Security Alert: Go 1.24 with OpenSSL Patch Released

This security update for Go 1.24 addresses three distinct vulnerabilities, including a critical code smuggling flaw and a high-severity authentication bypass. The patch is specifically for builds of Go that are linked against OpenSSL, a common practice in enterprise environments like Red Hat Enterprise Linux to meet FIPS compliance for cryptographic modules. One of the most severe issues fixed is CVE-2025-61732, a flaw in how the cgo tool parses comments. This discrepancy between Go and C/C++ comment parsing could allow an attacker to smuggle malicious code into a compiled binary, leading to arbitrary code execution. This type of vulnerability represents a significant supply chain risk, as code that appears benign during a review could contain hidden executable payloads. Another patched vulnerability, CVE-2025-68119, involves the Go toolchain's handling of version control systems like Git and Mercurial. By crafting malicious version strings for a Go module, an attacker could achieve local code execution or write to arbitrary files on a developer's machine during the module download and build process. The update also resolves CVE-2025-68121, a vulnerability in the crypto/tls package. This flaw could allow an authentication bypass during TLS session resumption if certificate authority configurations were changed between the initial connection and the resumption, potentially allowing a client to reconnect without satisfying updated, stricter security policies.