diff --git a/1003-CVE-2025-22874-crypto-x509-decouple-key-usage-and-po.patch b/1003-CVE-2025-22874-crypto-x509-decouple-key-usage-and-po.patch
deleted file mode 100644
index 9c01f02f58b2b76b8fc565aa780e386f363c2661..0000000000000000000000000000000000000000
--- a/1003-CVE-2025-22874-crypto-x509-decouple-key-usage-and-po.patch
+++ /dev/null
@@ -1,140 +0,0 @@
-From 8cc22cc92b6941aaefe9c18b88662f5088228e92 Mon Sep 17 00:00:00 2001
-From: Roland Shoemaker
-Date: Tue, 6 May 2025 09:27:10 -0700
-Subject: [PATCH] crypto/x509: decouple key usage and policy validation
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Disabling key usage validation (by passing ExtKeyUsageAny)
-unintentionally disabled policy validation. This change decouples these
-two checks, preventing the user from unintentionally disabling policy
-validation.
-
-Thanks to Krzysztof Skrzętnicki (@Tener) of Teleport for reporting this
-issue.
-
-Fixes #73612
-Fixes CVE-2025-22874
-
-Confict: no
-Reference:https://go-review.googlesource.com/c/go/+/670375
-
-Change-Id: Iec8f080a8879a3dd44cb3da30352fa3e7f539d40
-Reviewed-on: https://go-review.googlesource.com/c/go/+/670375
-Reviewed-by: Daniel McCarney
-Reviewed-by: Cherry Mui
-Reviewed-by: Ian Stapleton Cordasco
-LUCI-TryBot-Result: Go LUCI
-Signed-off-by: jichao wu
----
- src/crypto/x509/verify.go | 32 +++++++++++++++++++++---------
- src/crypto/x509/verify_test.go | 36 ++++++++++++++++++++++++++++++++++
- 2 files changed, 59 insertions(+), 9 deletions(-)
-
-diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go
-index 5fe93c6..7cc0fb2 100644
---- a/src/crypto/x509/verify.go
-+++ b/src/crypto/x509/verify.go
-@@ -841,31 +841,45 @@ func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*Certificate, err e
- }
- }
-
-- if len(opts.KeyUsages) == 0 {
-- opts.KeyUsages = []ExtKeyUsage{ExtKeyUsageServerAuth}
-+ chains = make([][]*Certificate, 0, len(candidateChains))
-+
-+ var invalidPoliciesChains int
-+ for _, candidate := range candidateChains {
-+ if !policiesValid(candidate, opts) {
-+ invalidPoliciesChains++
-+ continue
-+ }
-+ chains = append(chains, candidate)
-+ }
-+
-+ if len(chains) == 0 {
-+ return nil, CertificateInvalidError{c, NoValidChains, "all candidate chains have invalid policies"}
- }
-
- for _, eku := range opts.KeyUsages {
- if eku == ExtKeyUsageAny {
- // If any key usage is acceptable, no need to check the chain for
- // key usages.
-- return candidateChains, nil
-+ return chains, nil
- }
- }
-
-- chains = make([][]*Certificate, 0, len(candidateChains))
-- var incompatibleKeyUsageChains, invalidPoliciesChains int
-+ if len(opts.KeyUsages) == 0 {
-+ opts.KeyUsages = []ExtKeyUsage{ExtKeyUsageServerAuth}
-+ }
-+
-+ candidateChains = chains
-+ chains = chains[:0]
-+
-+ var incompatibleKeyUsageChains int
- for _, candidate := range candidateChains {
- if !checkChainForKeyUsage(candidate, opts.KeyUsages) {
- incompatibleKeyUsageChains++
- continue
- }
-- if !policiesValid(candidate, opts) {
-- invalidPoliciesChains++
-- continue
-- }
- chains = append(chains, candidate)
- }
-+
- if len(chains) == 0 {
- var details []string
- if incompatibleKeyUsageChains > 0 {
-diff --git a/src/crypto/x509/verify_test.go b/src/crypto/x509/verify_test.go
-index 1175e7d..7991f49 100644
---- a/src/crypto/x509/verify_test.go
-+++ b/src/crypto/x509/verify_test.go
-@@ -3012,3 +3012,39 @@ func TestPoliciesValid(t *testing.T) {
- })
- }
- }
-+
-+func TestInvalidPolicyWithAnyKeyUsage(t *testing.T) {
-+ loadTestCert := func(t *testing.T, path string) *Certificate {
-+ b, err := os.ReadFile(path)
-+ if err != nil {
-+ t.Fatal(err)
-+ }
-+ p, _ := pem.Decode(b)
-+ c, err := ParseCertificate(p.Bytes)
-+ if err != nil {
-+ t.Fatal(err)
-+ }
-+ return c
-+ }
-+
-+ testOID3 := mustNewOIDFromInts([]uint64{1, 2, 840, 113554, 4, 1, 72585, 2, 3})
-+ root, intermediate, leaf := loadTestCert(t, "testdata/policy_root.pem"), loadTestCert(t, "testdata/policy_intermediate_require.pem"), loadTestCert(t, "testdata/policy_leaf.pem")
-+
-+ expectedErr := "x509: no valid chains built: all candidate chains have invalid policies"
-+
-+ roots, intermediates := NewCertPool(), NewCertPool()
-+ roots.AddCert(root)
-+ intermediates.AddCert(intermediate)
-+
-+ _, err := leaf.Verify(VerifyOptions{
-+ Roots: roots,
-+ Intermediates: intermediates,
-+ KeyUsages: []ExtKeyUsage{ExtKeyUsageAny},
-+ CertificatePolicies: []OID{testOID3},
-+ })
-+ if err == nil {
-+ t.Fatal("unexpected success, invalid policy shouldn't be bypassed by passing VerifyOptions.KeyUsages with ExtKeyUsageAny")
-+ } else if err.Error() != expectedErr {
-+ t.Fatalf("unexpected error, got %q, want %q", err, expectedErr)
-+ }
-+}
---
-2.33.0
-
diff --git a/1004-CVE-2025-4673-net-http-strip-sensitive-proxy-headers.patch b/1004-CVE-2025-4673-net-http-strip-sensitive-proxy-headers.patch
deleted file mode 100644
index 44a575b36354227487b610243c6e58043e0e3477..0000000000000000000000000000000000000000
--- a/1004-CVE-2025-4673-net-http-strip-sensitive-proxy-headers.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From 709fda0a42b8ffde78136af52e02f260622926fa Mon Sep 17 00:00:00 2001
-From: Neal Patel
-Date: Wed, 21 May 2025 14:11:44 -0400
-Subject: [PATCH] net/http: strip sensitive proxy headers from redirect
- requests
-
-Similarly to Authentication entries, Proxy-Authentication entries should be stripped to ensure sensitive information is not leaked on redirects outside of the original domain.
-
-https://fetch.spec.whatwg.org/#authentication-entries
-
-Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue.
-
-Updates golang/go#73816
-Fixes golang/go#73905
-Fixes CVE-2025-4673
-
-Confict: no
-Reference:https://go-review.googlesource.com/c/go/+/679255
-
-Change-Id: I1615f31977a2fd014fbc12aae43f82692315a6d0
-Reviewed-on: https://go-review.googlesource.com/c/go/+/679255
-LUCI-TryBot-Result: Go LUCI
-Reviewed-by: Michael Knyszek
-Signed-off-by: jichao wu
----
- src/net/http/client.go | 3 ++-
- src/net/http/client_test.go | 3 +++
- 2 files changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/src/net/http/client.go b/src/net/http/client.go
-index 9231f63..a814cf3 100644
---- a/src/net/http/client.go
-+++ b/src/net/http/client.go
-@@ -805,7 +805,8 @@ func (c *Client) makeHeadersCopier(ireq *Request) func(req *Request, stripSensit
- for k, vv := range ireqhdr {
- sensitive := false
- switch CanonicalHeaderKey(k) {
-- case "Authorization", "Www-Authenticate", "Cookie", "Cookie2":
-+ case "Authorization", "Www-Authenticate", "Cookie", "Cookie2",
-+ "Proxy-Authorization", "Proxy-Authenticate":
- sensitive = true
- }
- if !(sensitive && stripSensitiveHeaders) {
-diff --git a/src/net/http/client_test.go b/src/net/http/client_test.go
-index 1ce9539..8ab4f58 100644
---- a/src/net/http/client_test.go
-+++ b/src/net/http/client_test.go
-@@ -1547,6 +1547,8 @@ func testClientStripHeadersOnRepeatedRedirect(t *testing.T, mode testMode) {
- if r.Host+r.URL.Path != "a.example.com/" {
- if h := r.Header.Get("Authorization"); h != "" {
- t.Errorf("on request to %v%v, Authorization=%q, want no header", r.Host, r.URL.Path, h)
-+ } else if h := r.Header.Get("Proxy-Authorization"); h != "" {
-+ t.Errorf("on request to %v%v, Proxy-Authorization=%q, want no header", r.Host, r.URL.Path, h)
- }
- }
- // Follow a chain of redirects from a to b and back to a.
-@@ -1575,6 +1577,7 @@ func testClientStripHeadersOnRepeatedRedirect(t *testing.T, mode testMode) {
- req, _ := NewRequest("GET", proto+"://a.example.com/", nil)
- req.Header.Add("Cookie", "foo=bar")
- req.Header.Add("Authorization", "secretpassword")
-+ req.Header.Add("Proxy-Authorization", "secretpassword")
- res, err := c.Do(req)
- if err != nil {
- t.Fatal(err)
---
-2.33.0
-
diff --git a/go1.24.2.src.tar.gz b/go1.24.6.src.tar.gz
similarity index 74%
rename from go1.24.2.src.tar.gz
rename to go1.24.6.src.tar.gz
index 6b4a937512c1c8bcde1312e32dc9916460a6e317..fc97265045f66af26d4cf7440996473f8a687e37 100644
Binary files a/go1.24.2.src.tar.gz and b/go1.24.6.src.tar.gz differ
diff --git a/golang.spec b/golang.spec
index 529141f5745345a096a6db7e17c19701ce3ef39d..d0f5a022fdbdd578fa5820b4e5c7813a14b497b5 100644
--- a/golang.spec
+++ b/golang.spec
@@ -67,8 +67,8 @@
 %endif
 
 Name: golang
-Version: 1.24.2
-Release: 34
+Version: 1.24.6
+Release: 35
 Summary: The Go Programming Language
 License: BSD and Public Domain
 URL: https://golang.org/
@@ -128,8 +128,6 @@ Requires: %{vendor}-rpm-config
 Patch1000: 1000-all-implement-plugin-build-mode-for-riscv64.patch
 Patch1001: 1001-cmd-link-cmd-internal-add-R_GOT_PCREL_ITYPE_RELOC-fo.patch
 Patch1002: 1002-cmd-compile-don-t-merge-symbols-on-riscv64-when-dyna.patch
-Patch1003: 1003-CVE-2025-22874-crypto-x509-decouple-key-usage-and-po.patch
-Patch1004: 1004-CVE-2025-4673-net-http-strip-sensitive-proxy-headers.patch
 Patch9001: 0001-fix-asan_test-test-case-failure.patch
 
 
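Review bot: Dropping Patch1003 and Patch1004 in this hunk is only safe if the go1.24.6 source tarball already carries both fixes (CVE-2025-22874 in crypto/x509 Verify and CVE-2025-4673 in net/http redirect header stripping); the deleted patch headers reference the upstream Gerrit changes 670375 and 679255, so this is presumably the case, but nothing in the commit states it. The %prep section is outside this hunk, so confirm that any explicit `%patch -P1003` / `%patch -P1004` application lines are removed as well, or the build will break; if the spec uses `%autosetup`, no further change is needed. The changelog entry in the following hunk lists the four newly fixed CVEs but does not record that the two backports were retired in favour of the upstream fixes; a line such as `- Drop Patch1003/Patch1004 (CVE-2025-22874, CVE-2025-4673): fixed upstream in 1.24.6` would keep the CVE audit trail complete.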
@@ -370,6 +368,12 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list
 
 %changelog
+* Wed Aug 13 2025 Julian Zhu - 1.24.6-35
+- Upgrade to 1.24.6
+- CVE: CVE-2025-47907, CVE-2025-47906, CVE-2025-4674, CVE-2025-22873
+- SUG:NA
+- DESC: fix CVE-2025-47907, CVE-2025-47906, CVE-2025-4674, CVE-2025-22873
+
 * Fri Jun 20 2025 wujichao - 1.24.2-34
 - Type:CVE
 - CVE:CVE-2025-22874,CVE-2025-4673