto/x509: panic when validating certificates with DSA public keys
> 
> 	Validating certificate chains which contain DSA public keys can cause programs
> 	to panic, due to a interface cast that assumes they implement the Equal method.
> 
> 	This affects programs which validate arbitrary certificate chains.
> 
> 	Thanks to Jakub Ciolek for reporting this issue.
> 
> 	This is CVE-2025-58188 and Go issue https://go.dev/issue/75675.
> 
> -	archive/tar: unbounded allocation when parsing GNU sparse map
> 
> 	tar.Reader did not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions could cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input could result in large allocations.
> 
> 	Thanks to Harshit Gupta (Mr HAX) - https://www.linkedin.com/in/iam-harshit-gupta/ for reporting this issue.
> 
> 	This is CVE-2025-58183 and Go issue https://go.dev/issue/75677.
> 
> -	net/textproto: excessive CPU consumption in Reader.ReadResponse
> 
> 	The Reader.ReadResponse function constructed a response string through
> 	repeated string concatenation of lines. When the number of lines in a response is large,
> 	this could cause excessive CPU consumption.
> 
> 	Thanks to Jakub Ciolek for reporting this issue.
> 
> 	This is CVE-2025-61724 and Go issue https://go.dev/issue/75716.
> 
> View the release notes for more information:
> https://go.dev/doc/devel/release#go1.25.2
> 
> You can download binary and source distributions from the Go website:
> https://go.dev/dl/
> 
> To compile from source using a Git clone, update to the release with
> git checkout go1.25.2 and build as usual.
> 
> Thanks to everyone who contributed to the releases.
> 
> Cheers,
> Michael and Carlos for the Go team
> 
> -- 
> You received this message because you are subscribed to the Google Groups "golang-announce" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to golang-announce+unsubscribe@...glegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/golang-announce/459c470d.BAAAB6Txh8AAAAAAAAAAA-p9MGAAAYKKSQYAAAAAADE8OwBo5WD-%40mailjet.com.

----- End forwarded message -----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.