Go Language Package Creation Tool Updated for Security Fix

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

Go Language Package Creation Tool Updated for Security Fix

ALSA-2026:3668

Summary

A security update is available for a tool used to create Go language packages. This update fixes a bug that can cause a program to run out of memory when parsing certain web links. You should apply this update to ensure the security of your systems.

What to do

Update almalinux go-filesystem to version 3.6.0-13.el9_7.
Update almalinux go-rpm-macros to version 3.6.0-13.el9_7.
Update almalinux go-rpm-templates to version 3.6.0-13.el9_7.
Update almalinux go-srpm-macros to version 3.6.0-13.el9_7.

Affected software

Vendor	Product	Affected versions	Fix available
almalinux	go-filesystem	<= 3.6.0-13.el9_7	3.6.0-13.el9_7
almalinux	go-rpm-macros	<= 3.6.0-13.el9_7	3.6.0-13.el9_7
almalinux	go-rpm-templates	<= 3.6.0-13.el9_7	3.6.0-13.el9_7
almalinux	go-srpm-macros	<= 3.6.0-13.el9_7	3.6.0-13.el9_7

Original title

Important: go-rpm-macros security update

Original description

This package provides build-stage rpm automation to simplify the creation of Go language (golang) packages. It does not need to be included in the default build root: go-srpm-macros will pull it in for Go packages only.

Security Fix(es):

* golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

https://access.redhat.com/errata/RHSA-2026:3668 Vendor Advisory
https://access.redhat.com/security/cve/CVE-2025-61726 Third Party Advisory
https://bugzilla.redhat.com/2434432 Third Party Advisory
https://errata.almalinux.org/9/ALSA-2026-3668.html Vendor Advisory

Published: 3 Mar 2026 · Updated: 6 Mar 2026 · First seen: 6 Mar 2026