Fedora Account System
Red Hat Associate
Red Hat Customer
When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.
This package is NOT affected by CVE-2025-58189. SUMMARY: ======== CVE-2025-58189 affects Go's crypto/tls package. The Fedora bpfman package is built entirely from Rust code and does not contain or link against Go's crypto/tls package. The bpfman.spec file clearly shows this is a Rust package: 1. Generated by rust2rpm (Fedora's Rust packaging tool) 2. BuildRequires: cargo-rpm-macros (not golang build tools) 3. Build uses Cargo (Rust's build system): - %cargo_prep, %cargo_build, %cargo_test - Sources include Rust vendor tarball - Binaries installed from ./target/release/ (Rust's output directory) 4. Patches only Rust files (.rs files and Cargo.toml) 5. Packages three Rust-compiled binaries: - bpfman, bpfman-ns, bpfman-rpc NOTE: The upstream repository contains some Go code in examples/ and clients/ directories, but these are NOT included in the Fedora RPM package. CONCLUSION: =========== Pure Rust package. CVE-2025-58189 does not apply. Closing as NOTABUG.
Did you close this parent tracker bug by mistake? I think you only meant to close 2408126 and bug 2407847, and hit ETOOMANYTABS. :)
This is fixed in Go versions 1.25.2: https://github.com/golang/go/commit/205d0865958a6d2342939f62dfeaf47508101976 ... and 1.24.8: https://github.com/golang/go/commit/2e1e356e33b9c792a9643749a7626a1789197bb9
Actually yeah :D let me reopen this, thanks Debarshi xD