Your message dated Wed, 21 May 2025 12:35:49 +0000
with message-id <e1uhifl-00h2lx...@fasolo.debian.org>
and subject line Bug#1103586: fixed in golang-golang-x-net 1:0.27.0-2
has caused the Debian Bug report #1103586,
regarding golang-golang-x-net: CVE-2025-22872
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1103586: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103586
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: golang-golang-x-net
Version: 1:0.27.0-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/golang/go/issues/73070
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for golang-golang-x-net.

CVE-2025-22872[0]:
| The tokenizer incorrectly interprets tags with unquoted attribute
| values that end with a solidus character (/) as self-closing. When
| directly using Tokenizer, this can result in such tags incorrectly
| being marked as self-closing, and when using the Parse functions,
| this can result in content following such tags as being placed in
| the wrong scope during DOM construction, but only when tags are in
| foreign content (e.g. <math>, <svg>, etc contexts).


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-22872
    https://www.cve.org/CVERecord?id=CVE-2025-22872
[1] https://github.com/golang/go/issues/73070
[2] https://github.com/golang/net/commit/e1fcd82abba34df74614020343be8eb1fe85f0d9

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
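
The start-tag rule behind CVE-2025-22872, as an added example that is not part of the bug report and is not the golang.org/x/net/html code: a simplified Go model, standard library only, that contrasts a check trusting a trailing "/>" with a scan that treats "/" inside an unquoted attribute value as part of the value. The function names and sample tags are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

func isSpace(c byte) bool { return strings.IndexByte(" \t\n\f\r", c) >= 0 }
// naiveSelfClosing models the flaw: any start tag ending in "/>" is self-closing.
func naiveSelfClosing(tag string) bool { return strings.HasSuffix(tag, "/>") }
// specSelfClosing scans one start tag; "/" inside an attribute value is data.
func specSelfClosing(tag string) bool {
	s := strings.TrimSuffix(strings.TrimPrefix(tag, "<"), ">")
	i, slash := 0, false
	skip := func(stop func(byte) bool) {
		for i < len(s) && !stop(s[i]) {
			i++
		}
	}
	skip(func(c byte) bool { return isSpace(c) || c == '/' }) // tag name
	for i < len(s) {
		if slash = s[i] == '/'; slash || isSpace(s[i]) {
			i++
			continue
		}
		skip(func(c byte) bool { return isSpace(c) || c == '/' || c == '=' }) // attribute name
		skip(func(c byte) bool { return !isSpace(c) })                        // spaces before "="
		if i == len(s) || s[i] != '=' {
			continue
		}
		i++
		skip(func(c byte) bool { return !isSpace(c) }) // spaces after "="
		if i < len(s) && (s[i] == '"' || s[i] == '\'') {
			q := s[i]
			i++
			skip(func(c byte) bool { return c == q })
			i++ // step over the closing quote
		} else {
			skip(isSpace) // unquoted value: a trailing "/" belongs to the value
		}
	}
	return slash
}

func main() { // constructed sample tags, not taken from the bug report
	for _, t := range []string{`<a href=/docs/>`, `<a href="/docs/"/>`, `<br/>`, `<br/ >`} {
		fmt.Printf("%-20s naive=%-5v spec=%v\n", t, naiveSelfClosing(t), specSelfClosing(t))
	}
}
```

Tags on which the two functions disagree are the inputs worth keeping as regression cases when validating a patched tokenizer or a sanitizer built on it.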
--- Begin Message ---
Source: golang-golang-x-net
Source-Version: 1:0.27.0-2
Done: Jochen Sprickerhof <jspri...@debian.org>

We believe that the bug you reported is fixed in the latest version of
golang-golang-x-net, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1103...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jochen Sprickerhof <jspri...@debian.org> (supplier of updated golang-golang-x-net package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 21 May 2025 14:16:51 +0200
Source: golang-golang-x-net
Architecture: source
Version: 1:0.27.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg...@tracker.debian.org>
Changed-By: Jochen Sprickerhof <jspri...@debian.org>
Closes: 1089192 1091168 1103586
Changes:
 golang-golang-x-net (1:0.27.0-2) unstable; urgency=medium
 .
   * Team upload.
 .
   [ Ananthu C V ]
   * Skip more publicsuffix tests (Closes: #1089192)
 .
   [ Jochen Sprickerhof ]
   * Add patch for CVE-2025-22872 (Closes: #1103586)
   * Add patch for CVE-2024-45338 (Closes: #1091168)



--- End Message ---