[Bug 2103780] Re: [SRU] backport golang-1.24 to jammy, noble, oracular and plucky

Launchpad Bug Tracker 2103780 at bugs.launchpad.net
Wed Mar 11 19:42:01 UTC 2026 

This bug was fixed in the package golang-1.24 - 1.24.4-1ubuntu1~22.04.1

---------------
golang-1.24 (1.24.4-1ubuntu1~22.04.1) jammy; urgency=medium

  * Backport to Jammy (LP: #2103780)

golang-1.24 (1.24.4-1) unstable; urgency=medium

  * Team upload
  * New upstream version 1.24.1
    + CVE-2025-4673: net/http: sensitive headers not cleared on cross-origin redirect (Closes: #1107364)
    + CVE-2025-0913: os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows
    + CVE 2025-22874: crypto/x509: usage of ExtKeyUsageAny disables policy validation (Closes: #1107364)
    + CVE-2025-22873: os: Root permits access to parent directory (Closes: #1104816)
  * d/patches: Removed patch 0003 as it's already applied upstream now

 -- Anshul Singh <anshul.singh at canonical.com>  Thu, 26 Jun 2025 13:16:04
+0530

** Changed in: golang-1.24 (Ubuntu Jammy)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to golang-1.24 in Ubuntu.
https://bugs.launchpad.net/bugs/2103780

Title:
  [SRU] backport golang-1.24 to jammy, noble, oracular and plucky

Status in golang-1.24 package in Ubuntu:
  Fix Released
Status in golang-1.24 source package in Jammy:
  Fix Released
Status in golang-1.24 source package in Noble:
  Fix Released
Status in golang-1.24 source package in Plucky:
  Won't Fix

Bug description:
  [Impact]

  * containers stack (runc-app, containerd-app, docker.io-app) is going to update in all supported
     releases, which requires new version of golang compiler. The containers stack will be updated in
     focal, jammy, noble and oracular so we need golang-1.24 as well.
  * It will also be easier to meet minimum bootstrapping requirements for later releases
  * For Plucky, the current version is 1.24.2, upgrading to a newer microrelease will bring in the beneficial CVE fixes which can be seen in detail at https://go.dev/doc/devel/release.

  [Test Plan]

   * Install golang-1.24 in affected version
   * Add /usr/lib/go-1.24/bin to PATH
   * Build a Go package, for example the runc-app. The result should be successful.
     + git-ubuntu clone runc-app
     + replace golang-1.23-go with golang-1.24-go in d/control file
     + replace /usr/lib/go-1.23/bin with /usr/lib/go-1.24/bin in d/rules file

  [ Where problems could occur ]

   * For Plucky, since the current default go version is 1.24 so upgrading the default to a newer microrelease might cause build failures in reverse deps for plucky but since the microrelease updates contain majorly CVE fixes it should not be too big of an issue. 
   * This is a new package in archive for other targets, which doesn't have impact on existing packages.

  [Other Info]

   * No

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/golang-1.24/+bug/2103780/+subscriptions

More information about the foundations-bugs mailing list