"go-toolset":"rhel8" delve-1.25.2-1.module+el8+1955+25070eea.ML.1, golang-1.25.7-1.module+el8+1955+25070eea.ML.1
エラータID: AXSA:2026-195:01
Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.
Security Fix(es):
* golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip (CVE-2025-61728)
* golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)
* cmd/cgo: Potential code smuggling via doc comments in cmd/cgo (CVE-2025-61732)
* crypto/tls: Unexpected session resumption in crypto/tls (CVE-2025-68121)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2025-61726
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.
CVE-2025-61728
archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.
CVE-2025-61732
A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
CVE-2025-68121
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.
Modularity name: "go-toolset"
Stream name: "rhel8"
Update packages.
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.
archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.
A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.
N/A
SRPMS
- delve-1.25.2-1.module+el8+1955+25070eea.ML.1.src.rpm
MD5: be308d63f197b8eb5d4db368474dd38a
SHA-256: 513a88bea628817e7b7c62cf3786a37fbfd9a43eac9d62b9279494b54fccb8a9
Size: 9.29 MB - golang-1.25.7-1.module+el8+1955+25070eea.ML.1.src.rpm
MD5: 2e305419e5b497f5fe6f9fcd81779403
SHA-256: 3b963ac3a34f4a8da15748a066904445ba51f496d3dec25cf43a24cd4ebd507f
Size: 32.80 MB
Asianux Server 8 for x86_64
- delve-1.25.2-1.module+el8+1955+25070eea.ML.1.x86_64.rpm
MD5: 77d6ed23b39ac3bca3743e427d72e4ad
SHA-256: bd7b8518b06b86182916e8996c0336251ee43dbe2ec6a2afd75dc274c9817716
Size: 5.55 MB - delve-debugsource-1.25.2-1.module+el8+1955+25070eea.ML.1.x86_64.rpm
MD5: 905e998c513053cdb8cb02e1eb70a3bf
SHA-256: 563286c94ad1f6f15a877a9d5bd953b86a499e74aabb323913bc8ddc65d63f6a
Size: 1.27 MB - golang-1.25.7-1.module+el8+1955+25070eea.ML.1.x86_64.rpm
MD5: 0e385df06ad94660f43c6e74aa4bec07
SHA-256: 0a57df5a3d9f70d1505e622d535beaa444c5a3a420d9dd3ee8e2f0a211cac25b
Size: 1.34 MB - golang-bin-1.25.7-1.module+el8+1955+25070eea.ML.1.x86_64.rpm
MD5: 5c4d488302290d8beb98e7ad195ddda4
SHA-256: e7960534cebb6466bda31dc3904378f773055c7d7db4d43076a8fb4863965e12
Size: 40.13 MB - golang-docs-1.25.7-1.module+el8+1955+25070eea.ML.1.noarch.rpm
MD5: cef202af6914129cc6ae400f40fcc2a4
SHA-256: 3c255077a62c3f7b29f6517d2bc5e00469c3040ab3a4e776b98974d2fc8110b3
Size: 134.92 kB - golang-misc-1.25.7-1.module+el8+1955+25070eea.ML.1.noarch.rpm
MD5: 596d21c37854b4ba077623b693c5395d
SHA-256: 821f7b9699d66150e44106df15f3b3a711fa219087712b4ddfc633cf2b21a582
Size: 59.54 kB - golang-race-1.25.7-1.module+el8+1955+25070eea.ML.1.x86_64.rpm
MD5: 38a7a5320bd0717055906ea54919c8ad
SHA-256: 70e9daeacfbe1afb1de21b598f3963c1508a3ee426671800356e2779520f2542
Size: 1.27 MB - golang-src-1.25.7-1.module+el8+1955+25070eea.ML.1.noarch.rpm
MD5: 1d29aa8b2157e5f958707642fe38faff
SHA-256: 305ca2681f2b71e6aed41c80ece2a34faa1a6e3a4288cbed4f65ef3c26b9f08b
Size: 11.56 MB - golang-tests-1.25.7-1.module+el8+1955+25070eea.ML.1.noarch.rpm
MD5: 15334bce6a490d1394bff1b82fcf760b
SHA-256: fc51618a5c312cada2975eda812840d4483d1e93871ada8bb7ebb6ee2239bf9e
Size: 10.77 MB - go-toolset-1.25.7-1.module+el8+1955+25070eea.ML.1.x86_64.rpm
MD5: f101c0325a96cad56e80d0940697a0e9
SHA-256: 3d256414ed17f6b3d3a8de2a907fb3b6cbfff386ca0c033e6f23d887fe7e0c8e
Size: 33.08 kB