Your message dated Fri, 04 Jul 2025 07:30:33 +0000
with message-id <[email protected]>
and subject line unblock golang-1.24
has caused the Debian Bug report #1108517,
regarding unblock: golang-1.24/1.24.4-1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1108517: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108517
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie security
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:golang-1.24
User: [email protected]
Usertags: unblock
Please pre-approve unblocking of package golang-1.24/1.24.4-1
[ Reason ]
The upstream stable branch got a few fixes since the last upload
and this update pulls them into the debian package. These include some
crucial CVE fixes. From the changelog:
* New upstream version 1.24.1
  + CVE-2025-4673: net/http: sensitive headers not cleared on cross-origin redirect (Closes: #1107364)
  + CVE-2025-0913: os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows
  + CVE-2025-22874: crypto/x509: usage of ExtKeyUsageAny disables policy validation (Closes: #1107364)
  + CVE-2025-22873: os: Root permits access to parent directory (Closes: #1104816)
I also wanted to point out that the 1.24.1 in the changelog is a typo, it
should be 1.24.4. Apologies for that.
See https://github.com/golang/go/issues?q=milestone%3AGo1.24.3+label%3ACherryPickApproved
See https://github.com/golang/go/issues?q=milestone%3AGo1.24.4+label%3ACherryPickApproved
[ Impact ]
If the unblock isn't granted, packages built with 1.24.2 will be vulnerable
to CVEs:
  + CVE-2025-4673: net/http: sensitive headers not cleared on cross-origin redirect (Closes: #1107364)
  + CVE-2025-0913: os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows
  + CVE-2025-22874: crypto/x509: usage of ExtKeyUsageAny disables policy validation (Closes: #1107364)
  + CVE-2025-22873: os: Root permits access to parent directory (Closes: #1104816)
I think including these fixes in trixie is important.
[ Tests ]
The fixes and feature additions all have associated tests also updated
including arch-specific tests.
Overall tests represent a major part of the debdiff.
[ Risks ]
I believe the risks are quite low, as these are micro releases which
consist majorly of CVE fixes.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock golang-1.24/1.24.4-1
golang-1.24.debdiff
Description: Binary data
--- End Message ---
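An added example, not part of the unblock request above and not code from the Go project, for checking the behaviour that the CVE-2025-4673 entry refers to: whether a Go toolchain's net/http client drops sensitive request headers when it follows a redirect to a different origin. Two httptest servers stand in for two origins; the hostnames origin.example and target.example, the header values and the X-Request-Tag header are all constructed for the test, and a custom dialer maps the hostnames onto the loopback listeners so nothing touches DNS. Authorization has been stripped on cross-origin redirects for many Go releases; Proxy-Authorization is the header the 1.24.4 fix adds to that list, so on an unpatched toolchain it still arrives at the target.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"sync"
)

// Constructed hostnames for the two origins. They never reach DNS because the
// dialer below maps them onto the loopback test listeners.
const (
	originHost = "origin.example"
	targetHost = "target.example"
)

// Headers set on the initial request. Authorization and Proxy-Authorization
// are sensitive and must not cross origins; X-Request-Tag is a harmless
// constructed header that a client is expected to keep across the redirect.
var probeHeaders = map[string]string{
	"Authorization":       "Bearer constructed-token",
	"Proxy-Authorization": "Basic constructed-proxy-credential",
	"X-Request-Tag":       "keep-me",
}

// HeadersAfterCrossOriginRedirect sends probeHeaders to origin.example, which
// answers 302 to target.example, and returns each probe header's value as it
// arrived at the target. An empty value means the client dropped the header.
func HeadersAfterCrossOriginRedirect() (map[string]string, error) {
	received := make(map[string]string)
	var mu sync.Mutex

	target := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		mu.Lock()
		defer mu.Unlock()
		for name := range probeHeaders {
			received[name] = r.Header.Get(name)
		}
		w.WriteHeader(http.StatusNoContent)
	}))
	defer target.Close()

	origin := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Absolute Location to a different host: a cross-origin redirect.
		http.Redirect(w, r, "http://"+targetHost+"/landing", http.StatusFound)
	}))
	defer origin.Close()

	// Route the constructed hostnames to the real listeners without DNS.
	backends := map[string]string{
		originHost: origin.Listener.Addr().String(),
		targetHost: target.Listener.Addr().String(),
	}
	transport := &http.Transport{
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			host, _, err := net.SplitHostPort(addr)
			if err != nil {
				return nil, err
			}
			backend, ok := backends[host]
			if !ok {
				return nil, fmt.Errorf("unexpected dial to %q", addr)
			}
			return (&net.Dialer{}).DialContext(ctx, network, backend)
		},
	}
	client := &http.Client{Transport: transport}

	req, err := http.NewRequest(http.MethodGet, "http://"+originHost+"/start", nil)
	if err != nil {
		return nil, err
	}
	for name, value := range probeHeaders {
		req.Header.Set(name, value)
	}
	resp, err := client.Do(req) // follows the 302 to target.example
	if err != nil {
		return nil, err
	}
	resp.Body.Close()

	mu.Lock()
	defer mu.Unlock()
	out := make(map[string]string, len(received))
	for name, value := range received {
		out[name] = value
	}
	return out, nil
}

func main() {
	got, err := HeadersAfterCrossOriginRedirect()
	if err != nil {
		panic(err)
	}
	for name := range probeHeaders {
		status := "dropped on cross-origin redirect"
		if got[name] != "" {
			status = "forwarded to the new origin"
		}
		fmt.Printf("%-20s %s\n", name, status)
	}
}
```

Run it with the toolchain you want to check (for example the one from the golang-1.24 package): a patched client reports both Authorization and Proxy-Authorization as dropped and X-Request-Tag as forwarded; a Proxy-Authorization line reading "forwarded" is the pre-1.24.4 behaviour the changelog entry describes.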
--- Begin Message ---
Unblocked.
--- End Message ---