[oss-security] Go 1.24.5 & 1.23.11 fix CVE-2025-4674

Tue, 08 Jul 2025 14:33:55 -0700 

https://groups.google.com/g/golang-announce/c/gTNJnDXmn34 announces:


Hello gophers,

We have just released Go versions 1.24.5 and 1.23.11, minor point releases.

These minor releases include 1 security fixes following the security policy:

    cmd/go: unexpected command execution in untrusted VCS repositories

    Various uses of the Go toolchain in untrusted VCS repositories can result in
    unexpected code execution. When using the Go toolchain in directories 
fetched
    using various VCS tools (such as directly cloning Git or Mercurial 
repositories)
    can cause the toolchain to execute unexpected commands, if said directory
    contains multiple VCS configuration metadata (such as a '.hg' directory in 
a Git
    repository). This is due to how the Go toolchain attempts to resolve which 
VCS
    is being used in order to embed build information in binaries and determine
    module versions.

    The toolchain will now abort attempting to resolve which VCS is being used 
if it
    detects multiple VCS configuration metadata in a module directory or nested 
VCS
    configuration metadata (such as a '.git' directoy in a parent directory and 
a
    '.hg' directory in a child directory). This will not prevent the toolchain 
from
    building modules, but will result in binaries omitting VCS related build
    information.

    If this behavior is expected by the user, the old behavior can be 
re-enabled by
    setting GODEBUG=allowmultiplevcs=1. This should only be done in trusted
    repositories.

    Thanks to RyotaK (https://ryotak.net) of GMO Flatt Security Inc for 
reporting
    this issue.

    This is CVE-2025-4674 and https://go.dev/issue/74380.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.24.5

You can download binary and source distributions from the Go website:
https://go.dev/dl/

To compile from source using a Git clone, update to the release with
git checkout go1.24.5 and build as usual.

Thanks to everyone who contributed to the releases.

Cheers,
Carlos and David for the Go team



--
        -Alan Coopersmith-                 alan.coopersm...@oracle.com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris

Reply via email to