
Bug#1108517: unblock: golang-1.24/1.24.4-1 (pre-approval)



Package: release.debian.org
Severity: normal
Tags: trixie security
X-Debbugs-Cc: utkarsh@debian.org
Control: affects -1 + src:golang-1.24
User: release.debian.org@packages.debian.org
Usertags: unblock

Please pre-approve unblocking of package golang-1.24/1.24.4-1

[ Reason ]
The upstream stable branch got a few fixes since the last upload, and this update pulls them into the Debian package. These include some crucial CVE fixes. From the changelog:

* New upstream version 1.24.1
    + CVE-2025-4673: net/http: sensitive headers not cleared on cross-origin redirect (Closes: #1107364)
    + CVE-2025-0913: os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows
    + CVE-2025-22874: crypto/x509: usage of ExtKeyUsageAny disables policy validation (Closes: #1107364)
    + CVE-2025-22873: os: Root permits access to parent directory (Closes: #1104816)

I also wanted to point out that the 1.24.1 in the changelog is a typo, it should be 1.24.4. Apologies for that.

See https://github.com/golang/go/issues?q=milestone%3AGo1.24.3+label%3ACherryPickApproved
See https://github.com/golang/go/issues?q=milestone%3AGo1.24.4+label%3ACherryPickApproved

[ Impact ]
If the unblock isn't granted, packages built with 1.24.2 will be vulnerable to CVEs:
+ CVE-2025-4673: net/http: sensitive headers not cleared on cross-origin redirect (Closes: #1107364)
+ CVE-2025-0913: os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows
+ CVE-2025-22874: crypto/x509: usage of ExtKeyUsageAny disables policy validation (Closes: #1107364)
+ CVE-2025-22873: os: Root permits access to parent directory (Closes: #1104816)

I think including these fixes in trixie is important.

[ Tests ]
The fixes and feature additions all have associated tests, also updated, including arch-specific tests.
Overall tests represent a major part of the debdiff.

[ Risks ]
I believe the risks are quite low, as these are micro releases which consist mostly of CVE fixes.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock golang-1.24/1.24.4-1

Attachment: golang-1.24.debdiff
Description: Binary data
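Two of the CVEs above (CVE-2025-0913 and CVE-2025-22873) concern behaviour of the os package that application code relies on for security: an O_CREATE|O_EXCL open must fail rather than follow a dangling symlink, and an os.Root must refuse paths that reach its parent directory, whether via ".." or via a symlink. The following program is an added example, not part of this bug report or of the Go project, that probes a toolchain for both properties on a throwaway directory tree; it assumes a Unix host (it creates symlinks) and a Go toolchain of at least 1.24, since os.Root did not exist before that. All file and type names in it are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// ExclusiveCreateResult records what an O_CREATE|O_EXCL open did when the
// target path was a dangling symlink (constructed type for this example).
type ExclusiveCreateResult struct {
	Err           error // error from os.OpenFile; expected non-nil
	IsErrExist    bool  // errors.Is(Err, fs.ErrExist); expected true
	TargetCreated bool  // true if the open followed the link and created its target
}

// CheckExclusiveCreate plants a dangling symlink dir/lockfile -> dir/victim and
// then attempts an exclusive create through it. The property lock files and
// "create only if absent" code depend on is that the open fails with ErrExist
// and nothing appears at the link target.
func CheckExclusiveCreate(dir string) (ExclusiveCreateResult, error) {
	link := filepath.Join(dir, "lockfile")
	target := filepath.Join(dir, "victim")
	if err := os.Symlink(target, link); err != nil {
		return ExclusiveCreateResult{}, err
	}
	f, err := os.OpenFile(link, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err == nil {
		f.Close()
	}
	_, statErr := os.Lstat(target)
	return ExclusiveCreateResult{
		Err:           err,
		IsErrExist:    errors.Is(err, fs.ErrExist),
		TargetCreated: statErr == nil,
	}, nil
}

// RootEscapeResult records whether each escape attempt against an os.Root was
// rejected (constructed type for this example).
type RootEscapeResult struct {
	InsideOpens     bool // Open("inside.txt") succeeds: the root itself works
	ParentRejected  bool // Open("..") fails
	DotDotRejected  bool // Open("../outside.txt") fails
	SymlinkRejected bool // Open("link") fails; link -> absolute path outside the root
}

// CheckRootEscapes builds dir/root (the sandbox) and dir/outside.txt (what an
// escape would reach), plants an absolute symlink inside the root pointing at
// the outside file, and probes Root.Open with each path. Every probe that
// would leave the root is expected to fail.
func CheckRootEscapes(dir string) (RootEscapeResult, error) {
	rootDir := filepath.Join(dir, "root")
	outside := filepath.Join(dir, "outside.txt")
	if err := os.Mkdir(rootDir, 0o700); err != nil {
		return RootEscapeResult{}, err
	}
	if err := os.WriteFile(outside, []byte("outside"), 0o600); err != nil {
		return RootEscapeResult{}, err
	}
	if err := os.WriteFile(filepath.Join(rootDir, "inside.txt"), []byte("inside"), 0o600); err != nil {
		return RootEscapeResult{}, err
	}
	if err := os.Symlink(outside, filepath.Join(rootDir, "link")); err != nil {
		return RootEscapeResult{}, err
	}
	root, err := os.OpenRoot(rootDir) // os.Root API, Go 1.24 and later
	if err != nil {
		return RootEscapeResult{}, err
	}
	defer root.Close()

	// rejected reports whether Root.Open refused the given path.
	rejected := func(name string) bool {
		f, err := root.Open(name)
		if err == nil {
			f.Close()
			return false
		}
		return true
	}
	return RootEscapeResult{
		InsideOpens:     !rejected("inside.txt"),
		ParentRejected:  rejected(".."),
		DotDotRejected:  rejected("../outside.txt"),
		SymlinkRejected: rejected("link"),
	}, nil
}

func main() {
	dir, err := os.MkdirTemp("", "go-os-check")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	ex, err := CheckExclusiveCreate(dir)
	if err != nil {
		panic(err)
	}
	fmt.Printf("O_CREATE|O_EXCL via dangling symlink: err=%v ErrExist=%v target created=%v\n",
		ex.Err, ex.IsErrExist, ex.TargetCreated)
	re, err := CheckRootEscapes(dir)
	if err != nil {
		panic(err)
	}
	fmt.Printf("os.Root: inside=%v parent rejected=%v ../ rejected=%v symlink rejected=%v\n",
		re.InsideOpens, re.ParentRejected, re.DotDotRejected, re.SymlinkRejected)
}
```

Run it with the toolchain a package was built with; a result where the exclusive create is not an ErrExist error, or where any of the three escape probes is not rejected, is the behaviour these fixes address and means binaries built with that toolchain should be rebuilt once the fixed version lands.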