Source: golang-1.25
Version: 1.25.3-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: clone -1 -2
Control: reassign -2 src:golang-1.24 1.24.9-1
Control: retitle -2 golang-1.24: CVE-2025-61727 CVE-2025-61729

Hi,

The following vulnerabilities were published for golang-1.25.

CVE-2025-61727[0]:
| crypto/x509: excluded subdomain constraint doesn't preclude wildcard SAN

CVE-2025-61729[1]:
| Within HostnameError.Error(), when constructing an error string,
| there is no limit to the number of hosts that will be printed out.
| Furthermore, the error string is constructed by repeated string
| concatenation, leading to quadratic runtime. Therefore, a
| certificate provided by a malicious actor can result in excessive
| resource consumption.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-61727
    https://www.cve.org/CVERecord?id=CVE-2025-61727
[1] https://security-tracker.debian.org/tracker/CVE-2025-61729
    https://www.cve.org/CVERecord?id=CVE-2025-61729
[2] https://groups.google.com/g/golang-announce/c/8FJoBkPddm4

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
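An added toolchain check, not part of this report and not Go's own test code, that a maintainer can run to see whether a given Go build still shows the CVE-2025-61727 behaviour. It assumes the scenario the title describes: a root whose name constraints exclude the subdomain foo.example.com, a leaf carrying the wildcard SAN *.example.com, and verification of that leaf for the excluded name; all certificates are constructed in memory and the domain names are placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// WildcardBypassesExclusion builds, in memory, a root excluding foo.example.com and a leaf with
// SAN *.example.com, then verifies the leaf for foo.example.com. Unpatched crypto/x509 never
// label-matches "*" against "foo", skips the exclusion and accepts the chain: true = affected.
func WildcardBypassesExclusion() (bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // one key for both certs is fine here
	if err != nil {
		return false, err
	}
	mk := func(tmpl, parent *x509.Certificate) (*x509.Certificate, error) {
		der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
		if err != nil {
			return nil, err
		}
		return x509.ParseCertificate(der)
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constrained test root"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		ExcludedDNSDomains: []string{"foo.example.com"}, // the excluded subdomain (placeholder)
	}
	ca, err := mk(caTmpl, caTmpl) // self-signed
	if err != nil {
		return false, err
	}
	leaf, err := mk(&x509.Certificate{
		SerialNumber: big.NewInt(2), DNSNames: []string{"*.example.com"}, // wildcard SAN
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}, ca)
	if err != nil {
		return false, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "foo.example.com"})
	return err == nil, nil // a patched crypto/x509 returns a constraint error here
}
func main() { fmt.Println(WildcardBypassesExclusion()) }
```

Run it with the Go toolchain under test; a printed `true` means that build still accepts the chain and needs the fix, `false` means the exclusion is enforced against the wildcard.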

