Accepted golang-1.8 1.8.1-1+deb9u3 (source) into oldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 13 Mar 2021 15:28:08 +0100
Source: golang-1.8
Binary: golang-1.8-go golang-1.8-src golang-1.8-doc golang-1.8
Architecture: source
Version: 1.8.1-1+deb9u3
Distribution: stretch-security
Urgency: high
Maintainer: Go Compiler Team <pkg-golang-devel@lists.alioth.debian.org>
Changed-By: Sylvain Beucler <beuc@debian.org>
Description:
golang-1.8 - Go programming language compiler - metapackage
golang-1.8-doc - Go programming language - documentation
golang-1.8-go - Go programming language compiler, linker, compiled stdlib
golang-1.8-src - Go programming language - source files
Changes:
golang-1.8 (1.8.1-1+deb9u3) stretch-security; urgency=high
.
* Non-maintainer upload by the LTS Security Team.
* CVE-2017-15041: Go allows "go get" remote command execution. Using
custom domains, it is possible to arrange things so that
example.com/pkg1 points to a Subversion repository but
example.com/pkg1/pkg2 points to a Git repository. If the Subversion
repository includes a Git checkout in its pkg2 directory and some
other work is done to ensure the proper ordering of operations, "go
get" can be tricked into reusing this Git checkout for the fetch of
code from pkg2. If the Subversion repository's Git checkout has
malicious commands in .git/hooks/, they will execute on the system
running "go get."
* CVE-2018-16873: the "go get" command is vulnerable to remote code
execution when executed with the -u flag and the import path of a
malicious Go package, as it may treat the parent directory as a Git
repository root, containing malicious configuration.
* CVE-2018-16874: the "go get" command is vulnerable to directory
traversal when executed with the import path of a malicious Go package
which contains curly braces (both '{' and '}' characters). The
attacker can cause an arbitrary filesystem write, which can lead to
code execution.
* CVE-2019-9741: in net/http, CRLF injection is possible if the attacker
controls a url parameter, as demonstrated by the second argument to
http.NewRequest with \r\n followed by an HTTP header or a Redis
command.
* CVE-2019-16276: Go allows HTTP Request Smuggling.
* CVE-2019-17596: Go can panic upon an attempt to process network
traffic containing an invalid DSA public key. There are several attack
scenarios, such as traffic from a client to a server that verifies
client certificates.
* CVE-2021-3114: crypto/elliptic/p224.go can generate incorrect outputs,
related to an underflow of the lowest limb during the final complete
reduction in the P-224 field.
Checksums-Sha1:
7a39c57c617c902f771abd501aa14079fbe28b48 2487 golang-1.8_1.8.1-1+deb9u3.dsc
9b658aa9550f7d670432c248b7d92b86b0d67927 55268 golang-1.8_1.8.1-1+deb9u3.debian.tar.xz
5428980882a9e7f30b58fd3ed7b6bc9ae0476f80 6108 golang-1.8_1.8.1-1+deb9u3_amd64.buildinfo
Checksums-Sha256:
d1f0313e04a375607c4b0bf9eaf90dbe807edefea658bc3a5abdf356fbc1fa42 2487 golang-1.8_1.8.1-1+deb9u3.dsc
be9da23009cbcdf4bb1d1a791bbe6162e08ee6ab308382c1a54b04fc2d3696f8 55268 golang-1.8_1.8.1-1+deb9u3.debian.tar.xz
334da7fd343b56e38bc3ca6094d66f003e3aa8ea778477cc647132f722056862 6108 golang-1.8_1.8.1-1+deb9u3_amd64.buildinfo
Files:
305adbdf62ed5d42391efc71e2117c20 2487 devel optional golang-1.8_1.8.1-1+deb9u3.dsc
15fea76a9ab45ef8f795d19ab2eb8a1d 55268 devel optional golang-1.8_1.8.1-1+deb9u3.debian.tar.xz
6d3f0d703744cdfadcd053da7cc00cec 6108 devel optional golang-1.8_1.8.1-1+deb9u3_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----