HCE2-SA-2026-0013 Important HCE 2.0 Security Fix(es): Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption. (CVE-2025-61729) Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains. (CVE-2025-58187) Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion. (CVE-2025-58185) When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped. (CVE-2025-58189) HCE 2.0 golang-1.17.3-1.r44.hce2.x86_64.rpm golang-devel-1.17.3-1.r44.hce2.noarch.rpm golang-help-1.17.3-1.r44.hce2.noarch.rpm golang-1.17.3-1.r44.hce2.aarch64.rpm