Debian Quality Assurance

golang-1.25 (1.25.6-1) [PTS] [DDPO]

OK: VCS matches the version in the archive

• Git: https://salsa.debian.org/go-team/compiler/golang.git -b golang-1.25
• JSON
  Enter a full Vcs-* header, supported schemes are: Vcs-Bzr, Vcs-Cvs, Vcs-Darcs, Vcs-Git, Vcs-Hg, Vcs-Mtn, Vcs-Svn.
  For Vcs-Git append -b branch to select the branch name; append [subdir] if the debian/ directory is not in the repository root.
  The next upload will reset the information from the source package headers.
• Branch: golang-1.25
• Path: debian/changelog
• Repo size: 11567104
• Browser: https://salsa.debian.org/go-team/compiler/golang/tree/golang-1.25
• Last scan: 2026-02-01 00:34:08+00
• Next scan: 2026-02-06 04:16:00+00
• Merge requests: 3
• Debian changelog in Git:

  golang-1.25 (1.25.6-1) unstable; urgency=medium
  
    [ Anshul Singh ]
    * Update to 1.25.5 upstream release
      https://go.dev/doc/devel/release#go1.25.5
      - crypto/x509: excessive resource consumption in printing error string for host certificate validation
      - crypto/x509: excluded subdomain constraint does not restrict wildcard SANs
  
    [ Tianon Gravi ]
    * Update to 1.25.6 upstream release
  
      1.25.6: (Closes: #1125916)
      - https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc/m/pQP7Bk0aCQAJ
  
      - CVE-2025-61728: https://go.dev/issue/77102
        archive/zip: denial of service when parsing arbitrary ZIP archives
  
      - CVE-2025-61726: https://go.dev/issue/77101
        net/http: memory exhaustion in Request.ParseForm
  
      - CVE-2025-68121: https://go.dev/issue/77113
        crypto/tls: Config.Clone copies automatically generated session ticket
        keys, session resumption does not account for the expiration of full
        certificate chain
  
      - CVE-2025-61731: https://go.dev/issue/77100
        cmd/go: bypass of flag sanitization can lead to arbitrary code
        execution
  
      - CVE-2025-68119: https://go.dev/issue/77099
        cmd/go: unexpected code execution when invoking toolchain
  
      - CVE-2025-61730: https://go.dev/issue/76443
        crypto/tls: handshake messages may be processed at the incorrect
        encryption level
  
      - os: allow direntries to have zero inodes on Linux (Closes: #1115301)
  
      1.25.5: (Closes: #1121847)
      - https://groups.google.com/g/golang-announce/c/8FJoBkPddm4/m/kYpVlPw1CQAJ
  
      - CVE-2025-61729: https://go.dev/issue/76445
        crypto/x509: excessive resource consumption in printing error string for
        host certificate validation
  
      - CVE-2025-61727: https://go.dev/issue/76442
        crypto/x509: excluded subdomain constraint does not restrict wildcard
        SANs
  
      1.25.4:
      - https://groups.google.com/g/golang-announce/c/tVVHm9gnwl8/m/-oTvYIjCAQAJ
  
    * Fix build with DEB_BUILD_OPTIONS=terse (Closes: #1125464)
      (solution borrowed from xz-utils debian/rules)
  
   -- Tianon Gravi <tianon@debian.org>  Thu, 22 Jan 2026 23:07:54 -0800

• This branch is even with tag debian/1.25.6-1

Package: JSON [Main page]

---

Back to the Debian Project homepage.

---