rpm package

almalinux/golang-tests

pkg:rpm/almalinux/golang-tests

Vulnerabilities (63)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-25679	Hig	7.5	< 1.25.8-1.el10_1.alma.1	1.25.8-1.el10_1.alma.1	Mar 6, 2026	url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
CVE-2025-68121	Cri	10.0	< 1.25.7-1.el10_1.alma.1	1.25.7-1.el10_1.alma.1	Feb 5, 2026	During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and
CVE-2025-61732		—	< 1.25.7-1.el10_1.alma.1	1.25.7-1.el10_1.alma.1	Feb 5, 2026	A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
CVE-2025-61728		—	< 1.25.7-1.el10_1.alma.1	1.25.7-1.el10_1.alma.1	Jan 28, 2026	archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.
CVE-2025-61726		—	< 1.25.7-1.el10_1.alma.1	1.25.7-1.el10_1.alma.1	Jan 28, 2026	The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a la
CVE-2025-61731		—	< 1.25.8-1.el10_1.alma.1	1.25.8-1.el10_1.alma.1	Jan 28, 2026	Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can
CVE-2025-61729		—	< 1.25.5-1.module_el8.10.0+4107+b32a33ce	1.25.5-1.module_el8.10.0+4107+b32a33ce	Dec 2, 2025	Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a
CVE-2025-58183	Med	4.3	< 1.25.3-1.el9_7	1.25.3-1.el9_7	Oct 29, 2025	tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When r
CVE-2025-47906		—	< 1.25.3-2.module_el8.10.0+4074+24330916	1.25.3-2.module_el8.10.0+4074+24330916	Sep 18, 2025	If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.
CVE-2025-4674		—	< 1.24.6-1.el9_6	1.24.6-1.el9_6	Jul 29, 2025	The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another V
CVE-2025-4673	Med	6.8	< 1.24.4-1.module_el8.10.0+4027+41c6fed2	1.24.4-1.module_el8.10.0+4027+41c6fed2	Jun 11, 2025	Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.
CVE-2025-22871	Cri	9.1	< 1.23.9-1.el9_6	1.23.9-1.el9_6	Apr 8, 2025	The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.
CVE-2025-22866	Med	4.0	< 1.23.7-1.el10_0.alma.1	1.23.7-1.el10_0.alma.1	Feb 6, 2025	Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recover
CVE-2024-45341	Med	6.1	< 1.23.6-1.module_el8.10.0+3977+66935a26	1.23.6-1.module_el8.10.0+3977+66935a26	Jan 28, 2025	A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.
CVE-2024-45336	Med	6.1	< 1.23.6-1.module_el8.10.0+3977+66935a26	1.23.6-1.module_el8.10.0+3977+66935a26	Jan 28, 2025	The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain re
CVE-2024-9355	Med	6.5	< 1.21.13-3.module_el8.10.0+3900+bb1e1982	1.21.13-3.module_el8.10.0+3900+bb1e1982	Oct 1, 2024	A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when co
CVE-2024-34158	Hig	7.5	< 1.21.13-2.module_el8.10.0+3895+92d465e0	1.21.13-2.module_el8.10.0+3895+92d465e0	Sep 6, 2024	Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.
CVE-2024-34156	Hig	7.5	< 1.21.13-2.module_el8.10.0+3895+92d465e0	1.21.13-2.module_el8.10.0+3895+92d465e0	Sep 6, 2024	Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
CVE-2024-34155	Med	4.3	< 1.21.13-2.module_el8.10.0+3895+92d465e0	1.21.13-2.module_el8.10.0+3895+92d465e0	Sep 6, 2024	Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
CVE-2024-24791	Hig	7.5	< 1.21.13-2.module_el8.10.0+3895+92d465e0	1.21.13-2.module_el8.10.0+3895+92d465e0	Jul 2, 2024	The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the co

CVE-2026-25679HigMar 6, 2026
affected < 1.25.8-1.el10_1.alma.1fixed 1.25.8-1.el10_1.alma.1
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
CVE-2025-68121CriFeb 5, 2026
affected < 1.25.7-1.el10_1.alma.1fixed 1.25.7-1.el10_1.alma.1
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and
CVE-2025-61732Feb 5, 2026
affected < 1.25.7-1.el10_1.alma.1fixed 1.25.7-1.el10_1.alma.1
A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
CVE-2025-61728Jan 28, 2026
affected < 1.25.7-1.el10_1.alma.1fixed 1.25.7-1.el10_1.alma.1
archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.
CVE-2025-61726Jan 28, 2026
affected < 1.25.7-1.el10_1.alma.1fixed 1.25.7-1.el10_1.alma.1
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a la
CVE-2025-61731Jan 28, 2026
affected < 1.25.8-1.el10_1.alma.1fixed 1.25.8-1.el10_1.alma.1
Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can
CVE-2025-61729Dec 2, 2025
affected < 1.25.5-1.module_el8.10.0+4107+b32a33cefixed 1.25.5-1.module_el8.10.0+4107+b32a33ce
Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a
CVE-2025-58183MedOct 29, 2025
affected < 1.25.3-1.el9_7fixed 1.25.3-1.el9_7
tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When r
CVE-2025-47906Sep 18, 2025
affected < 1.25.3-2.module_el8.10.0+4074+24330916fixed 1.25.3-2.module_el8.10.0+4074+24330916
If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.
CVE-2025-4674Jul 29, 2025
affected < 1.24.6-1.el9_6fixed 1.24.6-1.el9_6
The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another V
CVE-2025-4673MedJun 11, 2025
affected < 1.24.4-1.module_el8.10.0+4027+41c6fed2fixed 1.24.4-1.module_el8.10.0+4027+41c6fed2
Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.
CVE-2025-22871CriApr 8, 2025
affected < 1.23.9-1.el9_6fixed 1.23.9-1.el9_6
The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.
CVE-2025-22866MedFeb 6, 2025
affected < 1.23.7-1.el10_0.alma.1fixed 1.23.7-1.el10_0.alma.1
Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recover
CVE-2024-45341MedJan 28, 2025
affected < 1.23.6-1.module_el8.10.0+3977+66935a26fixed 1.23.6-1.module_el8.10.0+3977+66935a26
A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.
CVE-2024-45336MedJan 28, 2025
affected < 1.23.6-1.module_el8.10.0+3977+66935a26fixed 1.23.6-1.module_el8.10.0+3977+66935a26
The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain re
CVE-2024-9355MedOct 1, 2024
affected < 1.21.13-3.module_el8.10.0+3900+bb1e1982fixed 1.21.13-3.module_el8.10.0+3900+bb1e1982
A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when co
CVE-2024-34158HigSep 6, 2024
affected < 1.21.13-2.module_el8.10.0+3895+92d465e0fixed 1.21.13-2.module_el8.10.0+3895+92d465e0
Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.
CVE-2024-34156HigSep 6, 2024
affected < 1.21.13-2.module_el8.10.0+3895+92d465e0fixed 1.21.13-2.module_el8.10.0+3895+92d465e0
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
CVE-2024-34155MedSep 6, 2024
affected < 1.21.13-2.module_el8.10.0+3895+92d465e0fixed 1.21.13-2.module_el8.10.0+3895+92d465e0
Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
CVE-2024-24791HigJul 2, 2024
affected < 1.21.13-2.module_el8.10.0+3895+92d465e0fixed 1.21.13-2.module_el8.10.0+3895+92d465e0
The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the co

Page 1 of 4