Arch Linux Security Advisories

[ASA-202506-4] go: multiple issues - Arch Linux
Arch Linux S · 2025-06-07 · via Arch Linux Security Advisories


Arch Linux Security Advisory ASA-202506-4
=========================================

Severity: Medium
Date    : 2025-06-07
CVE-ID  : CVE-2025-4673 CVE-2025-22874
Package : go
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2896

Summary
=======

The package go before version 1.24.4-1 is vulnerable to multiple issues
including certificate verification bypass and information disclosure.

Resolution
==========

Upgrade to 1.24.4-1.

# pacman -Syu "go>=1.24.4-1"

The problems have been fixed upstream in version 1.24.4.

Workaround
==========

None.

Description
===========

- CVE-2025-4673 (information disclosure)

net/http: Proxy-Authorization and Proxy-Authenticate headers were not
cleared during cross-origin redirects, potentially leaking sensitive
credentials in proxy-authenticated environments.

- CVE-2025-22874 (certificate verification bypass)

crypto/x509: When VerifyOptions.KeyUsages includes ExtKeyUsageAny,
certificate policy validation is unintentionally disabled. This affects
certificate chains with policy constraints, which are uncommon but
security-relevant when used.

Impact
======

A remote attacker can exploit Go's HTTP client to leak proxy credentials
via cross-origin redirects, or bypass certificate policy validation when
ExtKeyUsageAny is used during TLS verification.

References
==========

https://github.com/golang/go/issues/73816
https://groups.google.com/g/golang-announce/c/ufZ8WpEsA3A/m/XDxq7uidAgAJ
https://go.dev/doc/devel/release#go1.24.4
https://github.com/golang/go/issues/73612
https://security.archlinux.org/CVE-2025-4673
https://security.archlinux.org/CVE-2025-22874
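
Added example (not part of the advisory or of the upstream fix): a CheckRedirect hook for application code that sets Proxy-Authorization on its own requests, removing the two headers named in CVE-2025-4673 whenever a redirect changes scheme, host or port. The hosts a.example and b.example, the stub transport, Fetch and the credential are constructed for the demonstration; the hook is defence in depth and does not replace the upgrade.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// StripProxyHeaders is a CheckRedirect hook. net/http has already copied the
// caller's headers onto req when it runs, so deleting here keeps the two headers
// named in CVE-2025-4673 away from any origin other than the one first addressed.
func StripProxyHeaders(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 {
		return errors.New("stopped after 10 redirects") // keep the default limit
	}
	origin := func(r *http.Request) string { return r.URL.Scheme + "://" + r.URL.Host }
	if origin(req) != origin(via[0]) {
		req.Header.Del("Proxy-Authorization")
		req.Header.Del("Proxy-Authenticate")
	}
	return nil
}

// stub is a constructed, network-free transport: ?next=URL is answered with a 302
// to URL, anything else with a 200. It records Proxy-Authorization per host.
type stub struct{ seen map[string]string }

func (s *stub) RoundTrip(r *http.Request) (*http.Response, error) {
	s.seen[r.URL.Host] = r.Header.Get("Proxy-Authorization")
	resp := &http.Response{StatusCode: 200, Header: http.Header{}, Body: http.NoBody, Request: r}
	if next := r.URL.Query().Get("next"); next != "" {
		resp.StatusCode = http.StatusFound
		resp.Header.Set("Location", next)
	}
	return resp, nil
}

// Fetch sends one GET with a constructed credential and reports what each host saw.
func Fetch(start string) (map[string]string, error) {
	s := &stub{seen: map[string]string{}}
	req, err := http.NewRequest("GET", start, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Proxy-Authorization", "Basic ZGVtbzpkZW1v") // constructed value
	_, err = (&http.Client{Transport: s, CheckRedirect: StripProxyHeaders}).Do(req)
	return s.seen, err
}

func main() { fmt.Println(Fetch("http://a.example/start?next=http://b.example/landing")) }
```

The hook compares scheme, host and port, so a redirect to another port on the same hostname also loses the headers.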