-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 07 May 2026 22:22:32 +0200
Source: golang-1.25
Architecture: source
Version: 1.25.10-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Compiler Team <team+go-compiler@tracker.debian.org>
Changed-By: Dr. Tobias Quathamer <toddy@debian.org>
Changes:
 golang-1.25 (1.25.10-1) unstable; urgency=medium
 .
   * New upstream version 1.25.10
     - CVE-2026-42501
       cmd/go: malicious module proxy can bypass checksum database
     - CVE-2026-39820
       Well-crafted inputs reaching ParseAddress, ParseAddressList, and
       ParseDate were able to trigger excessive CPU exhaustion and memory
       allocations.
     - CVE-2026-39823
       Vulnerability in which URLs were not correctly escaped inside of a
       <meta> tag's <content> attribute.
     - CVE-2026-33811
       When using LookupCNAME with the cgo DNS resolver, a very long
       CNAME response can trigger a double-free of C memory and a crash.
     - CVE-2026-39826
       If a trusted template author were to write a <script> tag
       containing an empty 'type' attribute or a 'type' attribute with an
       ASCII whitespace, the execution of the template would incorrectly
       escape any data passed into the <script> block.
     - CVE-2026-39817
       The "go tool pack" subcommand (usually used only by the compiler
       as an internal tool with known-good inputs) does not sanitize
       output filenames. Extracting a malicious archive file with the
       "pack" subcommand can write files to arbitrary locations on the
       filesystem.
     - CVE-2026-39819
       The "go bug" command writes to two files with predictable names in
       the system temporary directory (for example, "/tmp"). An attacker
       with access to the temporary directory can create a symlink in one
       of these names, causing "go bug" to overwrite the target of the
       symlink.
     - CVE-2026-42499
       Pathological inputs could cause DoS through consumePhrase when
       parsing an email address according to RFC 5322.
     - CVE-2026-39825
       ReverseProxy can forward queries containing parameters not visible
       to Rewrite functions.
   * Remove superfluous file pattern from d/copyright
   * Update lintian overrides
Checksums-Sha1:
deff57b553794c62ed43efcf0de988ce0fea8ad2 2925 golang-1.25_1.25.10-1.dsc
cae682217c92aef333e46d67779f43b9e3774140 32000721 golang-1.25_1.25.10.orig.tar.gz
e768d96e2ca751f4257e9a256a541bb779855871 833 golang-1.25_1.25.10.orig.tar.gz.asc
26943fc2d1a90da61ec1174901869eed4606a97b 46748 golang-1.25_1.25.10-1.debian.tar.xz
ece512e67ecd2ccb8128e60757d78656f83544d2 6702 golang-1.25_1.25.10-1_amd64.buildinfo
Checksums-Sha256:
a4d4daf8944cf84c16cef2afdd327a1204a3bfc9aa99607c8ea5414f7f28befc 2925 golang-1.25_1.25.10-1.dsc
20cf04a92e5af99748e341bc8996fa28090c9ac98765fa115ec5ddf41d7af41d 32000721 golang-1.25_1.25.10.orig.tar.gz
81570752ae2fe13a9328632dbbc93755d9554d1de920f83c8c54ff8fbf513bf0 833 golang-1.25_1.25.10.orig.tar.gz.asc
a856c50d9619317f7a6c653d94140f07c135a253dffd6acfeaaf6abb5df25ac9 46748 golang-1.25_1.25.10-1.debian.tar.xz
d25a2c4ffd32a5dcb5dff6bf8b3254ad9ea64aeed456c1fc11e5fefba9d9ff8c 6702 golang-1.25_1.25.10-1_amd64.buildinfo
Files:
dc1ab34fbcb84283d7f7e27e4d37ee3c 2925 golang optional golang-1.25_1.25.10-1.dsc
52360fc5adfa7069fec55a7b089828b7 32000721 golang optional golang-1.25_1.25.10.orig.tar.gz
d0c2fb853bd81e4ac6e6850c60fa5211 833 golang optional golang-1.25_1.25.10.orig.tar.gz.asc
ea1cfdd37a1bbaaec8d1b30ff5e697f4 46748 golang optional golang-1.25_1.25.10-1.debian.tar.xz
41c518060190d324a398a3c020d4e36e 6702 golang optional golang-1.25_1.25.10-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----