[SECURITY] [DLA 4151-1] golang-github-gorilla-csrf security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- --------------------------------------------------------------------------
Debian LTS Advisory DLA-4151-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Andrej Shadura
May 01, 2025 https://wiki.debian.org/LTS
- --------------------------------------------------------------------------
Package : golang-github-gorilla-csrf
Version : 1.6.2-2+deb11u1
CVE ID : CVE-2025-24358
Debian Bug : 1103584
The following vulnerability has been discovered in the gorilla/csrf package for Go:
Prior to 1.7.3, gorilla/csrf did not validate the Origin header against
an allowlist. It executed its validation of the Referer header for
cross-origin requests only when it believed the request was being
served over TLS. It determined this by inspecting the r.URL.Scheme
value. However, this value was never populated for "server" requests
per the Go spec, and so this check did not run in practice. This
vulnerability allowed an attacker who has gained XSS on a subdomain
or top level domain to perform authenticated form submissions against
gorilla/csrf protected targets that shared the same top level domain.
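The following Go program is an added illustration of the defect and of the corrected check; it is not code from gorilla/csrf or from the Debian package. It reads a raw server-side request the way net/http does and shows that r.URL.Scheme stays empty even when the connection is TLS, so only r.TLS can be used to detect TLS. It then validates the Origin (or Referer) header of every state-changing request against the request's own origin or an explicit allowlist, with exact scheme+host matching so a sibling subdomain is rejected. The hostnames, request bodies and allowlist are constructed sample values.

```go
package main

import (
	"bufio"
	"crypto/tls"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// parseServerRequest builds an incoming (server-side) *http.Request from raw
// wire bytes, as net/http's server does. When overTLS is true it attaches a
// tls.ConnectionState, which is the only place a handler can see that the
// connection was TLS: r.URL.Scheme stays empty for origin-form request
// targets such as "POST /submit HTTP/1.1".
func parseServerRequest(raw string, overTLS bool) (*http.Request, error) {
	r, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return nil, err
	}
	if overTLS {
		r.TLS = &tls.ConnectionState{Version: tls.VersionTLS13, HandshakeComplete: true}
	}
	return r, nil
}

// schemeSaysTLS is the flawed test described in the advisory: it looks at
// r.URL.Scheme, which the Go server never fills in for ordinary requests.
func schemeSaysTLS(r *http.Request) bool { return r.URL.Scheme == "https" }

// connSaysTLS is the reliable test: r.TLS is non-nil only when the request
// arrived over a TLS connection.
func connSaysTLS(r *http.Request) bool { return r.TLS != nil }

// requestOrigin returns the origin the browser reports for r: the Origin
// header if present, otherwise scheme+host of the Referer. Empty if neither.
func requestOrigin(r *http.Request) string {
	if o := r.Header.Get("Origin"); o != "" && o != "null" {
		return strings.ToLower(o)
	}
	if ref := r.Header.Get("Referer"); ref != "" {
		if u, err := url.Parse(ref); err == nil && u.Scheme != "" && u.Host != "" {
			return strings.ToLower(u.Scheme + "://" + u.Host)
		}
	}
	return ""
}

// checkCrossOrigin rejects state-changing requests whose reported origin is
// neither the request's own origin nor an allowlisted one. Matching is exact
// on scheme and host, so another subdomain under the same parent domain does
// not pass. The check runs for every unsafe method, whether or not the
// request was served over TLS.
func checkCrossOrigin(r *http.Request, trusted []string) error {
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions, http.MethodTrace:
		return nil // safe methods change no state
	}
	scheme := "http"
	if connSaysTLS(r) {
		scheme = "https"
	}
	self := strings.ToLower(scheme + "://" + r.Host)
	got := requestOrigin(r)
	if got == "" {
		return errors.New("no Origin or Referer header on state-changing request")
	}
	if got == self {
		return nil
	}
	for _, t := range trusted {
		if got == strings.ToLower(t) {
			return nil
		}
	}
	return fmt.Errorf("origin %q is neither %q nor allowlisted", got, self)
}

// Constructed sample requests; the hostnames are hypothetical.
const (
	sameOrigin  = "POST /submit HTTP/1.1\r\nHost: app.example.com\r\nOrigin: https://app.example.com\r\nContent-Length: 0\r\n\r\n"
	siblingSub  = "POST /submit HTTP/1.1\r\nHost: app.example.com\r\nOrigin: https://other.example.com\r\nContent-Length: 0\r\n\r\n"
	refererOnly = "POST /submit HTTP/1.1\r\nHost: app.example.com\r\nReferer: https://app.example.com/form?x=1\r\nContent-Length: 0\r\n\r\n"
)

func main() {
	r, _ := parseServerRequest(sameOrigin, true)
	fmt.Println("URL.Scheme says TLS:", schemeSaysTLS(r), " r.TLS says TLS:", connSaysTLS(r))
	for _, raw := range []string{sameOrigin, siblingSub, refererOnly} {
		r, _ := parseServerRequest(raw, true)
		fmt.Printf("%-28s -> %v\n", requestOrigin(r), checkCrossOrigin(r, nil))
	}
}
```

Behind a reverse proxy that terminates TLS, r.TLS is nil on the backend as well; in that deployment the scheme has to come from a forwarded-protocol header that only the proxy is allowed to set, otherwise the same class of "check never runs" mistake reappears.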
For Debian 11 bullseye, this problem has been fixed in version
1.6.2-2+deb11u1.
The following Go packages have been rebuilt in order to fix this
issue:
golang-chroma
golang-github-alecthomas-chroma-dev
golang-github-niklasfasching-go-org-dev
golang-github-yuin-goldmark-highlighting-dev
go-org
hugo
We recommend that you upgrade these packages.
For the detailed security status of golang-github-gorilla-csrf please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/golang-github-gorilla-csrf
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQSD3NF/RLIsyDZW7aHoRGtKyMdyYQUCaBNA0QAKCRDoRGtKyMdy
YbSFAQD9PSQFsBYhWGbddHFKhaNeNwe8Ip/eH63C4L4lHrcMCgD/RFgNgiZAcR5x
cZtJcYUPh875WiX8pqmm9MN6SaLh2gM=
=cuoA
-----END PGP SIGNATURE-----