Bug 34078 - golang new security issue CVE-2025-2287[01]
Summary: golang new security issue CVE-2025-2287[01]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK,MGA9-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-03-10 09:32 CET by Nicolas Salguero
Modified: 2025-06-02 19:56 CEST

See Also:
Source RPM: golang-1.22.12-1.mga9.src.rpm
CVE: CVE-2025-22870, CVE-2025-22871
Status comment: Fixed upstream in 1.23.8, version 1.22 not fixed for the moment


Description Nicolas Salguero 2025-03-10 09:32:19 CET
CVE-2025-22870 was announced here:
https://www.openwall.com/lists/oss-security/2025/03/07/2
Nicolas Salguero 2025-03-10 09:33:17 CET

Whiteboard: (none) => MGA9TOO
Source RPM: (none) => golang-1.23.6-1.mga10.src.rpm, golang-1.22.12-1.mga9.src.rpm
Status comment: (none) => Fixed upstream in 1.23.7, version 1.22 not fixed for the moment
CVE: (none) => CVE-2025-22870

Comment 1 Lewis Smith 2025-03-10 20:20:31 CET
Note:
Fixed upstream in 1.23.7 (Cauldron), version 1.22 (Mageia 9) not fixed for the moment.
Different packagers handle golang, so assigning globally.

Assignee: bugsquad => pkg-bugs

Nicolas Salguero 2025-03-11 17:19:10 CET

Version: Cauldron => 9
Source RPM: golang-1.23.6-1.mga10.src.rpm, golang-1.22.12-1.mga9.src.rpm => golang-1.22.12-1.mga9.src.rpm
Whiteboard: MGA9TOO => (none)

Comment 2 Nicolas Salguero 2025-04-07 10:57:17 CEST
CVE-2025-22871 was announced here:
https://www.openwall.com/lists/oss-security/2025/04/04/4

Whiteboard: (none) => MGA9TOO
Source RPM: golang-1.22.12-1.mga9.src.rpm => golang-1.23.7-1.mga10.src.rpm, golang-1.22.12-1.mga9.src.rpm
Summary: golang new security issue CVE-2025-22870 => golang new security issue CVE-2025-2287[01]
Version: 9 => Cauldron
Status comment: Fixed upstream in 1.23.7, version 1.22 not fixed for the moment => Fixed upstream in 1.23.8, version 1.22 not fixed for the moment
CVE: CVE-2025-22870 => CVE-2025-22870, CVE-2025-22871

Nicolas Salguero 2025-04-07 11:59:52 CEST

Source RPM: golang-1.23.7-1.mga10.src.rpm, golang-1.22.12-1.mga9.src.rpm => golang-1.22.12-1.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9

Comment 3 katnatek 2025-04-11 18:44:54 CEST
Why not build  golang-1.23.7-1 ? 
Build without issues for mageia 9
Comment 4 katnatek 2025-04-11 18:58:43 CEST
(In reply to katnatek from comment #3)
> Why not build  golang-1.23.7-1 ? 
> Build without issues for mageia 9

1.23.8-1 is the version I build
katnatek 2025-05-31 03:44:07 CEST

Assignee: pkg-bugs => j.alberto.vc
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=33973

Comment 6 katnatek 2025-05-31 17:44:27 CEST
RPMS:

golang-1.23.8-1.mga9
golang-bin-1.23.8-1.mga9
golang-docs-1.23.8-1.mga9
golang-misc-1.23.8-1.mga9
golang-shared-1.23.8-1.mga9
golang-src-1.23.8-1.mga9
golang-tests-1.23.8-1.mga9

SRPM:
golang-1.23.8-1.mga9

Assignee: j.alberto.vc => qa-bugs

Comment 7 katnatek 2025-05-31 18:57:40 CEST
Used to build docker without issues

Keywords: (none) => advisory
Whiteboard: (none) => MGA9-64-OK

katnatek 2025-06-01 01:19:56 CEST

Whiteboard: MGA9-64-OK => MGA9-64-OK,MGA9-32-OK

Comment 8 Thomas Andrews 2025-06-01 15:25:54 CEST
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 9 Mageia Robot 2025-06-02 19:56:17 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0175.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
