Your message dated Sun, 28 Sep 2025 05:35:59 +0000
with message-id <[email protected]>
and subject line Bug#1110947: fixed in golang-1.24 1.24.7-1
has caused the Debian Bug report #1110947,
regarding golang-1.24: CVE-2025-47906
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1110947: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110947
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: golang-1.24
Version: 1.24.4-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/golang/go/issues/74466
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: clone -1 -2
Control: reassign -2 src:golang-1.23 1.23.10-1
Control: retitle -2 golang-1.23: CVE-2025-47906

Hi,

The following vulnerability was published for golang-1.24.

CVE-2025-47906[0].


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-47906
    https://www.cve.org/CVERecord?id=CVE-2025-47906
[1] https://github.com/golang/go/issues/74466
[2] https://groups.google.com/g/golang-announce/c/x5MKroML2yM/m/5_v-oMjUAgAJ

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: golang-1.24
Source-Version: 1.24.7-1
Done: Tianon Gravi <[email protected]>

We believe that the bug you reported is fixed in the latest version of
golang-1.24, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tianon Gravi <[email protected]> (supplier of updated golang-1.24 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 27 Sep 2025 22:07:23 -0700
Source: golang-1.24
Architecture: source
Version: 1.24.7-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Compiler Team <[email protected]>
Changed-By: Tianon Gravi <[email protected]>
Closes: 1109109 1110947 1110949
Changes:
 golang-1.24 (1.24.7-1) unstable; urgency=medium
 .
   * Update to 1.24.7 upstream release
     - 1.24.5
       - cmd/go: unexpected command execution in untrusted VCS repositories
         (CVE-2025-4674; https://go.dev/issue/74380; Closes: #1109109)
     - 1.24.6
       - os/exec: LookPath may return unexpected paths
         (CVE-2025-47906; https://go.dev/issue/74466; Closes: #1110947)
       - database/sql: incorrect results returned from Rows.Scan
         (CVE-2025-47907; https://go.dev/issue/74831; Closes: #1110949)
     - 1.24.7
       - net/http: CrossOriginProtection bypass patterns are over-broad
         (CVE-2025-47910; https://go.dev/issue/75054)


--- End Message ---
