Mageia 9: 2025-0184 moderate: golang information leak and handling issues

June 9, 2025
Updated golang packages for Mageia 9 fix an information leak and two handling issues.
Summary

- Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects, potentially leaking sensitive information (CVE-2025-4673).

- os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows. os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink (CVE-2025-0913).

- crypto/x509: usage of ExtKeyUsageAny disables policy validation. Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabled policy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon (CVE-2025-22874).
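The dangling-symlink behaviour described for CVE-2025-0913 can be checked on a given toolchain and platform with a small Go program. This is an added example, not code from the Go project or the Mageia advisory; the function name `exclCreateRefusesDanglingSymlink` and the file names are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// exclCreateRefusesDanglingSymlink (hypothetical helper) reports whether
// os.OpenFile with O_CREATE|O_EXCL refuses a dangling symlink and leaves the
// link target uncreated, the behaviour the advisory describes after the fix.
func exclCreateRefusesDanglingSymlink(dir string) (bool, error) {
	target := filepath.Join(dir, "target-does-not-exist") // constructed name
	link := filepath.Join(dir, "dangling-link")           // constructed name

	// Create a symlink whose target is absent. On Windows this step may
	// require privileges; a failure here is reported, not treated as a pass.
	if err := os.Symlink(target, link); err != nil {
		return false, fmt.Errorf("cannot create test symlink: %w", err)
	}

	f, openErr := os.OpenFile(link, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if openErr == nil {
		f.Close()
	}

	// Whatever OpenFile returned, the link target must still be absent.
	_, statErr := os.Stat(target)
	if statErr != nil && !errors.Is(statErr, fs.ErrNotExist) {
		return false, fmt.Errorf("cannot stat target: %w", statErr)
	}
	targetCreated := statErr == nil
	return openErr != nil && !targetCreated, nil
}

func main() {
	dir, err := os.MkdirTemp("", "oexcl-check-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	ok, err := exclCreateRefusesDanglingSymlink(dir)
	fmt.Println("O_CREATE|O_EXCL refuses dangling symlink:", ok, "error:", err)
}
```

A `false` result with a nil error means the open followed the symlink or succeeded, which is the pre-fix Windows behaviour the advisory describes.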

References

- https://bugs.mageia.org/show_bug.cgi?id=34353

- https://www.openwall.com/lists/oss-security/2025/06/05/5

- https://www.cve.org/CVERecord?id=CVE-2025-4673

- https://www.cve.org/CVERecord?id=CVE-2025-0913

- https://www.cve.org/CVERecord?id=CVE-2025-22874

Resolution

SRPMS

- 9/core/golang-1.24.4-1.mga9

Publication date: 09 Jun 2025
URL: https://advisories.mageia.org/MGASA-2025-0184.html
Type: security
CVE: CVE-2025-4673, CVE-2025-0913, CVE-2025-22874
