golang-1.25.9-1.el9_7
エラータID: AXSA:2026-520:04
The golang packages provide the Go programming language compiler.
Security Fix(es):
* golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)
* crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)
* crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building (CVE-2026-32280)
* golang: cmd/compile: no-op interface conversion bypasses overlap checking (CVE-2026-27144)
* cmd/go: golang: Go (golang) and cmd/go: Arbitrary Code Execution via malicious SWIG file names (CVE-2026-27140)
* golang: cmd/compile: possible memory corruption after bound check elimination (CVE-2026-27143)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2026-27140
SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.
CVE-2026-27143
Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption.
CVE-2026-27144
The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.
CVE-2026-32280
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.
CVE-2026-32282
On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.
CVE-2026-32283
If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.
Update packages.
SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.
Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption.
The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.
On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.
If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.
N/A
SRPMS
- golang-1.25.9-1.el9_7.src.rpm
MD5: 8f318bbf46a0829a1a4761221c3cd9c9
SHA-256: 9e8da15187526dbb7fdbc8d386ef237826d94585b733a191a3d727d19121cf2d
Size: 32.76 MB
Asianux Server 9 for x86_64
- golang-1.25.9-1.el9_7.x86_64.rpm
MD5: ec62fe4316df7dada603bf52c6a0174e
SHA-256: f6f71616be2c1211b955ea8b2fbfdaa359595f08ca9c98798314db8abf06c718
Size: 1.25 MB - golang-bin-1.25.9-1.el9_7.x86_64.rpm
MD5: cbe66b35c8bbd7d52bf7987ce81e2396
SHA-256: 2b1b3ae6076f6925452d7c20a1dfdfd5e40b5047fb28032e25fd66d14433002a
Size: 36.51 MB - golang-docs-1.25.9-1.el9_7.noarch.rpm
MD5: 84291d6e0cb8706732652e29160bbdcf
SHA-256: a59e48a71befcf41b081559080bd70d02e8c43b656e078beaab2d6ef9c8d8f36
Size: 108.72 kB - golang-misc-1.25.9-1.el9_7.noarch.rpm
MD5: c3362d7c1cb3b48e0ca6e6664378f737
SHA-256: 7fce068a44a51603c9c14c383e056d4c9e1ba26ea75ab180b6bc0867a3f41ea1
Size: 41.60 kB - golang-race-1.25.9-1.el9_7.x86_64.rpm
MD5: f1e5022cc947a9b80c1a817f698bbe69
SHA-256: 6efe409d3bfeb60cd2f483976759037eb00002f3317814cdd4b9cfbd4141c163
Size: 1.68 MB - golang-src-1.25.9-1.el9_7.noarch.rpm
MD5: ccfbb299d6d85409cc33e4cc1fe5f3e7
SHA-256: 460dba799aa2f29f1d61d4ef889131d858cea1cb75292b8f0a7941ca8a58eafb
Size: 11.44 MB - golang-tests-1.25.9-1.el9_7.noarch.rpm
MD5: 6a4630fb1e1471ff2917166fda7d3cf0
SHA-256: cf56ac77c78812bd7c098000b1dbcb3c3570f430cadb13a3a5e0e897f1161dde
Size: 11.48 MB - go-toolset-1.25.9-1.el9_7.x86_64.rpm
MD5: c96fbb949b799e4f7cf6434d611dcb1c
SHA-256: 2c4c35013fafbf6e34869ff6168b15054e93fe851b908a61f8dfb0cdb5320e5e
Size: 9.56 kB