{ "document": { "aggregate_severity": { "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "TuxCare License Agreement", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.", "title": "Terms of Use" }, { "category": "details", "text": "CVE-2025-4674: disallow multiple VCS metadata dirs in one module to\n prevent VCS injection attacks", "title": "Details" } ], "publisher": { "category": "vendor", "contact_details": "https://tuxcare.com/contact/", "name": "TuxCare", "namespace": "https://tuxcare.com/" }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://security.tuxcare.com/csaf/v2/els_os/almalinux9.2esu/advisories/2025/clsa-2025_1756931716.json" }, { "category": "self", "summary": "https://cve.tuxcare.com/els/releases/CLSA-2025:1756931716", "url": "https://cve.tuxcare.com/els/releases/CLSA-2025:1756931716" } ], "tracking": { "current_release_date": "2026-02-16T09:36:34Z", "generator": { "date": "2026-02-16T09:36:34Z", "engine": { "name": "pyCSAF" } }, "id": "CLSA-2025:1756931716", "initial_release_date": "2025-09-03T20:36:03Z", "revision_history": [ { "date": "2025-09-03T20:36:03Z", "number": "1", "summary": "Initial version" }, { "date": "2026-02-16T09:36:34Z", "number": "2", "summary": "Update document" } ], "status": "final", "version": "2" }, "title": "golang: Fix of CVE-2025-4674" }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "AlmaLinux 9.2", "product": { "name": "AlmaLinux 9.2", "product_id": "AlmaLinux-9.2", "product_identification_helper": { "cpe": "cpe:2.3:o:almalinux:almalinux:9.2:*:*:*:*:*:*:*" } } } ], "category": "product_family", "name": "AlmaLinux" } ], "category": "vendor", "name": "AlmaLinux OS Foundation" }, { "branches": [ { "branches": [ { "category": "product_version", "name": "go-toolset-0:1.22.5-1.el9_2.tuxcare.els6.x86_64", "product": { "name": "go-toolset-0:1.22.5-1.el9_2.tuxcare.els6.x86_64", "product_id": "go-toolset-0:1.22.5-1.el9_2.tuxcare.els6.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/go-toolset@1.22.5-1.el9_2.tuxcare.els6?arch=x86_64" } } }, { "category": "product_version", "name": "golang-bin-0:1.22.5-1.el9_2.tuxcare.els6.x86_64", "product": { "name": "golang-bin-0:1.22.5-1.el9_2.tuxcare.els6.x86_64", "product_id": "golang-bin-0:1.22.5-1.el9_2.tuxcare.els6.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/golang-bin@1.22.5-1.el9_2.tuxcare.els6?arch=x86_64" } } }, { "category": "product_version", "name": "golang-0:1.22.5-1.el9_2.tuxcare.els6.x86_64", "product": { "name": "golang-0:1.22.5-1.el9_2.tuxcare.els6.x86_64", "product_id": "golang-0:1.22.5-1.el9_2.tuxcare.els6.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/golang@1.22.5-1.el9_2.tuxcare.els6?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_version", "name": "golang-tests-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "product": { "name": "golang-tests-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "product_id": "golang-tests-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/golang-tests@1.22.5-1.el9_2.tuxcare.els6?arch=noarch" } } }, { "category": "product_version", "name": "golang-docs-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "product": { "name": "golang-docs-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "product_id": "golang-docs-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/golang-docs@1.22.5-1.el9_2.tuxcare.els6?arch=noarch" } } }, { "category": "product_version", "name": "golang-src-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "product": { "name": "golang-src-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "product_id": "golang-src-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/golang-src@1.22.5-1.el9_2.tuxcare.els6?arch=noarch" } } }, { "category": "product_version", "name": "golang-misc-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "product": { "name": "golang-misc-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "product_id": "golang-misc-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/golang-misc@1.22.5-1.el9_2.tuxcare.els6?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "TuxCare" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "go-toolset-0:1.22.5-1.el9_2.tuxcare.els6.x86_64 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:go-toolset-0:1.22.5-1.el9_2.tuxcare.els6.x86_64" }, "product_reference": "go-toolset-0:1.22.5-1.el9_2.tuxcare.els6.x86_64", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "golang-tests-0:1.22.5-1.el9_2.tuxcare.els6.noarch as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:golang-tests-0:1.22.5-1.el9_2.tuxcare.els6.noarch" }, "product_reference": "golang-tests-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "golang-docs-0:1.22.5-1.el9_2.tuxcare.els6.noarch as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:golang-docs-0:1.22.5-1.el9_2.tuxcare.els6.noarch" }, "product_reference": "golang-docs-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "golang-bin-0:1.22.5-1.el9_2.tuxcare.els6.x86_64 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:golang-bin-0:1.22.5-1.el9_2.tuxcare.els6.x86_64" }, "product_reference": "golang-bin-0:1.22.5-1.el9_2.tuxcare.els6.x86_64", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "golang-src-0:1.22.5-1.el9_2.tuxcare.els6.noarch as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:golang-src-0:1.22.5-1.el9_2.tuxcare.els6.noarch" }, "product_reference": "golang-src-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "golang-0:1.22.5-1.el9_2.tuxcare.els6.x86_64 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:golang-0:1.22.5-1.el9_2.tuxcare.els6.x86_64" }, "product_reference": "golang-0:1.22.5-1.el9_2.tuxcare.els6.x86_64", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "golang-misc-0:1.22.5-1.el9_2.tuxcare.els6.noarch as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:golang-misc-0:1.22.5-1.el9_2.tuxcare.els6.noarch" }, "product_reference": "golang-misc-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "relates_to_product_reference": "AlmaLinux-9.2" } ] }, "vulnerabilities": [ { "cve": "CVE-2025-4674", "cwe": { "id": "CWE-74", "name": "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')" }, "notes": [ { "category": "description", "text": "The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via \"go get\", are not affected.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.2:go-toolset-0:1.22.5-1.el9_2.tuxcare.els6.x86_64", "AlmaLinux-9.2:golang-0:1.22.5-1.el9_2.tuxcare.els6.x86_64", "AlmaLinux-9.2:golang-bin-0:1.22.5-1.el9_2.tuxcare.els6.x86_64", "AlmaLinux-9.2:golang-docs-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "AlmaLinux-9.2:golang-misc-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "AlmaLinux-9.2:golang-src-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "AlmaLinux-9.2:golang-tests-0:1.22.5-1.el9_2.tuxcare.els6.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2025-4674" } ], "release_date": "2025-07-29T21:19:00Z", "remediations": [ { "category": "vendor_fix", "date": "2025-09-03T20:35:18.006413Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2025:1756931716", "product_ids": [ "AlmaLinux-9.2:go-toolset-0:1.22.5-1.el9_2.tuxcare.els6.x86_64", "AlmaLinux-9.2:golang-0:1.22.5-1.el9_2.tuxcare.els6.x86_64", "AlmaLinux-9.2:golang-bin-0:1.22.5-1.el9_2.tuxcare.els6.x86_64", "AlmaLinux-9.2:golang-docs-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "AlmaLinux-9.2:golang-misc-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "AlmaLinux-9.2:golang-src-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "AlmaLinux-9.2:golang-tests-0:1.22.5-1.el9_2.tuxcare.els6.noarch" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2025:1756931716" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AlmaLinux-9.2:go-toolset-0:1.22.5-1.el9_2.tuxcare.els6.x86_64", "AlmaLinux-9.2:golang-0:1.22.5-1.el9_2.tuxcare.els6.x86_64", "AlmaLinux-9.2:golang-bin-0:1.22.5-1.el9_2.tuxcare.els6.x86_64", "AlmaLinux-9.2:golang-docs-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "AlmaLinux-9.2:golang-misc-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "AlmaLinux-9.2:golang-src-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "AlmaLinux-9.2:golang-tests-0:1.22.5-1.el9_2.tuxcare.els6.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ] }, { "cve": "CVE-2023-29409", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "notes": [ { "category": "description", "text": "Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.2:go-toolset-0:1.22.5-1.el9_2.tuxcare.els6.x86_64", "AlmaLinux-9.2:golang-0:1.22.5-1.el9_2.tuxcare.els6.x86_64", "AlmaLinux-9.2:golang-bin-0:1.22.5-1.el9_2.tuxcare.els6.x86_64", "AlmaLinux-9.2:golang-docs-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "AlmaLinux-9.2:golang-misc-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "AlmaLinux-9.2:golang-src-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "AlmaLinux-9.2:golang-tests-0:1.22.5-1.el9_2.tuxcare.els6.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2023-29409" }, { "category": "external", "summary": "https://go.dev/cl/515257", "url": "https://go.dev/cl/515257" }, { "category": "external", "summary": "https://go.dev/issue/61460", "url": "https://go.dev/issue/61460" }, { "category": "external", "summary": "https://groups.google.com/g/golang-announce/c/X0b6CsSAaYI/m/Efv5DbZ9AwAJ", "url": "https://groups.google.com/g/golang-announce/c/X0b6CsSAaYI/m/Efv5DbZ9AwAJ" }, { "category": "external", "summary": "https://pkg.go.dev/vuln/GO-2023-1987", "url": "https://pkg.go.dev/vuln/GO-2023-1987" }, { "category": "external", "summary": "https://security.gentoo.org/glsa/202311-09", "url": "https://security.gentoo.org/glsa/202311-09" }, { "category": "external", "summary": "https://security.netapp.com/advisory/ntap-20230831-0010/", "url": "https://security.netapp.com/advisory/ntap-20230831-0010/" } ], "release_date": "2023-08-02T20:15:00Z", "remediations": [ { "category": "vendor_fix", "date": "2025-09-03T20:35:18.006413Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2025:1756931716", "product_ids": [ "AlmaLinux-9.2:go-toolset-0:1.22.5-1.el9_2.tuxcare.els6.x86_64", "AlmaLinux-9.2:golang-0:1.22.5-1.el9_2.tuxcare.els6.x86_64", "AlmaLinux-9.2:golang-bin-0:1.22.5-1.el9_2.tuxcare.els6.x86_64", "AlmaLinux-9.2:golang-docs-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "AlmaLinux-9.2:golang-misc-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "AlmaLinux-9.2:golang-src-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "AlmaLinux-9.2:golang-tests-0:1.22.5-1.el9_2.tuxcare.els6.noarch" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2025:1756931716" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "products": [ "AlmaLinux-9.2:go-toolset-0:1.22.5-1.el9_2.tuxcare.els6.x86_64", "AlmaLinux-9.2:golang-0:1.22.5-1.el9_2.tuxcare.els6.x86_64", "AlmaLinux-9.2:golang-bin-0:1.22.5-1.el9_2.tuxcare.els6.x86_64", "AlmaLinux-9.2:golang-docs-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "AlmaLinux-9.2:golang-misc-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "AlmaLinux-9.2:golang-src-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "AlmaLinux-9.2:golang-tests-0:1.22.5-1.el9_2.tuxcare.els6.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ] }, { "cve": "CVE-2025-22871", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')" }, "notes": [ { "category": "description", "text": "The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.2:go-toolset-0:1.22.5-1.el9_2.tuxcare.els6.x86_64", "AlmaLinux-9.2:golang-0:1.22.5-1.el9_2.tuxcare.els6.x86_64", "AlmaLinux-9.2:golang-bin-0:1.22.5-1.el9_2.tuxcare.els6.x86_64", "AlmaLinux-9.2:golang-docs-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "AlmaLinux-9.2:golang-misc-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "AlmaLinux-9.2:golang-src-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "AlmaLinux-9.2:golang-tests-0:1.22.5-1.el9_2.tuxcare.els6.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2025-22871" } ], "release_date": "2025-04-08T20:04:00Z", "remediations": [ { "category": "vendor_fix", "date": "2025-09-03T20:35:18.006413Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2025:1756931716", "product_ids": [ "AlmaLinux-9.2:go-toolset-0:1.22.5-1.el9_2.tuxcare.els6.x86_64", "AlmaLinux-9.2:golang-0:1.22.5-1.el9_2.tuxcare.els6.x86_64", "AlmaLinux-9.2:golang-bin-0:1.22.5-1.el9_2.tuxcare.els6.x86_64", "AlmaLinux-9.2:golang-docs-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "AlmaLinux-9.2:golang-misc-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "AlmaLinux-9.2:golang-src-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "AlmaLinux-9.2:golang-tests-0:1.22.5-1.el9_2.tuxcare.els6.noarch" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2025:1756931716" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "AlmaLinux-9.2:go-toolset-0:1.22.5-1.el9_2.tuxcare.els6.x86_64", "AlmaLinux-9.2:golang-0:1.22.5-1.el9_2.tuxcare.els6.x86_64", "AlmaLinux-9.2:golang-bin-0:1.22.5-1.el9_2.tuxcare.els6.x86_64", "AlmaLinux-9.2:golang-docs-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "AlmaLinux-9.2:golang-misc-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "AlmaLinux-9.2:golang-src-0:1.22.5-1.el9_2.tuxcare.els6.noarch", "AlmaLinux-9.2:golang-tests-0:1.22.5-1.el9_2.tuxcare.els6.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ] } ] }