VYPR

rpm package

almalinux/delve

pkg:rpm/almalinux/delve

Vulnerabilities (67)

  • CVE-2026-27137 · High · Mar 6, 2026
    affected < 1.25.2-3.el10_1 · fixed 1.25.2-3.el10_1

    When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.

  • CVE-2026-25679 · High · Mar 6, 2026
    affected < 1.25.2-1.module_el8.10.0+4074+24330916 · fixed 1.25.2-1.module_el8.10.0+4074+24330916

    url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

  • CVE-2025-68121 · Critical · Feb 5, 2026
    affected < 1.25.2-1.module_el8.10.0+4074+24330916 · fixed 1.25.2-1.module_el8.10.0+4074+24330916

    During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and

  • CVE-2025-61732 · Feb 5, 2026
    affected < 1.25.2-1.module_el8.10.0+4074+24330916 · fixed 1.25.2-1.module_el8.10.0+4074+24330916

    A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.

  • CVE-2025-61728 · Jan 28, 2026
    affected < 1.25.2-1.module_el8.10.0+4074+24330916 · fixed 1.25.2-1.module_el8.10.0+4074+24330916

    archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.

  • CVE-2025-61726 · Jan 28, 2026
    affected < 1.25.2-1.module_el8.10.0+4074+24330916 · fixed 1.25.2-1.module_el8.10.0+4074+24330916

    The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a la

  • CVE-2025-61731 · Jan 28, 2026
    affected < 1.25.2-1.module_el8.10.0+4074+24330916 · fixed 1.25.2-1.module_el8.10.0+4074+24330916

    Building a malicious file with cmd/go can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can

  • CVE-2025-61729 · Dec 2, 2025
    affected < 1.25.2-1.module_el8.10.0+4074+24330916 · fixed 1.25.2-1.module_el8.10.0+4074+24330916

    Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a

  • CVE-2025-58183 · Medium · Oct 29, 2025
    affected < 1.25.2-1.el9_7 · fixed 1.25.2-1.el9_7

    tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When r

  • CVE-2025-47906 · Sep 18, 2025
    affected < 1.25.2-1.module_el8.10.0+4074+24330916 · fixed 1.25.2-1.module_el8.10.0+4074+24330916

    If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.

  • CVE-2025-4674 · Jul 29, 2025
    affected < 1.24.1-1.module_el8.10.0+3977+66935a26 · fixed 1.24.1-1.module_el8.10.0+3977+66935a26

    The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another V

  • CVE-2025-4673 · Medium · Jun 11, 2025
    affected < 1.24.1-1.module_el8.10.0+3977+66935a26 · fixed 1.24.1-1.module_el8.10.0+3977+66935a26

    Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.

  • CVE-2025-22871 · Critical · Apr 8, 2025
    affected < 1.24.1-1.module_el8.10.0+3977+66935a26 · fixed 1.24.1-1.module_el8.10.0+3977+66935a26

    The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

  • CVE-2025-22866 · Medium · Feb 6, 2025
    affected < 1.24.1-1.el10_0 · fixed 1.24.1-1.el10_0

    Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recover

  • CVE-2024-45341 · Medium · Jan 28, 2025
    affected < 1.24.1-1.module_el8.10.0+3977+66935a26 · fixed 1.24.1-1.module_el8.10.0+3977+66935a26

    A certificate with a URI which has an IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.

  • CVE-2024-45336 · Medium · Jan 28, 2025
    affected < 1.24.1-1.module_el8.10.0+3977+66935a26 · fixed 1.24.1-1.module_el8.10.0+3977+66935a26

    The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain re

  • CVE-2024-9355 · Medium · Oct 1, 2024
    affected < 1.21.2-4.module_el8.10.0+3895+92d465e0 · fixed 1.21.2-4.module_el8.10.0+3895+92d465e0

    A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when co

  • CVE-2024-34158 · High · Sep 6, 2024
    affected < 1.21.2-4.module_el8.10.0+3895+92d465e0 · fixed 1.21.2-4.module_el8.10.0+3895+92d465e0

    Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

  • CVE-2024-34156 · High · Sep 6, 2024
    affected < 1.21.2-4.module_el8.10.0+3895+92d465e0 · fixed 1.21.2-4.module_el8.10.0+3895+92d465e0

    Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

  • CVE-2024-34155 · Medium · Sep 6, 2024
    affected < 1.21.2-4.module_el8.10.0+3895+92d465e0 · fixed 1.21.2-4.module_el8.10.0+3895+92d465e0

    Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.

Page 1 of 4