Public bug reported:

[Impact]

 * Current golang-1.22 version oracular/noble/jammy FTBFS due to tests using expired certifications (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1091497, https://github.com/golang/go/issues/71077, upstream fixed in golang 1.23.5).

 * MAAS Agent needs a newer micro version of golang-1.23 because one of its dependencies, the lxd library, bumps the required version to 1.23.3 https://github.com/canonical/lxd/commit/7ce9339693ed949c62fc1a193c040b0c51aa0043

 * golang 1.23.3 - 1.23.7 contain several CVE (not high impact) fixes.
   + CVE-2024-45341: crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints
   + CVE-2024-45336: net/http: sensitive headers incorrectly sent after cross-domain redirect
   + CVE-2025-22866: crypto/elliptic: timing sidechannel for P-256 on ppc64le
   + CVE-2025-22870: net/http, x/net/proxy, x/net/http/httpproxy: proxy bypass using IPv6 zone IDs

[Test Plan]

 * Install golang-1.23, and run `/usr/lib/go-1.23/bin/go version` to check the output. It should contain 1.23.7.

 * For oracular, the golang-defaults is 1.23. We should rebuild parts of the archive in a PPA to check if they can still build. We can use all packages in main that build-dep on golang-1.23 or golang-defaults.

 * For noble and jammy, very few packages build-dep on golang-1.23; we should just rebuild them all in a PPA to check if they can still build.

 * For focal, it's a new package. We can upload a new package to use golang-1.23 in a PPA.

[Where problems could occur]

 * The micro releases of golang-1.23 may contain regressions and cause packages to FTBFS. But no regression has been reported so far in the upstream issue tracker.

 * For focal, it's a new package, so it doesn't have an impact on existing packages.

[Other Info]

 * Upstream issue tracker for golang 1.23.3 to 1.23.7
   + 1.23.3 https://github.com/golang/go/milestone/375?closed=1
   + 1.23.4 https://github.com/golang/go/milestone/376?closed=1
   + 1.23.5 https://github.com/golang/go/milestone/379?closed=1
   + 1.23.6 https://github.com/golang/go/milestone/384?closed=1
   + 1.23.7 https://github.com/golang/go/milestone/386?closed=1

** Affects: golang-1.23 (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: golang-1.23 (Ubuntu Focal)
     Importance: Undecided
         Status: New

** Affects: golang-1.23 (Ubuntu Jammy)
     Importance: Undecided
         Status: New

** Affects: golang-1.23 (Ubuntu Noble)
     Importance: Undecided
         Status: New

** Affects: golang-1.23 (Ubuntu Oracular)
     Importance: Undecided
         Status: New

** Also affects: golang-1.23 (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Also affects: golang-1.23 (Ubuntu Oracular)
   Importance: Undecided
       Status: New

** Also affects: golang-1.23 (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: golang-1.23 (Ubuntu Noble)
   Importance: Undecided
       Status: New

https://bugs.launchpad.net/bugs/2103997

Title:
  [SRU] backport golang-1.23/1.23.7-1 to oracular/noble/jammy/focal