Bug#1108517: unblock: golang-1.24/1.24.4-1 (pre-approval)

    From Sebastian Ramacher@21:1/5 to Anshul Singh on Fri Jul 4 09:40:01 2025
    XPost: linux.debian.devel.release

    On 2025-06-30 16:43:13 +0530, Anshul Singh wrote:
    Package: release.debian.org
    Severity: normal
    Tags: trixie security
    X-Debbugs-Cc: [email protected]
    Control: affects -1 + src:golang-1.24
    User: [email protected]
    Usertags: unblock

    Please pre-approve unblocking of package golang-1.24/1.24.4-1

    This is not a pre-approval since golang-1.24 1.24.4-1 was already
    uploaded to unstable before that. Be aware that golang-1.24 is part of
    the toolchain and thus affected by the toolchain and transition freeze
    since 2025-03-15. Next time, please coordinate uploads of golang-1.24
    before pushing them to unstable.

    See also https://release.debian.org/testing/freeze_policy.html#transition

    Cheers


    [ Reason ]
    The upstream stable branch got a few fixes since the last upload
    and this update pulls them into the Debian package. These include some crucial CVE fixes. From the changelog:

    * New upstream version 1.24.1
    + CVE-2025-4673: net/http: sensitive headers not cleared on
    cross-origin redirect (Closes: #1107364)
    + CVE-2025-0913: os: inconsistent handling of O_CREATE|O_EXCL on Unix
    and Windows
    + CVE-2025-22874: crypto/x509: usage of ExtKeyUsageAny disables policy validation (Closes: #1107364)
    + CVE-2025-22873: os: Root permits access to parent directory (Closes: #1104816)

    I also wanted to point out that the 1.24.1 in the changelog is a typo, it should be 1.24.4. Apologies for that.

    See https://github.com/golang/go/issues?q=milestone%3AGo1.24.3+label%3ACherryPickApproved
    See https://github.com/golang/go/issues?q=milestone%3AGo1.24.4+label%3ACherryPickApproved

    [ Impact ]
    If the unblock isn't granted, packages built with 1.24.2 will be vulnerable to CVEs:
    + CVE-2025-4673: net/http: sensitive headers not cleared on cross-origin redirect (Closes: #1107364)
    + CVE-2025-0913: os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows
    + CVE-2025-22874: crypto/x509: usage of ExtKeyUsageAny disables policy validation (Closes: #1107364)
    + CVE-2025-22873: os: Root permits access to parent directory (Closes: #1104816)

    I think including these fixes in trixie is important.

    [ Tests ]
    The fixes and feature additions all have associated tests, which are also updated, including arch-specific tests.
    Overall tests represent a major part of the debdiff.

    [ Risks ]
    I believe the risks are quite low, as these are micro releases which
    consist majorly of CVE fixes.

    [ Checklist ]
    [x] all changes are documented in the d/changelog
    [x] I reviewed all changes and I approve them
    [x] attach debdiff against the package in testing

    unblock golang-1.24/1.24.4-1



    --
    Sebastian Ramacher