[Git][security-tracker-team/security-tracker][master] Update status for CVE-2026-25679/go

[Salvatore Bonaccorso (@carnil)]

Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
181d0857 by Salvatore Bonaccorso at 2026-03-18T23:18:58+01:00
Update status for CVE-2026-25679/go

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -5139,14 +5139,17 @@ CVE-2026-27139 (On Unix platforms, when listing the contents of a directory usin
 CVE-2026-25679 (url.Parse insufficiently validated the host/authority component and ac ...)
 	- golang-1.26 1.26.1-1
 	- golang-1.25 1.25.8-1
-	- golang-1.24 <unfixed>
-	- golang-1.19 <removed>
+	- golang-1.24 <not-affected> (Vulnerable code introduced later)
+	- golang-1.19 <not-affected> (Vulnerable code introduced later)
 	- golang-1.15 <removed>
 	[bullseye] - golang-1.15 <not-affected> (Vulnerable code introduced later)
 	NOTE: https://github.com/golang/go/issues/77578
 	NOTE: Introduced with: https://github.com/golang/go/commit/f6f4e8b3ef21299db1ea3a343c3e55e91365a7fd (go1.26rc1)
+	NOTE: Intorduced with: https://github.com/golang/go/commit/9fd3ac8a10272afd90312fef5d379de7d688a58e (go1.25.2)
+	NOTE: Introduced with: https://github.com/golang/go/commit/d6d2f7bf76718f1db05461cd912ae5e30d7b77ea (go1.24.8)
 	NOTE: Fixed by: https://github.com/golang/go/commit/65c7d7a9fb3a9d1fbf1e702a211b8cc3a7bedb53 (go1.26.1)
-	NOTE: fixed by: https://github.com/golang/go/commit/d8174a9500d53784594b198f6195d1fae8dfe803 (go1.25.8)
+	NOTE: Fixed by: https://github.com/golang/go/commit/d8174a9500d53784594b198f6195d1fae8dfe803 (go1.25.8)
+	NOTE: Fix for CVE-2026-25679 depends on the fix for CVE-2025-47912
 CVE-2026-27142 (Actions which insert URLs into the content attribute of HTML meta tags ...)
 	- golang-1.26 1.26.1-1
 	- golang-1.25 1.25.8-1
@@ -62189,6 +62192,7 @@ CVE-2025-47912 (The Parse function permits values other than IPv6 addresses to b
 	NOTE: https://github.com/golang/go/issues/75678
 	NOTE: https://github.com/golang/go/commit/9fd3ac8a10272afd90312fef5d379de7d688a58e (go1.25.2)
 	NOTE: https://github.com/golang/go/commit/d6d2f7bf76718f1db05461cd912ae5e30d7b77ea (go1.24.8)
+	NOTE: The fix for this issue introduces/uncovers CVE-2026-25679
 CVE-2025-61723 (The processing time for parsing some invalid inputs scales non-linearl ...)
 	- golang-1.25 1.25.2-1
 	- golang-1.24 1.24.8-1



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/181d085706df829f13953bf11a2e63b74696938a

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/181d085706df829f13953bf11a2e63b74696938a
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260318/dbcf38f3/attachment.htm>