CVE-2025-47906 & CVE-2025-47907 fixed in Go 1.24.6 & 1.23.12

[Alan Coopersmith <alan.coopersmith () oracle com>]

https://groups.google.com/g/golang-announce/c/x5MKroML2yM/m/5_v-oMjUAgAJ
announces:

> We have just released Go versions 1.24.6 and 1.23.12, minor point releases.
>
> These minor releases include 2 security fixes following the security policy:
>
>     os/exec: LookPath may return unexpected paths
>
>     If the PATH environment variable contains paths which are executables (rather
>     than just directories), passing certain strings to LookPath ("", ".", and ".."),
>     can result in the binaries listed in the PATH being unexpectedly returned.
>
>     Thanks to Olivier Mengué for reporting this issue.
>
>     This is CVE-2025-47906 and Go issue https://go.dev/issue/74466.
>
>     database/sql: incorrect results returned from Rows.Scan
>
>     Cancelling a query (e.g. by cancelling the context passed to one of the query
>     methods) during a call to the Scan method of the returned Rows can result in
>     unexpected results if other queries are being made in parallel. This can result
>     in a race condition that may overwrite the expected results with those of
>     another query, causing the call to Scan to return either unexpected results
>     from the other query or an error.
>
>     We believe this affects most database/sql drivers.
>
>     Thanks to Spike Curtis from Coder for reporting this issue.
>
>     This is CVE-2025-47907 and https://go.dev/issue/74831.
>
> View the release notes for more information:
> https://go.dev/doc/devel/release#go1.24.6

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris