Your message dated Mon, 16 Mar 2026 20:25:57 +0100
with message-id <[email protected]>
and subject line Re: Accepted golang-golang-x-net 1:0.47.0-1 (source) into
unstable
has caused the Debian Bug report #1127321,
regarding golang-golang-x-net: CVE-2025-47911
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1127321: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127321
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: golang-golang-x-net
Version: 1:0.27.0-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/golang/go/issues/75682
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for golang-golang-x-net.
CVE-2025-47911[0]:
| The html.Parse function in golang.org/x/net/html has quadratic
| parsing complexity when processing certain inputs, which can lead to
| denial of service (DoS) if an attacker provides specially crafted
| HTML content.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-47911
https://www.cve.org/CVERecord?id=CVE-2025-47911
[1] https://github.com/golang/go/issues/75682
[2] https://github.com/golang/net/commit/59706cdaa8f95502fdec64b67b4c61d6ca58727d
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: linux
Source-Version: 1:0.47.0-1
On Mon, Mar 16, 2026 at 02:34:17PM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Format: 1.8
> Date: Tue, 10 Mar 2026 17:15:36 +0100
> Source: golang-golang-x-net
> Architecture: source
> Version: 1:0.47.0-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian Go Packaging Team <[email protected]>
> Changed-By: Andrew Lee (李健秋) <[email protected]>
> Closes: 1089192 1091168
> Changes:
> golang-golang-x-net (1:0.47.0-1) unstable; urgency=medium
> .
> [ Maytham Alsudany ]
> * Team upload.
> * New upstream version 0.33.0
> * Contains fix for CVE-2024-45338 (Closes: #1091168)
> * Skip publicsuffix tests TestPublicSuffix, TestSlowPublicSuffix, and
> TestNumICANNRules
> .
> [ Ananthu C V ]
> * Skip more publicsuffix tests (Closes: #1089192)
> .
> [ Andrew Lee (李健秋) ]
> * Team Upload.
> * New upstream version 0.47.0.
> - contains fix for CVE-2025-58190 from version 0.45.0.
> - contains fix for CVE-2025-47911 from version 0.45.0.
> * debian/control: Drop Rules-Requires-Root: no (now the default).
> * debian/control: build-deps and depends on
> golang-golang-x-text-dev (>= 0.31.0).
> * debian/control: build-deps and depends on
> golang-golang-x-term-dev (>= 0.37.0).
> * debian/control: build-deps and depends on
> golang-golang-x-sys-dev (>= 0.38.0).
> * debian/control: build-deps and depends on
> golang-golang-x-crypto-dev (>= 0.44.0).
> * debian/control: build-deps on golang-any (>= 2:1.24~) according
> to go.mod.
> * Drop patches that skip tests. Skip in debian/rules instead.
> * Drop previous patches that are already included in new upstream release.
> * debian/rules: skip tests that require network connections.
> Checksums-Sha1:
> 29b0028d540635ada3b0d9e6616f12443253525d 2444
> golang-golang-x-net_0.47.0-1.dsc
> 6faa47e5d69cc56510f4c828df5d8014507b2d09 1527013
> golang-golang-x-net_0.47.0.orig.tar.gz
> 5ecf48b1b2a48ee1d0fec976a5513b0cdb63e8e5 16204
> golang-golang-x-net_0.47.0-1.debian.tar.xz
> 325e7df2bc358000945b57667ec6944cc47bc475 6091
> golang-golang-x-net_0.47.0-1_source.buildinfo
> Checksums-Sha256:
> 4270c4f0f0a21dfd649f98e6580d412edf0c1b59bed8c52e8710a15bf567a35d 2444
> golang-golang-x-net_0.47.0-1.dsc
> af6568c7d615fb0f637c80fe9fe3edc204c75b4760d3c355511258f0152696cb 1527013
> golang-golang-x-net_0.47.0.orig.tar.gz
> 7a5bc7dc260f8d0f91e55bbfaf595ae0a5390ce2cb3154d9c5351b5ab8edbb6b 16204
> golang-golang-x-net_0.47.0-1.debian.tar.xz
> 5e80345c4157482c4504115a901b2fa8cbd3434ad7dcfc59a6efd6b8b98c2dbe 6091
> golang-golang-x-net_0.47.0-1_source.buildinfo
> Files:
> 9c4eb513130c5e8ab692584c3273cc25 2444 golang optional
> golang-golang-x-net_0.47.0-1.dsc
> b4649338bba0c19db47530bcf973854b 1527013 golang optional
> golang-golang-x-net_0.47.0.orig.tar.gz
> af8fc4bc5ad33a0aa333c9b65495c280 16204 golang optional
> golang-golang-x-net_0.47.0-1.debian.tar.xz
> ba6bdca248aa4901d0becef4f2c3a2be 6091 golang optional
> golang-golang-x-net_0.47.0-1_source.buildinfo
>
> -----BEGIN PGP SIGNATURE-----
>
> -----END PGP SIGNATURE-----
--- End Message ---