
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN340

_____________________________________________________________________

DATE                : 06/06/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Go 1.24.x prior to 1.24.4 or
                     Go 1.23.x prior to 1.23.10.

=====================================================================
https://groups.google.com/g/golang-announce/c/ufZ8WpEsA3A/m/XDxq7uidAgAJ
_____________________________________________________________________

Hello gophers,

We have just released Go versions 1.24.4 and 1.23.10, minor point
releases.

These minor releases include 3 security fixes following the security
policy:

    net/http: sensitive headers not cleared on cross-origin redirect

    Proxy-Authorization and Proxy-Authenticate headers persisted on
cross-origin redirects potentially leaking sensitive information.

    Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for
reporting this issue.

    This is CVE-2025-4673 and Go issue https://go.dev/issue/73816.
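The fix lands in the release itself, but clients that cannot update yet can enforce the same rule from the outside. The following is an added example, not code from the Go announcement or the Go project: an http.Client.CheckRedirect hook that deletes Proxy-Authorization and Proxy-Authenticate whenever a redirect leaves the origin of the initial request. It relies on the documented net/http behaviour that the follow-up request's headers are already populated when CheckRedirect runs, so deleting them there keeps them off the wire. The strict same-origin test (scheme, host, port) is an assumption of this example; net/http's own rule for Authorization also allows subdomains of the original host. The simulateRedirect helper and the request values are constructed here so the block runs offline.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// sensitiveProxyHeaders are the two headers the advisory says pre-1.24.4 /
// pre-1.23.10 clients carried across cross-origin redirects.
var sensitiveProxyHeaders = []string{"Proxy-Authorization", "Proxy-Authenticate"}

// effectivePort returns the explicit port or the scheme default.
func effectivePort(u *url.URL) string {
	if p := u.Port(); p != "" {
		return p
	}
	switch strings.ToLower(u.Scheme) {
	case "https":
		return "443"
	case "http":
		return "80"
	}
	return ""
}

// sameOrigin reports whether two URLs share scheme, host and port.
// Assumption of this example: proxy credentials are scoped to an exact
// origin, which is stricter than net/http's subdomain rule for Authorization.
func sameOrigin(a, b *url.URL) bool {
	return strings.EqualFold(a.Scheme, b.Scheme) &&
		strings.EqualFold(a.Hostname(), b.Hostname()) &&
		effectivePort(a) == effectivePort(b)
}

// StripProxyCredsOnCrossOrigin is a CheckRedirect hook for http.Client.
// via[0] is the initial request; req is the redirect target, with headers
// already copied from via[0] by net/http before this hook is called.
func StripProxyCredsOnCrossOrigin(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 {
		// Keep net/http's default redirect limit.
		return fmt.Errorf("stopped after 10 redirects")
	}
	if len(via) == 0 {
		return nil
	}
	if !sameOrigin(via[0].URL, req.URL) {
		for _, h := range sensitiveProxyHeaders {
			req.Header.Del(h)
		}
	}
	return nil
}

// NewHardenedClient returns a client that applies the hook to every redirect.
func NewHardenedClient() *http.Client {
	return &http.Client{CheckRedirect: StripProxyCredsOnCrossOrigin}
}

// simulateRedirect builds the follow-up request net/http would issue for a
// Location value (headers cloned from the initial request) and runs the hook
// on it. This is a constructed stand-in for a real redirect so the example
// needs no network.
func simulateRedirect(orig *http.Request, location string) (*http.Request, error) {
	u, err := orig.URL.Parse(location)
	if err != nil {
		return nil, err
	}
	next, err := http.NewRequest(http.MethodGet, u.String(), nil)
	if err != nil {
		return nil, err
	}
	next.Header = orig.Header.Clone()
	if err := StripProxyCredsOnCrossOrigin(next, []*http.Request{orig}); err != nil {
		return nil, err
	}
	return next, nil
}

func main() {
	// Constructed request: credentials for an internal proxy, then a redirect
	// to an unrelated origin.
	orig, _ := http.NewRequest(http.MethodGet, "https://internal.example/start", nil)
	orig.Header.Set("Proxy-Authorization", "Basic dXNlcjpwYXNz") // user:pass, constructed
	for _, loc := range []string{"/same-origin", "http://other.example/landing"} {
		next, err := simulateRedirect(orig, loc)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-32s Proxy-Authorization=%q\n", next.URL, next.Header.Get("Proxy-Authorization"))
	}
	_ = NewHardenedClient()
}
```

Use NewHardenedClient in place of http.DefaultClient; the hook is harmless on a patched toolchain, where net/http already drops these headers itself.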

    os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows

    os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix
and Windows systems when the target path was a dangling symlink. On
Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows
symlinks. On Windows, when the target path was a symlink to a
nonexistent location, OpenFile would create a file in that location.

    OpenFile now always returns an error when the O_CREATE and
O_EXCL flags are both set and the target path is a symlink.

    Thanks to Junyoung Park and Dong-uk Kim of KAIST Hacking Lab for
discovering this issue.

    This is CVE-2025-0913 and Go issue https://go.dev/issue/73702.
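The scenario above (exclusive create through a symlink whose target does not exist) can be reproduced and guarded against in a few lines. The following is an added example, not code from the Go announcement or the Go project. CreateExclusive opens with O_CREATE|O_EXCL and then checks, after the open, that the name is not a symlink and that the open file is the same object the name now refers to; on a patched toolchain the OpenFile call alone already fails for a symlink on every platform, so the post-open check is defence in depth for binaries still built with an older Go on Windows. The wrapper name, the temp-directory scenario and the strict Unix-style semantics everywhere are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// ErrSymlinkTarget is returned when the created name turns out to be a symlink.
var ErrSymlinkTarget = errors.New("refusing to create a file through a symlink")

// CreateExclusive creates path exclusively and refuses symlinks.
// Checking after the open (rather than Lstat before it) avoids a
// check-then-act race: the open itself is atomic, and the Lstat/SameFile
// comparison confirms what the atomic step produced.
func CreateExclusive(path string, perm os.FileMode) (*os.File, error) {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, perm)
	if err != nil {
		return nil, err
	}
	li, err := os.Lstat(path)
	if err != nil {
		f.Close()
		return nil, err
	}
	fi, err := f.Stat()
	if err != nil {
		f.Close()
		return nil, err
	}
	if li.Mode()&os.ModeSymlink != 0 || !os.SameFile(li, fi) {
		// Do not remove anything here: whatever sits behind the link is
		// not a file this caller owns.
		f.Close()
		return nil, ErrSymlinkTarget
	}
	return f, nil
}

// DanglingSymlinkScenario reproduces the advisory's case inside dir: a
// symlink pointing at a nonexistent target, then an exclusive create through
// the link. It reports whether the create was refused and whether the
// dangling target was created anyway (the pre-fix Windows behaviour).
func DanglingSymlinkScenario(dir string) (refused bool, targetCreated bool, err error) {
	target := filepath.Join(dir, "missing-target")
	link := filepath.Join(dir, "link")
	if err := os.Symlink(target, link); err != nil {
		return false, false, err
	}
	f, openErr := CreateExclusive(link, 0o600)
	if openErr == nil {
		f.Close()
	}
	_, statErr := os.Lstat(target)
	return openErr != nil, statErr == nil, nil
}

func main() {
	dir, err := os.MkdirTemp("", "excl-demo")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	defer os.RemoveAll(dir)
	refused, created, err := DanglingSymlinkScenario(dir)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("create refused: %v, dangling target created: %v\n", refused, created)
}
```

On Linux the OpenFile call fails with EEXIST before the post-open check runs, which is the behaviour the fix extends to Windows; errors.Is(err, os.ErrExist) still works for the plain "file already exists" case, so callers can distinguish it from ErrSymlinkTarget.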

    crypto/x509: usage of ExtKeyUsageAny disables policy validation

    Calling Verify with a VerifyOptions.KeyUsages that contains
ExtKeyUsageAny unintentionally disabled policy validation. This only
affected certificate chains which contain policy graphs, which are
rather uncommon.

    Thanks to Krzysztof Skrzętnicki (@Tener) of Teleport for reporting
this issue.

    This is CVE-2025-22874 and Go issue https://go.dev/issue/73612.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.24.4

You can download binary and source distributions from the Go website:
https://go.dev/dl/

To compile from source using a Git clone, update to the release with
git checkout go1.24.4 and build as usual.

Thanks to everyone who contributed to the releases.

Cheers,
Carlos and Michael for the Go team


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
