[Git][security-tracker-team/security-tracker][master] Track fixed versions for golang-1.24 issues

Salvatore Bonaccorso (@carnil) carnil at debian.org
Sat Jan 24 08:45:01 GMT 2026 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
700e389e by Salvatore Bonaccorso at 2026-01-24T09:44:03+01:00
Track fixed versions for golang-1.24 issues

Note that while CVE-2025-68119 impacts as well 1.24, but not yet fully
confirmed, upstream did *not* backport fixes to 1.24 and it is not fixed
in 1.24.12-1.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -3543,7 +3543,7 @@ CVE-2011-10041 (Uploadify WordPress plugin versions up to and including 1.0conta
 	NOT-FOR-US: WordPress plugin
 CVE-2025-61730 [crypto/tls: handshake messages may be processed at the incorrect encryption level]
 	- golang-1.25 1.25.6-1 (bug #1125916)
-	- golang-1.24 <unfixed> (bug #1125917)
+	- golang-1.24 1.24.12-1 (bug #1125917)
 	- golang-1.19 <removed>
 	- golang-1.15 <removed>
 	[bullseye] - golang-1.15 <postponed> (Limited support, minor issue, follow bookworm DSAs/point-releases)
@@ -3563,7 +3563,7 @@ CVE-2025-68119 [cmd/go: unexpected code execution when invoking toolchain]
 	TODO: check, might only affect 1.25 and above
 CVE-2025-61731 [cmd/go: bypass of flag sanitization can lead to arbitrary code execution]
 	- golang-1.25 1.25.6-1 (bug #1125916)
-	- golang-1.24 <unfixed> (bug #1125917)
+	- golang-1.24 1.24.12-1 (bug #1125917)
 	- golang-1.19 <removed>
 	- golang-1.15 <removed>
 	[bullseye] - golang-1.15 <postponed> (Limited support, minor issue, follow bookworm DSAs/point-releases)
@@ -3573,7 +3573,7 @@ CVE-2025-61731 [cmd/go: bypass of flag sanitization can lead to arbitrary code e
 	NOTE: Fixed by: https://github.com/golang/go/commit/00b7309387a171bcba37382e7ed96b473df04917 (go1.24.12)
 CVE-2025-68121 [crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain]
 	- golang-1.25 1.25.6-1 (bug #1125916)
-	- golang-1.24 <unfixed> (bug #1125917)
+	- golang-1.24 1.24.12-1 (bug #1125917)
 	[trixie] - golang-1.24 <no-dsa> (Minor issue)
 	- golang-1.19 <removed>
 	[bookworm] - golang-1.19 <no-dsa> (Minor issue)
@@ -3585,7 +3585,7 @@ CVE-2025-68121 [crypto/tls: Config.Clone copies automatically generated session
 	NOTE: Fixed by: https://github.com/golang/go/commit/d0754e6242e70e171a888b6c5e0336bbf014e538 (go1.24.12)
 CVE-2025-61726 [net/http: memory exhaustion in Request.ParseForm]
 	- golang-1.25 1.25.6-1 (bug #1125916)
-	- golang-1.24 <unfixed> (bug #1125917)
+	- golang-1.24 1.24.12-1 (bug #1125917)
 	[trixie] - golang-1.24 <no-dsa> (Minor issue)
 	- golang-1.19 <removed>
 	[bookworm] - golang-1.19 <no-dsa> (Minor issue)
@@ -3597,7 +3597,7 @@ CVE-2025-61726 [net/http: memory exhaustion in Request.ParseForm]
 	NOTE: Fixed by: https://github.com/golang/go/commit/85c794ddce26a092b0ea68d0fca79028b5069d5a (go1.24.12)
 CVE-2025-61728 [archive/zip: denial of service when parsing arbitrary ZIP archives]
 	- golang-1.25 1.25.6-1 (bug #1125916)
-	- golang-1.24 <unfixed> (bug #1125917)
+	- golang-1.24 1.24.12-1 (bug #1125917)
 	- golang-1.19 <removed>
 	- golang-1.15 <removed>
 	[bullseye] - golang-1.15 <postponed> (Limited support, DoS, minor issue, follow bookworm DSAs/point-releases)
@@ -24356,7 +24356,7 @@ CVE-2025-63872 (DeepSeek V3.2 has a Cross Site Scripting (XSS) vulnerability, wh
 	NOT-FOR-US: DeepSeek
 CVE-2025-61727 (An excluded subdomain constraint in a certificate chain does not restr ...)
 	- golang-1.25 1.25.6-1 (bug #1121847)
-	- golang-1.24 <unfixed> (bug #1121848)
+	- golang-1.24 1.24.12-1 (bug #1121848)
 	[trixie] - golang-1.24 <no-dsa> (Minor issue)
 	- golang-1.19 <removed>
 	[bookworm] - golang-1.19 <no-dsa> (Minor issue)
@@ -24368,7 +24368,7 @@ CVE-2025-61727 (An excluded subdomain constraint in a certificate chain does not
 	NOTE: Fixed by: https://github.com/golang/go/commit/04db77a423cac75bb82cc9a6859991ae9c016344 (go1.24.11)
 CVE-2025-61729 (Within HostnameError.Error(), when constructing an error string, there ...)
 	- golang-1.25 1.25.6-1 (bug #1121847)
-	- golang-1.24 <unfixed> (bug #1121848)
+	- golang-1.24 1.24.12-1 (bug #1121848)
 	[trixie] - golang-1.24 <no-dsa> (Minor issue)
 	- golang-1.19 <removed>
 	[bookworm] - golang-1.19 <no-dsa> (Minor issue)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/700e389e1e45c3daf92e2afecd5530055bbcc6d2

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/700e389e1e45c3daf92e2afecd5530055bbcc6d2
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260124/062d2536/attachment.htm>

More information about the debian-security-tracker-commits mailing list