File _patchinfo of Package patchinfo.39051
<patchinfo incident="39051"> <issue tracker="bnc" id="1242715">VUL-0: CVE-2025-22873: go1.24: os: Root permits access to parent directory</issue> <issue tracker="bnc" id="1244157">VUL-0: CVE-2025-0913: go1.23,go1.24: os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows</issue> <issue tracker="bnc" id="1244156">VUL-0: CVE-2025-4673: go1.23,go1.24: net/http: sensitive headers not cleared on cross-origin redirect</issue> <issue tracker="bnc" id="1244158">VUL-0: CVE-2025-22874: go1.24: crypto/x509: usage of ExtKeyUsageAny disables policy validation</issue> <issue tracker="bnc" id="1236217">go1.24 release tracking</issue> <issue tracker="cve" id="2025-22874"/> <issue tracker="cve" id="2025-22873"/> <issue tracker="cve" id="2025-0913"/> <issue tracker="cve" id="2025-4673"/> <packager>jfkw</packager> <rating>important</rating> <category>security</category> <summary>Security update for go1.24</summary> <description>This update for go1.24 fixes the following issues: go1.24.4 (released 2025-06-05) includes security fixes to the crypto/x509, net/http, and os packages, as well as bug fixes to the linker, the go command, and the hash/maphash and os packages. ( bsc#1236217 go1.24 release tracking CVE-2025-22874 CVE-2025-0913 CVE-2025-4673) * CVE-2025-22874: crypto/x509: ExtKeyUsageAny bypasses policy validation (bsc#1244158) * CVE-2025-0913: os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows (bsc#1244157) * CVE-2025-4673: net/http: sensitive headers not cleared on cross-origin redirect (bsc#1244156) * os: Root.Mkdir creates directories with zero permissions on OpenBSD * hash/maphash: hashing channels with purego impl. of maphash.Comparable panics * runtime/debug: BuildSetting does not document DefaultGODEBUG * cmd/go: add fips140 module selection mechanism * cmd/link: Go 1.24.3 and 1.23.9 regression - duplicated definition of symbol dlopen * CVE-2025-22873: os: Root permits access to parent directory</description> </patchinfo>
