FERRAMENTAS LINUX: Critical Security Update for Go 1.24: Patch CVE-2025-22873 Vulnerability Now

quinta-feira, 15 de maio de 2025

Critical Security Update for Go 1.24: Patch CVE-2025-22873 Vulnerability Now

 

SUSE


SUSE releases a critical Go 1.24.3 security update patching CVE-2025-22873, a directory traversal flaw. Learn how to secure SUSE Linux, SAP, and HPC systems now. Includes patch commands for openSUSE Leap 15.6, SLE 15 SP6, and Enterprise Storage 7.1.

Key Security Fixes in Go 1.24.3

A newly released security patch for Go 1.24 addresses a critical vulnerability (CVE-2025-22873) that could allow unauthorized directory traversal via os.Root. This update also includes multiple stability and performance improvements for enterprise environments.

Vulnerability Details

  • CVE-2025-22873: A security flaw in os.Root permits unintended access to parent directories (Bug #1242715).

    • CVSS v4.0 Score: 2.0 (Low)

    • CVSS v3.1 Score: 4.4 (Medium)

  • Impacted Products:

    • SUSE Linux Enterprise Server 15 SP3-SP6

    • SUSE Linux Enterprise High Performance Computing (LTSS/ESPOS)

    • SUSE Enterprise Storage 7.1

    • openSUSE Leap 15.6

🔴 Why This Matters for Enterprises:

  • Directory traversal flaws can lead to data leaks or privilege escalation.

  • SAP and HPC environments are particularly at risk due to sensitive workloads.

How to Apply the Patch

Recommended Update Methods

  1. Via YaST Online Update (GUI)

  2. Command Line (zypper):


bash
Copy
Download
zypper in -t patch [Your-Product-Patch-Code]

(See full patch list below for exact commands.)




Affected Packages

ProductPatch Command
openSUSE Leap 15.6zypper in -t patch openSUSE-SLE-15.6-2025-1551=1
SUSE Linux Enterprise Server 15 SP6zypper in -t patch SUSE-SLE-Product-SLES-15-SP6-2025-1551=1
SUSE Enterprise Storage 7.1zypper in -t patch SUSE-Storage-7.1-2025-1551=1

Additional Fixes in Go 1.24.3

This update also resolves:

  • Runtime crashes (runtime.growslice segmentation faults).

  • TLS/ECH handshake failures (GREASE value compatibility).

  • WASM compilation errors (integer overflow fixes).

📌 For Developers:

  • linkname directive fixes prevent runtime variable overrides.

  • crypto/tls now correctly processes ECH ClientHello messages.

FAQ: Go 1.24 Security Update

Q: Is this update mandatory for all SUSE systems?

AYes, if you use Go 1.24 in production—especially in SAP or HPC workloads.

Q: What’s the risk of not patching?

A: Potential directory traversal exploits, though the attack complexity is moderate.

Q: Are containers affected?

A: Yes, if they use Go 1.24. Rebuild images after updating.

Cezar Henrique at
Marcadores: Linux, Android, Segurança , , ,

Nenhum comentário:

Postar um comentário

Assinar: Postar comentários (Atom)