Bug#1108517: unblock: golang-1.24/1.24.4-1 (pre-approval)

Mon, 30 Jun 2025 04:15:58 -0700 

Package: release.debian.org
Severity: normal
Tags: trixie security
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:golang-1.24
User: [email protected]
Usertags: unblock

Please pre-approve unblocking of package golang-1.24/1.24.4-1

[ Reason ]
The upstream stable branch got a few fixes since the last upload
and this update pulls them into the debian package. These include some
crucial CVE fixes. From the changelog:

* New upstream version 1.24.1
    + CVE-2025-4673: net/http: sensitive headers not cleared on
cross-origin redirect (Closes: #1107364)
    + CVE-2025-0913: os: inconsistent handling of O_CREATE|O_EXCL on Unix
and Windows
    + CVE 2025-22874: crypto/x509: usage of ExtKeyUsageAny disables policy
validation (Closes: #1107364)
    + CVE-2025-22873: os: Root permits access to parent directory (Closes:
#1104816)

I also wanted to point out that the 1.24.1 in the changelog is a typo, it
should be 1.24.4. Apologies for that.

See
https://github.com/golang/go/issues?q=milestone%3AGo1.24.3+label%3ACherryPickApproved
See
https://github.com/golang/go/issues?q=milestone%3AGo1.24.4+label%3ACherryPickApproved

[ Impact ]
If the unblock isn't granted, packages built with 1.24.2 will be vulnerable
to CVEs:
+ CVE-2025-4673: net/http: sensitive headers not cleared on cross-origin
redirect (Closes: #1107364)
+ CVE-2025-0913: os: inconsistent handling of O_CREATE|O_EXCL on Unix and
Windows
+ CVE 2025-22874: crypto/x509: usage of ExtKeyUsageAny disables policy
validation (Closes: #1107364)
+ CVE-2025-22873: os: Root permits access to parent directory (Closes:
#1104816)

I think including these fixes in trixie is important.

[ Tests ]
The fixes and feature additions all have associated tests also updated
including arch-specific tests.
Overall tests represent a major part of the debdiff.

[ Risks ]
I believe the risks are quite low, as these are micro releases which
consist majorly of CVE fixes.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock golang-1.24/1.24.4-1

Attachment: golang-1.24.debdiff
Description: Binary data

Reply via email to