Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
f6cdedb0 by Salvatore Bonaccorso at 2026-01-23T08:36:38+01:00
Track fixed version for golang-1.25 issues
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -2693,7 +2693,7 @@ CVE-2020-36926 (SmarterTrack 7922 contains an information
disclosure vulnerabili
CVE-2011-10041 (Uploadify WordPress plugin versions up to and including
1.0contain an ...)
NOT-FOR-US: WordPress plugin
CVE-2025-61730 [crypto/tls: handshake messages may be processed at the
incorrect encryption level]
- - golang-1.25 <unfixed> (bug #1125916)
+ - golang-1.25 1.25.6-1 (bug #1125916)
- golang-1.24 <unfixed> (bug #1125917)
- golang-1.19 <removed>
- golang-1.15 <removed>
@@ -2702,7 +2702,7 @@ CVE-2025-61730 [crypto/tls: handshake messages may be
processed at the incorrect
NOTE: Fixed by:
https://github.com/golang/go/commit/525dd853633f90d6038719d9a48cba3770ca71ea
(go1.25.6)
NOTE: Fixed by:
https://github.com/golang/go/commit/ad2cd043db66cd36e1f55359638729d2c8ff3d99
(go1.24.12)
CVE-2025-68119 [cmd/go: unexpected code execution when invoking toolchain]
- - golang-1.25 <unfixed> (bug #1125916)
+ - golang-1.25 1.25.6-1 (bug #1125916)
- golang-1.24 <unfixed>
- golang-1.19 <removed>
- golang-1.15 <removed>
@@ -2711,7 +2711,7 @@ CVE-2025-68119 [cmd/go: unexpected code execution when
invoking toolchain]
NOTE: Fixed by:
https://github.com/golang/go/commit/082365aa552a7e2186f79110d5311dce70749cc0
(go1.25.6)
TODO: check, might only affect 1.25 and above
CVE-2025-61731 [cmd/go: bypass of flag sanitization can lead to arbitrary code
execution]
- - golang-1.25 <unfixed> (bug #1125916)
+ - golang-1.25 1.25.6-1 (bug #1125916)
- golang-1.24 <unfixed> (bug #1125917)
- golang-1.19 <removed>
- golang-1.15 <removed>
@@ -2720,7 +2720,7 @@ CVE-2025-61731 [cmd/go: bypass of flag sanitization can
lead to arbitrary code e
NOTE: Fixed by:
https://github.com/golang/go/commit/2526187481ee31241b72f491992accbdd66c2655
(go1.25.6)
NOTE: Fixed by:
https://github.com/golang/go/commit/00b7309387a171bcba37382e7ed96b473df04917
(go1.24.12)
CVE-2025-68121 [crypto/tls: Config.Clone copies automatically generated
session ticket keys, session resumption does not account for the expiration of
full certificate chain]
- - golang-1.25 <unfixed> (bug #1125916)
+ - golang-1.25 1.25.6-1 (bug #1125916)
- golang-1.24 <unfixed> (bug #1125917)
[trixie] - golang-1.24 <no-dsa> (Minor issue)
- golang-1.19 <removed>
@@ -2731,7 +2731,7 @@ CVE-2025-68121 [crypto/tls: Config.Clone copies
automatically generated session
NOTE: Fixed by:
https://github.com/golang/go/commit/4be38528a68a8b0c4e101576df200c214ad49c26
(go1.25.6)
NOTE: Fixed by:
https://github.com/golang/go/commit/d0754e6242e70e171a888b6c5e0336bbf014e538
(go1.24.12)
CVE-2025-61726 [net/http: memory exhaustion in Request.ParseForm]
- - golang-1.25 <unfixed> (bug #1125916)
+ - golang-1.25 1.25.6-1 (bug #1125916)
- golang-1.24 <unfixed> (bug #1125917)
[trixie] - golang-1.24 <no-dsa> (Minor issue)
- golang-1.19 <removed>
@@ -2742,7 +2742,7 @@ CVE-2025-61726 [net/http: memory exhaustion in
Request.ParseForm]
NOTE: Fixed by:
https://github.com/golang/go/commit/afa9b66ac081d3b239d8c1a226b5e884c8435185
(go1.25.6)
NOTE: Fixed by:
https://github.com/golang/go/commit/85c794ddce26a092b0ea68d0fca79028b5069d5a
(go1.24.12)
CVE-2025-61728 [archive/zip: denial of service when parsing arbitrary ZIP
archives]
- - golang-1.25 <unfixed> (bug #1125916)
+ - golang-1.25 1.25.6-1 (bug #1125916)
- golang-1.24 <unfixed> (bug #1125917)
- golang-1.19 <removed>
- golang-1.15 <removed>
@@ -23499,7 +23499,7 @@ CVE-2025-64070 (Sourcecodester Student Grades
Management System v1.0 is vulnerab
CVE-2025-63872 (DeepSeek V3.2 has a Cross Site Scripting (XSS) vulnerability,
which al ...)
NOT-FOR-US: DeepSeek
CVE-2025-61727 (An excluded subdomain constraint in a certificate chain does
not restr ...)
- - golang-1.25 <unfixed> (bug #1121847)
+ - golang-1.25 1.25.6-1 (bug #1121847)
- golang-1.24 <unfixed> (bug #1121848)
[trixie] - golang-1.24 <no-dsa> (Minor issue)
- golang-1.19 <removed>
@@ -23511,7 +23511,7 @@ CVE-2025-61727 (An excluded subdomain constraint in a
certificate chain does not
NOTE: Fixed by:
https://github.com/golang/go/commit/287017acebd27203aa3218abbd11ed65c2280cf8
(go1.25.5)
NOTE: Fixed by:
https://github.com/golang/go/commit/04db77a423cac75bb82cc9a6859991ae9c016344
(go1.24.11)
CVE-2025-61729 (Within HostnameError.Error(), when constructing an error
string, there ...)
- - golang-1.25 <unfixed> (bug #1121847)
+ - golang-1.25 1.25.6-1 (bug #1121847)
- golang-1.24 <unfixed> (bug #1121848)
[trixie] - golang-1.24 <no-dsa> (Minor issue)
- golang-1.19 <removed>
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f6cdedb037150cdcf5400e60b8c7d7aa6c216056
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f6cdedb037150cdcf5400e60b8c7d7aa6c216056
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
