Validating certificate chains which contain DSA public keys can cause programs to panic, due to an interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains.
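The description above names the mechanism (an unchecked interface cast to a type with an Equal method) but does not show it. The following is an added example, not Go's crypto/x509 code and not part of this bug report. It relies on the documented fact that rsa, ecdsa and ed25519 public keys in the Go standard library implement Equal(x crypto.PublicKey) bool while dsa.PublicKey does not. The names equaler, uncheckedEqual, safeEqual, panics and sampleDSAKey are this example's own; the DSA parameter values are constructed and carry no cryptographic meaning, since only the Go type matters for the interface check.

```go
package main

import (
	"crypto"
	"crypto/dsa"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"fmt"
	"math/big"
)

// equaler is the method set that Go's rsa, ecdsa and ed25519 public key types
// satisfy. dsa.PublicKey has no Equal method, so an unchecked assertion to this
// interface panics when handed a DSA key. (Assumed shape for this example; it
// mirrors the Equal signature documented on those stdlib key types.)
type equaler interface {
	Equal(x crypto.PublicKey) bool
}

// uncheckedEqual is the unsafe pattern: a bare type assertion that panics at
// runtime when a does not implement Equal.
func uncheckedEqual(a, b crypto.PublicKey) bool {
	return a.(equaler).Equal(b)
}

// safeEqual uses the comma-ok assertion and reports whether the comparison was
// possible at all, instead of panicking on unsupported key types. Callers must
// treat supported == false as "cannot compare", not as "different".
func safeEqual(a, b crypto.PublicKey) (equal bool, supported bool) {
	ae, ok := a.(equaler)
	if !ok {
		return false, false
	}
	return ae.Equal(b), true
}

// panics reports whether calling f panics; used only to demonstrate the failure mode.
func panics(f func()) (didPanic bool) {
	defer func() {
		if recover() != nil {
			didPanic = true
		}
	}()
	f()
	return false
}

// sampleDSAKey builds a dsa.PublicKey from constructed, meaningless values.
// Only its Go type matters for the interface check above.
func sampleDSAKey() *dsa.PublicKey {
	return &dsa.PublicKey{
		Parameters: dsa.Parameters{P: big.NewInt(23), Q: big.NewInt(11), G: big.NewInt(4)},
		Y:          big.NewInt(8),
	}
}

func main() {
	dsaKey := sampleDSAKey()
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

	fmt.Println("DSA key panics under unchecked cast:", panics(func() { uncheckedEqual(dsaKey, dsaKey) }))
	eq, ok := safeEqual(dsaKey, dsaKey)
	fmt.Println("DSA via safeEqual (equal, supported):", eq, ok)
	eq, ok = safeEqual(&rsaKey.PublicKey, &rsaKey.PublicKey)
	fmt.Println("RSA vs itself via safeEqual:", eq, ok)
	eq, ok = safeEqual(&ecKey.PublicKey, &rsaKey.PublicKey)
	fmt.Println("ECDSA vs RSA via safeEqual:", eq, ok)
}
```

The hardened form does not make DSA keys comparable; it makes the unsupported case an explicit result the caller can turn into a verification error rather than a crash of the whole process, which is the difference between a failed handshake and a denial of service against anything that verifies attacker-supplied chains.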
This CVE does not affect the bpfman package in Fedora. CVE-2025-58188 is a vulnerability in Go's crypto/x509 package related to DSA public key certificate validation. The Fedora bpfman package does not build, ship, or use any Go code.

Evidence from the spec file (bpfman.spec):

Source0 (line 47): https://github.com/bpfman/bpfman/archive/refs/tags/v0.5.4.tar.gz
- Yes, this source tarball DOES contain Go code (visible in license breakdown line 38: "examples/go-xdp-counter/bpf/xdp_counter.c" and "examples/**/bpf/*.c")
- These are example applications showing how to use bpfman from Go programs
- The tarball also contains clients/gobpfman/ (Go gRPC client library) and go.mod/go.sum

However, NONE of this Go code is built or packaged by the Fedora bpfman RPM:
1. Generated by rust2rpm (line 1) - exclusively Rust packaging
2. BuildRequires (lines 60-70): NO Go toolchain - only cargo-rpm-macros, openssl-devel, zlib, gcc, cmake, clang-devel
3. %build section (line 99): Uses %cargo_build (Rust only)
4. %install section (lines 105-119): Only installs three Rust binaries from ./target/release/:
   - bpfman
   - bpfman-ns
   - bpfman-rpc
5. %files section (lines 130-141): Only packages the three Rust binaries above - no examples/, no clients/, no Go code
Reopening as I only wanted to close it for my component
This is fixed in Go versions 1.25.2: https://github.com/golang/go/commit/930ce220d052d632f0d84df5850c812a77b70175 ... and 1.24.8: https://github.com/golang/go/commit/f9f198ab05e3282cbf6b13251d47d9141981e401