[Git][security-tracker-team/security-tracker][master] Add Debian bug references for golang issues

Salvatore Bonaccorso (@carnil) Sun, 18 Jan 2026 12:10:46 -0800


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker



Commits:
05b7c38a by Salvatore Bonaccorso at 2026-01-18T21:07:40+01:00
Add Debian bug references for golang issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -610,8 +610,8 @@ CVE-2020-36926 (SmarterTrack 7922 contains an information 
disclosure vulnerabili
 CVE-2011-10041 (Uploadify WordPress plugin versions up to and including 
1.0contain an  ...)
        NOT-FOR-US: WordPress plugin
 CVE-2025-61730 [crypto/tls: handshake messages may be processed at the 
incorrect encryption level]
-       - golang-1.25 <unfixed>
-       - golang-1.24 <unfixed>
+       - golang-1.25 <unfixed> (bug #1125916)
+       - golang-1.24 <unfixed> (bug #1125917)
        - golang-1.19 <removed>
        - golang-1.15 <removed>
        NOTE: https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
@@ -619,7 +619,7 @@ CVE-2025-61730 [crypto/tls: handshake messages may be 
processed at the incorrect
        NOTE: Fixed by: 
https://github.com/golang/go/commit/525dd853633f90d6038719d9a48cba3770ca71ea 
(go1.25.6)
        NOTE: Fixed by: 
https://github.com/golang/go/commit/ad2cd043db66cd36e1f55359638729d2c8ff3d99 
(go1.24.12)
 CVE-2025-68119 [cmd/go: unexpected code execution when invoking toolchain]
-       - golang-1.25 <unfixed>
+       - golang-1.25 <unfixed> (bug #1125916)
        - golang-1.24 <unfixed>
        - golang-1.19 <removed>
        - golang-1.15 <removed>
@@ -628,8 +628,8 @@ CVE-2025-68119 [cmd/go: unexpected code execution when 
invoking toolchain]
        NOTE: Fixed by: 
https://github.com/golang/go/commit/082365aa552a7e2186f79110d5311dce70749cc0 
(go1.25.6)
        TODO: check, might only affect 1.25 and above
 CVE-2025-61731 [cmd/go: bypass of flag sanitization can lead to arbitrary code 
execution]
-       - golang-1.25 <unfixed>
-       - golang-1.24 <unfixed>
+       - golang-1.25 <unfixed> (bug #1125916)
+       - golang-1.24 <unfixed> (bug #1125917)
        - golang-1.19 <removed>
        - golang-1.15 <removed>
        NOTE: https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
@@ -637,8 +637,8 @@ CVE-2025-61731 [cmd/go: bypass of flag sanitization can 
lead to arbitrary code e
        NOTE: Fixed by: 
https://github.com/golang/go/commit/2526187481ee31241b72f491992accbdd66c2655 
(go1.25.6)
        NOTE: Fixed by: 
https://github.com/golang/go/commit/00b7309387a171bcba37382e7ed96b473df04917 
(go1.24.12)
 CVE-2025-68121 [crypto/tls: Config.Clone copies automatically generated 
session ticket keys, session resumption does not account for the expiration of 
full certificate chain]
-       - golang-1.25 <unfixed>
-       - golang-1.24 <unfixed>
+       - golang-1.25 <unfixed> (bug #1125916)
+       - golang-1.24 <unfixed> (bug #1125917)
        - golang-1.19 <removed>
        - golang-1.15 <removed>
        NOTE: https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
@@ -646,8 +646,8 @@ CVE-2025-68121 [crypto/tls: Config.Clone copies 
automatically generated session
        NOTE: Fixed by: 
https://github.com/golang/go/commit/4be38528a68a8b0c4e101576df200c214ad49c26 
(go1.25.6)
        NOTE: Fixed by: 
https://github.com/golang/go/commit/d0754e6242e70e171a888b6c5e0336bbf014e538 
(go1.24.12)
 CVE-2025-61726 [net/http: memory exhaustion in Request.ParseForm]
-       - golang-1.25 <unfixed>
-       - golang-1.24 <unfixed>
+       - golang-1.25 <unfixed> (bug #1125916)
+       - golang-1.24 <unfixed> (bug #1125917)
        - golang-1.19 <removed>
        - golang-1.15 <removed>
        NOTE: https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
@@ -655,8 +655,8 @@ CVE-2025-61726 [net/http: memory exhaustion in 
Request.ParseForm]
        NOTE: Fixed by: 
https://github.com/golang/go/commit/afa9b66ac081d3b239d8c1a226b5e884c8435185 
(go1.25.6)
        NOTE: Fixed by: 
https://github.com/golang/go/commit/85c794ddce26a092b0ea68d0fca79028b5069d5a 
(go1.24.12)
 CVE-2025-61728 [archive/zip: denial of service when parsing arbitrary ZIP 
archives]
-       - golang-1.25 <unfixed>
-       - golang-1.24 <unfixed>
+       - golang-1.25 <unfixed> (bug #1125916)
+       - golang-1.24 <unfixed> (bug #1125917)
        - golang-1.19 <removed>
        - golang-1.15 <removed>
        NOTE: https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/05b7c38adab9b718aa2219482740c754f5ba1b4f

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/05b7c38adab9b718aa2219482740c754f5ba1b4f
You're receiving this email because of your account on salsa.debian.org.

_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] Add Debian bug references for golang issues

Reply via email to