VYPR

rpm package

almalinux/golang-race

pkg:rpm/almalinux/golang-race

Vulnerabilities (47)

  • CVE-2026-42507MedJun 2, 2026
    affected < 1.26.4-1.el10_2.alma.1fixed 1.26.4-1.el10_2.alma.1

    When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

  • CVE-2026-27137HigMar 6, 2026
    affected < 1.26.2-2.el10_2.alma.1fixed 1.26.2-2.el10_2.alma.1

    When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.

  • CVE-2026-25679HigMar 6, 2026
    affected < 1.26.2-2.el10_2.alma.1fixed 1.26.2-2.el10_2.alma.1

    url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

  • CVE-2025-68121CriFeb 5, 2026
    affected < 1.25.7-1.module_el8.10.0+4117+b694c6c9fixed 1.25.7-1.module_el8.10.0+4117+b694c6c9

    During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and

  • CVE-2025-61732Feb 5, 2026
    affected < 1.25.7-1.module_el8.10.0+4117+b694c6c9fixed 1.25.7-1.module_el8.10.0+4117+b694c6c9

    A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.

  • CVE-2025-61728Jan 28, 2026
    affected < 1.25.7-1.module_el8.10.0+4117+b694c6c9fixed 1.25.7-1.module_el8.10.0+4117+b694c6c9

    archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.

  • CVE-2025-61726Jan 28, 2026
    affected < 1.25.7-1.module_el8.10.0+4117+b694c6c9fixed 1.25.7-1.module_el8.10.0+4117+b694c6c9

    The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a la

  • CVE-2025-61731Jan 28, 2026
    affected < 1.25.8-1.el9_7fixed 1.25.8-1.el9_7

    Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can

  • CVE-2025-61729Dec 2, 2025
    affected < 1.25.5-1.module_el8.10.0+4107+b32a33cefixed 1.25.5-1.module_el8.10.0+4107+b32a33ce

    Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a

  • CVE-2025-58183MedOct 29, 2025
    affected < 1.25.3-1.el9_7fixed 1.25.3-1.el9_7

    tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When r

  • CVE-2025-47906Sep 18, 2025
    affected < 1.25.3-2.module_el8.10.0+4074+24330916fixed 1.25.3-2.module_el8.10.0+4074+24330916

    If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.

  • CVE-2025-4674Jul 29, 2025
    affected < 1.24.6-1.el9_6fixed 1.24.6-1.el9_6

    The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another V

  • CVE-2025-4673MedJun 11, 2025
    affected < 1.24.4-1.el9_6fixed 1.24.4-1.el9_6

    Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.

  • CVE-2025-22871CriApr 8, 2025
    affected < 1.23.9-1.el9_6fixed 1.23.9-1.el9_6

    The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

  • CVE-2024-34156HigSep 6, 2024
    affected < 1.23.6-2.el9_5fixed 1.23.6-2.el9_5

    Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

  • CVE-2023-39325Oct 11, 2023
    affected < 1.19.13-1.module_el8.8.0+3625+a06035cffixed 1.19.13-1.module_el8.8.0+3625+a06035cf

    A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attack

  • CVE-2023-44487HigKEVOct 10, 2023
    affected < 1.19.13-1.module_el8.8.0+3625+a06035cffixed 1.19.13-1.module_el8.8.0+3625+a06035cf

    The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

  • CVE-2023-29409Aug 2, 2023
    affected < 1.19.13-1.el9_2fixed 1.19.13-1.el9_2

    Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are curr

  • CVE-2023-29405Jun 8, 2023
    affected < 1.19.10-1.module_el8.8.0+3571+89db2ae0fixed 1.19.10-1.module_el8.8.0+3571+89db2ae0

    The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. F

  • CVE-2023-29404Jun 8, 2023
    affected < 1.19.10-1.module_el8.8.0+3571+89db2ae0fixed 1.19.10-1.module_el8.8.0+3571+89db2ae0

    The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. T

Page 1 of 3