Amazon Linux 2 Security Advisory: ALAS2-2025-3042
Advisory Released Date: 2025-10-27
Advisory Updated Date: 2025-10-27
FAQs regarding Amazon Linux ALAS/CVE Severity
net/url: insufficient validation of bracketed IPv6 hostnames
The Parse function permitted values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.
NOTE: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJ
NOTE: https://github.com/golang/go/issues/75678
NOTE: https://github.com/golang/go/commit/9fd3ac8a10272afd90312fef5d379de7d688a58e (go1.25.2)
NOTE: https://github.com/golang/go/commit/d6d2f7bf76718f1db05461cd912ae5e30d7b77ea (go1.24.8) (CVE-2025-47912)
archive/tar: unbounded allocation when parsing GNU sparse map
tar.Reader did not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions could cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input could result in large allocations.
NOTE: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJ
NOTE: https://github.com/golang/go/issues/75677
NOTE: https://github.com/golang/go/commit/2612dcfd3cb6dd73c76e14a24fe1a68e2708e4e3 (go1.25.2)
NOTE: https://github.com/golang/go/commit/613e746327381d820759ebea6ce722720b343556 (go1.24.8) (CVE-2025-58183)
encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion
When parsing DER payloads, memories were being allocated prior to fully validating the payloads.
This permits an attacker to craft a big empty DER payload to cause memory exhaustion in functions such as asn1.Unmarshal, x509.ParseCertificateRequest, and ocsp.ParseResponse.
NOTE: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJ
NOTE: https://github.com/golang/go/issues/75671
NOTE: https://github.com/golang/go/commit/e0f655bf3f96410f90756f49532bc6a1851855ca (go1.25.2)
NOTE: https://github.com/golang/go/commit/5c3d61c886f7ecfce9a6d6d3c97e6d5a8afb17d1 (go1.24.8) (CVE-2025-58185)
net/http: lack of limit when parsing cookies can cause memory exhaustion
Despite HTTP headers having a default limit of 1 MB, the number of cookies that can be parsed did not have a limit.
By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.
net/http now limits the number of cookies accepted to 3000, which can be adjusted using the httpcookiemaxnum GODEBUG option.
NOTE: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJ
NOTE: https://github.com/golang/go/issues/75672
NOTE: https://github.com/golang/go/commit/100c5a66802b5a895b1d0e5ed3b7918f899c4833 (go1.25.2)
NOTE: https://github.com/golang/go/commit/c6b04dd33b0215f5deb83724661921842bf67607 (go1.24.8) (CVE-2025-58186)
crypto/x509: quadratic complexity when checking name constraints
Due to the design of the name constraint checking algorithm, the processing time
of some inputs scales non-linearly with respect to the size of the certificate.
This affects programs which validate arbitrary certificate chains.
NOTE: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJ
NOTE: https://github.com/golang/go/issues/75681
NOTE: https://github.com/golang/go/commit/f0c69db15aae2eb10bddd8b6745dff5c2932e8f5 (go1.25.2)
NOTE: https://github.com/golang/go/commit/f334417e71f8b078ad64035bddb6df7f8910da6c (go1.24.8) (CVE-2025-58187)
crypto/x509: panic when validating certificates with DSA public keys
Validating certificate chains which contain DSA public keys can cause programs
to panic, due to a interface cast that assumes they implement the Equal method.
This affects programs which validate arbitrary certificate chains.
NOTE: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJ
NOTE: https://github.com/golang/go/issues/75675
NOTE: https://github.com/golang/go/commit/930ce220d052d632f0d84df5850c812a77b70175 (go1.25.2)
NOTE: https://github.com/golang/go/commit/f9f198ab05e3282cbf6b13251d47d9141981e401 (go1.24.8) (CVE-2025-58188)
crypto/tls: ALPN negotiation errors can contain arbitrary text
The crypto/tls conn.Handshake method returns an error on the server-side when ALPN negotation fails which can contain arbitrary attacker controlled information provided by the client-side of the connection which is not escaped.
This affects programs which log these errors without any additional form of sanitization, and may allow injection of attacker controlled information into logs.
NOTE: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJ
NOTE: https://github.com/golang/go/issues/75652
NOTE: https://github.com/golang/go/commit/205d0865958a6d2342939f62dfeaf47508101976 (go1.25.2)
NOTE: https://github.com/golang/go/commit/2e1e356e33b9c792a9643749a7626a1789197bb9 (go1.24.8) (CVE-2025-58189)
encoding/pem: quadratic complexity when parsing some invalid inputs
Due to the design of the PEM parsing function, the processing time for some
inputs scales non-linearly with respect to the size of the input.
This affects programs which parse untrusted PEM inputs.
NOTE: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJ
NOTE: https://github.com/golang/go/issues/75676
NOTE: https://github.com/golang/go/commit/90f72bd5001d0278949fab0b7a40f7d8c712979b (go1.25.2)
NOTE: https://github.com/golang/go/commit/74d4d836b91318a8764b94bc2b4b66ff599eb5f2 (go1.24.8) (CVE-2025-61723)
net/textproto: excessive CPU consumption in Reader.ReadResponse
The Reader.ReadResponse function constructed a response string through
repeated string concatenation of lines. When the number of lines in a response is large,
this could cause excessive CPU consumption.
NOTE: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJ
NOTE: https://github.com/golang/go/issues/75716
NOTE: https://github.com/golang/go/commit/5d7a787aa2b486f77537eeaed9c38c940a7182b8 (go1.25.2)
NOTE: https://github.com/golang/go/commit/a402f4ad285514f5f3db90516d72047d591b307a (go1.24.8) (CVE-2025-61724)
net/mail: excessive CPU consumption in ParseAddress
The ParseAddress function constructed domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this could cause excessive CPU consumption.
NOTE: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJ
NOTE: https://github.com/golang/go/issues/75680
NOTE: https://github.com/golang/go/commit/6a057327cf9a405e6388593dd4aedc0d0da77092 (go1.25.2)
NOTE: https://github.com/golang/go/commit/bc6981fd74024098185a23ba3a83a81ed68a06c9 (go1.24.8) (CVE-2025-61725)
Affected Packages:
golang
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update golang or yum update --advisory ALAS2-2025-3042 to update your system.
aarch64:
golang-1.24.8-1.amzn2.0.1.aarch64
golang-bin-1.24.8-1.amzn2.0.1.aarch64
golang-shared-1.24.8-1.amzn2.0.1.aarch64
noarch:
golang-docs-1.24.8-1.amzn2.0.1.noarch
golang-misc-1.24.8-1.amzn2.0.1.noarch
golang-tests-1.24.8-1.amzn2.0.1.noarch
golang-src-1.24.8-1.amzn2.0.1.noarch
src:
golang-1.24.8-1.amzn2.0.1.src
x86_64:
golang-1.24.8-1.amzn2.0.1.x86_64
golang-bin-1.24.8-1.amzn2.0.1.x86_64
golang-shared-1.24.8-1.amzn2.0.1.x86_64