Please, update Go snap to version 1.25.2 recently released

Bug #2120749 reported by Jan Pfeifer
This bug affects 9 people
Affects: go-snap | Status: Fix Released | Importance: Undecided | Assigned to: Anshul Singh

Bug Description

Felix Kollmann (fkollmann) wrote :

Any news here? Is there a way to help? Best Regards, Felix

hideou aoi (aoilinux) wrote :

+1

Ingo IO Oeser (ioe-fdc) wrote :

Also Go 1.25.1 is out now and fixes CVE-2025-47910.

see https://github.com/golang/go/issues?q=is%3Aissue%20%20milestone%3AGo1.25.1%20label%3ACherryPickApproved for the release content.

Changed in go-snap:
assignee: nobody → Anshul Singh (levihackerman-102)
Jakob Ersson (jersson) wrote :

+1, would appreciate 1.25.x support.

Ame Nomade (ame-nomade) wrote :

Guys, is there a reason why this package, which has no dependencies and was made carefully and professionally during the past 6 months by a team of experts at Google, waits on the finish line at Ubuntu? Shouldn't the process of publishing a stable package be entirely automatic?

The folks at Homebrew bumped the version number a while ago, most probably automatically, so we developers on Mac have been coding with this major update for months now (it started back in August, and we're in October now), but our production is out of sync, still on 1.24.x. So I guess the question for us is: should we stop using Snaps in production?

PS: "edge" is for the future, but here 1.25.1 is the present, so "edge" should be 1.25.2. You're 2 versions late.

Jan Pfeifer (pfjan) wrote :

Question: would you like some volunteer help to maintain this package ?

Ame Nomade (ame-nomade) wrote :

In fact it's possible to upgrade go with go:
```
$ go install golang.org/dl/go1.25.1@latest
$ go1.25.1 download
```
It installs the go binary in "~/go/bin/go1.25.1" and the dependencies in "~/sdk/go1.25.1/"
Then, to use it instead of the installed snap package version, the command is "go1.25.1" instead of "go", like "$ go1.25.1 build ...", "$ go1.25.1 test ...", etc.

So for Mac devs with a prod in Ubuntu a useful bash makefile is:
```makefile
SHELL = /bin/bash
OS := $(shell uname -s)

# On the Ubuntu production host use the side-installed go1.25.1 from
# `go install golang.org/dl/go1.25.1@latest`; on macOS use Homebrew's go.
ifeq ($(OS),Linux)
GO := go1.25.1
endif
ifeq ($(OS),Darwin)
GO := go
endif

.PHONY: tidy test run build

# Recipe lines must be indented with a tab, not spaces, or make rejects them.
tidy:
	$(GO) mod tidy

test:
	$(GO) test -v ./...

run:
	$(GO) run .

build:
	GOEXPERIMENT=greenteagc $(GO) build -v
```

Ame Nomade (ame-nomade) wrote :

Go 1.25.2 was published yesterday and Homebrew made the new version available immediately, as it should be. Which means that for them at least, the process to deal with new package releases is obviously automatic

Ingo IO Oeser (ioe-fdc) wrote :

Please note that the minor release Go 1.25.2 closes 23 issues, 10 of them related to security.

Namely the following CVEs have been addressed:
- CVE-2025-61725
- CVE-2025-58187
- CVE-2025-58189
- CVE-2025-61723
- CVE-2025-47912
- CVE-2025-58185
- CVE-2025-58186
- CVE-2025-58188
- CVE-2025-58183
- CVE-2025-61724

Risk assessment:

| CVE ID | Component | Estimated Criticality | Justification |
| :--- | :--- | :--- | :--- |
| `CVE-2025-61725` | `net/mail` | **High (7.5)** | A remote Denial of Service (DoS) vulnerability caused by excessive CPU consumption when parsing a crafted email. |
| `CVE-2025-58187` | `crypto/x509`| **High (7.5)** | A remote DoS vulnerability from CPU exhaustion when validating a malicious certificate chain. |
| `CVE-2025-58189` | `crypto/tls` | **Medium (5.3)** | A log injection vulnerability that allows an attacker to write arbitrary data to logs, potentially hiding other attacks. |
| `CVE-2025-61723` | `encoding/pem` | **High (7.5)** | A remote DoS vulnerability from CPU exhaustion when parsing untrusted PEM-encoded data. |
| `CVE-2025-47912` | `net/url` | **High (8.6)** | Insufficient validation that could lead to security bypasses, such as Server-Side Request Forgery (SSRF). |
| `CVE-2025-58185` | `encoding/asn1` | **High (7.5)** | A remote DoS vulnerability from memory exhaustion by sending a crafted payload to certificate parsing functions. |
| `CVE-2025-58186` | `net/http` | **High (7.5)** | A remote DoS vulnerability from memory exhaustion caused by an attacker sending a very large number of cookies. |
| `CVE-2025-58188` | `crypto/x509` | **High (7.5)** | A remote DoS vulnerability where validating a certificate with a DSA public key causes the application to panic (crash). |
| `CVE-2025-58183` | `archive/tar` | **High (7.5)** | A remote DoS vulnerability from unbounded memory allocation when parsing a malicious tar archive. |
| `CVE-2025-61724` | `net/textproto` | **High (7.5)** | A DoS vulnerability caused by excessive CPU consumption when parsing a large number of lines in a response. |
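
The two comments above (the go1.25.1 side-install with a per-OS Makefile, and the list of fixes that shipped in Go 1.25.2 and 1.24.8) both reduce to one operational question: is the toolchain that actually built the production binary at or past the fixed release? The following Go program is an added example, not code from this thread or from the Go project. It parses the version string that `runtime.Version()` and `debug.ReadBuildInfo()` report (the same `GoVersion` line that `go version -m <binary>` prints for a deployed artifact) and compares it against the first fixed patch of each supported line, taken from the comment above (go1.25.2, go1.24.8). The `FixedPatch` table, `ParseGoVersion` and `IsFixed` are this example's own names and assumptions; it conservatively treats pre-releases, development builds and out-of-support minor lines as not fixed.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"runtime"
	"runtime/debug"
	"strconv"
	"strings"
)

// FixedPatch maps a Go 1.x minor line to the first patch release that carries
// the fixes discussed in this thread (go1.24.8 and go1.25.2). This table is an
// assumption of the example; update it as new point releases ship.
var FixedPatch = map[int]int{
	24: 8,
	25: 2,
}

// GoVersion is the parsed form of a toolchain string such as "go1.25.2",
// "go1.25" (the .0 release), "go1.26rc1" or "devel go1.26-<hash> ...".
type GoVersion struct {
	Minor int
	Patch int
	Pre   bool // rc, beta or devel build: not a release, never counted as fixed
}

var versionRE = regexp.MustCompile(`go1\.(\d+)(?:\.(\d+))?(rc\d+|beta\d+)?`)

// ParseGoVersion extracts the version from runtime.Version(),
// debug.BuildInfo.GoVersion or a full "go version go1.25.2 linux/amd64" line.
func ParseGoVersion(s string) (GoVersion, error) {
	m := versionRE.FindStringSubmatch(s)
	if m == nil {
		return GoVersion{}, errors.New("unrecognised Go version string: " + strconv.Quote(s))
	}
	minor, err := strconv.Atoi(m[1])
	if err != nil {
		return GoVersion{}, err
	}
	patch := 0 // "go1.25" with no third component is the first release of the line
	if m[2] != "" {
		if patch, err = strconv.Atoi(m[2]); err != nil {
			return GoVersion{}, err
		}
	}
	pre := m[3] != "" || strings.HasPrefix(strings.TrimSpace(s), "devel")
	return GoVersion{Minor: minor, Patch: patch, Pre: pre}, nil
}

// IsFixed reports whether version is a release at or above the first fixed
// patch of its minor line. A line newer than every entry in fixed is assumed
// to have shipped with the fixes; a line older than all entries is out of
// support and reported as not fixed.
func IsFixed(version string, fixed map[int]int) (bool, error) {
	v, err := ParseGoVersion(version)
	if err != nil {
		return false, err
	}
	if v.Pre {
		return false, nil
	}
	if need, ok := fixed[v.Minor]; ok {
		return v.Patch >= need, nil
	}
	newest := 0
	for minor := range fixed {
		if minor > newest {
			newest = minor
		}
	}
	return v.Minor > newest, nil
}

func main() {
	// The toolchain this program is running on (the snap's go, or go1.25.1).
	rt := runtime.Version()
	ok, err := IsFixed(rt, FixedPatch)
	fmt.Printf("runtime:   %-12s fixed=%-5t err=%v\n", rt, ok, err)
	// The toolchain recorded in the binary's build info, which is what
	// `go version -m <binary>` prints for a deployed artifact.
	if info, found := debug.ReadBuildInfo(); found {
		ok, err = IsFixed(info.GoVersion, FixedPatch)
		fmt.Printf("buildinfo: %-12s fixed=%-5t err=%v\n", info.GoVersion, ok, err)
	}
}
```

To audit binaries already deployed on the Ubuntu host, run `go version -m /path/to/binary` and feed the reported version to `IsFixed`; a binary built by the lagging 1.24.x snap will show up as not fixed even if the source tree has since moved on.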

Changed in go-snap:
summary: Please, update Go snap to version 1.25.0 recently released → Please, update Go snap to version 1.25.2 recently released
HuangTao (remember19890604) wrote :

Go 1.25.2 released, and Go 1.24.8 was also released at the same time.
Details: https://go.dev/doc/devel/release

Changed in go-snap:
status: New → Fix Released