Msrc Azl3 Golang 1.23.12-1 On Azure Linux 3.0 vulnerabilities

CVE-2025-61727 [MEDIUM] Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509 Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509 Mariner: Mariner Go: Go Customer Action Required: Yes

CVE-2025-47912 [MEDIUM] Insufficient validation of bracketed IPv6 hostnames in net/url Insufficient validation of bracketed IPv6 hostnames in net/url FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with

CVE-2025-58189 [MEDIUM] ALPN negotiation error contains attacker controlled information in crypto/tls ALPN negotiation error contains attacker controlled information in crypto/tls FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of

CVE-2025-58185 [MEDIUM] Parsing DER payload can cause memory exhaustion in encoding/asn1 Parsing DER payload can cause memory exhaustion in encoding/asn1 FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries

CVE-2025-61723 [HIGH] Quadratic complexity when parsing some invalid inputs in encoding/pem Quadratic complexity when parsing some invalid inputs in encoding/pem FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source li

CVE-2025-61725 [HIGH] Excessive CPU consumption in ParseAddress in net/mail Excessive CPU consumption in ParseAddress in net/mail FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is

CVE-2025-58187 [HIGH] Quadratic complexity when checking name constraints in crypto/x509 Quadratic complexity when checking name constraints in crypto/x509 FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source librarie

CVE-2021-27918 [HIGH] CWE-835 encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode D encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode DecodeElement or Skip method. FAQ: Is Azure Linux the only Microsoft

CVE-2016-3959 [HIGH] CWE-20 The Verify function in crypto/dsa/dsa.go in Go before 1.5.4 and 1.6.x before 1.6.1 does not properly check parameters passed to the big integer library, which might allow remote attackers to cause a d The Verify function in crypto/dsa/dsa.go in Go before 1.5.4 and 1.6.x before 1.6.1 does not properly check parameters passed to the big integer library, which might allow remote attackers to cause a denial of service (infinite loop) via a crafted public key to a program