Your message dated Tue, 17 Jun 2025 02:38:00 +0000
with message-id <e1urmd2-00acky...@fasolo.debian.org>
and subject line Bug#1107390: fixed in golang-1.23 1.23.10-1
has caused the Debian Bug report #1107390,
regarding golang-1.23: CVE-2025-4673
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1107390: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107390
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: golang-1.23
Version: 1.23.8-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/golang/go/issues/73816
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for golang-1.23.

CVE-2025-4673[0].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-4673
    https://www.cve.org/CVERecord?id=CVE-2025-4673
[1] https://github.com/golang/go/issues/73816

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: golang-1.23
Source-Version: 1.23.10-1
Done: Anshul Singh <anshul.si...@canonical.com>

We believe that the bug you reported is fixed in the latest version of
golang-1.23, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1107...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anshul Singh <anshul.si...@canonical.com> (supplier of updated golang-1.23 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 16 Jun 2025 13:10:51 +0200
Source: golang-1.23
Built-For-Profiles: noudeb
Architecture: source
Version: 1.23.10-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Compiler Team <team+go-compi...@tracker.debian.org>
Changed-By: Anshul Singh <anshul.si...@canonical.com>
Closes: 1104816 1107390
Changes:
 golang-1.23 (1.23.10-1) unstable; urgency=medium
 .
   * Team upload
   * New upstream version 1.23.10
     + CVE-2025-4673: net/http: sensitive headers not cleared on cross-origin redirect (Closes: #1107390)
     + CVE-2025-0913: os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows
     + CVE-2025-22873: os: Root permits access to parent directory (Closes: #1104816)



--- End Message ---
