Debian Golang-1.24 vulnerabilities

51 known vulnerabilities affecting debian/golang-1.24.

Total CVEs: 51
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 17, MEDIUM 18, LOW 13

Vulnerabilities

Page 3 of 3
CVE-2025-22874 | LOW | CVSS 7.5 | fixed in golang-1.24 1.24.4-1 (forky) | 2025
CVE-2025-22874 [HIGH] golang-1.15 - Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabled policy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon. Scope: local. bullseye: resolved
debian
CVE-2025-22865 | LOW | CVSS 7.5 | fixed in golang-1.24 1.24~rc2-1 (forky) | 2025
CVE-2025-22865 [HIGH] golang-1.15 - Using ParsePKCS1PrivateKey to parse an RSA key that is missing the CRT values would panic when verifying that the key is well formed. Scope: local. bullseye: resolved
debian
CVE-2025-0913 | LOW | CVSS 5.5 | 2025
CVE-2025-0913 [MEDIUM] golang-1.15 - os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always returns an
debian
CVE-2025-22873 | LOW | CVSS 3.8 | fixed in golang-1.24 1.24.4-1 (forky) | 2025
CVE-2025-22873 [LOW] golang-1.15 - It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent. Scope: local. bullseye: resolved
debian
CVE-2025-61728 | LOW | CVSS 6.5 | fixed in golang-1.24 1.24.12-1 (forky) | 2025
CVE-2025-61728 [MEDIUM] golang-1.15 - archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive. Scope: local. bullseye: resolved
debian
CVE-2025-22867 | LOW | CVSS 7.5 | 2025
CVE-2025-22867 [HIGH] golang-1.24 - On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the @executable_path, @loader_path, or @rpath special values in a "#cgo LDFLAGS" directive. This issue only affected go1.24rc2. Scope: local. forky: resolved; sid: resolved; trixie: resolved
debian
CVE-2025-47910 | LOW | CVSS 5.4 | fixed in golang-1.25 1.25.1-1 (forky) | 2025
CVE-2025-47910 [MEDIUM] golang-1.15 - When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections. Scope: local. bullseye: resolved
debian
CVE-2024-45340 | HIGH | CVSS 8.8 | fixed in golang-1.24 1.24~rc2-1 (forky) | 2024
CVE-2024-45340 [HIGH] golang-1.24 - Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials they should not have access to. By default, unless otherwise set, this only affected credentials stored in the user's .netrc file. Scope: local. forky: resolved (fixed in 1.24~rc2-1); sid: resolved (fixed in 1.24~rc2-1); tri
debian
CVE-2024-45341 | MEDIUM | CVSS 6.1 | fixed in golang-1.24 1.24~rc2-1 (forky) | 2024
CVE-2024-45341 [MEDIUM] golang-1.15 - A certificate with a URI which has an IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs. Scope: local. bullseye: open
debian
CVE-2024-45336 | MEDIUM | CVSS 6.1 | fixed in golang-1.24 1.24~rc2-1 (forky) | 2024
CVE-2024-45336 [MEDIUM] golang-1.15 - The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of
debian
CVE-2024-8244 | LOW | CVSS 3.7 | 2024
CVE-2024-8244 [LOW] golang-1.15 - The filepath.Walk and filepath.WalkDir functions are documented as not following symbolic links, but both functions are susceptible to a TOCTOU (time of check/time of use) race condition where a portion of the path being walked is replaced with a symbolic link while the walk is in progress. Scope: local. bullseye: open
debian