UbuntuUpdates.org

Package "golang-1.22"

Name: golang-1.22

Description:

Go programming language compiler - metapackage

Latest version: 1.22.8-1ubuntu0.1
Release: oracular (24.10)
Level: security
Repository: universe
Homepage: https://go.dev/

Other versions of "golang-1.22" in Oracular

Repository  Area      Version
base        universe  1.22.8-1
base        main      1.22.8-1
security    main      1.22.8-1ubuntu0.1
updates     main      1.22.8-1ubuntu0.1
updates     universe  1.22.8-1ubuntu0.1

Changelog

Version: 1.22.8-1ubuntu0.1 2025-06-19 04:08:50 UTC

  golang-1.22 (1.22.8-1ubuntu0.1) oracular-security; urgency=medium

  * SECURITY UPDATE: leak sensitive headers when handling redirect
    requests.
    - debian/patches/CVE-2024-45336.patch: net/http: persist header
      stripping across repeated redirects.
    - CVE-2024-45336
  * SECURITY UPDATE: IPv6 zone IDs can bypass URI name constraints.
    - debian/patches/CVE-2024-45341.patch: crypto/x509: properly
      check for IPv6 hosts in URIs.
    - CVE-2024-45341
  * SECURITY UPDATE: information bit leak on ppc64le architecture.
    - debian/patches/CVE-2025-22866.patch: crypto/internal/fips140/nistec:
      make p256NegCond constant time on ppc64le.
    - CVE-2025-22866
  * SECURITY UPDATE: denial of service issue by improperly treating an IPv6
    zone ID as a hostname component.
    - debian/patches/CVE-2025-22870.patch: http/httpproxy: do not mismatch
      IPv6 zone ids against hosts.
    - CVE-2025-22870
  * SECURITY UPDATE: leak sensitive information on redirects outside of
    the original domain.
    - debian/patches/CVE-2025-4673.patch: net/http: strip sensitive proxy
      headers from redirect requests.
    - CVE-2025-4673
  * BUILD UPDATE: tls certificate expired during building and testing.
    - debian/patches/fix-config-time-tests-using-expired-certs.patch:
      crypto/tls: fix Config.Time in tests using expired certificates.

 -- Evan Caville <email address hidden> Tue, 17 Jun 2025 10:38:39 +1000

CVE-2024-45336 The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header
CVE-2024-45341 A certificate with a URI which has an IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain.
CVE-2025-22866 Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are
CVE-2025-22870 Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment var
CVE-2025-4673 Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.
