Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2025-47906 (GCVE-0-2025-47906)
Vulnerability from cvelistv5 – Published: 2025-09-18 18:41 – Updated: 2025-11-04 21:10
VLAI
EPSS
Title
Unexpected paths returned from LookPath in os/exec
Summary
If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-115 - Misinterpretation of Input
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Go standard library | os/exec |
Affected:
0 , < 1.23.12
(semver)
Affected: 1.24.0 , < 1.24.6 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-47906",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-18T20:42:17.936162Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T20:42:38.389Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:10:54.782Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/08/06/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "os/exec",
"product": "os/exec",
"programRoutines": [
{
"name": "LookPath"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.23.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.24.6",
"status": "affected",
"version": "1.24.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\"\", \".\", and \"..\"), can result in the binaries listed in the PATH being unexpectedly returned."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-115: Misinterpretation of Input",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T18:41:11.847Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/691775"
},
{
"url": "https://go.dev/issue/74466"
},
{
"url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM"
},
{
"url": "https://pkg.go.dev/vuln/GO-2025-3956"
}
],
"title": "Unexpected paths returned from LookPath in os/exec"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2025-47906",
"datePublished": "2025-09-18T18:41:11.847Z",
"dateReserved": "2025-05-13T23:31:29.596Z",
"dateUpdated": "2025-11-04T21:10:54.782Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-47906",
"date": "2026-06-07",
"epss": "0.00044",
"percentile": "0.14038"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-47906\",\"sourceIdentifier\":\"security@golang.org\",\"published\":\"2025-09-18T19:15:37.660\",\"lastModified\":\"2026-01-27T19:56:17.707\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\\\"\\\", \\\".\\\", and \\\"..\\\"), can result in the binaries listed in the PATH being unexpectedly returned.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.23.12\",\"matchCriteriaId\":\"6B868FEB-2BCB-4816-B575-BEF1ADD15C5F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.24.0\",\"versionEndExcluding\":\"1.24.6\",\"matchCriteriaId\":\"21442DAA-1345-47FB-8DA6-2589ABB8CB08\"}]}]}],\"references\":[{\"url\":\"https://go.dev/cl/691775\",\"source\":\"security@golang.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://go.dev/issue/74466\",\"source\":\"security@golang.org\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://groups.google.com/g/golang-announce/c/x5MKroML2yM\",\"source\":\"security@golang.org\",\"tags\":[\"Mailing List\",\"Release Notes\"]},{\"url\":\"https://pkg.go.dev/vuln/GO-2025-3956\",\"source\":\"security@golang.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2025/08/06/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Issue Tracking\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2025/08/06/1\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-11-04T21:10:54.782Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-47906\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-09-18T20:42:17.936162Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-09-18T20:42:34.381Z\"}}], \"cna\": {\"title\": \"Unexpected paths returned from LookPath in os/exec\", \"affected\": [{\"vendor\": \"Go standard library\", \"product\": \"os/exec\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.23.12\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"1.24.0\", \"lessThan\": \"1.24.6\", \"versionType\": \"semver\"}], \"packageName\": \"os/exec\", \"collectionURL\": \"https://pkg.go.dev\", \"defaultStatus\": \"unaffected\", \"programRoutines\": [{\"name\": \"LookPath\"}]}], \"references\": [{\"url\": \"https://go.dev/cl/691775\"}, {\"url\": \"https://go.dev/issue/74466\"}, {\"url\": \"https://groups.google.com/g/golang-announce/c/x5MKroML2yM\"}, {\"url\": \"https://pkg.go.dev/vuln/GO-2025-3956\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\\\"\\\", \\\".\\\", and \\\"..\\\"), can result in the binaries listed in the PATH being unexpectedly returned.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"description\": \"CWE-115: Misinterpretation of Input\"}]}], \"providerMetadata\": {\"orgId\": \"1bb62c36-49e3-4200-9d77-64a1400537cc\", \"shortName\": \"Go\", \"dateUpdated\": \"2025-09-18T18:41:11.847Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-47906\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-04T21:10:54.782Z\", \"dateReserved\": \"2025-05-13T23:31:29.596Z\", \"assignerOrgId\": \"1bb62c36-49e3-4200-9d77-64a1400537cc\", \"datePublished\": \"2025-09-18T18:41:11.847Z\", \"assignerShortName\": \"Go\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
OPENSUSE-SU-2025:15566-1
Vulnerability from csaf_opensuse - Published: 2025-09-19 00:00 - Updated: 2025-09-19 00:00Summary
govulncheck-vulndb-0.0.20250918T182144-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: govulncheck-vulndb-0.0.20250918T182144-1.1 on GA media
Description of the patch: These are all security issues fixed in the govulncheck-vulndb-0.0.20250918T182144-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2025-15566
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
4 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250918T182144-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250918T182144-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250918T182144-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250918T182144-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
6.7 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250918T182144-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250918T182144-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250918T182144-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250918T182144-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "govulncheck-vulndb-0.0.20250918T182144-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the govulncheck-vulndb-0.0.20250918T182144-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-15566",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15566-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47906 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47906/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-5187 page",
"url": "https://www.suse.com/security/cve/CVE-2025-5187/"
}
],
"title": "govulncheck-vulndb-0.0.20250918T182144-1.1 on GA media",
"tracking": {
"current_release_date": "2025-09-19T00:00:00Z",
"generator": {
"date": "2025-09-19T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:15566-1",
"initial_release_date": "2025-09-19T00:00:00Z",
"revision_history": [
{
"date": "2025-09-19T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "govulncheck-vulndb-0.0.20250918T182144-1.1.aarch64",
"product": {
"name": "govulncheck-vulndb-0.0.20250918T182144-1.1.aarch64",
"product_id": "govulncheck-vulndb-0.0.20250918T182144-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "govulncheck-vulndb-0.0.20250918T182144-1.1.ppc64le",
"product": {
"name": "govulncheck-vulndb-0.0.20250918T182144-1.1.ppc64le",
"product_id": "govulncheck-vulndb-0.0.20250918T182144-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "govulncheck-vulndb-0.0.20250918T182144-1.1.s390x",
"product": {
"name": "govulncheck-vulndb-0.0.20250918T182144-1.1.s390x",
"product_id": "govulncheck-vulndb-0.0.20250918T182144-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "govulncheck-vulndb-0.0.20250918T182144-1.1.x86_64",
"product": {
"name": "govulncheck-vulndb-0.0.20250918T182144-1.1.x86_64",
"product_id": "govulncheck-vulndb-0.0.20250918T182144-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "govulncheck-vulndb-0.0.20250918T182144-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250918T182144-1.1.aarch64"
},
"product_reference": "govulncheck-vulndb-0.0.20250918T182144-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "govulncheck-vulndb-0.0.20250918T182144-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250918T182144-1.1.ppc64le"
},
"product_reference": "govulncheck-vulndb-0.0.20250918T182144-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "govulncheck-vulndb-0.0.20250918T182144-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250918T182144-1.1.s390x"
},
"product_reference": "govulncheck-vulndb-0.0.20250918T182144-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "govulncheck-vulndb-0.0.20250918T182144-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250918T182144-1.1.x86_64"
},
"product_reference": "govulncheck-vulndb-0.0.20250918T182144-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-47906",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47906"
}
],
"notes": [
{
"category": "general",
"text": "If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\"\", \".\", and \"..\"), can result in the binaries listed in the PATH being unexpectedly returned.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250918T182144-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250918T182144-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250918T182144-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250918T182144-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47906",
"url": "https://www.suse.com/security/cve/CVE-2025-47906"
},
{
"category": "external",
"summary": "SUSE Bug 1247719 for CVE-2025-47906",
"url": "https://bugzilla.suse.com/1247719"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250918T182144-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250918T182144-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250918T182144-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250918T182144-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250918T182144-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250918T182144-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250918T182144-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250918T182144-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-19T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-47906"
},
{
"cve": "CVE-2025-5187",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-5187"
}
],
"notes": [
{
"category": "general",
"text": "A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is subsequently deleted, the given node object will be deleted via garbage collection.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250918T182144-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250918T182144-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250918T182144-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250918T182144-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-5187",
"url": "https://www.suse.com/security/cve/CVE-2025-5187"
},
{
"category": "external",
"summary": "SUSE Bug 1248812 for CVE-2025-5187",
"url": "https://bugzilla.suse.com/1248812"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250918T182144-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250918T182144-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250918T182144-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250918T182144-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250918T182144-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250918T182144-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250918T182144-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250918T182144-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-19T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-5187"
}
]
}
OPENSUSE-SU-2025:15586-1
Vulnerability from csaf_opensuse - Published: 2025-09-29 00:00 - Updated: 2025-09-29 00:00Summary
kubecolor-0.5.2-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: kubecolor-0.5.2-1.1 on GA media
Description of the patch: These are all security issues fixed in the kubecolor-0.5.2-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2025-15586
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.5 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:kubecolor-0.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:kubecolor-0.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:kubecolor-0.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:kubecolor-0.5.2-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
4 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:kubecolor-0.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:kubecolor-0.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:kubecolor-0.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:kubecolor-0.5.2-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "kubecolor-0.5.2-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the kubecolor-0.5.2-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-15586",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15586-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-0913 page",
"url": "https://www.suse.com/security/cve/CVE-2025-0913/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47906 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47906/"
}
],
"title": "kubecolor-0.5.2-1.1 on GA media",
"tracking": {
"current_release_date": "2025-09-29T00:00:00Z",
"generator": {
"date": "2025-09-29T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:15586-1",
"initial_release_date": "2025-09-29T00:00:00Z",
"revision_history": [
{
"date": "2025-09-29T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "kubecolor-0.5.2-1.1.aarch64",
"product": {
"name": "kubecolor-0.5.2-1.1.aarch64",
"product_id": "kubecolor-0.5.2-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "kubecolor-0.5.2-1.1.ppc64le",
"product": {
"name": "kubecolor-0.5.2-1.1.ppc64le",
"product_id": "kubecolor-0.5.2-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "kubecolor-0.5.2-1.1.s390x",
"product": {
"name": "kubecolor-0.5.2-1.1.s390x",
"product_id": "kubecolor-0.5.2-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "kubecolor-0.5.2-1.1.x86_64",
"product": {
"name": "kubecolor-0.5.2-1.1.x86_64",
"product_id": "kubecolor-0.5.2-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kubecolor-0.5.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubecolor-0.5.2-1.1.aarch64"
},
"product_reference": "kubecolor-0.5.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubecolor-0.5.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubecolor-0.5.2-1.1.ppc64le"
},
"product_reference": "kubecolor-0.5.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubecolor-0.5.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubecolor-0.5.2-1.1.s390x"
},
"product_reference": "kubecolor-0.5.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubecolor-0.5.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubecolor-0.5.2-1.1.x86_64"
},
"product_reference": "kubecolor-0.5.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-0913",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-0913"
}
],
"notes": [
{
"category": "general",
"text": "os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:kubecolor-0.5.2-1.1.aarch64",
"openSUSE Tumbleweed:kubecolor-0.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:kubecolor-0.5.2-1.1.s390x",
"openSUSE Tumbleweed:kubecolor-0.5.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-0913",
"url": "https://www.suse.com/security/cve/CVE-2025-0913"
},
{
"category": "external",
"summary": "SUSE Bug 1244157 for CVE-2025-0913",
"url": "https://bugzilla.suse.com/1244157"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:kubecolor-0.5.2-1.1.aarch64",
"openSUSE Tumbleweed:kubecolor-0.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:kubecolor-0.5.2-1.1.s390x",
"openSUSE Tumbleweed:kubecolor-0.5.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:kubecolor-0.5.2-1.1.aarch64",
"openSUSE Tumbleweed:kubecolor-0.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:kubecolor-0.5.2-1.1.s390x",
"openSUSE Tumbleweed:kubecolor-0.5.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-29T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-0913"
},
{
"cve": "CVE-2025-47906",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47906"
}
],
"notes": [
{
"category": "general",
"text": "If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\"\", \".\", and \"..\"), can result in the binaries listed in the PATH being unexpectedly returned.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:kubecolor-0.5.2-1.1.aarch64",
"openSUSE Tumbleweed:kubecolor-0.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:kubecolor-0.5.2-1.1.s390x",
"openSUSE Tumbleweed:kubecolor-0.5.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47906",
"url": "https://www.suse.com/security/cve/CVE-2025-47906"
},
{
"category": "external",
"summary": "SUSE Bug 1247719 for CVE-2025-47906",
"url": "https://bugzilla.suse.com/1247719"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:kubecolor-0.5.2-1.1.aarch64",
"openSUSE Tumbleweed:kubecolor-0.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:kubecolor-0.5.2-1.1.s390x",
"openSUSE Tumbleweed:kubecolor-0.5.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:kubecolor-0.5.2-1.1.aarch64",
"openSUSE Tumbleweed:kubecolor-0.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:kubecolor-0.5.2-1.1.s390x",
"openSUSE Tumbleweed:kubecolor-0.5.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-29T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-47906"
}
]
}
RHSA-2025:13935
Vulnerability from csaf_redhat - Published: 2025-08-18 00:53 - Updated: 2026-05-29 11:28Summary
Red Hat Security Advisory: golang security update
Severity
Important
Notes
Topic: An update for golang is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: The golang packages provide the Go programming language compiler.
Security Fix(es):
* cmd/go: Go VCS Command Execution Vulnerability (CVE-2025-4674)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in cmd/go. The `go` command can execute arbitrary commands when processing untrusted version control system (VCS) repositories containing malicious configuration. This issue occurs because the command interprets VCS metadata, potentially leading to unintended command execution. This vulnerability allows a malicious actor to trigger this by providing a repository with a crafted VCS configuration, resulting in arbitrary code execution within the context of the `go` process.
8.6 (High)
Affected products
Fixed
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-docs-0:1.24.6-1.el9_6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-misc-0:1.24.6-1.el9_6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-src-0:1.24.6-1.el9_6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-tests-0:1.24.6-1.el9_6.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A path handling flaw has been discovered in the os/exec go package. If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.
6.5 (Medium)
Affected products
Fixed
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-docs-0:1.24.6-1.el9_6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-misc-0:1.24.6-1.el9_6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-src-0:1.24.6-1.el9_6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-tests-0:1.24.6-1.el9_6.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in database/sql. Concurrent queries can produce unexpected results when a query is cancelled during a Scan method call on returned Rows, creating a race condition. This vulnerability allows an attacker who can initiate and cancel queries to trigger this condition, possibly leading to inconsistent data being returned to the application.
7.0 (High)
Affected products
Fixed
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-docs-0:1.24.6-1.el9_6.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-misc-0:1.24.6-1.el9_6.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-src-0:1.24.6-1.el9_6.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.6.0.Z.MAIN.EUS:golang-tests-0:1.24.6-1.el9_6.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
28 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for golang is now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The golang packages provide the Go programming language compiler.\n\nSecurity Fix(es):\n\n* cmd/go: Go VCS Command Execution Vulnerability (CVE-2025-4674)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:13935",
"url": "https://access.redhat.com/errata/RHSA-2025:13935"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2384329",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2384329"
},
{
"category": "external",
"summary": "RHEL-108935",
"url": "https://issues.redhat.com/browse/RHEL-108935"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_13935.json"
}
],
"title": "Red Hat Security Advisory: golang security update",
"tracking": {
"current_release_date": "2026-05-29T11:28:58+00:00",
"generator": {
"date": "2026-05-29T11:28:58+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2025:13935",
"initial_release_date": "2025-08-18T00:53:52+00:00",
"revision_history": [
{
"date": "2025-08-18T00:53:52+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-08-18T00:53:52+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-29T11:28:58+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:9::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset-0:1.24.6-1.el9_6.aarch64",
"product": {
"name": "go-toolset-0:1.24.6-1.el9_6.aarch64",
"product_id": "go-toolset-0:1.24.6-1.el9_6.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.24.6-1.el9_6?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.24.6-1.el9_6.aarch64",
"product": {
"name": "golang-0:1.24.6-1.el9_6.aarch64",
"product_id": "golang-0:1.24.6-1.el9_6.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.24.6-1.el9_6?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.24.6-1.el9_6.aarch64",
"product": {
"name": "golang-bin-0:1.24.6-1.el9_6.aarch64",
"product_id": "golang-bin-0:1.24.6-1.el9_6.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.24.6-1.el9_6?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "golang-race-0:1.24.6-1.el9_6.aarch64",
"product": {
"name": "golang-race-0:1.24.6-1.el9_6.aarch64",
"product_id": "golang-race-0:1.24.6-1.el9_6.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-race@1.24.6-1.el9_6?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset-0:1.24.6-1.el9_6.ppc64le",
"product": {
"name": "go-toolset-0:1.24.6-1.el9_6.ppc64le",
"product_id": "go-toolset-0:1.24.6-1.el9_6.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.24.6-1.el9_6?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.24.6-1.el9_6.ppc64le",
"product": {
"name": "golang-0:1.24.6-1.el9_6.ppc64le",
"product_id": "golang-0:1.24.6-1.el9_6.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.24.6-1.el9_6?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.24.6-1.el9_6.ppc64le",
"product": {
"name": "golang-bin-0:1.24.6-1.el9_6.ppc64le",
"product_id": "golang-bin-0:1.24.6-1.el9_6.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.24.6-1.el9_6?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "golang-race-0:1.24.6-1.el9_6.ppc64le",
"product": {
"name": "golang-race-0:1.24.6-1.el9_6.ppc64le",
"product_id": "golang-race-0:1.24.6-1.el9_6.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-race@1.24.6-1.el9_6?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset-0:1.24.6-1.el9_6.x86_64",
"product": {
"name": "go-toolset-0:1.24.6-1.el9_6.x86_64",
"product_id": "go-toolset-0:1.24.6-1.el9_6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.24.6-1.el9_6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.24.6-1.el9_6.x86_64",
"product": {
"name": "golang-0:1.24.6-1.el9_6.x86_64",
"product_id": "golang-0:1.24.6-1.el9_6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.24.6-1.el9_6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.24.6-1.el9_6.x86_64",
"product": {
"name": "golang-bin-0:1.24.6-1.el9_6.x86_64",
"product_id": "golang-bin-0:1.24.6-1.el9_6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.24.6-1.el9_6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "golang-race-0:1.24.6-1.el9_6.x86_64",
"product": {
"name": "golang-race-0:1.24.6-1.el9_6.x86_64",
"product_id": "golang-race-0:1.24.6-1.el9_6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-race@1.24.6-1.el9_6?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset-0:1.24.6-1.el9_6.s390x",
"product": {
"name": "go-toolset-0:1.24.6-1.el9_6.s390x",
"product_id": "go-toolset-0:1.24.6-1.el9_6.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.24.6-1.el9_6?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.24.6-1.el9_6.s390x",
"product": {
"name": "golang-0:1.24.6-1.el9_6.s390x",
"product_id": "golang-0:1.24.6-1.el9_6.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.24.6-1.el9_6?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.24.6-1.el9_6.s390x",
"product": {
"name": "golang-bin-0:1.24.6-1.el9_6.s390x",
"product_id": "golang-bin-0:1.24.6-1.el9_6.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.24.6-1.el9_6?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "golang-race-0:1.24.6-1.el9_6.s390x",
"product": {
"name": "golang-race-0:1.24.6-1.el9_6.s390x",
"product_id": "golang-race-0:1.24.6-1.el9_6.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-race@1.24.6-1.el9_6?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-0:1.24.6-1.el9_6.src",
"product": {
"name": "golang-0:1.24.6-1.el9_6.src",
"product_id": "golang-0:1.24.6-1.el9_6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.24.6-1.el9_6?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-docs-0:1.24.6-1.el9_6.noarch",
"product": {
"name": "golang-docs-0:1.24.6-1.el9_6.noarch",
"product_id": "golang-docs-0:1.24.6-1.el9_6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-docs@1.24.6-1.el9_6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "golang-misc-0:1.24.6-1.el9_6.noarch",
"product": {
"name": "golang-misc-0:1.24.6-1.el9_6.noarch",
"product_id": "golang-misc-0:1.24.6-1.el9_6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-misc@1.24.6-1.el9_6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "golang-src-0:1.24.6-1.el9_6.noarch",
"product": {
"name": "golang-src-0:1.24.6-1.el9_6.noarch",
"product_id": "golang-src-0:1.24.6-1.el9_6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-src@1.24.6-1.el9_6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "golang-tests-0:1.24.6-1.el9_6.noarch",
"product": {
"name": "golang-tests-0:1.24.6-1.el9_6.noarch",
"product_id": "golang-tests-0:1.24.6-1.el9_6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-tests@1.24.6-1.el9_6?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.24.6-1.el9_6.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.aarch64"
},
"product_reference": "go-toolset-0:1.24.6-1.el9_6.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.24.6-1.el9_6.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.ppc64le"
},
"product_reference": "go-toolset-0:1.24.6-1.el9_6.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.24.6-1.el9_6.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.s390x"
},
"product_reference": "go-toolset-0:1.24.6-1.el9_6.s390x",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.24.6-1.el9_6.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.x86_64"
},
"product_reference": "go-toolset-0:1.24.6-1.el9_6.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.24.6-1.el9_6.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.aarch64"
},
"product_reference": "golang-0:1.24.6-1.el9_6.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.24.6-1.el9_6.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.ppc64le"
},
"product_reference": "golang-0:1.24.6-1.el9_6.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.24.6-1.el9_6.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.s390x"
},
"product_reference": "golang-0:1.24.6-1.el9_6.s390x",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.24.6-1.el9_6.src as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.src"
},
"product_reference": "golang-0:1.24.6-1.el9_6.src",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.24.6-1.el9_6.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.x86_64"
},
"product_reference": "golang-0:1.24.6-1.el9_6.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.24.6-1.el9_6.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.aarch64"
},
"product_reference": "golang-bin-0:1.24.6-1.el9_6.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.24.6-1.el9_6.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.ppc64le"
},
"product_reference": "golang-bin-0:1.24.6-1.el9_6.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.24.6-1.el9_6.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.s390x"
},
"product_reference": "golang-bin-0:1.24.6-1.el9_6.s390x",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.24.6-1.el9_6.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.x86_64"
},
"product_reference": "golang-bin-0:1.24.6-1.el9_6.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-docs-0:1.24.6-1.el9_6.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:golang-docs-0:1.24.6-1.el9_6.noarch"
},
"product_reference": "golang-docs-0:1.24.6-1.el9_6.noarch",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-misc-0:1.24.6-1.el9_6.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:golang-misc-0:1.24.6-1.el9_6.noarch"
},
"product_reference": "golang-misc-0:1.24.6-1.el9_6.noarch",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-race-0:1.24.6-1.el9_6.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.aarch64"
},
"product_reference": "golang-race-0:1.24.6-1.el9_6.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-race-0:1.24.6-1.el9_6.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.ppc64le"
},
"product_reference": "golang-race-0:1.24.6-1.el9_6.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-race-0:1.24.6-1.el9_6.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.s390x"
},
"product_reference": "golang-race-0:1.24.6-1.el9_6.s390x",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-race-0:1.24.6-1.el9_6.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.x86_64"
},
"product_reference": "golang-race-0:1.24.6-1.el9_6.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-src-0:1.24.6-1.el9_6.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:golang-src-0:1.24.6-1.el9_6.noarch"
},
"product_reference": "golang-src-0:1.24.6-1.el9_6.noarch",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-tests-0:1.24.6-1.el9_6.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.6.0.Z.MAIN.EUS:golang-tests-0:1.24.6-1.el9_6.noarch"
},
"product_reference": "golang-tests-0:1.24.6-1.el9_6.noarch",
"relates_to_product_reference": "AppStream-9.6.0.Z.MAIN.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-4674",
"cwe": {
"id": "CWE-74",
"name": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
},
"discovery_date": "2025-07-29T22:00:54.774680+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2384329"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in cmd/go. The `go` command can execute arbitrary commands when processing untrusted version control system (VCS) repositories containing malicious configuration. This issue occurs because the command interprets VCS metadata, potentially leading to unintended command execution. This vulnerability allows a malicious actor to trigger this by providing a repository with a crafted VCS configuration, resulting in arbitrary code execution within the context of the `go` process.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "cmd/go: Go VCS Command Execution Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is Important rather than Moderate because it enables arbitrary command execution at the tooling level before any code is built or reviewed, effectively compromising the software supply chain at its earliest stage. Unlike flaws that require user interaction with the code itself, this issue is triggered simply by running go operations on a malicious repository\u2014an action routinely performed by developers and automated build systems. The problem lies in cmd/go\u2019s unsafe interpretation of cross-VCS metadata, allowing an attacker to inject commands that execute with the privileges of the go process.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.src",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-docs-0:1.24.6-1.el9_6.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:golang-misc-0:1.24.6-1.el9_6.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-src-0:1.24.6-1.el9_6.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:golang-tests-0:1.24.6-1.el9_6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-4674"
},
{
"category": "external",
"summary": "RHBZ#2384329",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2384329"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-4674",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-4674"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-4674",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4674"
},
{
"category": "external",
"summary": "https://go.dev/cl/686515",
"url": "https://go.dev/cl/686515"
},
{
"category": "external",
"summary": "https://go.dev/issue/74380",
"url": "https://go.dev/issue/74380"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/gTNJnDXmn34",
"url": "https://groups.google.com/g/golang-announce/c/gTNJnDXmn34"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3828",
"url": "https://pkg.go.dev/vuln/GO-2025-3828"
}
],
"release_date": "2025-07-29T21:19:08.519000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-18T00:53:52+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.src",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-docs-0:1.24.6-1.el9_6.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:golang-misc-0:1.24.6-1.el9_6.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-src-0:1.24.6-1.el9_6.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:golang-tests-0:1.24.6-1.el9_6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:13935"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.src",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-docs-0:1.24.6-1.el9_6.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:golang-misc-0:1.24.6-1.el9_6.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-src-0:1.24.6-1.el9_6.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:golang-tests-0:1.24.6-1.el9_6.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.src",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-docs-0:1.24.6-1.el9_6.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:golang-misc-0:1.24.6-1.el9_6.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-src-0:1.24.6-1.el9_6.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:golang-tests-0:1.24.6-1.el9_6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "cmd/go: Go VCS Command Execution Vulnerability"
},
{
"cve": "CVE-2025-47906",
"cwe": {
"id": "CWE-440",
"name": "Expected Behavior Violation"
},
"discovery_date": "2025-09-18T19:00:47.541046+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2396546"
}
],
"notes": [
{
"category": "description",
"text": "A path handling flaw has been discovered in the os/exec go package. If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\"\", \".\", and \"..\"), can result in the binaries listed in the PATH being unexpectedly returned.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "os/exec: Unexpected paths returned from LookPath in os/exec",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.src",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-docs-0:1.24.6-1.el9_6.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:golang-misc-0:1.24.6-1.el9_6.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-src-0:1.24.6-1.el9_6.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:golang-tests-0:1.24.6-1.el9_6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-47906"
},
{
"category": "external",
"summary": "RHBZ#2396546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396546"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-47906",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47906"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-47906",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47906"
},
{
"category": "external",
"summary": "https://go.dev/cl/691775",
"url": "https://go.dev/cl/691775"
},
{
"category": "external",
"summary": "https://go.dev/issue/74466",
"url": "https://go.dev/issue/74466"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM",
"url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3956",
"url": "https://pkg.go.dev/vuln/GO-2025-3956"
}
],
"release_date": "2025-09-18T18:41:11.847000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-18T00:53:52+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.src",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-docs-0:1.24.6-1.el9_6.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:golang-misc-0:1.24.6-1.el9_6.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-src-0:1.24.6-1.el9_6.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:golang-tests-0:1.24.6-1.el9_6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:13935"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.src",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-docs-0:1.24.6-1.el9_6.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:golang-misc-0:1.24.6-1.el9_6.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-src-0:1.24.6-1.el9_6.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:golang-tests-0:1.24.6-1.el9_6.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.src",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-docs-0:1.24.6-1.el9_6.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:golang-misc-0:1.24.6-1.el9_6.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-src-0:1.24.6-1.el9_6.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:golang-tests-0:1.24.6-1.el9_6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "os/exec: Unexpected paths returned from LookPath in os/exec"
},
{
"cve": "CVE-2025-47907",
"cwe": {
"id": "CWE-362",
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
},
"discovery_date": "2025-08-07T16:01:06.247481+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2387083"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in database/sql. Concurrent queries can produce unexpected results when a query is cancelled during a Scan method call on returned Rows, creating a race condition. This vulnerability allows an attacker who can initiate and cancel queries to trigger this condition, possibly leading to inconsistent data being returned to the application.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "database/sql: Postgres Scan Race Condition",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability marked as Moderate severity issues rather than Important. The os/exec LookPath flaw requires a misconfigured PATH to be exploitable, and the database/sql race condition primarily impacts applications that cancel queries while running multiple queries concurrently. Both can cause unexpected behavior, but the exploitation scope is limited and unlikely to result in direct compromise in most typical deployments.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.src",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-docs-0:1.24.6-1.el9_6.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:golang-misc-0:1.24.6-1.el9_6.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-src-0:1.24.6-1.el9_6.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:golang-tests-0:1.24.6-1.el9_6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-47907"
},
{
"category": "external",
"summary": "RHBZ#2387083",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2387083"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-47907",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47907"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-47907",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47907"
},
{
"category": "external",
"summary": "https://go.dev/cl/693735",
"url": "https://go.dev/cl/693735"
},
{
"category": "external",
"summary": "https://go.dev/issue/74831",
"url": "https://go.dev/issue/74831"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM",
"url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3849",
"url": "https://pkg.go.dev/vuln/GO-2025-3849"
}
],
"release_date": "2025-08-07T15:25:30.704000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-18T00:53:52+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.src",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-docs-0:1.24.6-1.el9_6.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:golang-misc-0:1.24.6-1.el9_6.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-src-0:1.24.6-1.el9_6.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:golang-tests-0:1.24.6-1.el9_6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:13935"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:go-toolset-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.src",
"AppStream-9.6.0.Z.MAIN.EUS:golang-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:golang-bin-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-docs-0:1.24.6-1.el9_6.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:golang-misc-0:1.24.6-1.el9_6.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.aarch64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.ppc64le",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.s390x",
"AppStream-9.6.0.Z.MAIN.EUS:golang-race-0:1.24.6-1.el9_6.x86_64",
"AppStream-9.6.0.Z.MAIN.EUS:golang-src-0:1.24.6-1.el9_6.noarch",
"AppStream-9.6.0.Z.MAIN.EUS:golang-tests-0:1.24.6-1.el9_6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "database/sql: Postgres Scan Race Condition"
}
]
}
RHSA-2025:13941
Vulnerability from csaf_redhat - Published: 2025-08-18 00:42 - Updated: 2026-05-29 11:28Summary
Red Hat Security Advisory: golang security update
Severity
Important
Notes
Topic: An update for golang is now available for Red Hat Enterprise Linux 10.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: The golang packages provide the Go programming language compiler.
Security Fix(es):
* cmd/go: Go VCS Command Execution Vulnerability (CVE-2025-4674)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in cmd/go. The `go` command can execute arbitrary commands when processing untrusted version control system (VCS) repositories containing malicious configuration. This issue occurs because the command interprets VCS metadata, potentially leading to unintended command execution. This vulnerability allows a malicious actor to trigger this by providing a repository with a crafted VCS configuration, resulting in arbitrary code execution within the context of the `go` process.
8.6 (High)
Affected products
Fixed
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.0.Z:golang-docs-0:1.24.6-1.el10_0.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.0.Z:golang-misc-0:1.24.6-1.el10_0.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.0.Z:golang-src-0:1.24.6-1.el10_0.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.0.Z:golang-tests-0:1.24.6-1.el10_0.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A path handling flaw has been discovered in the os/exec go package. If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.
6.5 (Medium)
Affected products
Fixed
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.0.Z:golang-docs-0:1.24.6-1.el10_0.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.0.Z:golang-misc-0:1.24.6-1.el10_0.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.0.Z:golang-src-0:1.24.6-1.el10_0.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-10.0.Z:golang-tests-0:1.24.6-1.el10_0.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in database/sql. Concurrent queries can produce unexpected results when a query is cancelled during a Scan method call on returned Rows, creating a race condition. This vulnerability allows an attacker who can initiate and cancel queries to trigger this condition, possibly leading to inconsistent data being returned to the application.
7.0 (High)
Affected products
Fixed
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-10.0.Z:golang-docs-0:1.24.6-1.el10_0.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-10.0.Z:golang-misc-0:1.24.6-1.el10_0.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-10.0.Z:golang-src-0:1.24.6-1.el10_0.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-10.0.Z:golang-tests-0:1.24.6-1.el10_0.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
27 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for golang is now available for Red Hat Enterprise Linux 10.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The golang packages provide the Go programming language compiler.\n\nSecurity Fix(es):\n\n* cmd/go: Go VCS Command Execution Vulnerability (CVE-2025-4674)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:13941",
"url": "https://access.redhat.com/errata/RHSA-2025:13941"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2384329",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2384329"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_13941.json"
}
],
"title": "Red Hat Security Advisory: golang security update",
"tracking": {
"current_release_date": "2026-05-29T11:28:58+00:00",
"generator": {
"date": "2026-05-29T11:28:58+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2025:13941",
"initial_release_date": "2025-08-18T00:42:23+00:00",
"revision_history": [
{
"date": "2025-08-18T00:42:23+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-08-18T00:42:23+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-29T11:28:58+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 10)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.0.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:10.0"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset-0:1.24.6-1.el10_0.aarch64",
"product": {
"name": "go-toolset-0:1.24.6-1.el10_0.aarch64",
"product_id": "go-toolset-0:1.24.6-1.el10_0.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.24.6-1.el10_0?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.24.6-1.el10_0.aarch64",
"product": {
"name": "golang-0:1.24.6-1.el10_0.aarch64",
"product_id": "golang-0:1.24.6-1.el10_0.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.24.6-1.el10_0?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.24.6-1.el10_0.aarch64",
"product": {
"name": "golang-bin-0:1.24.6-1.el10_0.aarch64",
"product_id": "golang-bin-0:1.24.6-1.el10_0.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.24.6-1.el10_0?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "golang-race-0:1.24.6-1.el10_0.aarch64",
"product": {
"name": "golang-race-0:1.24.6-1.el10_0.aarch64",
"product_id": "golang-race-0:1.24.6-1.el10_0.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-race@1.24.6-1.el10_0?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset-0:1.24.6-1.el10_0.ppc64le",
"product": {
"name": "go-toolset-0:1.24.6-1.el10_0.ppc64le",
"product_id": "go-toolset-0:1.24.6-1.el10_0.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.24.6-1.el10_0?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.24.6-1.el10_0.ppc64le",
"product": {
"name": "golang-0:1.24.6-1.el10_0.ppc64le",
"product_id": "golang-0:1.24.6-1.el10_0.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.24.6-1.el10_0?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.24.6-1.el10_0.ppc64le",
"product": {
"name": "golang-bin-0:1.24.6-1.el10_0.ppc64le",
"product_id": "golang-bin-0:1.24.6-1.el10_0.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.24.6-1.el10_0?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "golang-race-0:1.24.6-1.el10_0.ppc64le",
"product": {
"name": "golang-race-0:1.24.6-1.el10_0.ppc64le",
"product_id": "golang-race-0:1.24.6-1.el10_0.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-race@1.24.6-1.el10_0?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset-0:1.24.6-1.el10_0.x86_64",
"product": {
"name": "go-toolset-0:1.24.6-1.el10_0.x86_64",
"product_id": "go-toolset-0:1.24.6-1.el10_0.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.24.6-1.el10_0?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.24.6-1.el10_0.x86_64",
"product": {
"name": "golang-0:1.24.6-1.el10_0.x86_64",
"product_id": "golang-0:1.24.6-1.el10_0.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.24.6-1.el10_0?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.24.6-1.el10_0.x86_64",
"product": {
"name": "golang-bin-0:1.24.6-1.el10_0.x86_64",
"product_id": "golang-bin-0:1.24.6-1.el10_0.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.24.6-1.el10_0?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "golang-race-0:1.24.6-1.el10_0.x86_64",
"product": {
"name": "golang-race-0:1.24.6-1.el10_0.x86_64",
"product_id": "golang-race-0:1.24.6-1.el10_0.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-race@1.24.6-1.el10_0?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset-0:1.24.6-1.el10_0.s390x",
"product": {
"name": "go-toolset-0:1.24.6-1.el10_0.s390x",
"product_id": "go-toolset-0:1.24.6-1.el10_0.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.24.6-1.el10_0?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.24.6-1.el10_0.s390x",
"product": {
"name": "golang-0:1.24.6-1.el10_0.s390x",
"product_id": "golang-0:1.24.6-1.el10_0.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.24.6-1.el10_0?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.24.6-1.el10_0.s390x",
"product": {
"name": "golang-bin-0:1.24.6-1.el10_0.s390x",
"product_id": "golang-bin-0:1.24.6-1.el10_0.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.24.6-1.el10_0?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "golang-race-0:1.24.6-1.el10_0.s390x",
"product": {
"name": "golang-race-0:1.24.6-1.el10_0.s390x",
"product_id": "golang-race-0:1.24.6-1.el10_0.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-race@1.24.6-1.el10_0?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-0:1.24.6-1.el10_0.src",
"product": {
"name": "golang-0:1.24.6-1.el10_0.src",
"product_id": "golang-0:1.24.6-1.el10_0.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.24.6-1.el10_0?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-docs-0:1.24.6-1.el10_0.noarch",
"product": {
"name": "golang-docs-0:1.24.6-1.el10_0.noarch",
"product_id": "golang-docs-0:1.24.6-1.el10_0.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-docs@1.24.6-1.el10_0?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "golang-misc-0:1.24.6-1.el10_0.noarch",
"product": {
"name": "golang-misc-0:1.24.6-1.el10_0.noarch",
"product_id": "golang-misc-0:1.24.6-1.el10_0.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-misc@1.24.6-1.el10_0?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "golang-src-0:1.24.6-1.el10_0.noarch",
"product": {
"name": "golang-src-0:1.24.6-1.el10_0.noarch",
"product_id": "golang-src-0:1.24.6-1.el10_0.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-src@1.24.6-1.el10_0?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "golang-tests-0:1.24.6-1.el10_0.noarch",
"product": {
"name": "golang-tests-0:1.24.6-1.el10_0.noarch",
"product_id": "golang-tests-0:1.24.6-1.el10_0.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-tests@1.24.6-1.el10_0?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.24.6-1.el10_0.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.aarch64"
},
"product_reference": "go-toolset-0:1.24.6-1.el10_0.aarch64",
"relates_to_product_reference": "AppStream-10.0.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.24.6-1.el10_0.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.ppc64le"
},
"product_reference": "go-toolset-0:1.24.6-1.el10_0.ppc64le",
"relates_to_product_reference": "AppStream-10.0.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.24.6-1.el10_0.s390x as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.s390x"
},
"product_reference": "go-toolset-0:1.24.6-1.el10_0.s390x",
"relates_to_product_reference": "AppStream-10.0.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.24.6-1.el10_0.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.x86_64"
},
"product_reference": "go-toolset-0:1.24.6-1.el10_0.x86_64",
"relates_to_product_reference": "AppStream-10.0.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.24.6-1.el10_0.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.aarch64"
},
"product_reference": "golang-0:1.24.6-1.el10_0.aarch64",
"relates_to_product_reference": "AppStream-10.0.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.24.6-1.el10_0.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.ppc64le"
},
"product_reference": "golang-0:1.24.6-1.el10_0.ppc64le",
"relates_to_product_reference": "AppStream-10.0.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.24.6-1.el10_0.s390x as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.s390x"
},
"product_reference": "golang-0:1.24.6-1.el10_0.s390x",
"relates_to_product_reference": "AppStream-10.0.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.24.6-1.el10_0.src as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.src"
},
"product_reference": "golang-0:1.24.6-1.el10_0.src",
"relates_to_product_reference": "AppStream-10.0.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.24.6-1.el10_0.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.x86_64"
},
"product_reference": "golang-0:1.24.6-1.el10_0.x86_64",
"relates_to_product_reference": "AppStream-10.0.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.24.6-1.el10_0.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.aarch64"
},
"product_reference": "golang-bin-0:1.24.6-1.el10_0.aarch64",
"relates_to_product_reference": "AppStream-10.0.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.24.6-1.el10_0.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.ppc64le"
},
"product_reference": "golang-bin-0:1.24.6-1.el10_0.ppc64le",
"relates_to_product_reference": "AppStream-10.0.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.24.6-1.el10_0.s390x as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.s390x"
},
"product_reference": "golang-bin-0:1.24.6-1.el10_0.s390x",
"relates_to_product_reference": "AppStream-10.0.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.24.6-1.el10_0.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.x86_64"
},
"product_reference": "golang-bin-0:1.24.6-1.el10_0.x86_64",
"relates_to_product_reference": "AppStream-10.0.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-docs-0:1.24.6-1.el10_0.noarch as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.0.Z:golang-docs-0:1.24.6-1.el10_0.noarch"
},
"product_reference": "golang-docs-0:1.24.6-1.el10_0.noarch",
"relates_to_product_reference": "AppStream-10.0.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-misc-0:1.24.6-1.el10_0.noarch as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.0.Z:golang-misc-0:1.24.6-1.el10_0.noarch"
},
"product_reference": "golang-misc-0:1.24.6-1.el10_0.noarch",
"relates_to_product_reference": "AppStream-10.0.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-race-0:1.24.6-1.el10_0.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.aarch64"
},
"product_reference": "golang-race-0:1.24.6-1.el10_0.aarch64",
"relates_to_product_reference": "AppStream-10.0.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-race-0:1.24.6-1.el10_0.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.ppc64le"
},
"product_reference": "golang-race-0:1.24.6-1.el10_0.ppc64le",
"relates_to_product_reference": "AppStream-10.0.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-race-0:1.24.6-1.el10_0.s390x as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.s390x"
},
"product_reference": "golang-race-0:1.24.6-1.el10_0.s390x",
"relates_to_product_reference": "AppStream-10.0.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-race-0:1.24.6-1.el10_0.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.x86_64"
},
"product_reference": "golang-race-0:1.24.6-1.el10_0.x86_64",
"relates_to_product_reference": "AppStream-10.0.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-src-0:1.24.6-1.el10_0.noarch as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.0.Z:golang-src-0:1.24.6-1.el10_0.noarch"
},
"product_reference": "golang-src-0:1.24.6-1.el10_0.noarch",
"relates_to_product_reference": "AppStream-10.0.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-tests-0:1.24.6-1.el10_0.noarch as a component of Red Hat Enterprise Linux AppStream (v. 10)",
"product_id": "AppStream-10.0.Z:golang-tests-0:1.24.6-1.el10_0.noarch"
},
"product_reference": "golang-tests-0:1.24.6-1.el10_0.noarch",
"relates_to_product_reference": "AppStream-10.0.Z"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-4674",
"cwe": {
"id": "CWE-74",
"name": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
},
"discovery_date": "2025-07-29T22:00:54.774680+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2384329"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in cmd/go. The `go` command can execute arbitrary commands when processing untrusted version control system (VCS) repositories containing malicious configuration. This issue occurs because the command interprets VCS metadata, potentially leading to unintended command execution. This vulnerability allows a malicious actor to trigger this by providing a repository with a crafted VCS configuration, resulting in arbitrary code execution within the context of the `go` process.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "cmd/go: Go VCS Command Execution Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is Important rather than Moderate because it enables arbitrary command execution at the tooling level before any code is built or reviewed, effectively compromising the software supply chain at its earliest stage. Unlike flaws that require user interaction with the code itself, this issue is triggered simply by running go operations on a malicious repository\u2014an action routinely performed by developers and automated build systems. The problem lies in cmd/go\u2019s unsafe interpretation of cross-VCS metadata, allowing an attacker to inject commands that execute with the privileges of the go process.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.src",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-docs-0:1.24.6-1.el10_0.noarch",
"AppStream-10.0.Z:golang-misc-0:1.24.6-1.el10_0.noarch",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-src-0:1.24.6-1.el10_0.noarch",
"AppStream-10.0.Z:golang-tests-0:1.24.6-1.el10_0.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-4674"
},
{
"category": "external",
"summary": "RHBZ#2384329",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2384329"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-4674",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-4674"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-4674",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4674"
},
{
"category": "external",
"summary": "https://go.dev/cl/686515",
"url": "https://go.dev/cl/686515"
},
{
"category": "external",
"summary": "https://go.dev/issue/74380",
"url": "https://go.dev/issue/74380"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/gTNJnDXmn34",
"url": "https://groups.google.com/g/golang-announce/c/gTNJnDXmn34"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3828",
"url": "https://pkg.go.dev/vuln/GO-2025-3828"
}
],
"release_date": "2025-07-29T21:19:08.519000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-18T00:42:23+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.src",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-docs-0:1.24.6-1.el10_0.noarch",
"AppStream-10.0.Z:golang-misc-0:1.24.6-1.el10_0.noarch",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-src-0:1.24.6-1.el10_0.noarch",
"AppStream-10.0.Z:golang-tests-0:1.24.6-1.el10_0.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:13941"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.src",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-docs-0:1.24.6-1.el10_0.noarch",
"AppStream-10.0.Z:golang-misc-0:1.24.6-1.el10_0.noarch",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-src-0:1.24.6-1.el10_0.noarch",
"AppStream-10.0.Z:golang-tests-0:1.24.6-1.el10_0.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.src",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-docs-0:1.24.6-1.el10_0.noarch",
"AppStream-10.0.Z:golang-misc-0:1.24.6-1.el10_0.noarch",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-src-0:1.24.6-1.el10_0.noarch",
"AppStream-10.0.Z:golang-tests-0:1.24.6-1.el10_0.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "cmd/go: Go VCS Command Execution Vulnerability"
},
{
"cve": "CVE-2025-47906",
"cwe": {
"id": "CWE-440",
"name": "Expected Behavior Violation"
},
"discovery_date": "2025-09-18T19:00:47.541046+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2396546"
}
],
"notes": [
{
"category": "description",
"text": "A path handling flaw has been discovered in the os/exec go package. If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\"\", \".\", and \"..\"), can result in the binaries listed in the PATH being unexpectedly returned.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "os/exec: Unexpected paths returned from LookPath in os/exec",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.src",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-docs-0:1.24.6-1.el10_0.noarch",
"AppStream-10.0.Z:golang-misc-0:1.24.6-1.el10_0.noarch",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-src-0:1.24.6-1.el10_0.noarch",
"AppStream-10.0.Z:golang-tests-0:1.24.6-1.el10_0.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-47906"
},
{
"category": "external",
"summary": "RHBZ#2396546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396546"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-47906",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47906"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-47906",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47906"
},
{
"category": "external",
"summary": "https://go.dev/cl/691775",
"url": "https://go.dev/cl/691775"
},
{
"category": "external",
"summary": "https://go.dev/issue/74466",
"url": "https://go.dev/issue/74466"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM",
"url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3956",
"url": "https://pkg.go.dev/vuln/GO-2025-3956"
}
],
"release_date": "2025-09-18T18:41:11.847000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-18T00:42:23+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.src",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-docs-0:1.24.6-1.el10_0.noarch",
"AppStream-10.0.Z:golang-misc-0:1.24.6-1.el10_0.noarch",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-src-0:1.24.6-1.el10_0.noarch",
"AppStream-10.0.Z:golang-tests-0:1.24.6-1.el10_0.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:13941"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.src",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-docs-0:1.24.6-1.el10_0.noarch",
"AppStream-10.0.Z:golang-misc-0:1.24.6-1.el10_0.noarch",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-src-0:1.24.6-1.el10_0.noarch",
"AppStream-10.0.Z:golang-tests-0:1.24.6-1.el10_0.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.src",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-docs-0:1.24.6-1.el10_0.noarch",
"AppStream-10.0.Z:golang-misc-0:1.24.6-1.el10_0.noarch",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-src-0:1.24.6-1.el10_0.noarch",
"AppStream-10.0.Z:golang-tests-0:1.24.6-1.el10_0.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "os/exec: Unexpected paths returned from LookPath in os/exec"
},
{
"cve": "CVE-2025-47907",
"cwe": {
"id": "CWE-362",
"name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
},
"discovery_date": "2025-08-07T16:01:06.247481+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2387083"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in database/sql. Concurrent queries can produce unexpected results when a query is cancelled during a Scan method call on returned Rows, creating a race condition. This vulnerability allows an attacker who can initiate and cancel queries to trigger this condition, possibly leading to inconsistent data being returned to the application.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "database/sql: Postgres Scan Race Condition",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability marked as Moderate severity issues rather than Important. The os/exec LookPath flaw requires a misconfigured PATH to be exploitable, and the database/sql race condition primarily impacts applications that cancel queries while running multiple queries concurrently. Both can cause unexpected behavior, but the exploitation scope is limited and unlikely to result in direct compromise in most typical deployments.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.src",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-docs-0:1.24.6-1.el10_0.noarch",
"AppStream-10.0.Z:golang-misc-0:1.24.6-1.el10_0.noarch",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-src-0:1.24.6-1.el10_0.noarch",
"AppStream-10.0.Z:golang-tests-0:1.24.6-1.el10_0.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-47907"
},
{
"category": "external",
"summary": "RHBZ#2387083",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2387083"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-47907",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47907"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-47907",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47907"
},
{
"category": "external",
"summary": "https://go.dev/cl/693735",
"url": "https://go.dev/cl/693735"
},
{
"category": "external",
"summary": "https://go.dev/issue/74831",
"url": "https://go.dev/issue/74831"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM",
"url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3849",
"url": "https://pkg.go.dev/vuln/GO-2025-3849"
}
],
"release_date": "2025-08-07T15:25:30.704000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-08-18T00:42:23+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.src",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-docs-0:1.24.6-1.el10_0.noarch",
"AppStream-10.0.Z:golang-misc-0:1.24.6-1.el10_0.noarch",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-src-0:1.24.6-1.el10_0.noarch",
"AppStream-10.0.Z:golang-tests-0:1.24.6-1.el10_0.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:13941"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:go-toolset-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.src",
"AppStream-10.0.Z:golang-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:golang-bin-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-docs-0:1.24.6-1.el10_0.noarch",
"AppStream-10.0.Z:golang-misc-0:1.24.6-1.el10_0.noarch",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.aarch64",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.ppc64le",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.s390x",
"AppStream-10.0.Z:golang-race-0:1.24.6-1.el10_0.x86_64",
"AppStream-10.0.Z:golang-src-0:1.24.6-1.el10_0.noarch",
"AppStream-10.0.Z:golang-tests-0:1.24.6-1.el10_0.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "database/sql: Postgres Scan Race Condition"
}
]
}
RHSA-2025:21856
Vulnerability from csaf_redhat - Published: 2025-11-20 15:48 - Updated: 2026-06-07 15:33Summary
Red Hat Security Advisory: golang security update
Severity
Moderate
Notes
Topic: An update for golang is now available for Red Hat Enterprise Linux 9.4 Extended Update Support.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: The golang packages provide the Go programming language compiler.
Security Fix(es):
* os/exec: Unexpected paths returned from LookPath in os/exec (CVE-2025-47906)
* golang: archive/tar: Unbounded allocation when parsing GNU sparse map (CVE-2025-58183)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A path handling flaw has been discovered in the os/exec go package. If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.
6.5 (Medium)
Affected products
Fixed
17 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-docs-0:1.21.13-12.el9_4.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-misc-0:1.21.13-12.el9_4.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-src-0:1.21.13-12.el9_4.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-tests-0:1.21.13-12.el9_4.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in the archive/tar package in the Go standard library. tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A specially crafted tar archive with a pax header indicating a big number of sparse regions can cause a Go program to try to allocate a large amount of memory, causing an out-of-memory condition and resulting in a denial of service.
7.5 (High)
Affected products
Fixed
17 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-docs-0:1.21.13-12.el9_4.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-misc-0:1.21.13-12.el9_4.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-src-0:1.21.13-12.el9_4.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.4.0.Z.EUS:golang-tests-0:1.21.13-12.el9_4.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
21 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for golang is now available for Red Hat Enterprise Linux 9.4 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The golang packages provide the Go programming language compiler.\n\nSecurity Fix(es):\n\n* os/exec: Unexpected paths returned from LookPath in os/exec (CVE-2025-47906)\n\n* golang: archive/tar: Unbounded allocation when parsing GNU sparse map (CVE-2025-58183)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:21856",
"url": "https://access.redhat.com/errata/RHSA-2025:21856"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2396546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396546"
},
{
"category": "external",
"summary": "2407258",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2407258"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_21856.json"
}
],
"title": "Red Hat Security Advisory: golang security update",
"tracking": {
"current_release_date": "2026-06-07T15:33:19+00:00",
"generator": {
"date": "2026-06-07T15:33:19+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.2"
}
},
"id": "RHSA-2025:21856",
"initial_release_date": "2025-11-20T15:48:22+00:00",
"revision_history": [
{
"date": "2025-11-20T15:48:22+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-11-20T15:48:22+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-07T15:33:19+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product": {
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_eus:9.4::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset-0:1.21.13-12.el9_4.aarch64",
"product": {
"name": "go-toolset-0:1.21.13-12.el9_4.aarch64",
"product_id": "go-toolset-0:1.21.13-12.el9_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.21.13-12.el9_4?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.21.13-12.el9_4.aarch64",
"product": {
"name": "golang-0:1.21.13-12.el9_4.aarch64",
"product_id": "golang-0:1.21.13-12.el9_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.21.13-12.el9_4?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.21.13-12.el9_4.aarch64",
"product": {
"name": "golang-bin-0:1.21.13-12.el9_4.aarch64",
"product_id": "golang-bin-0:1.21.13-12.el9_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.21.13-12.el9_4?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset-0:1.21.13-12.el9_4.ppc64le",
"product": {
"name": "go-toolset-0:1.21.13-12.el9_4.ppc64le",
"product_id": "go-toolset-0:1.21.13-12.el9_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.21.13-12.el9_4?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.21.13-12.el9_4.ppc64le",
"product": {
"name": "golang-0:1.21.13-12.el9_4.ppc64le",
"product_id": "golang-0:1.21.13-12.el9_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.21.13-12.el9_4?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.21.13-12.el9_4.ppc64le",
"product": {
"name": "golang-bin-0:1.21.13-12.el9_4.ppc64le",
"product_id": "golang-bin-0:1.21.13-12.el9_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.21.13-12.el9_4?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset-0:1.21.13-12.el9_4.x86_64",
"product": {
"name": "go-toolset-0:1.21.13-12.el9_4.x86_64",
"product_id": "go-toolset-0:1.21.13-12.el9_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.21.13-12.el9_4?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.21.13-12.el9_4.x86_64",
"product": {
"name": "golang-0:1.21.13-12.el9_4.x86_64",
"product_id": "golang-0:1.21.13-12.el9_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.21.13-12.el9_4?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.21.13-12.el9_4.x86_64",
"product": {
"name": "golang-bin-0:1.21.13-12.el9_4.x86_64",
"product_id": "golang-bin-0:1.21.13-12.el9_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.21.13-12.el9_4?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset-0:1.21.13-12.el9_4.s390x",
"product": {
"name": "go-toolset-0:1.21.13-12.el9_4.s390x",
"product_id": "go-toolset-0:1.21.13-12.el9_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.21.13-12.el9_4?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.21.13-12.el9_4.s390x",
"product": {
"name": "golang-0:1.21.13-12.el9_4.s390x",
"product_id": "golang-0:1.21.13-12.el9_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.21.13-12.el9_4?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.21.13-12.el9_4.s390x",
"product": {
"name": "golang-bin-0:1.21.13-12.el9_4.s390x",
"product_id": "golang-bin-0:1.21.13-12.el9_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.21.13-12.el9_4?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-0:1.21.13-12.el9_4.src",
"product": {
"name": "golang-0:1.21.13-12.el9_4.src",
"product_id": "golang-0:1.21.13-12.el9_4.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.21.13-12.el9_4?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-docs-0:1.21.13-12.el9_4.noarch",
"product": {
"name": "golang-docs-0:1.21.13-12.el9_4.noarch",
"product_id": "golang-docs-0:1.21.13-12.el9_4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-docs@1.21.13-12.el9_4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "golang-misc-0:1.21.13-12.el9_4.noarch",
"product": {
"name": "golang-misc-0:1.21.13-12.el9_4.noarch",
"product_id": "golang-misc-0:1.21.13-12.el9_4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-misc@1.21.13-12.el9_4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "golang-src-0:1.21.13-12.el9_4.noarch",
"product": {
"name": "golang-src-0:1.21.13-12.el9_4.noarch",
"product_id": "golang-src-0:1.21.13-12.el9_4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-src@1.21.13-12.el9_4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "golang-tests-0:1.21.13-12.el9_4.noarch",
"product": {
"name": "golang-tests-0:1.21.13-12.el9_4.noarch",
"product_id": "golang-tests-0:1.21.13-12.el9_4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-tests@1.21.13-12.el9_4?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.21.13-12.el9_4.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.aarch64"
},
"product_reference": "go-toolset-0:1.21.13-12.el9_4.aarch64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.21.13-12.el9_4.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.ppc64le"
},
"product_reference": "go-toolset-0:1.21.13-12.el9_4.ppc64le",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.21.13-12.el9_4.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.s390x"
},
"product_reference": "go-toolset-0:1.21.13-12.el9_4.s390x",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.21.13-12.el9_4.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.x86_64"
},
"product_reference": "go-toolset-0:1.21.13-12.el9_4.x86_64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.21.13-12.el9_4.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.aarch64"
},
"product_reference": "golang-0:1.21.13-12.el9_4.aarch64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.21.13-12.el9_4.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.ppc64le"
},
"product_reference": "golang-0:1.21.13-12.el9_4.ppc64le",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.21.13-12.el9_4.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.s390x"
},
"product_reference": "golang-0:1.21.13-12.el9_4.s390x",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.21.13-12.el9_4.src as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.src"
},
"product_reference": "golang-0:1.21.13-12.el9_4.src",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.21.13-12.el9_4.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.x86_64"
},
"product_reference": "golang-0:1.21.13-12.el9_4.x86_64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.21.13-12.el9_4.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.aarch64"
},
"product_reference": "golang-bin-0:1.21.13-12.el9_4.aarch64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.21.13-12.el9_4.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.ppc64le"
},
"product_reference": "golang-bin-0:1.21.13-12.el9_4.ppc64le",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.21.13-12.el9_4.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.s390x"
},
"product_reference": "golang-bin-0:1.21.13-12.el9_4.s390x",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.21.13-12.el9_4.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.x86_64"
},
"product_reference": "golang-bin-0:1.21.13-12.el9_4.x86_64",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-docs-0:1.21.13-12.el9_4.noarch as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:golang-docs-0:1.21.13-12.el9_4.noarch"
},
"product_reference": "golang-docs-0:1.21.13-12.el9_4.noarch",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-misc-0:1.21.13-12.el9_4.noarch as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:golang-misc-0:1.21.13-12.el9_4.noarch"
},
"product_reference": "golang-misc-0:1.21.13-12.el9_4.noarch",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-src-0:1.21.13-12.el9_4.noarch as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:golang-src-0:1.21.13-12.el9_4.noarch"
},
"product_reference": "golang-src-0:1.21.13-12.el9_4.noarch",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-tests-0:1.21.13-12.el9_4.noarch as a component of Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"product_id": "AppStream-9.4.0.Z.EUS:golang-tests-0:1.21.13-12.el9_4.noarch"
},
"product_reference": "golang-tests-0:1.21.13-12.el9_4.noarch",
"relates_to_product_reference": "AppStream-9.4.0.Z.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-47906",
"cwe": {
"id": "CWE-440",
"name": "Expected Behavior Violation"
},
"discovery_date": "2025-09-18T19:00:47.541046+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2396546"
}
],
"notes": [
{
"category": "description",
"text": "A path handling flaw has been discovered in the os/exec go package. If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\"\", \".\", and \"..\"), can result in the binaries listed in the PATH being unexpectedly returned.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "os/exec: Unexpected paths returned from LookPath in os/exec",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.src",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-docs-0:1.21.13-12.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-misc-0:1.21.13-12.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-src-0:1.21.13-12.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-tests-0:1.21.13-12.el9_4.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-47906"
},
{
"category": "external",
"summary": "RHBZ#2396546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396546"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-47906",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47906"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-47906",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47906"
},
{
"category": "external",
"summary": "https://go.dev/cl/691775",
"url": "https://go.dev/cl/691775"
},
{
"category": "external",
"summary": "https://go.dev/issue/74466",
"url": "https://go.dev/issue/74466"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM",
"url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3956",
"url": "https://pkg.go.dev/vuln/GO-2025-3956"
}
],
"release_date": "2025-09-18T18:41:11.847000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-20T15:48:22+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.src",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-docs-0:1.21.13-12.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-misc-0:1.21.13-12.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-src-0:1.21.13-12.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-tests-0:1.21.13-12.el9_4.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:21856"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.src",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-docs-0:1.21.13-12.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-misc-0:1.21.13-12.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-src-0:1.21.13-12.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-tests-0:1.21.13-12.el9_4.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.src",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-docs-0:1.21.13-12.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-misc-0:1.21.13-12.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-src-0:1.21.13-12.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-tests-0:1.21.13-12.el9_4.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "os/exec: Unexpected paths returned from LookPath in os/exec"
},
{
"cve": "CVE-2025-58183",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-10-29T23:01:50.573951+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2407258"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the archive/tar package in the Go standard library. tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A specially crafted tar archive with a pax header indicating a big number of sparse regions can cause a Go program to try to allocate a large amount of memory, causing an out-of-memory condition and resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: archive/tar: Unbounded allocation when parsing GNU sparse map",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit this issue, an attacker needs to be able to process a specially crafted GNU tar pax 1.0 archive with the application using the archive/tar package. Additionally, this issue can cause the Go application to allocate a large amount of memory, eventually leading to an out-of-memory condition and resulting in a denial of service with no other security impact. Due to these reasons, this flaw has been rated with a moderate severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.src",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-docs-0:1.21.13-12.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-misc-0:1.21.13-12.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-src-0:1.21.13-12.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-tests-0:1.21.13-12.el9_4.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-58183"
},
{
"category": "external",
"summary": "RHBZ#2407258",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2407258"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-58183",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58183"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-58183",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58183"
},
{
"category": "external",
"summary": "https://go.dev/cl/709861",
"url": "https://go.dev/cl/709861"
},
{
"category": "external",
"summary": "https://go.dev/issue/75677",
"url": "https://go.dev/issue/75677"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI",
"url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-4014",
"url": "https://pkg.go.dev/vuln/GO-2025-4014"
}
],
"release_date": "2025-10-29T22:10:14.376000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-20T15:48:22+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.src",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-docs-0:1.21.13-12.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-misc-0:1.21.13-12.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-src-0:1.21.13-12.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-tests-0:1.21.13-12.el9_4.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:21856"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.src",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-docs-0:1.21.13-12.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-misc-0:1.21.13-12.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-src-0:1.21.13-12.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-tests-0:1.21.13-12.el9_4.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:go-toolset-0:1.21.13-12.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.src",
"AppStream-9.4.0.Z.EUS:golang-0:1.21.13-12.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.aarch64",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.ppc64le",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.s390x",
"AppStream-9.4.0.Z.EUS:golang-bin-0:1.21.13-12.el9_4.x86_64",
"AppStream-9.4.0.Z.EUS:golang-docs-0:1.21.13-12.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-misc-0:1.21.13-12.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-src-0:1.21.13-12.el9_4.noarch",
"AppStream-9.4.0.Z.EUS:golang-tests-0:1.21.13-12.el9_4.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: archive/tar: Unbounded allocation when parsing GNU sparse map"
}
]
}
RHSA-2025:22004
Vulnerability from csaf_redhat - Published: 2025-11-25 01:11 - Updated: 2026-04-30 13:33Summary
Red Hat Security Advisory: go-rpm-macros security update
Severity
Moderate
Notes
Topic: An update for go-rpm-macros is now available for Red Hat Enterprise Linux 9.6 Extended Update Support.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: This package provides build-stage rpm automation to simplify the creation of Go language (golang) packages. It does not need to be included in the default build root: go-srpm-macros will pull it in for Go packages only.
Security Fix(es):
* os/exec: Unexpected paths returned from LookPath in os/exec (CVE-2025-47906)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A path handling flaw has been discovered in the os/exec go package. If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.
6.5 (Medium)
Affected products
Fixed
19 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.6.0.Z.EUS:go-filesystem-0:3.6.0-11.el9_6.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.EUS:go-filesystem-0:3.6.0-11.el9_6.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.EUS:go-filesystem-0:3.6.0-11.el9_6.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.EUS:go-filesystem-0:3.6.0-11.el9_6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.EUS:go-rpm-macros-0:3.6.0-11.el9_6.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.EUS:go-rpm-macros-0:3.6.0-11.el9_6.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.EUS:go-rpm-macros-0:3.6.0-11.el9_6.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.EUS:go-rpm-macros-0:3.6.0-11.el9_6.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.EUS:go-rpm-macros-0:3.6.0-11.el9_6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.EUS:go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.EUS:go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.EUS:go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.EUS:go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.EUS:go-rpm-macros-debugsource-0:3.6.0-11.el9_6.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.EUS:go-rpm-macros-debugsource-0:3.6.0-11.el9_6.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.EUS:go-rpm-macros-debugsource-0:3.6.0-11.el9_6.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.EUS:go-rpm-macros-debugsource-0:3.6.0-11.el9_6.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.EUS:go-rpm-templates-0:3.6.0-11.el9_6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.6.0.Z.EUS:go-srpm-macros-0:3.6.0-11.el9_6.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
12 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for go-rpm-macros is now available for Red Hat Enterprise Linux 9.6 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "This package provides build-stage rpm automation to simplify the creation of Go language (golang) packages. It does not need to be included in the default build root: go-srpm-macros will pull it in for Go packages only.\n\nSecurity Fix(es):\n\n* os/exec: Unexpected paths returned from LookPath in os/exec (CVE-2025-47906)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:22004",
"url": "https://access.redhat.com/errata/RHSA-2025:22004"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2396546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396546"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_22004.json"
}
],
"title": "Red Hat Security Advisory: go-rpm-macros security update",
"tracking": {
"current_release_date": "2026-04-30T13:33:13+00:00",
"generator": {
"date": "2026-04-30T13:33:13+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.7"
}
},
"id": "RHSA-2025:22004",
"initial_release_date": "2025-11-25T01:11:08+00:00",
"revision_history": [
{
"date": "2025-11-25T01:11:08+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-11-25T01:11:08+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-04-30T13:33:13+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product": {
"name": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_eus:9.6::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "go-filesystem-0:3.6.0-11.el9_6.aarch64",
"product": {
"name": "go-filesystem-0:3.6.0-11.el9_6.aarch64",
"product_id": "go-filesystem-0:3.6.0-11.el9_6.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-filesystem@3.6.0-11.el9_6?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "go-rpm-macros-0:3.6.0-11.el9_6.aarch64",
"product": {
"name": "go-rpm-macros-0:3.6.0-11.el9_6.aarch64",
"product_id": "go-rpm-macros-0:3.6.0-11.el9_6.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros@3.6.0-11.el9_6?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "go-rpm-macros-debugsource-0:3.6.0-11.el9_6.aarch64",
"product": {
"name": "go-rpm-macros-debugsource-0:3.6.0-11.el9_6.aarch64",
"product_id": "go-rpm-macros-debugsource-0:3.6.0-11.el9_6.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros-debugsource@3.6.0-11.el9_6?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.aarch64",
"product": {
"name": "go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.aarch64",
"product_id": "go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros-debuginfo@3.6.0-11.el9_6?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "go-filesystem-0:3.6.0-11.el9_6.ppc64le",
"product": {
"name": "go-filesystem-0:3.6.0-11.el9_6.ppc64le",
"product_id": "go-filesystem-0:3.6.0-11.el9_6.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-filesystem@3.6.0-11.el9_6?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "go-rpm-macros-0:3.6.0-11.el9_6.ppc64le",
"product": {
"name": "go-rpm-macros-0:3.6.0-11.el9_6.ppc64le",
"product_id": "go-rpm-macros-0:3.6.0-11.el9_6.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros@3.6.0-11.el9_6?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "go-rpm-macros-debugsource-0:3.6.0-11.el9_6.ppc64le",
"product": {
"name": "go-rpm-macros-debugsource-0:3.6.0-11.el9_6.ppc64le",
"product_id": "go-rpm-macros-debugsource-0:3.6.0-11.el9_6.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros-debugsource@3.6.0-11.el9_6?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.ppc64le",
"product": {
"name": "go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.ppc64le",
"product_id": "go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros-debuginfo@3.6.0-11.el9_6?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "go-filesystem-0:3.6.0-11.el9_6.x86_64",
"product": {
"name": "go-filesystem-0:3.6.0-11.el9_6.x86_64",
"product_id": "go-filesystem-0:3.6.0-11.el9_6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-filesystem@3.6.0-11.el9_6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "go-rpm-macros-0:3.6.0-11.el9_6.x86_64",
"product": {
"name": "go-rpm-macros-0:3.6.0-11.el9_6.x86_64",
"product_id": "go-rpm-macros-0:3.6.0-11.el9_6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros@3.6.0-11.el9_6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "go-rpm-macros-debugsource-0:3.6.0-11.el9_6.x86_64",
"product": {
"name": "go-rpm-macros-debugsource-0:3.6.0-11.el9_6.x86_64",
"product_id": "go-rpm-macros-debugsource-0:3.6.0-11.el9_6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros-debugsource@3.6.0-11.el9_6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.x86_64",
"product": {
"name": "go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.x86_64",
"product_id": "go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros-debuginfo@3.6.0-11.el9_6?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "go-filesystem-0:3.6.0-11.el9_6.s390x",
"product": {
"name": "go-filesystem-0:3.6.0-11.el9_6.s390x",
"product_id": "go-filesystem-0:3.6.0-11.el9_6.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-filesystem@3.6.0-11.el9_6?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "go-rpm-macros-0:3.6.0-11.el9_6.s390x",
"product": {
"name": "go-rpm-macros-0:3.6.0-11.el9_6.s390x",
"product_id": "go-rpm-macros-0:3.6.0-11.el9_6.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros@3.6.0-11.el9_6?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "go-rpm-macros-debugsource-0:3.6.0-11.el9_6.s390x",
"product": {
"name": "go-rpm-macros-debugsource-0:3.6.0-11.el9_6.s390x",
"product_id": "go-rpm-macros-debugsource-0:3.6.0-11.el9_6.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros-debugsource@3.6.0-11.el9_6?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.s390x",
"product": {
"name": "go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.s390x",
"product_id": "go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros-debuginfo@3.6.0-11.el9_6?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "go-rpm-macros-0:3.6.0-11.el9_6.src",
"product": {
"name": "go-rpm-macros-0:3.6.0-11.el9_6.src",
"product_id": "go-rpm-macros-0:3.6.0-11.el9_6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros@3.6.0-11.el9_6?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "go-rpm-templates-0:3.6.0-11.el9_6.noarch",
"product": {
"name": "go-rpm-templates-0:3.6.0-11.el9_6.noarch",
"product_id": "go-rpm-templates-0:3.6.0-11.el9_6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-templates@3.6.0-11.el9_6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "go-srpm-macros-0:3.6.0-11.el9_6.noarch",
"product": {
"name": "go-srpm-macros-0:3.6.0-11.el9_6.noarch",
"product_id": "go-srpm-macros-0:3.6.0-11.el9_6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-srpm-macros@3.6.0-11.el9_6?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "go-filesystem-0:3.6.0-11.el9_6.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:go-filesystem-0:3.6.0-11.el9_6.aarch64"
},
"product_reference": "go-filesystem-0:3.6.0-11.el9_6.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-filesystem-0:3.6.0-11.el9_6.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:go-filesystem-0:3.6.0-11.el9_6.ppc64le"
},
"product_reference": "go-filesystem-0:3.6.0-11.el9_6.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-filesystem-0:3.6.0-11.el9_6.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:go-filesystem-0:3.6.0-11.el9_6.s390x"
},
"product_reference": "go-filesystem-0:3.6.0-11.el9_6.s390x",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-filesystem-0:3.6.0-11.el9_6.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:go-filesystem-0:3.6.0-11.el9_6.x86_64"
},
"product_reference": "go-filesystem-0:3.6.0-11.el9_6.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-0:3.6.0-11.el9_6.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:go-rpm-macros-0:3.6.0-11.el9_6.aarch64"
},
"product_reference": "go-rpm-macros-0:3.6.0-11.el9_6.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-0:3.6.0-11.el9_6.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:go-rpm-macros-0:3.6.0-11.el9_6.ppc64le"
},
"product_reference": "go-rpm-macros-0:3.6.0-11.el9_6.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-0:3.6.0-11.el9_6.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:go-rpm-macros-0:3.6.0-11.el9_6.s390x"
},
"product_reference": "go-rpm-macros-0:3.6.0-11.el9_6.s390x",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-0:3.6.0-11.el9_6.src as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:go-rpm-macros-0:3.6.0-11.el9_6.src"
},
"product_reference": "go-rpm-macros-0:3.6.0-11.el9_6.src",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-0:3.6.0-11.el9_6.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:go-rpm-macros-0:3.6.0-11.el9_6.x86_64"
},
"product_reference": "go-rpm-macros-0:3.6.0-11.el9_6.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.aarch64"
},
"product_reference": "go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.ppc64le"
},
"product_reference": "go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.s390x"
},
"product_reference": "go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.s390x",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.x86_64"
},
"product_reference": "go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-debugsource-0:3.6.0-11.el9_6.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:go-rpm-macros-debugsource-0:3.6.0-11.el9_6.aarch64"
},
"product_reference": "go-rpm-macros-debugsource-0:3.6.0-11.el9_6.aarch64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-debugsource-0:3.6.0-11.el9_6.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:go-rpm-macros-debugsource-0:3.6.0-11.el9_6.ppc64le"
},
"product_reference": "go-rpm-macros-debugsource-0:3.6.0-11.el9_6.ppc64le",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-debugsource-0:3.6.0-11.el9_6.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:go-rpm-macros-debugsource-0:3.6.0-11.el9_6.s390x"
},
"product_reference": "go-rpm-macros-debugsource-0:3.6.0-11.el9_6.s390x",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-debugsource-0:3.6.0-11.el9_6.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:go-rpm-macros-debugsource-0:3.6.0-11.el9_6.x86_64"
},
"product_reference": "go-rpm-macros-debugsource-0:3.6.0-11.el9_6.x86_64",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-templates-0:3.6.0-11.el9_6.noarch as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:go-rpm-templates-0:3.6.0-11.el9_6.noarch"
},
"product_reference": "go-rpm-templates-0:3.6.0-11.el9_6.noarch",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-srpm-macros-0:3.6.0-11.el9_6.noarch as a component of Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"product_id": "AppStream-9.6.0.Z.EUS:go-srpm-macros-0:3.6.0-11.el9_6.noarch"
},
"product_reference": "go-srpm-macros-0:3.6.0-11.el9_6.noarch",
"relates_to_product_reference": "AppStream-9.6.0.Z.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-47906",
"cwe": {
"id": "CWE-440",
"name": "Expected Behavior Violation"
},
"discovery_date": "2025-09-18T19:00:47.541046+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2396546"
}
],
"notes": [
{
"category": "description",
"text": "A path handling flaw has been discovered in the os/exec go package. If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\"\", \".\", and \"..\"), can result in the binaries listed in the PATH being unexpectedly returned.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "os/exec: Unexpected paths returned from LookPath in os/exec",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.6.0.Z.EUS:go-filesystem-0:3.6.0-11.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:go-filesystem-0:3.6.0-11.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:go-filesystem-0:3.6.0-11.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:go-filesystem-0:3.6.0-11.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-0:3.6.0-11.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-0:3.6.0-11.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-0:3.6.0-11.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-0:3.6.0-11.el9_6.src",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-0:3.6.0-11.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-debugsource-0:3.6.0-11.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-debugsource-0:3.6.0-11.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-debugsource-0:3.6.0-11.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-debugsource-0:3.6.0-11.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:go-rpm-templates-0:3.6.0-11.el9_6.noarch",
"AppStream-9.6.0.Z.EUS:go-srpm-macros-0:3.6.0-11.el9_6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-47906"
},
{
"category": "external",
"summary": "RHBZ#2396546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396546"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-47906",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47906"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-47906",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47906"
},
{
"category": "external",
"summary": "https://go.dev/cl/691775",
"url": "https://go.dev/cl/691775"
},
{
"category": "external",
"summary": "https://go.dev/issue/74466",
"url": "https://go.dev/issue/74466"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM",
"url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3956",
"url": "https://pkg.go.dev/vuln/GO-2025-3956"
}
],
"release_date": "2025-09-18T18:41:11.847000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-25T01:11:08+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.6.0.Z.EUS:go-filesystem-0:3.6.0-11.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:go-filesystem-0:3.6.0-11.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:go-filesystem-0:3.6.0-11.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:go-filesystem-0:3.6.0-11.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-0:3.6.0-11.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-0:3.6.0-11.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-0:3.6.0-11.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-0:3.6.0-11.el9_6.src",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-0:3.6.0-11.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-debugsource-0:3.6.0-11.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-debugsource-0:3.6.0-11.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-debugsource-0:3.6.0-11.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-debugsource-0:3.6.0-11.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:go-rpm-templates-0:3.6.0-11.el9_6.noarch",
"AppStream-9.6.0.Z.EUS:go-srpm-macros-0:3.6.0-11.el9_6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:22004"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.6.0.Z.EUS:go-filesystem-0:3.6.0-11.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:go-filesystem-0:3.6.0-11.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:go-filesystem-0:3.6.0-11.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:go-filesystem-0:3.6.0-11.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-0:3.6.0-11.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-0:3.6.0-11.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-0:3.6.0-11.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-0:3.6.0-11.el9_6.src",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-0:3.6.0-11.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-debugsource-0:3.6.0-11.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-debugsource-0:3.6.0-11.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-debugsource-0:3.6.0-11.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-debugsource-0:3.6.0-11.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:go-rpm-templates-0:3.6.0-11.el9_6.noarch",
"AppStream-9.6.0.Z.EUS:go-srpm-macros-0:3.6.0-11.el9_6.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.6.0.Z.EUS:go-filesystem-0:3.6.0-11.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:go-filesystem-0:3.6.0-11.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:go-filesystem-0:3.6.0-11.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:go-filesystem-0:3.6.0-11.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-0:3.6.0-11.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-0:3.6.0-11.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-0:3.6.0-11.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-0:3.6.0-11.el9_6.src",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-0:3.6.0-11.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-debuginfo-0:3.6.0-11.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-debugsource-0:3.6.0-11.el9_6.aarch64",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-debugsource-0:3.6.0-11.el9_6.ppc64le",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-debugsource-0:3.6.0-11.el9_6.s390x",
"AppStream-9.6.0.Z.EUS:go-rpm-macros-debugsource-0:3.6.0-11.el9_6.x86_64",
"AppStream-9.6.0.Z.EUS:go-rpm-templates-0:3.6.0-11.el9_6.noarch",
"AppStream-9.6.0.Z.EUS:go-srpm-macros-0:3.6.0-11.el9_6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "os/exec: Unexpected paths returned from LookPath in os/exec"
}
]
}
RHSA-2025:22005
Vulnerability from csaf_redhat - Published: 2025-11-25 01:21 - Updated: 2026-04-30 13:33Summary
Red Hat Security Advisory: go-rpm-macros security update
Severity
Moderate
Notes
Topic: An update for go-rpm-macros is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: This package provides build-stage rpm automation to simplify the creation of Go language (golang) packages. It does not need to be included in the default build root: go-srpm-macros will pull it in for Go packages only.
Security Fix(es):
* os/exec: Unexpected paths returned from LookPath in os/exec (CVE-2025-47906)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A path handling flaw has been discovered in the os/exec go package. If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.
6.5 (Medium)
Affected products
Fixed
19 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:go-filesystem-0:3.6.0-12.el9_7.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:go-filesystem-0:3.6.0-12.el9_7.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:go-filesystem-0:3.6.0-12.el9_7.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:go-filesystem-0:3.6.0-12.el9_7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:go-rpm-macros-0:3.6.0-12.el9_7.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:go-rpm-macros-0:3.6.0-12.el9_7.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:go-rpm-macros-0:3.6.0-12.el9_7.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:go-rpm-macros-0:3.6.0-12.el9_7.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:go-rpm-macros-0:3.6.0-12.el9_7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:go-rpm-macros-debugsource-0:3.6.0-12.el9_7.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:go-rpm-macros-debugsource-0:3.6.0-12.el9_7.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:go-rpm-macros-debugsource-0:3.6.0-12.el9_7.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:go-rpm-macros-debugsource-0:3.6.0-12.el9_7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:go-rpm-templates-0:3.6.0-12.el9_7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.7.0.Z.MAIN:go-srpm-macros-0:3.6.0-12.el9_7.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
12 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for go-rpm-macros is now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "This package provides build-stage rpm automation to simplify the creation of Go language (golang) packages. It does not need to be included in the default build root: go-srpm-macros will pull it in for Go packages only.\n\nSecurity Fix(es):\n\n* os/exec: Unexpected paths returned from LookPath in os/exec (CVE-2025-47906)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:22005",
"url": "https://access.redhat.com/errata/RHSA-2025:22005"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2396546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396546"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_22005.json"
}
],
"title": "Red Hat Security Advisory: go-rpm-macros security update",
"tracking": {
"current_release_date": "2026-04-30T13:33:13+00:00",
"generator": {
"date": "2026-04-30T13:33:13+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.7"
}
},
"id": "RHSA-2025:22005",
"initial_release_date": "2025-11-25T01:21:20+00:00",
"revision_history": [
{
"date": "2025-11-25T01:21:20+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-11-25T01:21:20+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-04-30T13:33:13+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:9::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "go-filesystem-0:3.6.0-12.el9_7.aarch64",
"product": {
"name": "go-filesystem-0:3.6.0-12.el9_7.aarch64",
"product_id": "go-filesystem-0:3.6.0-12.el9_7.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-filesystem@3.6.0-12.el9_7?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "go-rpm-macros-0:3.6.0-12.el9_7.aarch64",
"product": {
"name": "go-rpm-macros-0:3.6.0-12.el9_7.aarch64",
"product_id": "go-rpm-macros-0:3.6.0-12.el9_7.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros@3.6.0-12.el9_7?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "go-rpm-macros-debugsource-0:3.6.0-12.el9_7.aarch64",
"product": {
"name": "go-rpm-macros-debugsource-0:3.6.0-12.el9_7.aarch64",
"product_id": "go-rpm-macros-debugsource-0:3.6.0-12.el9_7.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros-debugsource@3.6.0-12.el9_7?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.aarch64",
"product": {
"name": "go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.aarch64",
"product_id": "go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros-debuginfo@3.6.0-12.el9_7?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "go-filesystem-0:3.6.0-12.el9_7.ppc64le",
"product": {
"name": "go-filesystem-0:3.6.0-12.el9_7.ppc64le",
"product_id": "go-filesystem-0:3.6.0-12.el9_7.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-filesystem@3.6.0-12.el9_7?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "go-rpm-macros-0:3.6.0-12.el9_7.ppc64le",
"product": {
"name": "go-rpm-macros-0:3.6.0-12.el9_7.ppc64le",
"product_id": "go-rpm-macros-0:3.6.0-12.el9_7.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros@3.6.0-12.el9_7?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "go-rpm-macros-debugsource-0:3.6.0-12.el9_7.ppc64le",
"product": {
"name": "go-rpm-macros-debugsource-0:3.6.0-12.el9_7.ppc64le",
"product_id": "go-rpm-macros-debugsource-0:3.6.0-12.el9_7.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros-debugsource@3.6.0-12.el9_7?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.ppc64le",
"product": {
"name": "go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.ppc64le",
"product_id": "go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros-debuginfo@3.6.0-12.el9_7?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "go-filesystem-0:3.6.0-12.el9_7.x86_64",
"product": {
"name": "go-filesystem-0:3.6.0-12.el9_7.x86_64",
"product_id": "go-filesystem-0:3.6.0-12.el9_7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-filesystem@3.6.0-12.el9_7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "go-rpm-macros-0:3.6.0-12.el9_7.x86_64",
"product": {
"name": "go-rpm-macros-0:3.6.0-12.el9_7.x86_64",
"product_id": "go-rpm-macros-0:3.6.0-12.el9_7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros@3.6.0-12.el9_7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "go-rpm-macros-debugsource-0:3.6.0-12.el9_7.x86_64",
"product": {
"name": "go-rpm-macros-debugsource-0:3.6.0-12.el9_7.x86_64",
"product_id": "go-rpm-macros-debugsource-0:3.6.0-12.el9_7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros-debugsource@3.6.0-12.el9_7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.x86_64",
"product": {
"name": "go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.x86_64",
"product_id": "go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros-debuginfo@3.6.0-12.el9_7?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "go-filesystem-0:3.6.0-12.el9_7.s390x",
"product": {
"name": "go-filesystem-0:3.6.0-12.el9_7.s390x",
"product_id": "go-filesystem-0:3.6.0-12.el9_7.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-filesystem@3.6.0-12.el9_7?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "go-rpm-macros-0:3.6.0-12.el9_7.s390x",
"product": {
"name": "go-rpm-macros-0:3.6.0-12.el9_7.s390x",
"product_id": "go-rpm-macros-0:3.6.0-12.el9_7.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros@3.6.0-12.el9_7?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "go-rpm-macros-debugsource-0:3.6.0-12.el9_7.s390x",
"product": {
"name": "go-rpm-macros-debugsource-0:3.6.0-12.el9_7.s390x",
"product_id": "go-rpm-macros-debugsource-0:3.6.0-12.el9_7.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros-debugsource@3.6.0-12.el9_7?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.s390x",
"product": {
"name": "go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.s390x",
"product_id": "go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros-debuginfo@3.6.0-12.el9_7?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "go-rpm-macros-0:3.6.0-12.el9_7.src",
"product": {
"name": "go-rpm-macros-0:3.6.0-12.el9_7.src",
"product_id": "go-rpm-macros-0:3.6.0-12.el9_7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-macros@3.6.0-12.el9_7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "go-rpm-templates-0:3.6.0-12.el9_7.noarch",
"product": {
"name": "go-rpm-templates-0:3.6.0-12.el9_7.noarch",
"product_id": "go-rpm-templates-0:3.6.0-12.el9_7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-rpm-templates@3.6.0-12.el9_7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "go-srpm-macros-0:3.6.0-12.el9_7.noarch",
"product": {
"name": "go-srpm-macros-0:3.6.0-12.el9_7.noarch",
"product_id": "go-srpm-macros-0:3.6.0-12.el9_7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-srpm-macros@3.6.0-12.el9_7?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "go-filesystem-0:3.6.0-12.el9_7.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:go-filesystem-0:3.6.0-12.el9_7.aarch64"
},
"product_reference": "go-filesystem-0:3.6.0-12.el9_7.aarch64",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-filesystem-0:3.6.0-12.el9_7.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:go-filesystem-0:3.6.0-12.el9_7.ppc64le"
},
"product_reference": "go-filesystem-0:3.6.0-12.el9_7.ppc64le",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-filesystem-0:3.6.0-12.el9_7.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:go-filesystem-0:3.6.0-12.el9_7.s390x"
},
"product_reference": "go-filesystem-0:3.6.0-12.el9_7.s390x",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-filesystem-0:3.6.0-12.el9_7.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:go-filesystem-0:3.6.0-12.el9_7.x86_64"
},
"product_reference": "go-filesystem-0:3.6.0-12.el9_7.x86_64",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-0:3.6.0-12.el9_7.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:go-rpm-macros-0:3.6.0-12.el9_7.aarch64"
},
"product_reference": "go-rpm-macros-0:3.6.0-12.el9_7.aarch64",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-0:3.6.0-12.el9_7.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:go-rpm-macros-0:3.6.0-12.el9_7.ppc64le"
},
"product_reference": "go-rpm-macros-0:3.6.0-12.el9_7.ppc64le",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-0:3.6.0-12.el9_7.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:go-rpm-macros-0:3.6.0-12.el9_7.s390x"
},
"product_reference": "go-rpm-macros-0:3.6.0-12.el9_7.s390x",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-0:3.6.0-12.el9_7.src as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:go-rpm-macros-0:3.6.0-12.el9_7.src"
},
"product_reference": "go-rpm-macros-0:3.6.0-12.el9_7.src",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-0:3.6.0-12.el9_7.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:go-rpm-macros-0:3.6.0-12.el9_7.x86_64"
},
"product_reference": "go-rpm-macros-0:3.6.0-12.el9_7.x86_64",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.aarch64"
},
"product_reference": "go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.aarch64",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.ppc64le"
},
"product_reference": "go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.ppc64le",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.s390x"
},
"product_reference": "go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.s390x",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.x86_64"
},
"product_reference": "go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.x86_64",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-debugsource-0:3.6.0-12.el9_7.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:go-rpm-macros-debugsource-0:3.6.0-12.el9_7.aarch64"
},
"product_reference": "go-rpm-macros-debugsource-0:3.6.0-12.el9_7.aarch64",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-debugsource-0:3.6.0-12.el9_7.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:go-rpm-macros-debugsource-0:3.6.0-12.el9_7.ppc64le"
},
"product_reference": "go-rpm-macros-debugsource-0:3.6.0-12.el9_7.ppc64le",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-debugsource-0:3.6.0-12.el9_7.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:go-rpm-macros-debugsource-0:3.6.0-12.el9_7.s390x"
},
"product_reference": "go-rpm-macros-debugsource-0:3.6.0-12.el9_7.s390x",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-macros-debugsource-0:3.6.0-12.el9_7.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:go-rpm-macros-debugsource-0:3.6.0-12.el9_7.x86_64"
},
"product_reference": "go-rpm-macros-debugsource-0:3.6.0-12.el9_7.x86_64",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-rpm-templates-0:3.6.0-12.el9_7.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:go-rpm-templates-0:3.6.0-12.el9_7.noarch"
},
"product_reference": "go-rpm-templates-0:3.6.0-12.el9_7.noarch",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-srpm-macros-0:3.6.0-12.el9_7.noarch as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.7.0.Z.MAIN:go-srpm-macros-0:3.6.0-12.el9_7.noarch"
},
"product_reference": "go-srpm-macros-0:3.6.0-12.el9_7.noarch",
"relates_to_product_reference": "AppStream-9.7.0.Z.MAIN"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-47906",
"cwe": {
"id": "CWE-440",
"name": "Expected Behavior Violation"
},
"discovery_date": "2025-09-18T19:00:47.541046+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2396546"
}
],
"notes": [
{
"category": "description",
"text": "A path handling flaw has been discovered in the os/exec go package. If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\"\", \".\", and \"..\"), can result in the binaries listed in the PATH being unexpectedly returned.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "os/exec: Unexpected paths returned from LookPath in os/exec",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.7.0.Z.MAIN:go-filesystem-0:3.6.0-12.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:go-filesystem-0:3.6.0-12.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:go-filesystem-0:3.6.0-12.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:go-filesystem-0:3.6.0-12.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-0:3.6.0-12.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-0:3.6.0-12.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-0:3.6.0-12.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-0:3.6.0-12.el9_7.src",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-0:3.6.0-12.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-debugsource-0:3.6.0-12.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-debugsource-0:3.6.0-12.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-debugsource-0:3.6.0-12.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-debugsource-0:3.6.0-12.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:go-rpm-templates-0:3.6.0-12.el9_7.noarch",
"AppStream-9.7.0.Z.MAIN:go-srpm-macros-0:3.6.0-12.el9_7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-47906"
},
{
"category": "external",
"summary": "RHBZ#2396546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396546"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-47906",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47906"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-47906",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47906"
},
{
"category": "external",
"summary": "https://go.dev/cl/691775",
"url": "https://go.dev/cl/691775"
},
{
"category": "external",
"summary": "https://go.dev/issue/74466",
"url": "https://go.dev/issue/74466"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM",
"url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3956",
"url": "https://pkg.go.dev/vuln/GO-2025-3956"
}
],
"release_date": "2025-09-18T18:41:11.847000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-25T01:21:20+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.7.0.Z.MAIN:go-filesystem-0:3.6.0-12.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:go-filesystem-0:3.6.0-12.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:go-filesystem-0:3.6.0-12.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:go-filesystem-0:3.6.0-12.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-0:3.6.0-12.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-0:3.6.0-12.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-0:3.6.0-12.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-0:3.6.0-12.el9_7.src",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-0:3.6.0-12.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-debugsource-0:3.6.0-12.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-debugsource-0:3.6.0-12.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-debugsource-0:3.6.0-12.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-debugsource-0:3.6.0-12.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:go-rpm-templates-0:3.6.0-12.el9_7.noarch",
"AppStream-9.7.0.Z.MAIN:go-srpm-macros-0:3.6.0-12.el9_7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:22005"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.7.0.Z.MAIN:go-filesystem-0:3.6.0-12.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:go-filesystem-0:3.6.0-12.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:go-filesystem-0:3.6.0-12.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:go-filesystem-0:3.6.0-12.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-0:3.6.0-12.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-0:3.6.0-12.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-0:3.6.0-12.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-0:3.6.0-12.el9_7.src",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-0:3.6.0-12.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-debugsource-0:3.6.0-12.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-debugsource-0:3.6.0-12.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-debugsource-0:3.6.0-12.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-debugsource-0:3.6.0-12.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:go-rpm-templates-0:3.6.0-12.el9_7.noarch",
"AppStream-9.7.0.Z.MAIN:go-srpm-macros-0:3.6.0-12.el9_7.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.7.0.Z.MAIN:go-filesystem-0:3.6.0-12.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:go-filesystem-0:3.6.0-12.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:go-filesystem-0:3.6.0-12.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:go-filesystem-0:3.6.0-12.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-0:3.6.0-12.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-0:3.6.0-12.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-0:3.6.0-12.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-0:3.6.0-12.el9_7.src",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-0:3.6.0-12.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-debuginfo-0:3.6.0-12.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-debugsource-0:3.6.0-12.el9_7.aarch64",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-debugsource-0:3.6.0-12.el9_7.ppc64le",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-debugsource-0:3.6.0-12.el9_7.s390x",
"AppStream-9.7.0.Z.MAIN:go-rpm-macros-debugsource-0:3.6.0-12.el9_7.x86_64",
"AppStream-9.7.0.Z.MAIN:go-rpm-templates-0:3.6.0-12.el9_7.noarch",
"AppStream-9.7.0.Z.MAIN:go-srpm-macros-0:3.6.0-12.el9_7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "os/exec: Unexpected paths returned from LookPath in os/exec"
}
]
}
RHSA-2025:22181
Vulnerability from csaf_redhat - Published: 2025-11-26 15:05 - Updated: 2026-06-07 15:33Summary
Red Hat Security Advisory: golang security update
Severity
Moderate
Notes
Topic: An update for golang is now available for Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: The golang packages provide the Go programming language compiler.
Security Fix(es):
* os/exec: Unexpected paths returned from LookPath in os/exec (CVE-2025-47906)
* golang: archive/tar: Unbounded allocation when parsing GNU sparse map (CVE-2025-58183)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A path handling flaw has been discovered in the os/exec go package. If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.
6.5 (Medium)
Affected products
Fixed
14 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-docs-0:1.19.13-20.el9_2.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-misc-0:1.19.13-20.el9_2.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-race-0:1.19.13-20.el9_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-src-0:1.19.13-20.el9_2.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-tests-0:1.19.13-20.el9_2.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in the archive/tar package in the Go standard library. tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A specially crafted tar archive with a pax header indicating a big number of sparse regions can cause a Go program to try to allocate a large amount of memory, causing an out-of-memory condition and resulting in a denial of service.
7.5 (High)
Affected products
Fixed
14 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-docs-0:1.19.13-20.el9_2.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-misc-0:1.19.13-20.el9_2.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-race-0:1.19.13-20.el9_2.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-src-0:1.19.13-20.el9_2.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.2.0.Z.E4S:golang-tests-0:1.19.13-20.el9_2.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
21 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for golang is now available for Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The golang packages provide the Go programming language compiler.\n\nSecurity Fix(es):\n\n* os/exec: Unexpected paths returned from LookPath in os/exec (CVE-2025-47906)\n\n* golang: archive/tar: Unbounded allocation when parsing GNU sparse map (CVE-2025-58183)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:22181",
"url": "https://access.redhat.com/errata/RHSA-2025:22181"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2396546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396546"
},
{
"category": "external",
"summary": "2407258",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2407258"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_22181.json"
}
],
"title": "Red Hat Security Advisory: golang security update",
"tracking": {
"current_release_date": "2026-06-07T15:33:21+00:00",
"generator": {
"date": "2026-06-07T15:33:21+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.2"
}
},
"id": "RHSA-2025:22181",
"initial_release_date": "2025-11-26T15:05:54+00:00",
"revision_history": [
{
"date": "2025-11-26T15:05:54+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-11-26T15:05:54+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-07T15:33:21+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product": {
"name": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_e4s:9.2::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-0:1.19.13-20.el9_2.src",
"product": {
"name": "golang-0:1.19.13-20.el9_2.src",
"product_id": "golang-0:1.19.13-20.el9_2.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.19.13-20.el9_2?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-0:1.19.13-20.el9_2.aarch64",
"product": {
"name": "golang-0:1.19.13-20.el9_2.aarch64",
"product_id": "golang-0:1.19.13-20.el9_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.19.13-20.el9_2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.19.13-20.el9_2.aarch64",
"product": {
"name": "golang-bin-0:1.19.13-20.el9_2.aarch64",
"product_id": "golang-bin-0:1.19.13-20.el9_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.19.13-20.el9_2?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-0:1.19.13-20.el9_2.ppc64le",
"product": {
"name": "golang-0:1.19.13-20.el9_2.ppc64le",
"product_id": "golang-0:1.19.13-20.el9_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.19.13-20.el9_2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.19.13-20.el9_2.ppc64le",
"product": {
"name": "golang-bin-0:1.19.13-20.el9_2.ppc64le",
"product_id": "golang-bin-0:1.19.13-20.el9_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.19.13-20.el9_2?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-0:1.19.13-20.el9_2.x86_64",
"product": {
"name": "golang-0:1.19.13-20.el9_2.x86_64",
"product_id": "golang-0:1.19.13-20.el9_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.19.13-20.el9_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.19.13-20.el9_2.x86_64",
"product": {
"name": "golang-bin-0:1.19.13-20.el9_2.x86_64",
"product_id": "golang-bin-0:1.19.13-20.el9_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.19.13-20.el9_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "golang-race-0:1.19.13-20.el9_2.x86_64",
"product": {
"name": "golang-race-0:1.19.13-20.el9_2.x86_64",
"product_id": "golang-race-0:1.19.13-20.el9_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-race@1.19.13-20.el9_2?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-0:1.19.13-20.el9_2.s390x",
"product": {
"name": "golang-0:1.19.13-20.el9_2.s390x",
"product_id": "golang-0:1.19.13-20.el9_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.19.13-20.el9_2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.19.13-20.el9_2.s390x",
"product": {
"name": "golang-bin-0:1.19.13-20.el9_2.s390x",
"product_id": "golang-bin-0:1.19.13-20.el9_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.19.13-20.el9_2?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-docs-0:1.19.13-20.el9_2.noarch",
"product": {
"name": "golang-docs-0:1.19.13-20.el9_2.noarch",
"product_id": "golang-docs-0:1.19.13-20.el9_2.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-docs@1.19.13-20.el9_2?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "golang-misc-0:1.19.13-20.el9_2.noarch",
"product": {
"name": "golang-misc-0:1.19.13-20.el9_2.noarch",
"product_id": "golang-misc-0:1.19.13-20.el9_2.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-misc@1.19.13-20.el9_2?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "golang-src-0:1.19.13-20.el9_2.noarch",
"product": {
"name": "golang-src-0:1.19.13-20.el9_2.noarch",
"product_id": "golang-src-0:1.19.13-20.el9_2.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-src@1.19.13-20.el9_2?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "golang-tests-0:1.19.13-20.el9_2.noarch",
"product": {
"name": "golang-tests-0:1.19.13-20.el9_2.noarch",
"product_id": "golang-tests-0:1.19.13-20.el9_2.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-tests@1.19.13-20.el9_2?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.19.13-20.el9_2.aarch64 as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.aarch64"
},
"product_reference": "golang-0:1.19.13-20.el9_2.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.19.13-20.el9_2.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.ppc64le"
},
"product_reference": "golang-0:1.19.13-20.el9_2.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.19.13-20.el9_2.s390x as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.s390x"
},
"product_reference": "golang-0:1.19.13-20.el9_2.s390x",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.19.13-20.el9_2.src as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.src"
},
"product_reference": "golang-0:1.19.13-20.el9_2.src",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.19.13-20.el9_2.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.x86_64"
},
"product_reference": "golang-0:1.19.13-20.el9_2.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.19.13-20.el9_2.aarch64 as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.aarch64"
},
"product_reference": "golang-bin-0:1.19.13-20.el9_2.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.19.13-20.el9_2.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.ppc64le"
},
"product_reference": "golang-bin-0:1.19.13-20.el9_2.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.19.13-20.el9_2.s390x as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.s390x"
},
"product_reference": "golang-bin-0:1.19.13-20.el9_2.s390x",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.19.13-20.el9_2.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.x86_64"
},
"product_reference": "golang-bin-0:1.19.13-20.el9_2.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-docs-0:1.19.13-20.el9_2.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-docs-0:1.19.13-20.el9_2.noarch"
},
"product_reference": "golang-docs-0:1.19.13-20.el9_2.noarch",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-misc-0:1.19.13-20.el9_2.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-misc-0:1.19.13-20.el9_2.noarch"
},
"product_reference": "golang-misc-0:1.19.13-20.el9_2.noarch",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-race-0:1.19.13-20.el9_2.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-race-0:1.19.13-20.el9_2.x86_64"
},
"product_reference": "golang-race-0:1.19.13-20.el9_2.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-src-0:1.19.13-20.el9_2.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-src-0:1.19.13-20.el9_2.noarch"
},
"product_reference": "golang-src-0:1.19.13-20.el9_2.noarch",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-tests-0:1.19.13-20.el9_2.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"product_id": "AppStream-9.2.0.Z.E4S:golang-tests-0:1.19.13-20.el9_2.noarch"
},
"product_reference": "golang-tests-0:1.19.13-20.el9_2.noarch",
"relates_to_product_reference": "AppStream-9.2.0.Z.E4S"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-47906",
"cwe": {
"id": "CWE-440",
"name": "Expected Behavior Violation"
},
"discovery_date": "2025-09-18T19:00:47.541046+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2396546"
}
],
"notes": [
{
"category": "description",
"text": "A path handling flaw has been discovered in the os/exec go package. If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\"\", \".\", and \"..\"), can result in the binaries listed in the PATH being unexpectedly returned.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "os/exec: Unexpected paths returned from LookPath in os/exec",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.src",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-docs-0:1.19.13-20.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-misc-0:1.19.13-20.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-race-0:1.19.13-20.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-src-0:1.19.13-20.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-tests-0:1.19.13-20.el9_2.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-47906"
},
{
"category": "external",
"summary": "RHBZ#2396546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396546"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-47906",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47906"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-47906",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47906"
},
{
"category": "external",
"summary": "https://go.dev/cl/691775",
"url": "https://go.dev/cl/691775"
},
{
"category": "external",
"summary": "https://go.dev/issue/74466",
"url": "https://go.dev/issue/74466"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM",
"url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3956",
"url": "https://pkg.go.dev/vuln/GO-2025-3956"
}
],
"release_date": "2025-09-18T18:41:11.847000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-26T15:05:54+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.src",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-docs-0:1.19.13-20.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-misc-0:1.19.13-20.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-race-0:1.19.13-20.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-src-0:1.19.13-20.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-tests-0:1.19.13-20.el9_2.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:22181"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.src",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-docs-0:1.19.13-20.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-misc-0:1.19.13-20.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-race-0:1.19.13-20.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-src-0:1.19.13-20.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-tests-0:1.19.13-20.el9_2.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.src",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-docs-0:1.19.13-20.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-misc-0:1.19.13-20.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-race-0:1.19.13-20.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-src-0:1.19.13-20.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-tests-0:1.19.13-20.el9_2.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "os/exec: Unexpected paths returned from LookPath in os/exec"
},
{
"cve": "CVE-2025-58183",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-10-29T23:01:50.573951+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2407258"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the archive/tar package in the Go standard library. tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A specially crafted tar archive with a pax header indicating a big number of sparse regions can cause a Go program to try to allocate a large amount of memory, causing an out-of-memory condition and resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: archive/tar: Unbounded allocation when parsing GNU sparse map",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit this issue, an attacker needs to be able to process a specially crafted GNU tar pax 1.0 archive with the application using the archive/tar package. Additionally, this issue can cause the Go application to allocate a large amount of memory, eventually leading to an out-of-memory condition and resulting in a denial of service with no other security impact. Due to these reasons, this flaw has been rated with a moderate severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.src",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-docs-0:1.19.13-20.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-misc-0:1.19.13-20.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-race-0:1.19.13-20.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-src-0:1.19.13-20.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-tests-0:1.19.13-20.el9_2.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-58183"
},
{
"category": "external",
"summary": "RHBZ#2407258",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2407258"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-58183",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58183"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-58183",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58183"
},
{
"category": "external",
"summary": "https://go.dev/cl/709861",
"url": "https://go.dev/cl/709861"
},
{
"category": "external",
"summary": "https://go.dev/issue/75677",
"url": "https://go.dev/issue/75677"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI",
"url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-4014",
"url": "https://pkg.go.dev/vuln/GO-2025-4014"
}
],
"release_date": "2025-10-29T22:10:14.376000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-11-26T15:05:54+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.src",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-docs-0:1.19.13-20.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-misc-0:1.19.13-20.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-race-0:1.19.13-20.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-src-0:1.19.13-20.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-tests-0:1.19.13-20.el9_2.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:22181"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.src",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-docs-0:1.19.13-20.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-misc-0:1.19.13-20.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-race-0:1.19.13-20.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-src-0:1.19.13-20.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-tests-0:1.19.13-20.el9_2.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.src",
"AppStream-9.2.0.Z.E4S:golang-0:1.19.13-20.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.aarch64",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.ppc64le",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.s390x",
"AppStream-9.2.0.Z.E4S:golang-bin-0:1.19.13-20.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-docs-0:1.19.13-20.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-misc-0:1.19.13-20.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-race-0:1.19.13-20.el9_2.x86_64",
"AppStream-9.2.0.Z.E4S:golang-src-0:1.19.13-20.el9_2.noarch",
"AppStream-9.2.0.Z.E4S:golang-tests-0:1.19.13-20.el9_2.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: archive/tar: Unbounded allocation when parsing GNU sparse map"
}
]
}
RHSA-2025:22668
Vulnerability from csaf_redhat - Published: 2025-12-03 14:58 - Updated: 2026-06-07 15:33Summary
Red Hat Security Advisory: go-toolset:rhel8 security update
Severity
Moderate
Notes
Topic: An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.
Security Fix(es):
* os/exec: Unexpected paths returned from LookPath in os/exec (CVE-2025-47906)
* golang: archive/tar: Unbounded allocation when parsing GNU sparse map (CVE-2025-58183)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A path handling flaw has been discovered in the os/exec go package. If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.
6.5 (Medium)
Affected products
Fixed
31 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:golang-docs-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:golang-misc-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:golang-src-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:golang-tests-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in the archive/tar package in the Go standard library. tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A specially crafted tar archive with a pax header indicating a big number of sparse regions can cause a Go program to try to allocate a large amount of memory, causing an out-of-memory condition and resulting in a denial of service.
7.5 (High)
Affected products
Fixed
31 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.src::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:golang-docs-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:golang-misc-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:golang-src-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-8.10.0.Z.MAIN.EUS:golang-tests-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
21 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. \n\nSecurity Fix(es):\n\n* os/exec: Unexpected paths returned from LookPath in os/exec (CVE-2025-47906)\n\n* golang: archive/tar: Unbounded allocation when parsing GNU sparse map (CVE-2025-58183)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:22668",
"url": "https://access.redhat.com/errata/RHSA-2025:22668"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2396546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396546"
},
{
"category": "external",
"summary": "2407258",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2407258"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_22668.json"
}
],
"title": "Red Hat Security Advisory: go-toolset:rhel8 security update",
"tracking": {
"current_release_date": "2026-06-07T15:33:22+00:00",
"generator": {
"date": "2026-06-07T15:33:22+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.2"
}
},
"id": "RHSA-2025:22668",
"initial_release_date": "2025-12-03T14:58:33+00:00",
"revision_history": [
{
"date": "2025-12-03T14:58:33+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-12-03T14:58:33+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-07T15:33:22+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 8)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:8::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.src::go-toolset:rhel8",
"product": {
"name": "delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.src (go-toolset:rhel8)",
"product_id": "delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.src::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve@1.25.2-1.module%2Bel8.10.0%2B23746%2B9db33b5e?arch=src\u0026rpmmod=go-toolset:rhel8:8100020251201162956:a3795dee"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.src::go-toolset:rhel8",
"product": {
"name": "golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.src (go-toolset:rhel8)",
"product_id": "golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.src::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.25.3-2.module%2Bel8.10.0%2B23746%2B9db33b5e?arch=src\u0026rpmmod=go-toolset:rhel8:8100020251201162956:a3795dee"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-docs-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8",
"product": {
"name": "golang-docs-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch (go-toolset:rhel8)",
"product_id": "golang-docs-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-docs@1.25.3-2.module%2Bel8.10.0%2B23746%2B9db33b5e?arch=noarch\u0026rpmmod=go-toolset:rhel8:8100020251201162956:a3795dee"
}
}
},
{
"category": "product_version",
"name": "golang-misc-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8",
"product": {
"name": "golang-misc-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch (go-toolset:rhel8)",
"product_id": "golang-misc-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-misc@1.25.3-2.module%2Bel8.10.0%2B23746%2B9db33b5e?arch=noarch\u0026rpmmod=go-toolset:rhel8:8100020251201162956:a3795dee"
}
}
},
{
"category": "product_version",
"name": "golang-src-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8",
"product": {
"name": "golang-src-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch (go-toolset:rhel8)",
"product_id": "golang-src-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-src@1.25.3-2.module%2Bel8.10.0%2B23746%2B9db33b5e?arch=noarch\u0026rpmmod=go-toolset:rhel8:8100020251201162956:a3795dee"
}
}
},
{
"category": "product_version",
"name": "golang-tests-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8",
"product": {
"name": "golang-tests-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch (go-toolset:rhel8)",
"product_id": "golang-tests-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-tests@1.25.3-2.module%2Bel8.10.0%2B23746%2B9db33b5e?arch=noarch\u0026rpmmod=go-toolset:rhel8:8100020251201162956:a3795dee"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"product": {
"name": "delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64 (go-toolset:rhel8)",
"product_id": "delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve@1.25.2-1.module%2Bel8.10.0%2B23746%2B9db33b5e?arch=aarch64\u0026rpmmod=go-toolset:rhel8:8100020251201162956:a3795dee"
}
}
},
{
"category": "product_version",
"name": "delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"product": {
"name": "delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64 (go-toolset:rhel8)",
"product_id": "delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve-debuginfo@1.25.2-1.module%2Bel8.10.0%2B23746%2B9db33b5e?arch=aarch64\u0026rpmmod=go-toolset:rhel8:8100020251201162956:a3795dee"
}
}
},
{
"category": "product_version",
"name": "delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"product": {
"name": "delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64 (go-toolset:rhel8)",
"product_id": "delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve-debugsource@1.25.2-1.module%2Bel8.10.0%2B23746%2B9db33b5e?arch=aarch64\u0026rpmmod=go-toolset:rhel8:8100020251201162956:a3795dee"
}
}
},
{
"category": "product_version",
"name": "go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"product": {
"name": "go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64 (go-toolset:rhel8)",
"product_id": "go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.25.3-2.module%2Bel8.10.0%2B23746%2B9db33b5e?arch=aarch64\u0026rpmmod=go-toolset:rhel8:8100020251201162956:a3795dee"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"product": {
"name": "golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64 (go-toolset:rhel8)",
"product_id": "golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.25.3-2.module%2Bel8.10.0%2B23746%2B9db33b5e?arch=aarch64\u0026rpmmod=go-toolset:rhel8:8100020251201162956:a3795dee"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"product": {
"name": "golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64 (go-toolset:rhel8)",
"product_id": "golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.25.3-2.module%2Bel8.10.0%2B23746%2B9db33b5e?arch=aarch64\u0026rpmmod=go-toolset:rhel8:8100020251201162956:a3795dee"
}
}
},
{
"category": "product_version",
"name": "golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"product": {
"name": "golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64 (go-toolset:rhel8)",
"product_id": "golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-race@1.25.3-2.module%2Bel8.10.0%2B23746%2B9db33b5e?arch=aarch64\u0026rpmmod=go-toolset:rhel8:8100020251201162956:a3795dee"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"product": {
"name": "delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le (go-toolset:rhel8)",
"product_id": "delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve@1.25.2-1.module%2Bel8.10.0%2B23746%2B9db33b5e?arch=ppc64le\u0026rpmmod=go-toolset:rhel8:8100020251201162956:a3795dee"
}
}
},
{
"category": "product_version",
"name": "delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"product": {
"name": "delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le (go-toolset:rhel8)",
"product_id": "delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve-debuginfo@1.25.2-1.module%2Bel8.10.0%2B23746%2B9db33b5e?arch=ppc64le\u0026rpmmod=go-toolset:rhel8:8100020251201162956:a3795dee"
}
}
},
{
"category": "product_version",
"name": "delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"product": {
"name": "delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le (go-toolset:rhel8)",
"product_id": "delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve-debugsource@1.25.2-1.module%2Bel8.10.0%2B23746%2B9db33b5e?arch=ppc64le\u0026rpmmod=go-toolset:rhel8:8100020251201162956:a3795dee"
}
}
},
{
"category": "product_version",
"name": "go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"product": {
"name": "go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le (go-toolset:rhel8)",
"product_id": "go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.25.3-2.module%2Bel8.10.0%2B23746%2B9db33b5e?arch=ppc64le\u0026rpmmod=go-toolset:rhel8:8100020251201162956:a3795dee"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"product": {
"name": "golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le (go-toolset:rhel8)",
"product_id": "golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.25.3-2.module%2Bel8.10.0%2B23746%2B9db33b5e?arch=ppc64le\u0026rpmmod=go-toolset:rhel8:8100020251201162956:a3795dee"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"product": {
"name": "golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le (go-toolset:rhel8)",
"product_id": "golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.25.3-2.module%2Bel8.10.0%2B23746%2B9db33b5e?arch=ppc64le\u0026rpmmod=go-toolset:rhel8:8100020251201162956:a3795dee"
}
}
},
{
"category": "product_version",
"name": "golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"product": {
"name": "golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le (go-toolset:rhel8)",
"product_id": "golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-race@1.25.3-2.module%2Bel8.10.0%2B23746%2B9db33b5e?arch=ppc64le\u0026rpmmod=go-toolset:rhel8:8100020251201162956:a3795dee"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"product": {
"name": "delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64 (go-toolset:rhel8)",
"product_id": "delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve@1.25.2-1.module%2Bel8.10.0%2B23746%2B9db33b5e?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8100020251201162956:a3795dee"
}
}
},
{
"category": "product_version",
"name": "delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"product": {
"name": "delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64 (go-toolset:rhel8)",
"product_id": "delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve-debuginfo@1.25.2-1.module%2Bel8.10.0%2B23746%2B9db33b5e?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8100020251201162956:a3795dee"
}
}
},
{
"category": "product_version",
"name": "delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"product": {
"name": "delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64 (go-toolset:rhel8)",
"product_id": "delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/delve-debugsource@1.25.2-1.module%2Bel8.10.0%2B23746%2B9db33b5e?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8100020251201162956:a3795dee"
}
}
},
{
"category": "product_version",
"name": "go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"product": {
"name": "go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64 (go-toolset:rhel8)",
"product_id": "go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.25.3-2.module%2Bel8.10.0%2B23746%2B9db33b5e?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8100020251201162956:a3795dee"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"product": {
"name": "golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64 (go-toolset:rhel8)",
"product_id": "golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.25.3-2.module%2Bel8.10.0%2B23746%2B9db33b5e?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8100020251201162956:a3795dee"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"product": {
"name": "golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64 (go-toolset:rhel8)",
"product_id": "golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.25.3-2.module%2Bel8.10.0%2B23746%2B9db33b5e?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8100020251201162956:a3795dee"
}
}
},
{
"category": "product_version",
"name": "golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"product": {
"name": "golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64 (go-toolset:rhel8)",
"product_id": "golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-race@1.25.3-2.module%2Bel8.10.0%2B23746%2B9db33b5e?arch=x86_64\u0026rpmmod=go-toolset:rhel8:8100020251201162956:a3795dee"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"product": {
"name": "go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x (go-toolset:rhel8)",
"product_id": "go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/go-toolset@1.25.3-2.module%2Bel8.10.0%2B23746%2B9db33b5e?arch=s390x\u0026rpmmod=go-toolset:rhel8:8100020251201162956:a3795dee"
}
}
},
{
"category": "product_version",
"name": "golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"product": {
"name": "golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x (go-toolset:rhel8)",
"product_id": "golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.25.3-2.module%2Bel8.10.0%2B23746%2B9db33b5e?arch=s390x\u0026rpmmod=go-toolset:rhel8:8100020251201162956:a3795dee"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"product": {
"name": "golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x (go-toolset:rhel8)",
"product_id": "golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.25.3-2.module%2Bel8.10.0%2B23746%2B9db33b5e?arch=s390x\u0026rpmmod=go-toolset:rhel8:8100020251201162956:a3795dee"
}
}
},
{
"category": "product_version",
"name": "golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"product": {
"name": "golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x (go-toolset:rhel8)",
"product_id": "golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-race@1.25.3-2.module%2Bel8.10.0%2B23746%2B9db33b5e?arch=s390x\u0026rpmmod=go-toolset:rhel8:8100020251201162956:a3795dee"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8"
},
"product_reference": "delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8"
},
"product_reference": "delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.src::go-toolset:rhel8"
},
"product_reference": "delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8"
},
"product_reference": "delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8"
},
"product_reference": "delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8"
},
"product_reference": "delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8"
},
"product_reference": "delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8"
},
"product_reference": "delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8"
},
"product_reference": "go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8"
},
"product_reference": "go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8"
},
"product_reference": "go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8"
},
"product_reference": "go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8"
},
"product_reference": "golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8"
},
"product_reference": "golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8"
},
"product_reference": "golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.src (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.src::go-toolset:rhel8"
},
"product_reference": "golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.src::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8"
},
"product_reference": "golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8"
},
"product_reference": "golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8"
},
"product_reference": "golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-docs-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:golang-docs-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8"
},
"product_reference": "golang-docs-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-misc-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:golang-misc-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8"
},
"product_reference": "golang-misc-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8"
},
"product_reference": "golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8"
},
"product_reference": "golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8"
},
"product_reference": "golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64 (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8"
},
"product_reference": "golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-src-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:golang-src-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8"
},
"product_reference": "golang-src-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-tests-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch (go-toolset:rhel8) as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.10.0.Z.MAIN.EUS:golang-tests-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8"
},
"product_reference": "golang-tests-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8",
"relates_to_product_reference": "AppStream-8.10.0.Z.MAIN.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-47906",
"cwe": {
"id": "CWE-440",
"name": "Expected Behavior Violation"
},
"discovery_date": "2025-09-18T19:00:47.541046+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2396546"
}
],
"notes": [
{
"category": "description",
"text": "A path handling flaw has been discovered in the os/exec go package. If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\"\", \".\", and \"..\"), can result in the binaries listed in the PATH being unexpectedly returned.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "os/exec: Unexpected paths returned from LookPath in os/exec",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.src::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.src::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-docs-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-misc-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-src-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-tests-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-47906"
},
{
"category": "external",
"summary": "RHBZ#2396546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396546"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-47906",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47906"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-47906",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47906"
},
{
"category": "external",
"summary": "https://go.dev/cl/691775",
"url": "https://go.dev/cl/691775"
},
{
"category": "external",
"summary": "https://go.dev/issue/74466",
"url": "https://go.dev/issue/74466"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM",
"url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3956",
"url": "https://pkg.go.dev/vuln/GO-2025-3956"
}
],
"release_date": "2025-09-18T18:41:11.847000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-03T14:58:33+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.src::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.src::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-docs-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-misc-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-src-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-tests-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:22668"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.src::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.src::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-docs-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-misc-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-src-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-tests-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.src::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.src::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-docs-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-misc-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-src-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-tests-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "os/exec: Unexpected paths returned from LookPath in os/exec"
},
{
"cve": "CVE-2025-58183",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-10-29T23:01:50.573951+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2407258"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the archive/tar package in the Go standard library. tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A specially crafted tar archive with a pax header indicating a big number of sparse regions can cause a Go program to try to allocate a large amount of memory, causing an out-of-memory condition and resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: archive/tar: Unbounded allocation when parsing GNU sparse map",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit this issue, an attacker needs to be able to process a specially crafted GNU tar pax 1.0 archive with the application using the archive/tar package. Additionally, this issue can cause the Go application to allocate a large amount of memory, eventually leading to an out-of-memory condition and resulting in a denial of service with no other security impact. Due to these reasons, this flaw has been rated with a moderate severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.src::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.src::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-docs-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-misc-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-src-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-tests-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-58183"
},
{
"category": "external",
"summary": "RHBZ#2407258",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2407258"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-58183",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58183"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-58183",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58183"
},
{
"category": "external",
"summary": "https://go.dev/cl/709861",
"url": "https://go.dev/cl/709861"
},
{
"category": "external",
"summary": "https://go.dev/issue/75677",
"url": "https://go.dev/issue/75677"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI",
"url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-4014",
"url": "https://pkg.go.dev/vuln/GO-2025-4014"
}
],
"release_date": "2025-10-29T22:10:14.376000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-03T14:58:33+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.src::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.src::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-docs-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-misc-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-src-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-tests-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:22668"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.src::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.src::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-docs-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-misc-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-src-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-tests-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.src::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debuginfo-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:delve-debugsource-0:1.25.2-1.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:go-toolset-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.src::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-bin-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-docs-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-misc-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.aarch64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.ppc64le::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.s390x::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-race-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.x86_64::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-src-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8",
"AppStream-8.10.0.Z.MAIN.EUS:golang-tests-0:1.25.3-2.module+el8.10.0+23746+9db33b5e.noarch::go-toolset:rhel8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: archive/tar: Unbounded allocation when parsing GNU sparse map"
}
]
}
RHSA-2025:22899
Vulnerability from csaf_redhat - Published: 2025-12-09 08:03 - Updated: 2026-06-07 15:33Summary
Red Hat Security Advisory: golang security update
Severity
Moderate
Notes
Topic: An update for golang is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: The golang packages provide the Go programming language compiler.
Security Fix(es):
* os/exec: Unexpected paths returned from LookPath in os/exec (CVE-2025-47906)
* golang: archive/tar: Unbounded allocation when parsing GNU sparse map (CVE-2025-58183)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A path handling flaw has been discovered in the os/exec go package. If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.
6.5 (Medium)
Affected products
Fixed
14 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-docs-0:1.17.13-8.el9_0.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-misc-0:1.17.13-8.el9_0.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-race-0:1.17.13-8.el9_0.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-src-0:1.17.13-8.el9_0.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-tests-0:1.17.13-8.el9_0.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in the archive/tar package in the Go standard library. tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A specially crafted tar archive with a pax header indicating a big number of sparse regions can cause a Go program to try to allocate a large amount of memory, causing an out-of-memory condition and resulting in a denial of service.
7.5 (High)
Affected products
Fixed
14 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-docs-0:1.17.13-8.el9_0.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-misc-0:1.17.13-8.el9_0.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-race-0:1.17.13-8.el9_0.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-src-0:1.17.13-8.el9_0.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.0.0.Z.E4S:golang-tests-0:1.17.13-8.el9_0.noarch | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
21 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for golang is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The golang packages provide the Go programming language compiler.\n\nSecurity Fix(es):\n\n* os/exec: Unexpected paths returned from LookPath in os/exec (CVE-2025-47906)\n\n* golang: archive/tar: Unbounded allocation when parsing GNU sparse map (CVE-2025-58183)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:22899",
"url": "https://access.redhat.com/errata/RHSA-2025:22899"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2396546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396546"
},
{
"category": "external",
"summary": "2407258",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2407258"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_22899.json"
}
],
"title": "Red Hat Security Advisory: golang security update",
"tracking": {
"current_release_date": "2026-06-07T15:33:23+00:00",
"generator": {
"date": "2026-06-07T15:33:23+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.2"
}
},
"id": "RHSA-2025:22899",
"initial_release_date": "2025-12-09T08:03:20+00:00",
"revision_history": [
{
"date": "2025-12-09T08:03:20+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-12-09T08:03:20+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-07T15:33:23+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product": {
"name": "Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_e4s:9.0::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-0:1.17.13-8.el9_0.src",
"product": {
"name": "golang-0:1.17.13-8.el9_0.src",
"product_id": "golang-0:1.17.13-8.el9_0.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.17.13-8.el9_0?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-0:1.17.13-8.el9_0.aarch64",
"product": {
"name": "golang-0:1.17.13-8.el9_0.aarch64",
"product_id": "golang-0:1.17.13-8.el9_0.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.17.13-8.el9_0?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.17.13-8.el9_0.aarch64",
"product": {
"name": "golang-bin-0:1.17.13-8.el9_0.aarch64",
"product_id": "golang-bin-0:1.17.13-8.el9_0.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.17.13-8.el9_0?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-0:1.17.13-8.el9_0.ppc64le",
"product": {
"name": "golang-0:1.17.13-8.el9_0.ppc64le",
"product_id": "golang-0:1.17.13-8.el9_0.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.17.13-8.el9_0?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.17.13-8.el9_0.ppc64le",
"product": {
"name": "golang-bin-0:1.17.13-8.el9_0.ppc64le",
"product_id": "golang-bin-0:1.17.13-8.el9_0.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.17.13-8.el9_0?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-0:1.17.13-8.el9_0.x86_64",
"product": {
"name": "golang-0:1.17.13-8.el9_0.x86_64",
"product_id": "golang-0:1.17.13-8.el9_0.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.17.13-8.el9_0?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.17.13-8.el9_0.x86_64",
"product": {
"name": "golang-bin-0:1.17.13-8.el9_0.x86_64",
"product_id": "golang-bin-0:1.17.13-8.el9_0.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.17.13-8.el9_0?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "golang-race-0:1.17.13-8.el9_0.x86_64",
"product": {
"name": "golang-race-0:1.17.13-8.el9_0.x86_64",
"product_id": "golang-race-0:1.17.13-8.el9_0.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-race@1.17.13-8.el9_0?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-0:1.17.13-8.el9_0.s390x",
"product": {
"name": "golang-0:1.17.13-8.el9_0.s390x",
"product_id": "golang-0:1.17.13-8.el9_0.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang@1.17.13-8.el9_0?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "golang-bin-0:1.17.13-8.el9_0.s390x",
"product": {
"name": "golang-bin-0:1.17.13-8.el9_0.s390x",
"product_id": "golang-bin-0:1.17.13-8.el9_0.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-bin@1.17.13-8.el9_0?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "golang-docs-0:1.17.13-8.el9_0.noarch",
"product": {
"name": "golang-docs-0:1.17.13-8.el9_0.noarch",
"product_id": "golang-docs-0:1.17.13-8.el9_0.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-docs@1.17.13-8.el9_0?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "golang-misc-0:1.17.13-8.el9_0.noarch",
"product": {
"name": "golang-misc-0:1.17.13-8.el9_0.noarch",
"product_id": "golang-misc-0:1.17.13-8.el9_0.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-misc@1.17.13-8.el9_0?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "golang-src-0:1.17.13-8.el9_0.noarch",
"product": {
"name": "golang-src-0:1.17.13-8.el9_0.noarch",
"product_id": "golang-src-0:1.17.13-8.el9_0.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-src@1.17.13-8.el9_0?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "golang-tests-0:1.17.13-8.el9_0.noarch",
"product": {
"name": "golang-tests-0:1.17.13-8.el9_0.noarch",
"product_id": "golang-tests-0:1.17.13-8.el9_0.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/golang-tests@1.17.13-8.el9_0?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.17.13-8.el9_0.aarch64 as a component of Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.aarch64"
},
"product_reference": "golang-0:1.17.13-8.el9_0.aarch64",
"relates_to_product_reference": "AppStream-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.17.13-8.el9_0.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.ppc64le"
},
"product_reference": "golang-0:1.17.13-8.el9_0.ppc64le",
"relates_to_product_reference": "AppStream-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.17.13-8.el9_0.s390x as a component of Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.s390x"
},
"product_reference": "golang-0:1.17.13-8.el9_0.s390x",
"relates_to_product_reference": "AppStream-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.17.13-8.el9_0.src as a component of Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.src"
},
"product_reference": "golang-0:1.17.13-8.el9_0.src",
"relates_to_product_reference": "AppStream-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-0:1.17.13-8.el9_0.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.x86_64"
},
"product_reference": "golang-0:1.17.13-8.el9_0.x86_64",
"relates_to_product_reference": "AppStream-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.17.13-8.el9_0.aarch64 as a component of Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.aarch64"
},
"product_reference": "golang-bin-0:1.17.13-8.el9_0.aarch64",
"relates_to_product_reference": "AppStream-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.17.13-8.el9_0.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.ppc64le"
},
"product_reference": "golang-bin-0:1.17.13-8.el9_0.ppc64le",
"relates_to_product_reference": "AppStream-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.17.13-8.el9_0.s390x as a component of Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.s390x"
},
"product_reference": "golang-bin-0:1.17.13-8.el9_0.s390x",
"relates_to_product_reference": "AppStream-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-bin-0:1.17.13-8.el9_0.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.x86_64"
},
"product_reference": "golang-bin-0:1.17.13-8.el9_0.x86_64",
"relates_to_product_reference": "AppStream-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-docs-0:1.17.13-8.el9_0.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S:golang-docs-0:1.17.13-8.el9_0.noarch"
},
"product_reference": "golang-docs-0:1.17.13-8.el9_0.noarch",
"relates_to_product_reference": "AppStream-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-misc-0:1.17.13-8.el9_0.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S:golang-misc-0:1.17.13-8.el9_0.noarch"
},
"product_reference": "golang-misc-0:1.17.13-8.el9_0.noarch",
"relates_to_product_reference": "AppStream-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-race-0:1.17.13-8.el9_0.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S:golang-race-0:1.17.13-8.el9_0.x86_64"
},
"product_reference": "golang-race-0:1.17.13-8.el9_0.x86_64",
"relates_to_product_reference": "AppStream-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-src-0:1.17.13-8.el9_0.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S:golang-src-0:1.17.13-8.el9_0.noarch"
},
"product_reference": "golang-src-0:1.17.13-8.el9_0.noarch",
"relates_to_product_reference": "AppStream-9.0.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-tests-0:1.17.13-8.el9_0.noarch as a component of Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"product_id": "AppStream-9.0.0.Z.E4S:golang-tests-0:1.17.13-8.el9_0.noarch"
},
"product_reference": "golang-tests-0:1.17.13-8.el9_0.noarch",
"relates_to_product_reference": "AppStream-9.0.0.Z.E4S"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-47906",
"cwe": {
"id": "CWE-440",
"name": "Expected Behavior Violation"
},
"discovery_date": "2025-09-18T19:00:47.541046+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2396546"
}
],
"notes": [
{
"category": "description",
"text": "A path handling flaw has been discovered in the os/exec go package. If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath (\"\", \".\", and \"..\"), can result in the binaries listed in the PATH being unexpectedly returned.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "os/exec: Unexpected paths returned from LookPath in os/exec",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.aarch64",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.ppc64le",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.s390x",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.src",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.aarch64",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.ppc64le",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.s390x",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:golang-docs-0:1.17.13-8.el9_0.noarch",
"AppStream-9.0.0.Z.E4S:golang-misc-0:1.17.13-8.el9_0.noarch",
"AppStream-9.0.0.Z.E4S:golang-race-0:1.17.13-8.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:golang-src-0:1.17.13-8.el9_0.noarch",
"AppStream-9.0.0.Z.E4S:golang-tests-0:1.17.13-8.el9_0.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-47906"
},
{
"category": "external",
"summary": "RHBZ#2396546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2396546"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-47906",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47906"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-47906",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47906"
},
{
"category": "external",
"summary": "https://go.dev/cl/691775",
"url": "https://go.dev/cl/691775"
},
{
"category": "external",
"summary": "https://go.dev/issue/74466",
"url": "https://go.dev/issue/74466"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM",
"url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-3956",
"url": "https://pkg.go.dev/vuln/GO-2025-3956"
}
],
"release_date": "2025-09-18T18:41:11.847000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-09T08:03:20+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.aarch64",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.ppc64le",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.s390x",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.src",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.aarch64",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.ppc64le",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.s390x",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:golang-docs-0:1.17.13-8.el9_0.noarch",
"AppStream-9.0.0.Z.E4S:golang-misc-0:1.17.13-8.el9_0.noarch",
"AppStream-9.0.0.Z.E4S:golang-race-0:1.17.13-8.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:golang-src-0:1.17.13-8.el9_0.noarch",
"AppStream-9.0.0.Z.E4S:golang-tests-0:1.17.13-8.el9_0.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:22899"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.aarch64",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.ppc64le",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.s390x",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.src",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.aarch64",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.ppc64le",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.s390x",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:golang-docs-0:1.17.13-8.el9_0.noarch",
"AppStream-9.0.0.Z.E4S:golang-misc-0:1.17.13-8.el9_0.noarch",
"AppStream-9.0.0.Z.E4S:golang-race-0:1.17.13-8.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:golang-src-0:1.17.13-8.el9_0.noarch",
"AppStream-9.0.0.Z.E4S:golang-tests-0:1.17.13-8.el9_0.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.aarch64",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.ppc64le",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.s390x",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.src",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.aarch64",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.ppc64le",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.s390x",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:golang-docs-0:1.17.13-8.el9_0.noarch",
"AppStream-9.0.0.Z.E4S:golang-misc-0:1.17.13-8.el9_0.noarch",
"AppStream-9.0.0.Z.E4S:golang-race-0:1.17.13-8.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:golang-src-0:1.17.13-8.el9_0.noarch",
"AppStream-9.0.0.Z.E4S:golang-tests-0:1.17.13-8.el9_0.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "os/exec: Unexpected paths returned from LookPath in os/exec"
},
{
"cve": "CVE-2025-58183",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-10-29T23:01:50.573951+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2407258"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the archive/tar package in the Go standard library. tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A specially crafted tar archive with a pax header indicating a big number of sparse regions can cause a Go program to try to allocate a large amount of memory, causing an out-of-memory condition and resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: archive/tar: Unbounded allocation when parsing GNU sparse map",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit this issue, an attacker needs to be able to process a specially crafted GNU tar pax 1.0 archive with the application using the archive/tar package. Additionally, this issue can cause the Go application to allocate a large amount of memory, eventually leading to an out-of-memory condition and resulting in a denial of service with no other security impact. Due to these reasons, this flaw has been rated with a moderate severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.aarch64",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.ppc64le",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.s390x",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.src",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.aarch64",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.ppc64le",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.s390x",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:golang-docs-0:1.17.13-8.el9_0.noarch",
"AppStream-9.0.0.Z.E4S:golang-misc-0:1.17.13-8.el9_0.noarch",
"AppStream-9.0.0.Z.E4S:golang-race-0:1.17.13-8.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:golang-src-0:1.17.13-8.el9_0.noarch",
"AppStream-9.0.0.Z.E4S:golang-tests-0:1.17.13-8.el9_0.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-58183"
},
{
"category": "external",
"summary": "RHBZ#2407258",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2407258"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-58183",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58183"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-58183",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58183"
},
{
"category": "external",
"summary": "https://go.dev/cl/709861",
"url": "https://go.dev/cl/709861"
},
{
"category": "external",
"summary": "https://go.dev/issue/75677",
"url": "https://go.dev/issue/75677"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI",
"url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2025-4014",
"url": "https://pkg.go.dev/vuln/GO-2025-4014"
}
],
"release_date": "2025-10-29T22:10:14.376000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-09T08:03:20+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.aarch64",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.ppc64le",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.s390x",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.src",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.aarch64",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.ppc64le",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.s390x",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:golang-docs-0:1.17.13-8.el9_0.noarch",
"AppStream-9.0.0.Z.E4S:golang-misc-0:1.17.13-8.el9_0.noarch",
"AppStream-9.0.0.Z.E4S:golang-race-0:1.17.13-8.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:golang-src-0:1.17.13-8.el9_0.noarch",
"AppStream-9.0.0.Z.E4S:golang-tests-0:1.17.13-8.el9_0.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:22899"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.aarch64",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.ppc64le",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.s390x",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.src",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.aarch64",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.ppc64le",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.s390x",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:golang-docs-0:1.17.13-8.el9_0.noarch",
"AppStream-9.0.0.Z.E4S:golang-misc-0:1.17.13-8.el9_0.noarch",
"AppStream-9.0.0.Z.E4S:golang-race-0:1.17.13-8.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:golang-src-0:1.17.13-8.el9_0.noarch",
"AppStream-9.0.0.Z.E4S:golang-tests-0:1.17.13-8.el9_0.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.aarch64",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.ppc64le",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.s390x",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.src",
"AppStream-9.0.0.Z.E4S:golang-0:1.17.13-8.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.aarch64",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.ppc64le",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.s390x",
"AppStream-9.0.0.Z.E4S:golang-bin-0:1.17.13-8.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:golang-docs-0:1.17.13-8.el9_0.noarch",
"AppStream-9.0.0.Z.E4S:golang-misc-0:1.17.13-8.el9_0.noarch",
"AppStream-9.0.0.Z.E4S:golang-race-0:1.17.13-8.el9_0.x86_64",
"AppStream-9.0.0.Z.E4S:golang-src-0:1.17.13-8.el9_0.noarch",
"AppStream-9.0.0.Z.E4S:golang-tests-0:1.17.13-8.el9_0.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: archive/tar: Unbounded allocation when parsing GNU sparse map"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…