153 matches found

OSV
added 2026/05/06 12:44 a.m., 3 views

SUSE-SU-2026:21560-1 Security update for distribution

This update for distribution fixes the following issues. Security issues: - CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2 :path pseudo-header (bsc#1260283). - CVE-2026-33540: information disclosure via improper validation of authentication real...

CVSS 9.1, AI score 6.9, EPSS 0.00061
Exploits: 3, References: 10

OSV
added 2026/05/06 12:39 a.m., 1 view

OPENSUSE-SU-2026:20686-1 Security update for distribution

This update for distribution fixes the following issues. Security issues: - CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2 :path pseudo-header (bsc#1260283). - CVE-2026-33540: information disclosure via improper validation of authentication real...

CVSS 9.1, AI score 7, EPSS 0.00061
Exploits: 3, References: 9

Positive Technologies
added 2026/03/18 12:0 a.m., 1 view

PT-2026-26773

Name of the Vulnerable Software and Affected Versions: goxmlsig versions prior to 1.6.0; goxmlsig versions prior to 1.22 when using older Go versions or go.mod versions. Description: The validateSignature function in validate.go has a loop variable capture issue in Go versions before 1.22, or when...

CVSS 7.5, AI score 5.9, EPSS 0.00026
Exploits: 1, References: 45

ATTACKERKB
added 2026/02/09 6:4 p.m., 1 view

CVE-2025-66630

Fiber is an Express inspired web framework written in Go. Before 2.52.11, on Go versions prior to 1.24, the underlying crypto/rand implementation can return an error if secure randomness cannot be obtained. Because no error is returned by the Fiber v2 UUID functions, application code may...

CVSS 9.2, AI score 5.6, EPSS 0.0002
Exploits: 0, References: 4, Affected Software: 1

CVE
added 2026/02/09 6:4 p.m., 4 views

CVE-2025-66630

Fiber is a Go web framework. Before 2.52.11 and on Go

CVSS 9.4, AI score 5.6, EPSS 0.0002
Exploits: 0, References: 3, Affected Software: 1

OPENSUSE Linux
added 2026/01/30 12:0 a.m., 7 views

Security update for coredns (important)

openSUSE Security Update: Security update for coredns. Announcement ID: openSUSE-SU-2026:0032-1. Rating: important. References: 1255345. Cross-References: CVE-2025-61726, CVE-2025-61728, CVE-2025-61731, CVE-2025-68119, CVE-2025-68121, CVE-2025-68156. CVSS scores: CVE-2025-61726 SUSE: 6.9...

CVSS 8.7, AI score 7.1, EPSS 0.00045
Exploits: 2, References: 1

OSV
added 2026/01/28 8:16 p.m., 1 view

AZL-75719 CVE-2025-61728 affecting package golang for versions less than 1.25.6-1

archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive...

CVSS 6.5, AI score 6.7, EPSS 0.00043
Exploits: 1, References: 1

EUVD
added 2025/10/07 12:30 a.m., 0 views

EUVD-2021-22841

Malware in sbrugna...

CVSS 5.9, AI score 6.8, EPSS 0.00231
Exploits: 0, References: 33

EUVD
added 2025/10/07 12:30 a.m., 1 view

EUVD-2021-26466

Malware in sbrugna...

CVSS 6.5, AI score 6.3, EPSS 0.0012
Exploits: 0, References: 37

EUVD
added 2025/10/07 12:30 a.m., 1 view

EUVD-2019-5938

Malware in sbrugna...

CVSS 9.8, AI score 9.1, EPSS 0.02534
Exploits: 1, References: 20

EUVD
added 2025/10/03 8:7 p.m., 1 view

EUVD-2022-28708

Malicious code in bioql PyPI...

CVSS 7.8, AI score 8.5, EPSS 0.00038
Exploits: 0, References: 20

EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2022-28709

Malicious code in bioql PyPI...

CVSS 7.5, AI score 8.5, EPSS 0.00118
Exploits: 0, References: 19

EUVD
added 2025/10/03 8:7 p.m., 3 views

EUVD-2022-52465

Malicious code in bioql PyPI...

CVSS 7.5, AI score 7.3, EPSS 0.00076
Exploits: 1, References: 6

EUVD
added 2025/10/03 8:7 p.m., 1 view

EUVD-2022-52429

Malicious code in bioql PyPI...

CVSS 7.8, AI score 6.7, EPSS 0.00067
Exploits: 0, References: 6

Tenable Nessus
added 2025/09/05 12:0 a.m., 1 view

Golang 1.24.x < 1.24.7 / 1.25.x < 1.25.1 Insecure Bypass (75054)

The version of Golang running on the remote host is 1.24.x prior to 1.24.7 or 1.25.x prior to 1.25.1. It is, therefore, affected by a vulnerability as referenced in the 75054 advisory. - When passing patterns to CrossOriginProtection.AddInsecureBypassPattern, requests that would have redirected to thos...

CVSS 5.4, AI score 8, EPSS 0.00012
Exploits: 0, References: 3

Microsoft CVE
added 2025/09/03 10:44 p.m., 2 views

An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do so. In 2013, upstream issue #5184, this was changed so that the server may decide whether PLAIN is acceptable. The result is that if you set up a man-in-the-middle SMTP server that doesn't advertise STARTTLS and does advertise that PLAIN auth is OK, the smtp.PlainAuth implementation sends the username and password.

...

CVSS 5.9, AI score 7, EPSS 0.00181
Exploits: 0

Microsoft CVE
added 2025/09/03 9:29 p.m., 1 view

Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks.

...

CVSS 8.2, AI score 7, EPSS 0.00598
Exploits: 0

Tenable Nessus
added 2025/09/03 12:0 a.m., 6 views

Linux Distros Unpatched Vulnerability : CVE-2015-5741

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request...

CVSS 9.8, AI score 7.1, EPSS 0.01751
Exploits: 0, References: 2

Tenable Nessus
added 2025/09/03 12:0 a.m., 2 views

Linux Distros Unpatched Vulnerability : CVE-2017-15042

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on...

CVSS 5.9, AI score 7.2, EPSS 0.00181
Exploits: 0, References: 2

Tenable Nessus
added 2025/08/27 12:0 a.m., 3 views

Linux Distros Unpatched Vulnerability : CVE-2022-30634

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause an indefinite hang by passing a buffer larger than 1 << 32...

CVSS 7.5, AI score 7.7, EPSS 0.00076
Exploits: 1, References: 2