INFSA-2025:22668: go-toolset:rhel8 security update
Information about definition
Identificator: INFSA-2025:22668
Type: security
Release date: 2025-12-07 21:48:46 UTC
Information about package
Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang.
Vulnerabilities description
- CVE-2025-58183
A flaw was found in the archive/tar package in the Go standard library. tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A specially crafted tar archive with a pax header indicating a big number of sparse regions can cause a Go program to try to allocate a large amount of memory, causing an out-of-memory condition and resulting in a denial of service.
- CVE-2025-47906
If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.
Severity level
| CVE | Score CVSS 2.0 | Score CVSS 3.x | Score CVSS 4.0 |
|---|---|---|---|
|
NIST — CVE-2025-47906
|
no information | 6.5 | no information |
|
NIST — CVE-2025-58183
|
no information | 7.5 | no information |
Updated packages
Preparing to download...