Bug#1108517: unblock: golang-1.24/1.24.4-1 (pre-approval)
On 2025-06-30 16:43:13 +0530, Anshul Singh wrote:
> Package: release.debian.org
> Severity: normal
> Tags: trixie security
> X-Debbugs-Cc: utkarsh@debian.org
> Control: affects -1 + src:golang-1.24
> User: release.debian.org@packages.debian.org
> Usertags: unblock
>
> Please pre-approve unblocking of package golang-1.24/1.24.4-1
This is not a pre-approval since golang-1.24 1.24.4-1 was already
uploaded to unstable before that. Be aware that golang-1.24 is part of
the toolchain and thus affected by the toolchain and transition freeze
since 2025-03-15. Next time, please coordinate uploads of golang-1.24
before pushing them to unstable.
See also https://release.debian.org/testing/freeze_policy.html#transition
Cheers
>
> [ Reason ]
> The upstream stable branch got a few fixes since the last upload
> and this update pulls them into the debian package. These include some
> crucial CVE fixes. From the changelog:
>
> * New upstream version 1.24.1
> + CVE-2025-4673: net/http: sensitive headers not cleared on
> cross-origin redirect (Closes: #1107364)
> + CVE-2025-0913: os: inconsistent handling of O_CREATE|O_EXCL on Unix
> and Windows
> + CVE-2025-22874: crypto/x509: usage of ExtKeyUsageAny disables policy
> validation (Closes: #1107364)
> + CVE-2025-22873: os: Root permits access to parent directory (Closes:
> #1104816)
>
> I also wanted to point out that the 1.24.1 in the changelog is a typo, it
> should be 1.24.4. Apologies for that.
>
> See
> https://github.com/golang/go/issues?q=milestone%3AGo1.24.3+label%3ACherryPickApproved
> See
> https://github.com/golang/go/issues?q=milestone%3AGo1.24.4+label%3ACherryPickApproved
>
> [ Impact ]
> If the unblock isn't granted, packages built with 1.24.2 will be vulnerable
> to CVEs:
> + CVE-2025-4673: net/http: sensitive headers not cleared on cross-origin
> redirect (Closes: #1107364)
> + CVE-2025-0913: os: inconsistent handling of O_CREATE|O_EXCL on Unix and
> Windows
> + CVE-2025-22874: crypto/x509: usage of ExtKeyUsageAny disables policy
> validation (Closes: #1107364)
> + CVE-2025-22873: os: Root permits access to parent directory (Closes:
> #1104816)
>
> I think including these fixes in trixie is important.
>
> [ Tests ]
> The fixes and feature additions all have associated tests also updated
> including arch-specific tests.
> Overall tests represent a major part of the debdiff.
>
> [ Risks ]
> I believe the risks are quite low, as these are micro releases which
> consist majorly of CVE fixes.
>
> [ Checklist ]
> [x] all changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in testing
>
> unblock golang-1.24/1.24.4-1
--
Sebastian Ramacher