Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: 541aaab8 by Salvatore Bonaccorso at 2026-01-16T08:55:14+01:00 Add new golang issues - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -1,3 +1,57 @@ +CVE-2025-61730 [crypto/tls: handshake messages may be processed at the incorrect encryption level] + - golang-1.25 <unfixed> + - golang-1.24 <unfixed> + - golang-1.19 <removed> + - golang-1.15 <removed> + NOTE: https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc + NOTE: https://github.com/golang/go/issues/76443 + NOTE: Fixed by: https://github.com/golang/go/commit/525dd853633f90d6038719d9a48cba3770ca71ea (go1.25.6) + NOTE: Fixed by: https://github.com/golang/go/commit/ad2cd043db66cd36e1f55359638729d2c8ff3d99 (go1.24.12) +CVE-2025-68119 [cmd/go: unexpected code execution when invoking toolchain] + - golang-1.25 <unfixed> + - golang-1.24 <unfixed> + - golang-1.19 <removed> + - golang-1.15 <removed> + NOTE: https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc + NOTE: https://github.com/golang/go/issues/77099 + NOTE: Fixed by: https://github.com/golang/go/commit/082365aa552a7e2186f79110d5311dce70749cc0 (go1.25.6) + TODO: check, might only affect 1.25 and above +CVE-2025-61731 [cmd/go: bypass of flag sanitization can lead to arbitrary code execution] + - golang-1.25 <unfixed> + - golang-1.24 <unfixed> + - golang-1.19 <removed> + - golang-1.15 <removed> + NOTE: https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc + NOTE: https://github.com/golang/go/issues/77100 + NOTE: Fixed by: https://github.com/golang/go/commit/2526187481ee31241b72f491992accbdd66c2655 (go1.25.6) + NOTE: Fixed by: https://github.com/golang/go/commit/00b7309387a171bcba37382e7ed96b473df04917 (go1.24.12) +CVE-2025-68121 [crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain] + - golang-1.25 <unfixed> + - golang-1.24 <unfixed> + - golang-1.19 <removed> + - golang-1.15 <removed> + NOTE: https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc + NOTE: https://github.com/golang/go/issues/77113 + NOTE: Fixed by: https://github.com/golang/go/commit/4be38528a68a8b0c4e101576df200c214ad49c26 (go1.25.6) + NOTE: Fixed by: https://github.com/golang/go/commit/d0754e6242e70e171a888b6c5e0336bbf014e538 (go1.24.12) +CVE-2025-61726 [net/http: memory exhaustion in Request.ParseForm] + - golang-1.25 <unfixed> + - golang-1.24 <unfixed> + - golang-1.19 <removed> + - golang-1.15 <removed> + NOTE: https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc + NOTE: https://github.com/golang/go/issues/77101 + NOTE: Fixed by: https://github.com/golang/go/commit/afa9b66ac081d3b239d8c1a226b5e884c8435185 (go1.25.6) + NOTE: Fixed by: https://github.com/golang/go/commit/85c794ddce26a092b0ea68d0fca79028b5069d5a (go1.24.12) +CVE-2025-61728 [archive/zip: denial of service when parsing arbitrary ZIP archives] + - golang-1.25 <unfixed> + - golang-1.24 <unfixed> + - golang-1.19 <removed> + - golang-1.15 <removed> + NOTE: https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc + NOTE: https://github.com/golang/go/issues/77102 + NOTE: Fixed by: https://github.com/golang/go/commit/9d497df196d66553ae844c22a53fb86cd422e80c (go1.25.6) + NOTE: Fixed by: https://github.com/golang/go/commit/3235ef3db85c2d7e797b976822a7addaf6d5ca2a (go1.24.12) CVE-2025-68675 - airflow <itp> (bug #819700) CVE-2025-68438 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/541aaab8b23955787f62c20a310dab2f35c4cb95 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/541aaab8b23955787f62c20a310dab2f35c4cb95 You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ debian-security-tracker-commits mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
