34353 – golang new security issues CVE-2025-4673, CVE-2025-0913, CVE-2025-22874

Bug 34353 - golang new security issues CVE-2025-4673, CVE-2025-0913, CVE-2025-22874

Summary: golang new security issues CVE-2025-4673, CVE-2025-0913, CVE-2025-22874

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	9
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA9-64-OK,MGA9-32-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2025-06-06 08:10 CEST by Nicolas Salguero
Modified:	2025-06-09 20:16 CEST (History)
CC List:	3 users (show)

See Also:	33870
Source RPM:	golang-1.23.8-1.mga10.src.rpm, golang-1.23.8-1.mga9.src.rpm
CVE:	CVE-2025-4673, CVE-2025-0913, CVE-2025-22874
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2025-06-06 08:10:53 CEST

Those issues were announced here:
https://www.openwall.com/lists/oss-security/2025/06/05/5

Nicolas Salguero 2025-06-06 08:11:41 CEST

Whiteboard: (none) => MGA9TOO
Status comment: (none) => Fixed upstream in 1.23.10
CVE: (none) => CVE-2025-4673, CVE-2025-0913, CVE-2025-22874
Source RPM: (none) => golang-1.23.8-1.mga10.src.rpm, golang-1.23.8-1.mga9.src.rpm

katnatek 2025-06-06 23:59:08 CEST

Assignee: bugsquad => j.alberto.vc

Comment 1 katnatek 2025-06-07 03:26:18 CEST

@joequant I get ready 1.24.4 for cauldron is fine for you if I send it?

CC: (none) => pkg-bugs

Comment 2 katnatek 2025-06-08 00:27:19 CEST

Can I jump to 1.24.4 in mageia 9 too? I build it and rebuild current docker with it, and new version of one of my packages requires golang >= 1.24.2

Comment 3 katnatek 2025-06-08 20:22:54 CEST

RPMS:
golang-1.24.4-1.mga9
golang-bin-1.24.4-1.mga9
golang-docs-1.24.4-1.mga9
golang-misc-1.24.4-1.mga9
golang-shared-1.24.4-1.mga9
golang-src-1.24.4-1.mga9
golang-tests-1.24.4-1.mga9

SRPM:
golang-1.24.4-1.mga9

Whiteboard: MGA9TOO => (none)
Assignee: j.alberto.vc => qa-bugs
Version: Cauldron => 9

Comment 4 katnatek 2025-06-08 21:08:40 CEST

Used to build docker current and testing version not assigned to QA
Works for me

Whiteboard: (none) => MGA9-64-OK,MGA9-32-OK
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=33870

katnatek 2025-06-08 21:30:44 CEST

Keywords: (none) => advisory
Status comment: Fixed upstream in 1.23.10 => (none)

Comment 5 Thomas Andrews 2025-06-09 03:36:10 CEST

Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 6 Mageia Robot 2025-06-09 20:16:08 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0184.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.