Your message dated Mon, 28 Apr 2025 10:05:38 +0000
with message-id <e1u9lmo-002ztw...@fasolo.debian.org>
and subject line Bug#1103584: fixed in golang-github-gorilla-csrf 1.7.2+ds1-2
has caused the Debian Bug report #1103584,
regarding golang-github-gorilla-csrf: CVE-2025-24358
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1103584: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103584
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: golang-github-gorilla-csrf
Version: 1.7.2+ds1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for golang-github-gorilla-csrf.
CVE-2025-24358[0]:
| gorilla/csrf provides Cross Site Request Forgery (CSRF) prevention
| middleware for Go web applications & services. Prior to 1.7.2,
| gorilla/csrf does not validate the Origin header against an
| allowlist. It executes its validation of the Referer header for
| cross-origin requests only when it believes the request is being
| served over TLS. It determines this by inspecting the r.URL.Scheme
| value. However, this value is never populated for "server" requests
| per the Go spec, and so this check does not run in practice. This
| vulnerability allows an attacker who has gained XSS on a subdomain
| or top level domain to perform authenticated form submissions
| against gorilla/csrf protected targets that share the same top level
| domain. This vulnerability is fixed in 1.7.2.
While the description and the GHSA mention 1.7.2 as being fixed I
think this is not correct, given the commit[2]? If you disagree, might
you double check and maybe with upstream?
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-24358
https://www.cve.org/CVERecord?id=CVE-2025-24358
[1] https://github.com/gorilla/csrf/security/advisories/GHSA-rq77-p4h8-4crw
[2] https://github.com/gorilla/csrf/commit/9dd6af1f6d30fc79fb0d972394deebdabad6b5eb
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
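The advisory quoted above turns on one Go detail: for inbound server requests, net/http leaves r.URL.Scheme empty (the request line carries only the path), while a TLS listener records the handshake in r.TLS. The following is an added illustration written for this page, not code from gorilla/csrf, the Debian package, or the upstream commit linked above. It models the pre-fix logic (Referer comparison gated on r.URL.Scheme, no Origin validation) beside a hardened variant that derives "over TLS" from r.TLS and checks the Origin header against an explicit allowlist. The function names (LegacyCheck, HardenedCheck, newServerRequest), the sample hosts, and the dummy tls.ConnectionState are all constructed for the example; token validation, the other layer of a CSRF middleware, is out of scope here.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// ErrCrossOrigin is returned when a state-changing request fails the
// origin/referer layer of the check.
var ErrCrossOrigin = errors.New("cross-origin state-changing request rejected")

// newServerRequest builds a request the way an inbound request looks to a Go
// server: origin-form request-target ("/path"), so r.URL.Scheme stays empty,
// and TLS is reflected in r.TLS (a constructed dummy ConnectionState here).
func newServerRequest(method, host, path string, overTLS bool, hdr map[string]string) *http.Request {
	r := httptest.NewRequest(method, path, nil)
	r.Host = host
	if overTLS {
		r.TLS = &tls.ConnectionState{HandshakeComplete: true, ServerName: host}
	}
	for k, v := range hdr {
		r.Header.Set(k, v)
	}
	return r
}

func isSafeMethod(r *http.Request) bool {
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions, http.MethodTrace:
		return true
	}
	return false
}

// originOf reduces a URL to its origin (scheme://host[:port]), lower-cased.
func originOf(u *url.URL) string {
	return strings.ToLower(u.Scheme + "://" + u.Host)
}

// allowed accepts the request's own origin or any entry of the allowlist.
func allowed(origin, self string, trusted []string) bool {
	if strings.EqualFold(origin, self) {
		return true
	}
	for _, t := range trusted {
		if strings.EqualFold(origin, t) {
			return true
		}
	}
	return false
}

// LegacyCheck models the pre-fix behaviour the advisory describes: Origin is
// not validated, and the Referer comparison only runs when r.URL.Scheme is
// "https", which is never the case for inbound server requests.
func LegacyCheck(r *http.Request) error {
	if isSafeMethod(r) {
		return nil
	}
	if r.URL.Scheme == "https" { // dead branch on a server: Scheme is ""
		ref, err := url.Parse(r.Referer())
		if err != nil || !allowed(originOf(ref), "https://"+r.Host, nil) {
			return ErrCrossOrigin
		}
	}
	return nil
}

// HardenedCheck validates Origin against the request's own origin plus an
// explicit allowlist, derives "over TLS" from r.TLS, and only then falls
// back to the Referer header.
func HardenedCheck(r *http.Request, trusted []string) error {
	if isSafeMethod(r) {
		return nil
	}
	scheme := "http"
	if r.TLS != nil {
		scheme = "https"
	}
	self := strings.ToLower(scheme + "://" + r.Host)

	if o := r.Header.Get("Origin"); o != "" {
		if !allowed(o, self, trusted) {
			return fmt.Errorf("%w: Origin %q not allowlisted", ErrCrossOrigin, o)
		}
		return nil
	}
	if r.TLS != nil {
		// Browsers drop Referer on an https->http downgrade, so only over TLS
		// is a missing or foreign Referer evidence of a cross-origin request.
		ref, err := url.Parse(r.Referer())
		if err != nil || ref.Host == "" {
			return fmt.Errorf("%w: missing Referer over TLS", ErrCrossOrigin)
		}
		if !allowed(originOf(ref), self, trusted) {
			return fmt.Errorf("%w: Referer %q not allowlisted", ErrCrossOrigin, originOf(ref))
		}
	}
	return nil
}

func main() {
	// Constructed sample: a form POST to app.example.com over TLS carrying a
	// Referer from a sibling subdomain and no Origin header.
	r := newServerRequest(http.MethodPost, "app.example.com", "/transfer", true,
		map[string]string{"Referer": "https://other.example.com/page"})
	fmt.Printf("r.URL.Scheme=%q, r.TLS!=nil=%v\n", r.URL.Scheme, r.TLS != nil)
	fmt.Println("legacy:  ", LegacyCheck(r))
	fmt.Println("hardened:", HardenedCheck(r, nil))
}
```

Running main shows the empty r.URL.Scheme next to a non-nil r.TLS: LegacyCheck accepts the sibling-subdomain POST because its Referer branch never executes, while HardenedCheck rejects it. The same hardened function still passes a request whose Origin equals the server's own origin or appears in the allowlist.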
--- Begin Message ---
Source: golang-github-gorilla-csrf
Source-Version: 1.7.2+ds1-2
Done: Andrej Shadura <andre...@debian.org>
We believe that the bug you reported is fixed in the latest version of
golang-github-gorilla-csrf, which is due to be installed in the Debian FTP
archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1103...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andrej Shadura <andre...@debian.org> (supplier of updated
golang-github-gorilla-csrf package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 28 Apr 2025 11:48:38 +0200
Source: golang-github-gorilla-csrf
Architecture: source
Version: 1.7.2+ds1-2
Distribution: unstable
Urgency: high
Maintainer: Debian Go Packaging Team <team+pkg...@tracker.debian.org>
Changed-By: Andrej Shadura <andre...@debian.org>
Closes: 1103584
Changes:
golang-github-gorilla-csrf (1.7.2+ds1-2) unstable; urgency=high
.
* Team upload.
* SECURITY UPDATE:
- CVE-2025-24358 / GHSA-rq77-p4h8-4crw:
Fix CSRF via form submission from origins that share a top level
domain with the target origin (Closes: #1103584).
Checksums-Sha1:
3d2dc6c23214656237ebf265eac7c5d906265456 1834 golang-github-gorilla-csrf_1.7.2+ds1-2.dsc
0cb81ad76a15745f6b4e5bb721e2db7febaa6eec 8896 golang-github-gorilla-csrf_1.7.2+ds1-2.debian.tar.xz
Checksums-Sha256:
345727ccd8f84b0bfd573740676fae752a2f0e84d8b0f5a958c0630db949f973 1834 golang-github-gorilla-csrf_1.7.2+ds1-2.dsc
fdeef1dc8b42d47cc7854b9f887c78529a1ab5240564f549e9b793259ac2ee4f 8896 golang-github-gorilla-csrf_1.7.2+ds1-2.debian.tar.xz
Files:
566b2e3595049115930557ec84633b22 1834 golang optional golang-github-gorilla-csrf_1.7.2+ds1-2.dsc
9df28b9c66067d76873cac0933b6d7fd 8896 golang optional golang-github-gorilla-csrf_1.7.2+ds1-2.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQSD3NF/RLIsyDZW7aHoRGtKyMdyYQUCaA9PdQAKCRDoRGtKyMdy
YV4xAQDmGps7uyr2ldaJvQ8rZLtQlKbGAL7wEvjZGAKPc2uaNwEA/J4s2YwKd0TN
ES7Y2Sf0BMJd5X3N1z0IKTYL8RR3oQ8=
=9Kt/
-----END PGP SIGNATURE-----
--- End Message ---