rpm package
almalinux/golang-race
pkg:rpm/almalinux/golang-race
Vulnerabilities (45)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-25679 | High | 7.5 | | < 1.25.8-1.el10_1.alma.1 | 1.25.8-1.el10_1.alma.1 | Mar 6, 2026 | url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. |
| CVE-2025-68121 | Critical | 10.0 | | < 1.25.7-1.el10_1.alma.1 | 1.25.7-1.el10_1.alma.1 | Feb 5, 2026 | During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and |
| CVE-2025-61732 | | | | < 1.25.7-1.el10_1.alma.1 | 1.25.7-1.el10_1.alma.1 | Feb 5, 2026 | A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary. |
| CVE-2025-61728 | | | | < 1.25.7-1.el10_1.alma.1 | 1.25.7-1.el10_1.alma.1 | Jan 28, 2026 | archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive. |
| CVE-2025-61726 | | | | < 1.25.7-1.el10_1.alma.1 | 1.25.7-1.el10_1.alma.1 | Jan 28, 2026 | The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a la |
| CVE-2025-61731 | | | | < 1.25.8-1.el10_1.alma.1 | 1.25.8-1.el10_1.alma.1 | Jan 28, 2026 | Building a malicious file with cmd/go can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments that are passed to the pkg-config command. An attacker can |
| CVE-2025-61729 | | | | < 1.25.5-1.module_el8.10.0+4107+b32a33ce | 1.25.5-1.module_el8.10.0+4107+b32a33ce | Dec 2, 2025 | Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a |
| CVE-2025-58183 | Medium | 4.3 | | < 1.25.3-1.el9_7 | 1.25.3-1.el9_7 | Oct 29, 2025 | tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When r |
| CVE-2025-47906 | | | | < 1.25.3-2.module_el8.10.0+4074+24330916 | 1.25.3-2.module_el8.10.0+4074+24330916 | Sep 18, 2025 | If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and "..") can result in the binaries listed in the PATH being unexpectedly returned. |
| CVE-2025-4674 | | | | < 1.24.6-1.el9_6 | 1.24.6-1.el9_6 | Jul 29, 2025 | The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another V |
| CVE-2025-4673 | Medium | 6.8 | | < 1.24.4-1.el9_6 | 1.24.4-1.el9_6 | Jun 11, 2025 | Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects, potentially leaking sensitive information. |
| CVE-2025-22871 | Critical | 9.1 | | < 1.23.9-1.el9_6 | 1.23.9-1.el9_6 | Apr 8, 2025 | The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext. |
| CVE-2024-34156 | High | 7.5 | | < 1.23.6-2.el9_5 | 1.23.6-2.el9_5 | Sep 6, 2024 | Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. |
| CVE-2023-39325 | | | | < 1.19.13-1.module_el8.8.0+3625+a06035cf | 1.19.13-1.module_el8.8.0+3625+a06035cf | Oct 11, 2023 | A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attack |
| CVE-2023-44487 | High | 7.5 | KEV | < 1.19.13-1.module_el8.8.0+3625+a06035cf | 1.19.13-1.module_el8.8.0+3625+a06035cf | Oct 10, 2023 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
| CVE-2023-29409 | | | | < 1.19.13-1.el9_2 | 1.19.13-1.el9_2 | Aug 2, 2023 | Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With the fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are curr |
| CVE-2023-29405 | | | | < 1.19.10-1.module_el8.8.0+3571+89db2ae0 | 1.19.10-1.module_el8.8.0+3571+89db2ae0 | Jun 8, 2023 | The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. F |
| CVE-2023-29404 | | | | < 1.19.10-1.module_el8.8.0+3571+89db2ae0 | 1.19.10-1.module_el8.8.0+3571+89db2ae0 | Jun 8, 2023 | The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. T |
| CVE-2023-29403 | | | | < 1.19.10-1.module_el8.8.0+3571+89db2ae0 | 1.19.10-1.module_el8.8.0+3571+89db2ae0 | Jun 8, 2023 | On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is execute |
| CVE-2023-29402 | | | | < 1.19.10-1.module_el8.8.0+3571+89db2ae0 | 1.19.10-1.module_el8.8.0+3571+89db2ae0 | Jun 8, 2023 | The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules wh |
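The "Fixed in" column mixes builds for three streams (modular el8, el9 and el10), so the only meaningful check is the installed golang-race version-release against the fix published for the same stream, ordered the way rpm orders versions rather than as strings (1.25.10 must sort after 1.25.9). The program below is an added example, not tooling from AlmaLinux or from this page: it reimplements rpm's rpmvercmp ordering (including the `~` and `^` prefixes), reads the EL stream out of the release tag, and lists which rows of a constructed subset of the table above are still unfixed for a given installed version-release, the string that `rpm -q --qf '%{VERSION}-%{RELEASE}' golang-race` prints. All type and function names are the example's own.

```go
package main

import (
	"cmp"
	"fmt"
	"regexp"
	"strings"
)

// Fix is one table row: a CVE and the first golang-race build that fixes it.
type Fix struct{ CVE, FixedIn string }

// pageFixes is a constructed subset of the rows above, used as sample input.
var pageFixes = []Fix{
	{"CVE-2026-25679", "1.25.8-1.el10_1.alma.1"},
	{"CVE-2025-68121", "1.25.7-1.el10_1.alma.1"},
	{"CVE-2025-58183", "1.25.3-1.el9_7"},
	{"CVE-2025-22871", "1.23.9-1.el9_6"},
	{"CVE-2023-44487", "1.19.13-1.module_el8.8.0+3625+a06035cf"},
}

var streamRE = regexp.MustCompile(`el(\d+)`)

// Stream returns the EL major release ("el8", "el9", "el10") a build is for; a fix for another stream says nothing about this one.
func Stream(vr string) string {
	if m := streamRE.FindStringSubmatch(vr); m != nil {
		return "el" + m[1]
	}
	return ""
}

func isDigit(c byte) bool { return c >= '0' && c <= '9' }
func isAlnum(c byte) bool { return isDigit(c) || c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' }

// rank orders what the cursor can point at, as rpm does: '~' < end of string < '^' < letter < digit.
func rank(s string, i int) int {
	switch {
	case i >= len(s):
		return 1
	case s[i] == '~':
		return 0
	case s[i] == '^':
		return 2
	case isDigit(s[i]):
		return 4
	}
	return 3
}

// VerCmp reimplements rpm's label comparison (rpmvercmp) for one field: separators are skipped,
// then the strings are compared one maximal numeric or alphabetic segment at a time, numbers by value.
func VerCmp(a, b string) int {
	i, j := 0, 0
	for i < len(a) || j < len(b) {
		for ; i < len(a) && !isAlnum(a[i]) && a[i] != '~' && a[i] != '^'; i++ {
		}
		for ; j < len(b) && !isAlnum(b[j]) && b[j] != '~' && b[j] != '^'; j++ {
		}
		ra, rb := rank(a, i), rank(b, j)
		if ra != rb { // covers '~'/'^'/end and "numeric segment beats alphabetic"
			return cmp.Compare(ra, rb)
		}
		if ra < 3 { // both '~', both '^', or both exhausted (loop then ends)
			i, j = i+1, j+1
			continue
		}
		num, si, sj := ra == 4, i, j
		for ; i < len(a) && isAlnum(a[i]) && isDigit(a[i]) == num; i++ {
		}
		for ; j < len(b) && isAlnum(b[j]) && isDigit(b[j]) == num; j++ {
		}
		sa, sb := a[si:i], b[sj:j]
		if num { // drop leading zeros, then the longer number is the larger one
			sa, sb = strings.TrimLeft(sa, "0"), strings.TrimLeft(sb, "0")
			if c := cmp.Compare(len(sa), len(sb)); c != 0 {
				return c
			}
		}
		if c := strings.Compare(sa, sb); c != 0 {
			return c
		}
	}
	return 0
}

// VRCmp orders two "version-release" strings as rpm does (epoch assumed 0).
func VRCmp(a, b string) int {
	va, ra, _ := strings.Cut(a, "-")
	vb, rb, _ := strings.Cut(b, "-")
	if c := VerCmp(va, vb); c != 0 {
		return c
	}
	return VerCmp(ra, rb)
}

// Affected lists the CVEs whose fix for the installed package's own stream is newer than what is installed.
func Affected(installed string, fixes []Fix) []string {
	var out []string
	for _, f := range fixes {
		if Stream(f.FixedIn) == Stream(installed) && VRCmp(installed, f.FixedIn) < 0 {
			out = append(out, f.CVE)
		}
	}
	return out
}

func main() {
	// Constructed input, in the form `rpm -q --qf '%{VERSION}-%{RELEASE}' golang-race` prints.
	fmt.Println(Affected("1.25.7-1.el10_1.alma.1", pageFixes)) // [CVE-2026-25679]
}
```

golang-race ships the race-detector runtime of the Go toolchain, and every CVE in the table is in the standard library or the go command, so updating this RPM only protects binaries that are rebuilt with the new toolchain; a binary built earlier keeps the vulnerable standard-library code linked into it. govulncheck (golang.org/x/vuln) run against a binary reports the toolchain version it was built with and the standard-library issues that apply to it.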
Page 1 of 3