Skip to content

update to go1.24.4#6124

Merged
thaJeztah merged 1 commit intodocker:masterfrom
vvoland:update-go
Jun 10, 2025
Merged

update to go1.24.4#6124
thaJeztah merged 1 commit intodocker:masterfrom
vvoland:update-go

Conversation

@vvoland
Copy link
Collaborator

@vvoland vvoland commented Jun 9, 2025
edited
Loading

This release includes 3 security fixes following the security policy:

  • net/http: sensitive headers not cleared on cross-origin redirect

    Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.

    Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue.

    This is CVE-2025-4673 and Go issue https://go.dev/issue/73816.

  • os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows

    os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location.

    OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink.

    Thanks to Junyoung Park and Dong-uk Kim of KAIST Hacking Lab for discovering this issue.

    This is CVE-2025-0913 and Go issue https://go.dev/issue/73702.

  • crypto/x509: usage of ExtKeyUsageAny disables policy validation

    Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.

    Thanks to Krzysztof Skrzętnicki (@Tener) of Teleport for reporting this issue.

    This is CVE-2025-22874 and Go issue https://go.dev/issue/73612.

- Description for the changelog

Update Go runtime to [1.24.4](https://go.dev/doc/devel/release#go1.24.4)

Signed-off-by: Paweł Gronowski pawel.gronowski@docker.com

@vvoland vvoland self-assigned this Jun 9, 2025
@vvoland vvoland added this to the 28.2.3 milestone Jun 9, 2025
@codecov-commenter
Copy link

codecov-commenter commented Jun 9, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 55.03%. Comparing base (9e50654) to head (fe7fc2f).

Additional details and impacted files 
@@           Coverage Diff           @@
##           master    #6124   +/-   ##
=======================================
  Coverage   55.03%   55.03%           
=======================================
  Files         361      361           
  Lines       30153    30153           
=======================================
  Hits        16596    16596           
  Misses      12599    12599           
  Partials      958      958
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@vvoland
update to go1.24.4
fe7fc2f 
- https://github.com/golang/go/issues?q=milestone%3AGo1.24.4+label%3ACherryPickApproved
- full diff: golang/go@go1.24.3...go1.24.4

This release includes 3 security fixes following the security policy:

- net/http: sensitive headers not cleared on cross-origin redirect

    Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.

    Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue.

    This is CVE-2025-4673 and Go issue https://go.dev/issue/73816.

- os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows

    os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location.

    OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink.

    Thanks to Junyoung Park and Dong-uk Kim of KAIST Hacking Lab for discovering this issue.

    This is CVE-2025-0913 and Go issue https://go.dev/issue/73702.

- crypto/x509: usage of ExtKeyUsageAny disables policy validation

    Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.

    Thanks to Krzysztof Skrzętnicki (@Tener) of Teleport for reporting this issue.

    This is CVE-2025-22874 and Go issue https://go.dev/issue/73612.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
thaJeztah
thaJeztah approved these changes Jun 10, 2025
View reviewed changes
Copy link
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

@thaJeztah thaJeztah merged commit 8b8f558 into docker:master Jun 10, 2025
119 of 122 checks passed
@thaJeztah thaJeztah modified the milestones: 28.2.3, 28.3.0 Jun 13, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@thaJeztah thaJeztah thaJeztah approved these changes

Assignees

@vvoland vvoland

Labels

area/dependencies area/packaging impact/changelog status/2-code-review

Projects

None yet

Milestone

28.3.0

Development

Successfully merging this pull request may close these issues.

3 participants

@vvoland @codecov-commenter @thaJeztah