MGASA-2025-0256 Updated golang packages fix security vulnerabilities
Insufficient validation of bracketed IPv6 hostnames in net/url. CVE-2025-47912 Unbounded allocation when parsing GNU sparse map in archive/tar. CVE-2025-58183 Parsing DER payload can cause memory exhaustion in encoding/asn1. CVE-2025-58185 Lack of limit when parsing cookies can cause memory...
Astra Linux – Vulnerability in Linux 6.12
In the Linux kernel, the following vulnerability has been resolved: ceph parselongname: strrchr expects a NUL-terminated string … And parselongname does not guarantee this. That’s why it uses kmemdupnul to create a NUL-terminated string for the argument passed to kstrtou64. The problem is that...
Astra Linux – Vulnerability found in Linux 6.1, Linux 6.12
In the Linux kernel, the following vulnerabilities have been resolved: smb3: fixed an issue where a slab out-of-bounds condition could occur during mount to ksmbd. With KASAN enabled, it is possible to encounter a slab out-of-bounds condition during mount to ksmbd due to a missing check in the...
Astra Linux – Vulnerability in audit
The vulnerability of the ausearch-parse.c component, a storage and search tool for audit records in Linux Audit, relates to reading data from the buffer beyond its allowable limits. Exploiting this vulnerability allows an attacker to cause service failures...
Eval Injection
Overview: litdb is a literature database tool with GPT integration. Affected versions of this package are vulnerable to Eval Injection via the parseschemadsl function in the extract.py file, which unsafely uses the eval function. This allows an attacker to execute arbitrary Python code on the...
ksmbd: fix out-of-bounds in parse_sec_desc()
...
CLSA-2025-1761902260 Fix CVE(s): CVE-2024-45490
SECURITY UPDATE: Improper restriction of XML External Entity Reference - debian/patches/CVE-2024-45490.patch: Reject negative len for XMLParseBuffer - CVE-2024-45490...
CLSA-2025-1761847256 Fix CVE(s): CVE-2022-47673, CVE-2023-25584
SECURITY UPDATE: multiple vulnerabilities in vms-alpha.c parsemodule - debian/patches/CVE-2022-47673CVE-2023-25584-.patch: fix null pointer dereference in parsemodule by adding return value checking for bfdzalloc calls, fix potential out of bounds memory access in DST record parsing loop -...
CVE-2025-40099
In the Linux kernel, the following vulnerability has been resolved: cifs: parsedfsreferrals: prevent oob on malformed input Malicious SMB server can send invalid reply to FSCTLDFSGETREFERRALS - reply smaller than sizeofstruct getdfsreferralrsp - reply with number of referrals smaller than...
EUVD-2025-36739
The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption...
EUVD-2025-36735
The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames mus...
CVE-2025-61725
The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption...
AZL-69290 CVE-2025-61725 affecting package golang 1.26.0-1
The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption...
CVE-2025-47912
The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames mus...
AZL-78905 CVE-2025-47912 affecting package golang 1.25.7-1
The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames mus...
UBUNTU-CVE-2025-61725
The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption...
CVE-2025-47912 Insufficient validation of bracketed IPv6 hostnames in net/url
The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames mus...
CVE-2025-61725 Excessive CPU consumption in ParseAddress in net/mail
The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption...
Allocation of Resources Without Limits or Throttling
Overview: std/net/mail is a Go standard library package. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. Go Vulnerability Report: The ParseAddress function constructs domain-literal address components through repeated string...
Google Go Security Vulnerability
Google Go is a static strongly-typed, compiled, concatenated, and garbage-collected programming language from Google, Inc USA. A security vulnerability exists in Google Go that stems from the Parse function not properly validating the IPv6 address format within square brackets in the URL host...