Advisories » MGASA-2025-0184

Updated golang packages fix security vulnerabilities

Publication date: 09 Jun 2025
Modification date: 09 Jun 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-4673, CVE-2025-0913, CVE-2025-22874

Description

Proxy-Authorization and Proxy-Authenticate headers persisted on
cross-origin redirects, potentially leaking sensitive information -
CVE-2025-4673.

os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows.
os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and
Windows systems when the target path was a dangling symlink. On Unix
systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks.
On Windows, when the target path was a symlink to a nonexistent
location, OpenFile would create a file in that location. OpenFile now
always returns an error when the O_CREATE and O_EXCL flags are both set
and the target path is a symlink - CVE-2025-0913.

crypto/x509: usage of ExtKeyUsageAny disables policy validation. Calling
Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny
unintentionally disabled policy validation. This only affected
certificate chains which contain policy graphs, which are rather
uncommon - CVE-2025-22874.
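
A self-check for the os.OpenFile behaviour described above, added here as an example (it is not part of the advisory or of the Go project): it builds a dangling symlink and confirms that O_CREATE|O_EXCL returns an error and leaves nothing at the symlink's target. The names probeExclusiveCreate, ProbeResult, "link" and "missing-target" are illustrative; on Windows, creating the symlink may require elevated rights or Developer Mode.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// ProbeResult records what os.OpenFile did with a dangling symlink.
type ProbeResult struct {
	OpenErr       error // error returned by OpenFile (expected: non-nil)
	TargetCreated bool  // true if a file appeared at the symlink's target
}

// Safe reports whether the runtime refused to create through the symlink.
func (r ProbeResult) Safe() bool { return r.OpenErr != nil && !r.TargetCreated }

// probeExclusiveCreate makes a dangling symlink inside dir (constructed
// names) and tries to open it with O_CREATE|O_EXCL.
func probeExclusiveCreate(dir string) (ProbeResult, error) {
	target := filepath.Join(dir, "missing-target") // never created by us
	link := filepath.Join(dir, "link")
	if err := os.Symlink(target, link); err != nil {
		return ProbeResult{}, fmt.Errorf("creating symlink: %w", err)
	}
	f, openErr := os.OpenFile(link, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if openErr == nil {
		f.Close() // affected behaviour: the open succeeded through the link
	}
	// Lstat succeeds only if something now exists at the target path.
	_, statErr := os.Lstat(target)
	return ProbeResult{OpenErr: openErr, TargetCreated: statErr == nil}, nil
}

func main() {
	dir, err := os.MkdirTemp("", "excl-probe-")
	if err != nil {
		fmt.Fprintln(os.Stderr, "probe setup failed:", err)
		return
	}
	defer os.RemoveAll(dir)
	res, err := probeExclusiveCreate(dir)
	if err != nil {
		fmt.Fprintln(os.Stderr, "probe setup failed:", err)
		return
	}
	fmt.Printf("open error: %v\ntarget created: %v\nsafe: %v\n",
		res.OpenErr, res.TargetCreated, res.Safe())
}
```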
                

References

SRPMS

9/core