On 2025-06-30 16:43:13 +0530, Anshul Singh wrote:
> Package: release.debian.org
> Severity: normal
> Tags: trixie security
> X-Debbugs-Cc: utka...@debian.org
> Control: affects -1 + src:golang-1.24
> User: release.debian....@packages.debian.org
> Usertags: unblock
>
> Please pre-approve unblocking of package golang-1.24/1.24.4-1

This is not a pre-approval since golang-1.24 1.24.4-1 was already uploaded to unstable before that. Be aware that golang-1.24 is part of the toolchain and thus affected by the toolchain and transition freeze since 2025-03-15. Next time, please coordinate uploads of golang-1.24 before pushing them to unstable. See also https://release.debian.org/testing/freeze_policy.html#transition

Cheers

>
> [ Reason ]
> The upstream stable branch got a few fixes since the last upload
> and this update pulls them into the debian package. These include some
> crucial CVE fixes. From the changelog:
>
> * New upstream version 1.24.1
>   + CVE-2025-4673: net/http: sensitive headers not cleared on
>     cross-origin redirect (Closes: #1107364)
>   + CVE-2025-0913: os: inconsistent handling of O_CREATE|O_EXCL on Unix
>     and Windows
>   + CVE-2025-22874: crypto/x509: usage of ExtKeyUsageAny disables policy
>     validation (Closes: #1107364)
>   + CVE-2025-22873: os: Root permits access to parent directory (Closes:
>     #1104816)
>
> I also wanted to point out that the 1.24.1 in the changelog is a typo, it
> should be 1.24.4. Apologies for that.
>
> See
> https://github.com/golang/go/issues?q=milestone%3AGo1.24.3+label%3ACherryPickApproved
> See
> https://github.com/golang/go/issues?q=milestone%3AGo1.24.4+label%3ACherryPickApproved
>
> [ Impact ]
> If the unblock isn't granted, packages built with 1.24.2 will be vulnerable
> to CVEs:
>   + CVE-2025-4673: net/http: sensitive headers not cleared on cross-origin
>     redirect (Closes: #1107364)
>   + CVE-2025-0913: os: inconsistent handling of O_CREATE|O_EXCL on Unix and
>     Windows
>   + CVE-2025-22874: crypto/x509: usage of ExtKeyUsageAny disables policy
>     validation (Closes: #1107364)
>   + CVE-2025-22873: os: Root permits access to parent directory (Closes:
>     #1104816)
>
> I think including these fixes in trixie is important.
>
> [ Tests ]
> The fixes and feature additions all have associated tests also updated
> including arch-specific tests.
> Overall tests represent a major part of the debdiff.
>
> [ Risks ]
> I believe the risks are quite low, as these are micro releases which
> consist majorly of CVE fixes.
>
> [ Checklist ]
> [x] all changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in testing
>
> unblock golang-1.24/1.24.4-1

-- 
Sebastian Ramacher
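The practical consequence of the thread above is that any Go binary built with golang-1.24 older than 1.24.4 still carries the four listed fixes' bugs, since the affected code (net/http, os, crypto/x509) is statically linked into each binary at build time rather than pulled in from a shared library. The following added example is not part of this thread or of the golang-1.24 package; it is an editor-supplied check that reads the toolchain version a binary records about itself and compares it against 1.24.4, the minimum fixed version this request names. It only knows about the 1.24 series: versions from older series (for example 1.23.x) are reported as not verified rather than as patched, because this page says nothing about where those fixes landed there. The function and constant names are the example's own.

```go
package main

import (
	"fmt"
	"runtime"
	"runtime/debug"
	"strconv"
	"strings"
)

// MinFixedGo is the first golang-1.24 upstream release carrying the fixes for
// CVE-2025-4673, CVE-2025-0913, CVE-2025-22874 and CVE-2025-22873 according
// to the unblock request above. (Name is this example's own.)
const MinFixedGo = "go1.24.4"

// parseGoVersion turns a release string such as "go1.24.4" or "go1.24" into
// [major, minor, patch]. Release candidates ("go1.24rc1") and devel builds do
// not parse and yield ok=false so the caller treats them as unverified.
func parseGoVersion(v string) (parts [3]int, ok bool) {
	v = strings.TrimPrefix(v, "go")
	fields := strings.Split(v, ".")
	if len(fields) < 2 || len(fields) > 3 {
		return parts, false
	}
	for i, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil || n < 0 {
			return parts, false
		}
		parts[i] = n
	}
	return parts, true
}

// IsPatched reports whether toolchain version v is at least MinFixedGo, i.e.
// whether a binary built with it includes the fixes listed in the request.
// Anything unparseable, and anything below 1.24.4 (including every 1.23.x
// release, which this page does not cover), returns false: "look at it",
// not "known good".
func IsPatched(v string) bool {
	got, ok := parseGoVersion(v)
	if !ok {
		return false
	}
	want, _ := parseGoVersion(MinFixedGo)
	for i := 0; i < 3; i++ {
		if got[i] != want[i] {
			return got[i] > want[i]
		}
	}
	return true
}

// BuildToolchain returns the Go version stamped into the running binary by
// the linker (the same value `go version -m <binary>` prints), falling back
// to runtime.Version() when build info is unavailable.
func BuildToolchain() string {
	if info, ok := debug.ReadBuildInfo(); ok && info.GoVersion != "" {
		return info.GoVersion
	}
	return runtime.Version()
}

func main() {
	// Constructed sample values, alongside the real version of this process.
	for _, v := range []string{"go1.24.2", "go1.24.4", "go1.24rc1", BuildToolchain()} {
		status := "UNPATCHED or unverified (rebuild with >= " + MinFixedGo + ")"
		if IsPatched(v) {
			status = "carries the 1.24.4 fixes"
		}
		fmt.Printf("%-12s %s\n", v, status)
	}
}
```

Run over a fleet, the same comparison can be fed from `go version -m` output on each deployed binary; the point of treating release candidates and devel builds as unverified is that a security scan should surface them for a human rather than let an unusual toolchain string pass by accident.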