Source: golang-1.24
Version: 1.24.9-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for golang-1.24.

CVE-2025-68121[0]:
| crypto/tls: Config.Clone copies automatically generated session ticket
| keys, session resumption does not account for the expiration of full
| certificate chain

CVE-2025-61731[1]:
| cmd/go: bypass of flag sanitization can lead to arbitrary code
| execution

CVE-2025-61730[2]:
| crypto/tls: handshake messages may be processed at the incorrect
| encryption level

CVE-2025-61728[3]:
| archive/zip: denial of service when parsing arbitrary ZIP archives

CVE-2025-61726[4]:
| net/http: memory exhaustion in Request.ParseForm

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-68121
    https://www.cve.org/CVERecord?id=CVE-2025-68121
[1] https://security-tracker.debian.org/tracker/CVE-2025-61731
    https://www.cve.org/CVERecord?id=CVE-2025-61731
[2] https://security-tracker.debian.org/tracker/CVE-2025-61730
    https://www.cve.org/CVERecord?id=CVE-2025-61730
[3] https://security-tracker.debian.org/tracker/CVE-2025-61728
    https://www.cve.org/CVERecord?id=CVE-2025-61728
[4] https://security-tracker.debian.org/tracker/CVE-2025-61726
    https://www.cve.org/CVERecord?id=CVE-2025-61726

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

