OPENSUSE-SU-2026:20496-1

Advisory lineage Upstream: 3 Downstream: 0
Published: 16 Apr 2026, 07:24
Last modified:22 Apr 2026, 18:26

Vulnerability Summary

Overall Risk (default)
minimal
0/100
CVSS Score
No data
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

16 Apr 2026, 07:24
Published
Vulnerability first disclosed
22 Apr 2026, 18:26
Last Modified
Vulnerability information updated

Description

Security update for go1.25 This update for go1.25 fixes the following issues: Update to go1.25.8 (bsc#1244485): - CVE-2026-25679: net/url: reject IPv6 literal not at start of host (bsc#1259264). - CVE-2026-27139: os: FileInfo can escape from a Root (bsc#1259268). - CVE-2026-27142: html/template: URLs in meta content attribute actions are not escaped (bsc#1259265). Changelog: * go#77253 cmd/compile: miscompile of global array initialization * go#77406 os: Go 1.25.x regression on RemoveAll for windows * go#77413 runtime: netpollinit() incorrectly prints the error from linux.Eventfd * go#77438 cmd/go: CGO compilation fails after upgrading from Go 1.25.5 to 1.25.6 due to --define-variable flag in pkg-config * go#77531 net/smtp: expiry date of localhostCert for testing is too short

Affected Systems

  • opensusego1.25&distro=openSUSE Leap 16.0

    < 1.25.8-160000.1.1

References (7)