摘要:
golang security update
安全等级: High
公告ID: KylinSec-SA-2025-2901
发布日期: 2025年9月28日
.
Security Fix(es):
The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via 'go get', are not affected.(CVE-2025-4674)
A vulnerability was found in Google Go up to 1.23.11/1.24.5 (Programming Language Software). It has been declared as problematic.The manipulation of the argument PATH with an unknown input leads to a unknown weakness.As an impact it is known to affect integrity.Upgrading to version 1.23.12 or 1.24.6 eliminates this vulnerability.(CVE-2025-47906)
Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.(CVE-2025-47907)
| cve名称 | 产品 | 组件 | 是否受影响 |
|---|---|---|---|
| CVE-2025-47907 | V6 | golang | Fixed |
| CVE-2025-47906 | V6 | golang | Fixed |
| CVE-2025-4674 | V6 | golang | Fixed |
| 软件名称 | 架构 | 版本号 |
|---|---|---|
| golang-devel | noarch | 1.21.4-35.ks6 |
| golang-help | noarch | 1.21.4-35.ks6 |
| golang | x86_64 | 1.21.4-35.ks6 |
| golang | aarch64 | 1.21.4-35.ks6 |
方法一:下载安装包进行升级安装
1、通过下载链接下载需要升级的升级包保存,如 xxx.rpm
2、通过rpm命令升级,如 rpm -Uvh xxx.rpm
方法二:通过软件源进行升级安装
1、保持能够连接上互联网
2、通过yum命令升级指定的包,如 yum install 包名
