[ubuntu/resolute-proposed] golang-1.25 1.25.7-2 (Accepted)

Matthias Klose m1 at klose.in-berlin.de
Mon Mar 2 08:49:31 UTC 2026 

golang-1.25 (1.25.7-2) unstable; urgency=medium

  * Team upload.
  * Skip TestTSAN test on s390x.
    The test consistently fails, and is probably a real bug.
    It's currently being investigated, but until that is
    resolved, we disable the test to be able to build the
    golang package, so it can migrate to testing and
    fix lots of other bugs and CVEs.
    See https://github.com/golang/go/issues/77289
  * Remove golang-1.25-go:native from Build-Depends.
    This is hopefully a temporary measure to allow the buildds
    to use golang-1.24 for building this package. The build on
    loong64 is not possible due to a missing golang-1.25-go:loong64
    package. After this package has been built on loong64,
    golang-1.25 could be re-added to Build-Depends.

golang-1.25 (1.25.7-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 1.25.7
    - Refresh patches
    - New patch: Replace localhostCert and localhostKey. New they are
      valid until 2084, so that this package will not FTBFS during
      the forky release. (Closes: #1127117)
    - CVE-2025-61732: https://go.dev/issue/76697
      cmd/go: potential code smuggling using doc comments

golang-1.25 (1.25.6-1) unstable; urgency=medium

  [ Anshul Singh ]
  * Update to 1.25.5 upstream release
    https://go.dev/doc/devel/release#go1.25.5
    - crypto/x509: excessive resource consumption in printing error string for host certificate validation
    - crypto/x509: excluded subdomain constraint does not restrict wildcard SANs

  [ Tianon Gravi ]
  * Update to 1.25.6 upstream release

    1.25.6: (Closes: #1125916)
    - https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc/m/pQP7Bk0aCQAJ

    - CVE-2025-61728: https://go.dev/issue/77102
      archive/zip: denial of service when parsing arbitrary ZIP archives

    - CVE-2025-61726: https://go.dev/issue/77101
      net/http: memory exhaustion in Request.ParseForm

    - CVE-2025-68121: https://go.dev/issue/77113
      crypto/tls: Config.Clone copies automatically generated session ticket
      keys, session resumption does not account for the expiration of full
      certificate chain

    - CVE-2025-61731: https://go.dev/issue/77100
      cmd/go: bypass of flag sanitization can lead to arbitrary code
      execution

    - CVE-2025-68119: https://go.dev/issue/77099
      cmd/go: unexpected code execution when invoking toolchain

    - CVE-2025-61730: https://go.dev/issue/76443
      crypto/tls: handshake messages may be processed at the incorrect
      encryption level

    - os: allow direntries to have zero inodes on Linux (Closes: #1115301)

    1.25.5: (Closes: #1121847)
    - https://groups.google.com/g/golang-announce/c/8FJoBkPddm4/m/kYpVlPw1CQAJ

    - CVE-2025-61729: https://go.dev/issue/76445
      crypto/x509: excessive resource consumption in printing error string for
      host certificate validation

    - CVE-2025-61727: https://go.dev/issue/76442
      crypto/x509: excluded subdomain constraint does not restrict wildcard
      SANs

    1.25.4:
    - https://groups.google.com/g/golang-announce/c/tVVHm9gnwl8/m/-oTvYIjCAQAJ

  * Fix build with DEB_BUILD_OPTIONS=terse (Closes: #1125464)
    (solution borrowed from xz-utils debian/rules)

golang-1.25 (1.25.3-1) unstable; urgency=medium

  * Update to 1.25.3 upstream release
    https://go.dev/doc/devel/release#go1.25.3
    - fixes to the crypto/x509 package (https://go.dev/issue/75828)

golang-1.25 (1.25.2-1) unstable; urgency=medium

  * Add Go 1.25 to acceptable bootstrap versions (Build-Depends)
  * Update upstream signing key
  * Update to 1.25.2 upstream release
    https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJ
    - CVE-2025-61725: net/mail: excessive CPU consumption in ParseAddress
    - CVE-2025-58187: crypto/x509: quadratic complexity when checking name constraints
    - CVE-2025-58189: crypto/tls: ALPN negotiation errors can contain arbitrary text
    - CVE-2025-61723: encoding/pem: quadratic complexity when parsing some invalid inputs
    - CVE-2025-47912: net/url: insufficient validation of bracketed IPv6 hostnames
    - CVE-2025-58185: encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion
    - CVE-2025-58186: net/http: lack of limit when parsing cookies can cause memory exhaustion
    - CVE-2025-58188: crypto/x509: panic when validating certificates with DSA public keys
    - CVE-2025-58183: archive/tar: unbounded allocation when parsing GNU sparse map
    - CVE-2025-61724: net/textproto: excessive CPU consumption in Reader.ReadResponse

golang-1.25 (1.25.1-1) unstable; urgency=medium

  * Update to 1.25.1 upstream release
    - net/http: CrossOriginProtection bypass patterns are over-broad
      (CVE-2025-47910; https://go.dev/issue/75054; Closes: #1116341)

golang-1.25 (1.25.0-2) unstable; urgency=medium

  [ Tianon Gravi ]
  * Add support for cross-building natively (Closes: #1100436)
    - https://salsa.debian.org/go-team/compiler/golang/-/merge_requests/21
  * Clean up debian/helpers/goenv.sh (notably no more go1.16 support)

  [ Bo YU ]
  * Skip failing TSAN tests on riscv64 (Closes: #1115478)

golang-1.25 (1.25.0-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 1.25.0.

Date: 2026-02-10 04:38:32.388990+00:00
Signed-By: Matthias Klose <m1 at klose.in-berlin.de>
https://launchpad.net/ubuntu/+source/golang-1.25/1.25.7-2
-------------- next part --------------
Sorry, changesfile not available.

More information about the Resolute-changes mailing list