[SECURITY] [DLA 4151-1] golang-github-gorilla-csrf security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 4151-1] golang-github-gorilla-csrf security update
From: Andrej Shadura <andrewsh@debian.org>
Date: Thu, 1 May 2025 11:37:25 +0200
Message-id: <[🔎] 20250501093727.941388-1-andrewsh@debian.org>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- --------------------------------------------------------------------------
Debian LTS Advisory DLA-4151-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Andrej Shadura
May 01, 2025                                  https://wiki.debian.org/LTS
- --------------------------------------------------------------------------

Package        : golang-github-gorilla-csrf
Version        : 1.6.2-2+deb11u1
CVE ID         : CVE-2025-24358
Debian Bug     : 1103584

The following vulnerability has been discovered in the gorilla/csrf package for Go:

    Prior to 1.7.3, gorilla/csrf did not validate the Origin header against
    an allowlist. It executed its validation of the Referer header for
    cross-origin requests only when it believed the request was being
    served over TLS. It determined this by inspecting the r.URL.Scheme
    value. However, this value was never populated for "server" requests
    per the Go spec, and so this check did not run in practice. This
    vulnerability allowed an attacker who has gained XSS on a subdomain
    or top level domain to perform authenticated form submissions against
    gorilla/csrf protected targets that shared the same top level domain.

For Debian 11 bullseye, this problem has been fixed in version
1.6.2-2+deb11u1.

The following Go packages have been rebuilt in order to fix this
issue:

golang-chroma
golang-github-alecthomas-chroma-dev
golang-github-niklasfasching-go-org-dev
golang-github-yuin-goldmark-highlighting-dev
go-org
hugo

We recommend that you upgrade these packages.

For the detailed security status of golang-github-gorilla-csrf please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/golang-github-gorilla-csrf

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQSD3NF/RLIsyDZW7aHoRGtKyMdyYQUCaBNA0QAKCRDoRGtKyMdy
YbSFAQD9PSQFsBYhWGbddHFKhaNeNwe8Ip/eH63C4L4lHrcMCgD/RFgNgiZAcR5x
cZtJcYUPh875WiX8pqmm9MN6SaLh2gM=
=cuoA
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 4150-1] u-boot security update
Next by Date: [SECURITY] [DLA 4152-1] nodejs security update
Previous by thread: [SECURITY] [DLA 4150-1] u-boot security update
Next by thread: [SECURITY] [DLA 4152-1] nodejs security update
Index(es):
- Date
- Thread