
Bug#1108517: marked as done (unblock: golang-1.24/1.24.4-1)



Your message dated Fri, 04 Jul 2025 07:30:33 +0000
with message-id <E1uXasT-006qdm-0A@respighi.debian.org>
and subject line unblock golang-1.24
has caused the Debian Bug report #1108517,
regarding unblock: golang-1.24/1.24.4-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1108517: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108517
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie security
X-Debbugs-Cc: utkarsh@debian.org
Control: affects -1 + src:golang-1.24
User: release.debian.org@packages.debian.org
Usertags: unblock

Please pre-approve unblocking of package golang-1.24/1.24.4-1

[ Reason ]
The upstream stable branch got a few fixes since the last upload
and this update pulls them into the Debian package. These include some crucial CVE fixes. From the changelog:

* New upstream version 1.24.1
    + CVE-2025-4673: net/http: sensitive headers not cleared on cross-origin redirect (Closes: #1107364)
    + CVE-2025-0913: os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows
    + CVE-2025-22874: crypto/x509: usage of ExtKeyUsageAny disables policy validation (Closes: #1107364)
    + CVE-2025-22873: os: Root permits access to parent directory (Closes: #1104816)

I also wanted to point out that the 1.24.1 in the changelog is a typo; it should be 1.24.4. Apologies for that.

See https://github.com/golang/go/issues?q=milestone%3AGo1.24.3+label%3ACherryPickApproved
See https://github.com/golang/go/issues?q=milestone%3AGo1.24.4+label%3ACherryPickApproved

[ Impact ]
If the unblock isn't granted, packages built with 1.24.2 will be vulnerable to CVEs:
+ CVE-2025-4673: net/http: sensitive headers not cleared on cross-origin redirect (Closes: #1107364)
+ CVE-2025-0913: os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows
+ CVE-2025-22874: crypto/x509: usage of ExtKeyUsageAny disables policy validation (Closes: #1107364)
+ CVE-2025-22873: os: Root permits access to parent directory (Closes: #1104816)

I think including these fixes in trixie is important.

[ Tests ]
The fixes and feature additions all have associated tests also updated including arch-specific tests.
Overall tests represent a major part of the debdiff.

[ Risks ]
I believe the risks are quite low, as these are micro releases which consist majorly of CVE fixes.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock golang-1.24/1.24.4-1

Attachment: golang-1.24.debdiff
Description: Binary data


--- End Message ---
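The Impact section above rests on a simple fact: any binary built with a 1.24.x toolchain older than 1.24.4 carries the unfixed code. The following Go program is an added example (not part of the bug report and not Debian or Go project tooling) that shows one way a maintainer or security team could audit installed binaries for that condition. It takes the 1.24.4 fix boundary from the request itself, reports other release lines as "unknown" rather than guessing, and parses text in the shape that `go version -m <binaries>` prints, one unindented `<path>: goX.Y.Z` line per binary followed by tab-indented module lines; the sample output, paths and module names embedded in it are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"runtime"
	"strconv"
	"strings"
)

// The fixed toolchain named in the unblock request is golang 1.24.4; every
// earlier 1.24.x release (including the 1.24.2 the request says packages
// were built with) is treated as affected. Other release lines are reported
// as "unknown": this example takes no position on them.
const (
	fixedMajor = 1
	fixedMinor = 24
	fixedPatch = 4
)

// Matches release strings as printed by `go version` / runtime.Version(),
// e.g. go1.24, go1.24.2, go1.24rc1. Development builds do not match.
var goVersionRE = regexp.MustCompile(`^go(\d+)\.(\d+)(?:\.(\d+))?(rc\d+|beta\d+)?$`)

// Toolchain is a parsed Go release version.
type Toolchain struct {
	Major, Minor, Patch int
	Pre                 string // "rc1", "beta2", or "" for a final release
}

// ParseGoVersion parses strings such as "go1.24.2".
func ParseGoVersion(s string) (Toolchain, error) {
	m := goVersionRE.FindStringSubmatch(strings.TrimSpace(s))
	if m == nil {
		return Toolchain{}, fmt.Errorf("unrecognised Go version %q", s)
	}
	var t Toolchain
	t.Major, _ = strconv.Atoi(m[1]) // digits only, guaranteed by the regexp
	t.Minor, _ = strconv.Atoi(m[2])
	if m[3] != "" {
		t.Patch, _ = strconv.Atoi(m[3])
	}
	t.Pre = m[4]
	return t, nil
}

// Status classifies a toolchain against the 1.24.4 fix boundary.
func (t Toolchain) Status() string {
	switch {
	case t.Major != fixedMajor || t.Minor != fixedMinor:
		return "unknown" // not a 1.24 release; out of scope for this check
	case t.Patch < fixedPatch:
		return "affected" // 1.24.0 .. 1.24.3 and 1.24 pre-releases
	default:
		return "fixed"
	}
}

// ScanGoVersionOutput parses text in the shape of `go version -m` output:
// each entry starts with an unindented "<path>: goX.Y.Z" line, followed by
// tab-indented module lines that are skipped. It returns path -> status.
func ScanGoVersionOutput(output string) map[string]string {
	result := make(map[string]string)
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		line := sc.Text()
		if line == "" || strings.HasPrefix(line, "\t") {
			continue
		}
		i := strings.LastIndex(line, ": ")
		if i < 0 {
			continue
		}
		path, ver := line[:i], line[i+2:]
		t, err := ParseGoVersion(ver)
		if err != nil {
			result[path] = "unparsed" // e.g. a non-Go file or a devel build
			continue
		}
		result[path] = t.Status()
	}
	return result
}

// SampleGoVersionOutput is constructed sample input in the shape of
// `go version -m` output; the paths and module names are made up.
const SampleGoVersionOutput = "/usr/bin/alpha: go1.24.2\n" +
	"\tpath\texample.org/alpha\n" +
	"\tmod\texample.org/alpha\t(devel)\n" +
	"\tbuild\t-compiler=gc\n" +
	"/usr/bin/beta: go1.24.4\n" +
	"\tpath\texample.org/beta\n" +
	"/usr/bin/gamma: go1.23.10\n" +
	"\tpath\texample.org/gamma\n" +
	"/usr/bin/delta: not executable file\n"

func main() {
	// First classify the toolchain that built this very program.
	if t, err := ParseGoVersion(runtime.Version()); err == nil {
		fmt.Printf("this binary: %s -> %s\n", runtime.Version(), t.Status())
	}
	for path, status := range ScanGoVersionOutput(SampleGoVersionOutput) {
		fmt.Printf("%-16s %s\n", path, status)
	}
}
```

In practice the input would come from `go version -m /usr/bin/*` (or from `debug/buildinfo` directly) rather than from the embedded sample; "unknown" and "unparsed" results are deliberately left for a human to judge rather than silently treated as safe.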
--- Begin Message ---
Unblocked.

--- End Message ---
