[Bug 2103997] [NEW] [SRU] backport golang-1.23/1.23.7-1 to oracular/noble/jammy/focal
Shengjing Zhu
2103997 at bugs.launchpad.net
Mon Mar 24 09:39:50 UTC 2025
Public bug reported:
[Impact]
* The current golang-1.22 in oracular/noble/jammy FTBFS because its tests use expired certificates (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1091497, https://github.com/golang/go/issues/71077; fixed upstream in golang 1.23.5).
* MAAS Agent needs a newer micro version of golang-1.23 because one of its dependencies, the lxd library, bumped the required version to 1.23.3: https://github.com/canonical/lxd/commit/7ce9339693ed949c62fc1a193c040b0c51aa0043
* golang 1.23.3 - 1.23.7 contain fixes for several CVEs (none high impact):
+ CVE-2024-45341: crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints
+ CVE-2024-45336: net/http: sensitive headers incorrectly sent after cross-domain redirect
+ CVE-2025-22866: crypto/elliptic: timing side channel for P-256 on ppc64le
+ CVE-2025-22870: net/http, x/net/proxy, x/net/http/httpproxy: proxy bypass using IPv6 zone IDs
[Test Plan]
* Install golang-1.23 and run `/usr/lib/go-1.23/bin/go version` to check the output; it should contain 1.23.7.
* For oracular, golang-defaults points to 1.23. We should rebuild parts of the archive in a PPA to check that they still build; all packages in main that build-depend on golang-1.23 or golang-defaults can be used for this.
* For noble and jammy, very few packages build-depend on golang-1.23, so we should simply rebuild them all in a PPA to check that they still build.
* For focal, it's a new package. We can upload a new package that uses golang-1.23 to a PPA.
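Two helpers for carrying out the test plan above, added here as an example and not part of the bug report: one checks the `go version` output for the expected micro release, the other filters Sources-style stanzas (as printed by `apt-cache showsrc`, an assumption about the input format) for packages that build-depend on golang-1.23 or on a golang-defaults binary (golang-go / golang-any). The sample stanzas are constructed, not real archive data.

```shell
#!/bin/sh
# Added example, not part of the bug report: helpers for the SRU test plan.
#   check_go_version   - verify `go version` output reports the expected micro release
#   list_go_rbuilddeps - from Sources-style stanzas (e.g. `apt-cache showsrc` output),
#                        print source packages that build-depend on golang-1.23 or on a
#                        golang-defaults binary (golang-go / golang-any)
EXPECTED_GO=1.23.7   # micro release requested by the SRU

check_go_version() {
    # $1: text such as "go version go1.23.7 linux/amd64"; returns 2 on unparseable input
    ver=$(printf '%s\n' "$1" | sed -n 's/^go version go\([0-9][0-9.]*\) .*/\1/p')
    [ -n "$ver" ] || return 2
    [ "$ver" = "$EXPECTED_GO" ]
}

list_go_rbuilddeps() {
    # $1: one or more source stanzas separated by blank lines
    printf '%s\n' "$1" | awk '
        BEGIN { RS = ""; FS = "\n" }           # one stanza per record, one field per line
        {
            pkg = ""; bd = ""; inbd = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Package: /)                           { pkg = substr($i, 10); inbd = 0 }
                else if ($i ~ /^Build-Depends(-Indep|-Arch)?: /) { bd = bd " " $i; inbd = 1 }
                else if (inbd && $i ~ /^[ \t]/)                  bd = bd " " $i   # continuation line
                else inbd = 0
            }
            # keep only package-name characters so each dependency is a space-delimited
            # token; this avoids matching e.g. golang-golang-x-net-dev as "golang-go"
            gsub(/[^A-Za-z0-9.+~:-]/, " ", bd)
            if ((" " bd " ") ~ / golang-(1\.23|go|any) /) print pkg
        }' | sort -u
}

# Constructed sample stanzas (not real archive data) to exercise the filter
SAMPLE_SOURCES='Package: example-agent
Build-Depends: debhelper-compat (= 13),
 dh-golang,
 golang-1.23

Package: example-tool
Build-Depends: debhelper-compat (= 13), golang-golang-x-net-dev

Package: example-daemon
Build-Depends: debhelper-compat (= 13), dh-golang, golang-any (>= 2:1.23~)

Package: example-legacy
Build-Depends: debhelper-compat (= 13), golang-1.22'

list_go_rbuilddeps "$SAMPLE_SOURCES"   # prints example-agent and example-daemon
```

On a real system, feed `check_go_version "$(/usr/lib/go-1.23/bin/go version)"` and `list_go_rbuilddeps "$(apt-cache showsrc <pkg>...)"` (or a Sources index) instead of the constructed sample.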
[Where problems could occur]
* The micro releases of golang-1.23 may contain regressions that cause packages to FTBFS, but no regressions have been reported so far in the upstream issue tracker.
* For focal, it's a new package, so it has no impact on existing packages.
[Other Info]
* Upstream issue tracker milestones for golang 1.23.3 to 1.23.7:
+ 1.23.3 https://github.com/golang/go/milestone/375?closed=1
+ 1.23.4 https://github.com/golang/go/milestone/376?closed=1
+ 1.23.5 https://github.com/golang/go/milestone/379?closed=1
+ 1.23.6 https://github.com/golang/go/milestone/384?closed=1
+ 1.23.7 https://github.com/golang/go/milestone/386?closed=1
** Affects: golang-1.23 (Ubuntu)
Importance: Undecided
Status: New
** Affects: golang-1.23 (Ubuntu Focal)
Importance: Undecided
Status: New
** Affects: golang-1.23 (Ubuntu Jammy)
Importance: Undecided
Status: New
** Affects: golang-1.23 (Ubuntu Noble)
Importance: Undecided
Status: New
** Affects: golang-1.23 (Ubuntu Oracular)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/2103997