Your message dated Mon, 03 Mar 2025 23:06:49 +0000
with message-id <[email protected]>
and subject line Bug#1098967: fixed in golang-golang-x-oauth2 0.27.0-1
has caused the Debian Bug report #1098967,
regarding golang-golang-x-oauth2: CVE-2025-22868
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1098967: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098967
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: golang-golang-x-oauth2
Version: 0.26.0-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/golang/go/issues/71490
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for golang-golang-x-oauth2.

CVE-2025-22868[0]:
| An attacker can pass a malicious malformed token which causes
| unexpected memory to be consumed during parsing.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-22868
    https://www.cve.org/CVERecord?id=CVE-2025-22868
[1] https://github.com/golang/go/issues/71490
[2] https://go-review.googlesource.com/c/oauth2/+/652155

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: golang-golang-x-oauth2
Source-Version: 0.27.0-1
Done: Guillem Jover <[email protected]>

We believe that the bug you reported is fixed in the latest version of
golang-golang-x-oauth2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guillem Jover <[email protected]> (supplier of updated golang-golang-x-oauth2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Mon, 03 Mar 2025 23:50:24 +0100
Source: golang-golang-x-oauth2
Architecture: source
Version: 0.27.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Guillem Jover <[email protected]>
Closes: 1098967
Changes:
 golang-golang-x-oauth2 (0.27.0-1) unstable; urgency=medium
 .
   * New upstream release.
     - Fixes CVE-2025-22868. Closes: #1098967
   * Update Standards-Version to 4.7.2 (no changes).
   * Indent debian/watch continuation lines.
   * Place each multi-value for debian/rules make variables on its own line.
   * Run wrap-and-sort -ast.
   * Add myself to Uploaders.
   * Update debian/gbp.conf to follow team workflow.

--- End Message ---