Overview

File _patchinfo of Package patchinfo.38164

<patchinfo incident="38164">
  <issue tracker="bnc" id="1229122">go1.23 release tracking</issue>
  <issue tracker="bnc" id="1240550">VUL-0: CVE-2025-22871: go1.23,go1.24: net/http: request smuggling through invalid chunked data</issue>
  <issue tracker="cve" id="2025-22871"/>
  <packager>jfkw</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for go1.23</summary>
  <description>This update for go1.23 fixes the following issues:

- go1.23.8 (released 2025-04-01) includes security fixes to the
  net/http package, as well as bug fixes to the runtime and the go
  command.
  Refs bsc#1229122 go1.23 release tracking
  CVE-2025-22871
  * go#72010 go#71988 bsc#1240550 security: fix CVE-2025-22871 net/http: reject bare LF in chunked encoding
  * go#72114 runtime: process hangs for mips hardware
  * go#72871 runtime: cgo callback on extra M treated as external code after nested cgo callback returns
  * go#72937 internal/godebugs: winsymlink and winreadlinkvolume have incorrect defaults for Go 1.22

  net/http package, as well as bug fixes to cgo, the compiler, and
  the reflect, runtime, and syscall packages.</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places