Source: golang-1.24
Version: 1.24.12-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for golang-1.24. Mostly filing for tracking, issue discussed with Tianon.

CVE-2025-68119[0]:
| Downloading and building modules with malicious version strings can
| cause local code execution. On systems with Mercurial (hg)
| installed, downloading modules from non-standard sources (e.g.,
| custom domains) can cause unexpected code execution due to how
| external VCS commands are constructed. This issue can also be
| triggered by providing a malicious version string to the toolchain.
| On systems with Git installed, downloading and building modules with
| malicious version strings can allow an attacker to write to
| arbitrary files on the filesystem. This can only be triggered by
| explicitly providing the malicious version strings to the toolchain
| and does not affect usage of @latest or bare module paths.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-68119
    https://www.cve.org/CVERecord?id=CVE-2025-68119
[1] https://github.com/golang/go/issues/77099
[2] https://github.com/golang/go/commit/73fe85f0ea1bf2cec8e9a89bf5645de06ecaa0a6

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

