Source: golang-1.25
Version: 1.25.3-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for golang1.25.

CVE-2025-68121[0]:
| crypto/tls: Config.Clone copies automatically generated session ticket
| keys, session resumption does not account for the expiration of full
| certificate chain

CVE-2025-68119[1]:
| cmd/go: unexpected code execution when invoking toolchain

CVE-2025-61731[2]:
| cmd/go: bypass of flag sanitization can lead to arbitrary code
| execution

CVE-2025-61730[3]:
| crypto/tls: handshake messages may be processed at the incorrect
| encryption level

CVE-2025-61728[4]:
| archive/zip: denial of service when parsing arbitrary ZIP archives

CVE-2025-61726[5]:
| net/http: memory exhaustion in Request.ParseForm

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-68121
    https://www.cve.org/CVERecord?id=CVE-2025-68121
[1] https://security-tracker.debian.org/tracker/CVE-2025-68119
    https://www.cve.org/CVERecord?id=CVE-2025-68119
[2] https://security-tracker.debian.org/tracker/CVE-2025-61731
    https://www.cve.org/CVERecord?id=CVE-2025-61731
[3] https://security-tracker.debian.org/tracker/CVE-2025-61730
    https://www.cve.org/CVERecord?id=CVE-2025-61730
[4] https://security-tracker.debian.org/tracker/CVE-2025-61728
    https://www.cve.org/CVERecord?id=CVE-2025-61728
[5] https://security-tracker.debian.org/tracker/CVE-2025-61726
    https://www.cve.org/CVERecord?id=CVE-2025-61726

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

