Your message dated Tue, 07 Oct 2025 17:04:48 +0000
with message-id <[email protected]>
and subject line Bug#1098968: fixed in golang-go.crypto 1:0.42.0-4
has caused the Debian Bug report #1098968,
regarding golang-go.crypto: CVE-2025-22869
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1098968: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098968
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: golang-go.crypto
Version: 1:0.25.0-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/golang/go/issues/71931
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for golang-go.crypto.
CVE-2025-22869[0]:
| SSH servers which implement file transfer protocols are vulnerable
| to a denial of service attack from clients which complete the key
| exchange slowly, or not at all, causing pending content to be read
| into memory, but never transmitted.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-22869
https://www.cve.org/CVERecord?id=CVE-2025-22869
[1] https://github.com/golang/go/issues/71931
[2] https://go-review.googlesource.com/c/crypto/+/652135
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: golang-go.crypto
Source-Version: 1:0.42.0-4
Done: Simon Josefsson <[email protected]>
We believe that the bug you reported is fixed in the latest version of
golang-go.crypto, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon Josefsson <[email protected]> (supplier of updated golang-go.crypto
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 07 Oct 2025 18:13:55 +0200
Source: golang-go.crypto
Architecture: source
Version: 1:0.42.0-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Simon Josefsson <[email protected]>
Closes: 1098968
Changes:
golang-go.crypto (1:0.42.0-4) unstable; urgency=medium
.
* Team upload.
* Ignore failing TestMarshalUnmarshal on s390x.
* Fix CVE-2025-22869: SSH servers which implement file transfer
protocols are vulnerable to a denial of service attack from
clients which complete the key exchange slowly, or not at all,
causing pending content to be read into memory, but never
transmitted. Resolved already in 0.35.0. Closes: #1098968.
Checksums-Sha1:
faa5598845285c91e022de35c72e59b9ffcffc98 2645 golang-go.crypto_0.42.0-4.dsc
b44af801039798576738c7c6f779a6061d65546b 92848
golang-go.crypto_0.42.0-4.debian.tar.xz
c9a64f143fd9209cae9d1636605ec64a3026cf96 3124588
golang-go.crypto_0.42.0-4.git.tar.xz
6fb80986f7cc5846e270447ec030dee446b870a6 18260
golang-go.crypto_0.42.0-4_source.buildinfo
Checksums-Sha256:
76166328d31e1e70341ec4815bce3b432883f0c0d793b0111ec99c03da6d63f6 2645
golang-go.crypto_0.42.0-4.dsc
0e33b63ef4bade274c2c99710eaf6699336073201aeb160c1351f9f8daa30e1a 92848
golang-go.crypto_0.42.0-4.debian.tar.xz
f09b127febe232b1b89f66eb6e6660ccac0dd2a46fe69de1411d75a6e656bcbb 3124588
golang-go.crypto_0.42.0-4.git.tar.xz
f9e71a39b661eaf7953a8734ae9d2efe7596e2a29eb804b219561d5f7d94226a 18260
golang-go.crypto_0.42.0-4_source.buildinfo
Files:
450736ec12783f46ac1f5ed00e757289 2645 golang optional
golang-go.crypto_0.42.0-4.dsc
83312361cc84e9263d0a260685c8713a 92848 golang optional
golang-go.crypto_0.42.0-4.debian.tar.xz
8f6ee5ebb9061f6e06db1538125aacef 3124588 golang optional
golang-go.crypto_0.42.0-4.git.tar.xz
054d7cd9bb4e77ea95d7498d7da02fda 18260 golang optional
golang-go.crypto_0.42.0-4_source.buildinfo
Git-Tag-Info: tag=8a7487a6979a3a2cec73c0da3ca42789364def5b
fp=a3cc9c870b9d310abad4cf2f51722b08fe4745a2
Git-Tag-Tagger: Simon Josefsson <[email protected]>
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEN02M5NuW6cvUwJcqYG0ITkaDwHkFAmjlQvUACgkQYG0ITkaD
wHn86RAAyyzSF8cgzEeq27JSpMDztRs/GWET3cvo5J3mFmwRkNkw8DPWSQLGihQT
K62QjIbeI/sG9GctAbOLwRsJCwP8E7u7DvrZv5LbM6qZiho17EbABAk7mZZhBEkz
33fRbV3GKEjfoFH6BcCyocWR1mWvQkgIcy+4TuUCI7Z922c9aGbUGZsj0nb7lE2g
TD9NkYb3lawAw2e7aDla6PXZvuiI4IJoggOiLgt9ulCt2mRYDCCrpXGyQDeYeNjf
YFbmHplggA4cTLvapRPLEqsx1qFXNw8v+V58qCy7MKLjMf6KEjjeV/i/x6TSswnZ
klYqsvDiTOBDNH2WbrPf/KHgpT72GBd+Czt9+x/GSdaKUYCHyTT/ZfHGQGmhAK8w
2+cyYS/E+cZro67KgqI73M+sW3cEWHZlRxoaaQ6y5Pm0N47FhD/TsNCkbvrgsl1b
GrIn+RI8hvNc7siZtF96sbd+6lVq4rUSB7svcKrDPfB6HpHfItx/Fm7NSO3EzlZC
siWSjAMznSxPVhULid6qpcboRuBEv6ebnLsrZK/QLXUyJvt5s5Gek6UnV9yA3DFn
E43ufU0Tm8aS72Z1cZ20XcTJefa2+bxEsCK8JWPeJdH25I8/WZxKAhN6Z1Hws0hE
E6oCdiLL5reU/cm+7bYkBKd/MLAjdIFBJHaaiOJ9Hw6dNOnN+VQ=
=lhv0
-----END PGP SIGNATURE-----
pgpdkKWZbuy0a.pgp
Description: PGP signature
--- End Message ---
