Your message dated Sat, 06 Dec 2025 23:19:47 +0000
with message-id <[email protected]>
and subject line Bug#1121091: fixed in golang-go.crypto 1:0.45.0-1
has caused the Debian Bug report #1121091,
regarding golang-go.crypto: CVE-2025-47914
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1121091: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121091
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: golang-go.crypto
Version: 1:0.43.0-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/golang/go/issues/76364
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for golang-go.crypto.
CVE-2025-47914[0]:
| SSH Agent servers do not validate the size of messages when
| processing new identity requests, which may cause the program to
| panic if the message is malformed due to an out of bounds read.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-47914
https://www.cve.org/CVERecord?id=CVE-2025-47914
[1] https://github.com/golang/go/issues/76364
[2]
https://github.com/golang/crypto/commit/f91f7a7c31bf90b39c1de895ad116a2bacc88748
[3] https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA?pli=1
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: golang-go.crypto
Source-Version: 1:0.45.0-1
Done: Simon Josefsson <[email protected]>
We believe that the bug you reported is fixed in the latest version of
golang-go.crypto, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon Josefsson <[email protected]> (supplier of updated golang-go.crypto
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 06 Dec 2025 22:45:30 +0100
Source: golang-go.crypto
Architecture: source
Version: 1:0.45.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Simon Josefsson <[email protected]>
Closes: 1121091 1121092
Changes:
golang-go.crypto (1:0.45.0-1) unstable; urgency=medium
.
* Team upload.
* Drop s390x SHA3 workaround
* New upstream version 0.45.0
- Fix SSH Agent CVE-2025-47914 (Closes: #1121091)
- Fix SSH GSSAPI CVE-2025-58181 (Closes: #1121092)
Checksums-Sha1:
d127c5c578f13b814243a2d49c14602ffbe0cc36 2645 golang-go.crypto_0.45.0-1.dsc
8c661e8d32412105c66962c741f356a2c8ff20bb 1848960
golang-go.crypto_0.45.0.orig.tar.xz
f47c647afebe0ebfeb1a5f01c0580862fb9fad98 93924
golang-go.crypto_0.45.0-1.debian.tar.xz
8ca50c1d12aecc93bf00f87f7bde324d68078c13 3275096
golang-go.crypto_0.45.0-1.git.tar.xz
d9b2a0975157ea144a8cb06fd6cc31b62734fffe 18260
golang-go.crypto_0.45.0-1_source.buildinfo
Checksums-Sha256:
52daef5d9da070c0100e0976f11806b42d57ce7343e3320df0957ecf323fcce0 2645
golang-go.crypto_0.45.0-1.dsc
ac00edb2a325a4639b2a7d60ccc7cd58b6c31245f4632c8fdb0bf884a9faca38 1848960
golang-go.crypto_0.45.0.orig.tar.xz
cfeba09c82e47b9bfbfc724a91885905e3242cec3b7072800feaab0417224594 93924
golang-go.crypto_0.45.0-1.debian.tar.xz
8d8b51d9a95b6536760cc01d544eb4b0520537f716de3b3bc63f858a86bf9eef 3275096
golang-go.crypto_0.45.0-1.git.tar.xz
d583fe5572476e6f0f87ca8f3eef7d421771957a7fb96fa9c13d45c39c24b5e2 18260
golang-go.crypto_0.45.0-1_source.buildinfo
Files:
5a0780ec36584daf93d2c022cc9f29ce 2645 golang optional
golang-go.crypto_0.45.0-1.dsc
0b09e0d2b09a44279c51c2d19fa0854d 1848960 golang optional
golang-go.crypto_0.45.0.orig.tar.xz
3656100ce555b90730ea407d38b68972 93924 golang optional
golang-go.crypto_0.45.0-1.debian.tar.xz
46abbd03534ab381941680a04171c885 3275096 golang optional
golang-go.crypto_0.45.0-1.git.tar.xz
ef774273c43b654e24f6a1cf28a0c9b9 18260 golang optional
golang-go.crypto_0.45.0-1_source.buildinfo
Git-Tag-Info: tag=6a6f4f5d79c2123b760f04cc0bae1cbef2d24fd5
fp=a3cc9c870b9d310abad4cf2f51722b08fe4745a2
Git-Tag-Tagger: Simon Josefsson <[email protected]>
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEN02M5NuW6cvUwJcqYG0ITkaDwHkFAmk0tvkACgkQYG0ITkaD
wHkutRAA3k8mre2IgKjClm2Q/Hg7L85vLxHGLi8brgGg1RInQZgGnNGBcUu1jmIO
N4N5LKggqvk67V99j8ribfdTgY6hvfLhI9I4n9bdjxCWkyEd2bYYzuGrIVjnW7ee
HuFd7gRLhevx2W3pra8l0dk+5ET+PRB3hq2qYpXy05sDRkATIc8WgoPKQ/jAyPJz
wEr0dzOvQw6zIKDgGpcAKxUZaFbTtWArhJXBDgn8gefOUWWLZt/vh7J63G+UWCJ9
Bj1k8nM2mXL5E/T4RVcjfnv6KMan68TysSzb0b7zHNDd3E7TaYq+TvKZSEewqpJK
lND58udabaqEfZu1ugXOIDsT18GzqiMjHviE1+u6SM6ZJYNLs8Qv0RwWu48a9z4v
m9v09Sbg3PTWF7g/gHt6RbwjZPhZpd8ISqxWJAYfpmnnCehrY9TAoxRz56Kqa9k2
46wLM16HETIdJ1TIZ/m9MEr46+vOR/hEMb/CA8a3l7WEWFUQm+JfJJQO45SAyiiq
VxIuu5i5pOpDoKFNMaHvQYB9sQRMO1HV2zBBL+Qv8zIByZTIkx47fwbtXJjpDjg0
Myodv5uRkQa0cXA7VeEz+bX81jHnIBt5igaCSYc3X2JsGpPyCSWSCkfMed9g+eXU
h6IJ8QCU/eWdklRoLFu/+TsZ/yyDihaFkplATozOSlqVykzwCuA=
=DjRk
-----END PGP SIGNATURE-----
pgpJ9IpYiQQYy.pgp
Description: PGP signature
--- End Message ---
