Your message dated Sun, 28 Sep 2025 04:35:23 +0000
with message-id <[email protected]>
and subject line Bug#1116341: fixed in golang-1.25 1.25.1-1
has caused the Debian Bug report #1116341,
regarding golang-1.25: CVE-2025-47910
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1116341: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116341
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: golang-1.25
Version: 1.25.0-2
Severity: grave
Tags: security upstream
Forwarded: https://github.com/golang/go/issues/75054
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for golang-1.25.

CVE-2025-47910[0]:
| When using http.CrossOriginProtection, the AddInsecureBypassPattern
| method can unexpectedly bypass more requests than intended.
| CrossOriginProtection then skips validation, but forwards the
| original request path, which may be served by a different handler
| without the intended security protections.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-47910
    https://www.cve.org/CVERecord?id=CVE-2025-47910
[1] https://github.com/golang/go/issues/75054
[2] https://groups.google.com/g/golang-announce/c/PtW9VW21NPs/m/DJhMQ-m5AQAJ

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: golang-1.25
Source-Version: 1.25.1-1
Done: Tianon Gravi <[email protected]>

We believe that the bug you reported is fixed in the latest version of
golang-1.25, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tianon Gravi <[email protected]> (supplier of updated golang-1.25 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Sat, 27 Sep 2025 21:09:25 -0700
Source: golang-1.25
Architecture: source
Version: 1.25.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Compiler Team <[email protected]>
Changed-By: Tianon Gravi <[email protected]>
Closes: 1116341
Changes:
 golang-1.25 (1.25.1-1) unstable; urgency=medium
 .
   * Update to 1.25.1 upstream release
     - net/http: CrossOriginProtection bypass patterns are over-broad
       (CVE-2025-47910; https://go.dev/issue/75054; Closes: #1116341)

--- End Message ---
