From: Peter Korsgaard via buildroot <buildroot@buildroot.org>
To: buildroot@buildroot.org
Cc: Christian Stewart <christian@aperture.us>,
Thomas Perale <thomas.perale@mind.be>
Subject: Re: [Buildroot] [PATCH] package/go: security bump to version 1.23.10
Date: Sat, 07 Jun 2025 17:34:14 +0200 [thread overview]
Message-ID: <87plffbm6h.fsf@dell.be.48ers.dk> (raw)
In-Reply-To: <20250607121948.2175315-1-peter@korsgaard.com> (Peter Korsgaard's message of "Sat, 7 Jun 2025 14:19:47 +0200")
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> go1.23.9 (released 2025-05-06) includes fixes to the runtime and the linker.
> go1.23.10 (released 2025-06-05) includes security fixes to the net/http and
> os packages, as well as bug fixes to the linker.
> Fixes the following security vulnerabilities:
> - CVE-2025-4673: net/http: sensitive headers not cleared on cross-origin
> redirect
> Proxy-Authorization and Proxy-Authenticate headers persisted on
> cross-origin redirects potentially leaking sensitive information
> - CVE-2025-0913: os: inconsistent handling of O_CREATE|O_EXCL on Unix and
> Windows
> os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and
> Windows systems when the target path was a dangling symlink. On Unix
> systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks.
> On Windows, when the target path was a symlink to a nonexistent location,
> OpenFile would create a file in that location.
> - CVE-2025-22874: crypto/x509: usage of ExtKeyUsageAny disables policy validation
> Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny
> unintentionally disabled policy validation. This only affected
> certificate chains which contain policy graphs, which are rather uncommon.
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
next prev parent reply other threads:[~2025-06-07 15:34 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-07 12:19 [Buildroot] [PATCH] package/go: security bump to version 1.23.10 Peter Korsgaard via buildroot
2025-06-07 15:34 ` Peter Korsgaard via buildroot [this message]
2025-06-12 20:09 ` Arnout Vandecappelle via buildroot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87plffbm6h.fsf@dell.be.48ers.dk \
--to=buildroot@buildroot.org \
--cc=christian@aperture.us \
--cc=peter@korsgaard.com \
--cc=thomas.perale@mind.be \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox