Your message dated Mon, 02 Mar 2026 21:53:07 +0000
with message-id <[email protected]>
and subject line Bug#1122814: fixed in golang-github-lucas-clemente-quic-go 0.59.0-1
has caused the Debian Bug report #1122814,
regarding golang-github-lucas-clemente-quic-go: CVE-2025-64702
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1122814: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122814
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: golang-github-lucas-clemente-quic-go
Version: 0.55.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for
golang-github-lucas-clemente-quic-go.
CVE-2025-64702[0]:
| quic-go is an implementation of the QUIC protocol in Go. Versions
| 0.56.0 and below are vulnerable to excessive memory allocation
| through quic-go's HTTP/3 client and server implementations by
| sending a QPACK-encoded HEADERS frame that decodes into a large
| header field section (many unique header names and/or large values).
| The implementation builds an http.Header (used on the http.Request
| and http.Response, respectively), while only enforcing limits on the
| size of the (QPACK-compressed) HEADERS frame, but not on the decoded
| header, leading to memory exhaustion. This issue is fixed in version
| 0.57.0.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-64702
https://www.cve.org/CVERecord?id=CVE-2025-64702
[1] https://github.com/quic-go/quic-go/security/advisories/GHSA-g754-hx8w-x2g6
[2] https://github.com/quic-go/quic-go/commit/5b2d2129f8315da41e01eff0a847ab38a34e83a8
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: golang-github-lucas-clemente-quic-go
Source-Version: 0.59.0-1
Done: Dr. Tobias Quathamer <[email protected]>
We believe that the bug you reported is fixed in the latest version of
golang-github-lucas-clemente-quic-go, which is due to be installed in the
Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dr. Tobias Quathamer <[email protected]> (supplier of updated
golang-github-lucas-clemente-quic-go package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 02 Mar 2026 22:11:11 +0100
Source: golang-github-lucas-clemente-quic-go
Architecture: source
Version: 0.59.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Dr. Tobias Quathamer <[email protected]>
Closes: 1122814 1129117
Changes:
golang-github-lucas-clemente-quic-go (0.59.0-1) unstable; urgency=medium
.
* Team upload.
* New upstream version 0.59.0
- Refresh patch
- New patch: Disable testing of postquantum handshake.
The tests currently fail due to a wrong CurveID, specifying
a TLS identifier for a key exchange mechanism.
The postQuantum tests expect X25519MLKEM768, but the used
curve is X25519.
- New patch: Disable TestHandshakePacketBuffering for now
- Remove unneeded build dependencies
- Use versioned Build-Depends on golang-github-quic-go-qpack-dev
- Use actual package name of golang-github-marten-seemann-qpack-dev
- Fixes CVE-2025-64702 (Closes: #1122814)
Versions 0.56.0 and below are vulnerable to excessive memory
allocation through quic-go's HTTP/3 client and server
implementations by sending a QPACK-encoded HEADERS frame that
decodes into a large header field section (many unique header
names and/or large values). The implementation builds an
http.Header (used on the http.Request and http.Response,
respectively), while only enforcing limits on the size of the
(QPACK-compressed) HEADERS frame, but not on the decoded header,
leading to memory exhaustion.
This issue is fixed in version 0.57.0.
* Only use GOEXPERIMENT=synctest on Go 1.24 (Closes: #1129117)
* Remove Priority: optional from d/control
* Remove Rules-Requires-Root from d/control
* Update Standards-Version to 4.7.3
Checksums-Sha1:
cd12726b6603c3c6e59c8ca288e03bcd44bba688 2754 golang-github-lucas-clemente-quic-go_0.59.0-1.dsc
c721d95aeee0742fcde67d6bd5a80f8a754d2cc3 719476 golang-github-lucas-clemente-quic-go_0.59.0.orig.tar.gz
370e071277df0e6a9a3e9a74689d0ed2f182e83f 6992 golang-github-lucas-clemente-quic-go_0.59.0-1.debian.tar.xz
395e62ca12af07e1c0b95abd2d5464bdfec44e38 11840 golang-github-lucas-clemente-quic-go_0.59.0-1_amd64.buildinfo
Checksums-Sha256:
0888b6553491725de1511f0d8ca59b352693097186ef498ab31faf4c44117065 2754 golang-github-lucas-clemente-quic-go_0.59.0-1.dsc
4718236fab95f7dd6544ba411e68a66fc97fc2a12aad3da7c342e6e789343026 719476 golang-github-lucas-clemente-quic-go_0.59.0.orig.tar.gz
4bd7fb85f771cf39369899f859c55feec80076ae7751bd1d874a6e123879263b 6992 golang-github-lucas-clemente-quic-go_0.59.0-1.debian.tar.xz
eb1a9fbdbe4166929f63b02256c28bc08c4182fdd37e6f873f1a05bfc7fbf08f 11840 golang-github-lucas-clemente-quic-go_0.59.0-1_amd64.buildinfo
Files:
68ffaea94f3069367b269c1144ddc951 2754 golang optional golang-github-lucas-clemente-quic-go_0.59.0-1.dsc
cacb1f32fb716a871730f54a77d5523a 719476 golang optional golang-github-lucas-clemente-quic-go_0.59.0.orig.tar.gz
61f3d621ab17d7dc5867ae2062498297 6992 golang optional golang-github-lucas-clemente-quic-go_0.59.0-1.debian.tar.xz
7438efdce3736d3499d758bfbc301a1f 11840 golang optional golang-github-lucas-clemente-quic-go_0.59.0-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
=58uB
-----END PGP SIGNATURE-----
--- End Message ---
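The CVE text, quoted in Salvatore's report and again in the changelog above, describes a limit applied to the wrong quantity: the QPACK-compressed HEADERS frame is bounded, but the http.Header built from the decoded field section is not. The following Go program is an added illustration written for this page; it is not quic-go's code and makes no claim about how the upstream fix in 0.57.0 is implemented. It uses a toy decoder (assumption: one byte per indexed field, standing in for QPACK's indexed field lines) so that the compressed-to-decoded asymmetry is visible, and it applies the RFC 9114 section 4.2.2 accounting rule (name bytes + value bytes + 32 per field) to bound the decoded section during decoding rather than after. The table entry, the frame and the size limits are constructed inputs.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// HeaderField is one decoded field line. Constructed for this example; it is
// not the qpack package's type.
type HeaderField struct {
	Name  string
	Value string
}

var (
	ErrFrameTooLarge        = errors.New("HEADERS frame exceeds max frame size")
	ErrFieldSectionTooLarge = errors.New("decoded field section exceeds max field section size")
)

// fieldSize applies the RFC 9114 section 4.2.2 accounting rule for a field
// section: bytes of name plus bytes of value plus 32 bytes overhead per field.
func fieldSize(f HeaderField) uint64 {
	return uint64(len(f.Name)) + uint64(len(f.Value)) + 32
}

// decodeIndexed is a toy stand-in for a QPACK decoder (assumption: real QPACK
// is far richer). Each frame byte is an index into table, so an n-byte frame
// decodes to n fields regardless of how large the referenced entries are. That
// is the asymmetry the advisory describes. emit is called once per field and
// returning an error from it stops decoding.
func decodeIndexed(frame []byte, table []HeaderField, emit func(HeaderField) error) error {
	for i, b := range frame {
		if int(b) >= len(table) {
			return fmt.Errorf("byte %d: index %d out of table range", i, b)
		}
		if err := emit(table[int(b)]); err != nil {
			return err
		}
	}
	return nil
}

// buildHeaderUnbounded models the behaviour the advisory describes for
// quic-go <= 0.56.0: only the compressed frame length is checked, and every
// decoded field is added to the http.Header.
func buildHeaderUnbounded(frame []byte, table []HeaderField, maxFrameSize int) (http.Header, error) {
	if len(frame) > maxFrameSize {
		return nil, ErrFrameTooLarge
	}
	h := make(http.Header)
	err := decodeIndexed(frame, table, func(f HeaderField) error {
		h.Add(f.Name, f.Value)
		return nil
	})
	if err != nil {
		return nil, err
	}
	return h, nil
}

// buildHeaderBounded keeps the frame-size check and adds a running total over
// the decoded fields, aborting as soon as the total passes
// maxFieldSectionSize, before the rest of the frame is decoded or stored.
// Assumption: this is one reasonable shape of fix, not the upstream code.
func buildHeaderBounded(frame []byte, table []HeaderField, maxFrameSize int, maxFieldSectionSize uint64) (http.Header, error) {
	if len(frame) > maxFrameSize {
		return nil, ErrFrameTooLarge
	}
	h := make(http.Header)
	var used uint64
	err := decodeIndexed(frame, table, func(f HeaderField) error {
		used += fieldSize(f)
		if used > maxFieldSectionSize {
			return ErrFieldSectionTooLarge
		}
		h.Add(f.Name, f.Value)
		return nil
	})
	if err != nil {
		return nil, err
	}
	return h, nil
}

// decodedSize sums the accounting size of every field in an http.Header.
func decodedSize(h http.Header) uint64 {
	var n uint64
	for name, vals := range h {
		for _, v := range vals {
			n += fieldSize(HeaderField{Name: name, Value: v})
		}
	}
	return n
}

// attackTable and attackFrame are constructed inputs: one dynamic-table-style
// entry carrying a 64 KiB value, referenced by every byte of a 4 KiB frame.
func attackTable() []HeaderField {
	return []HeaderField{{Name: "x-padding", Value: strings.Repeat("A", 64*1024)}}
}

func attackFrame() []byte { return make([]byte, 4096) } // every byte is index 0

func main() {
	table, frame := attackTable(), attackFrame()
	h, err := buildHeaderUnbounded(frame, table, 16*1024)
	fmt.Printf("unbounded: %d frame bytes -> %d decoded bytes, err=%v\n", len(frame), decodedSize(h), err)
	_, err = buildHeaderBounded(frame, table, 16*1024, 1<<20)
	fmt.Printf("bounded:   err=%v\n", err)
}
```

The 4 KiB frame passes a 16 KiB frame-size check in both versions; only the bounded builder notices that the decoded section is heading past 1 MiB and stops after the first sixteen fields instead of materialising all 4096. The same shape of check is what a reviewer would look for when auditing any HPACK or QPACK consumer: the limit has to be charged against the decoded name and value lengths as they are emitted, not against the bytes on the wire.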