Debian Golang-1.19 vulnerabilities
108 known vulnerabilities affecting debian/golang-1.19.
Total CVEs: 108
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 43, MEDIUM 34, LOW 21
Vulnerabilities
Page 3 of 6
CVE-2025-22874
Severity: LOW
CVSS: 7.5
Fixed in: golang-1.24 1.24.4-1 (forky)
Year: 2025
CVE-2025-22874 [HIGH]: golang-1.15 - Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabled policy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.
Scope: local
bullseye: resolved
debian
CVE-2025-22865
Severity: LOW
CVSS: 7.5
Fixed in: golang-1.24 1.24~rc2-1 (forky)
Year: 2025
CVE-2025-22865 [HIGH]: golang-1.15 - Using ParsePKCS1PrivateKey to parse an RSA key that is missing the CRT values would panic when verifying that the key is well formed.
Scope: local
bullseye: resolved
debian
CVE-2025-0913
Severity: LOW
CVSS: 5.5
Year: 2025
CVE-2025-0913 [MEDIUM]: golang-1.15 - os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always returns an
debian
CVE-2025-22873
Severity: LOW
CVSS: 3.8
Fixed in: golang-1.24 1.24.4-1 (forky)
Year: 2025
CVE-2025-22873 [LOW]: golang-1.15 - It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.
Scope: local
bullseye: resolved
debian
CVE-2025-61728
Severity: LOW
CVSS: 6.5
Fixed in: golang-1.24 1.24.12-1 (forky)
Year: 2025
CVE-2025-61728 [MEDIUM]: golang-1.15 - archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.
Scope: local
bullseye: resolved
debian
CVE-2025-47910
Severity: LOW
CVSS: 5.4
Fixed in: golang-1.25 1.25.1-1 (forky)
Year: 2025
CVE-2025-47910 [MEDIUM]: golang-1.15 - When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections.
Scope: local
bullseye: resolved
debian
CVE-2024-24790
Severity: CRITICAL
CVSS: 9.8
Year: 2024
CVE-2024-24790 [CRITICAL]: golang-1.15 - The various Is methods (IsPrivate, IsLoopback, etc.) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.
Scope: local
bullseye: open
debian
CVE-2024-34158
Severity: HIGH
CVSS: 7.5
Year: 2024
CVE-2024-34158 [HIGH]: golang-1.15 - Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.
Scope: local
bullseye: open
debian
CVE-2024-24791
Severity: HIGH
CVSS: 7.5
Year: 2024
CVE-2024-24791 [HIGH]: golang-1.15 - The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProx
debian
CVE-2024-24784
Severity: HIGH
CVSS: 7.5
Year: 2024
CVE-2024-24784 [HIGH]: golang-1.15 - The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.
Scope: local
bullseye: open
debian
CVE-2024-34156
Severity: HIGH
CVSS: 7.5
Year: 2024
CVE-2024-34156 [HIGH]: golang-1.15 - Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
Scope: local
bullseye: open
debian
CVE-2024-45341
Severity: MEDIUM
CVSS: 6.1
Fixed in: golang-1.24 1.24~rc2-1 (forky)
Year: 2024
CVE-2024-45341 [MEDIUM]: golang-1.15 - A certificate with a URI which has an IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.
Scope: local
bullseye: open
debian
CVE-2024-24783
Severity: MEDIUM
CVSS: 5.9
Year: 2024
CVE-2024-24783 [MEDIUM]: golang-1.15 - Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.
Scope: local
bull
debian
CVE-2024-45336
Severity: MEDIUM
CVSS: 6.1
Fixed in: golang-1.24 1.24~rc2-1 (forky)
Year: 2024
CVE-2024-45336 [MEDIUM]: golang-1.15 - The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of
debian
CVE-2024-24789
Severity: MEDIUM
CVSS: 5.5
Year: 2024
CVE-2024-24789 [MEDIUM]: golang-1.15 - The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create a zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.
Scope: local
bullseye: open
debian
CVE-2024-34155
Severity: MEDIUM
CVSS: 4.3
Year: 2024
CVE-2024-34155 [MEDIUM]: golang-1.15 - Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
Scope: local
bullseye: open
debian
CVE-2024-24785
Severity: MEDIUM
CVSS: 5.4
Year: 2024
CVE-2024-24785 [MEDIUM]: golang-1.15 - If errors returned from MarshalJSON methods contain user-controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing subsequent actions to inject unexpected content into templates.
Scope: local
bullseye: open
debian
CVE-2024-24787
Severity: LOW
CVSS: 6.4
Year: 2024
CVE-2024-24787 [MEDIUM]: golang-1.15 - On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive.
Scope: local
bullseye: resolved
debian
CVE-2024-8244
Severity: LOW
CVSS: 3.7
Year: 2024
CVE-2024-8244 [LOW]: golang-1.15 - The filepath.Walk and filepath.WalkDir functions are documented as not following symbolic links, but both functions are susceptible to a TOCTOU (time of check/time of use) race condition where a portion of the path being walked is replaced with a symbolic link while the walk is in progress.
Scope: local
bullseye: open
debian
CVE-2024-24788
Severity: LOW
CVSS: 5.9
Year: 2024
CVE-2024-24788 [MEDIUM]: golang-1.15 - A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.
Scope: local
bullseye: resolved
debian