
Accepted golang-1.8 1.8.1-1+deb9u3 (source) into oldstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 13 Mar 2021 15:28:08 +0100
Source: golang-1.8
Binary: golang-1.8-go golang-1.8-src golang-1.8-doc golang-1.8
Architecture: source
Version: 1.8.1-1+deb9u3
Distribution: stretch-security
Urgency: high
Maintainer: Go Compiler Team <pkg-golang-devel@lists.alioth.debian.org>
Changed-By: Sylvain Beucler <beuc@debian.org>
Description:
 golang-1.8 - Go programming language compiler - metapackage
 golang-1.8-doc - Go programming language - documentation
 golang-1.8-go - Go programming language compiler, linker, compiled stdlib
 golang-1.8-src - Go programming language - source files
Changes:
 golang-1.8 (1.8.1-1+deb9u3) stretch-security; urgency=high
 .
   * Non-maintainer upload by the LTS Security Team.
   * CVE-2017-15041: Go allows "go get" remote command execution. Using
     custom domains, it is possible to arrange things so that
     example.com/pkg1 points to a Subversion repository but
     example.com/pkg1/pkg2 points to a Git repository. If the Subversion
     repository includes a Git checkout in its pkg2 directory and some
     other work is done to ensure the proper ordering of operations, "go
     get" can be tricked into reusing this Git checkout for the fetch of
     code from pkg2. If the Subversion repository's Git checkout has
     malicious commands in .git/hooks/, they will execute on the system
     running "go get."
   * CVE-2018-16873: the "go get" command is vulnerable to remote code
     execution when executed with the -u flag and the import path of a
     malicious Go package, as it may treat the parent directory as a Git
     repository root, containing malicious configuration.
   * CVE-2018-16874: the "go get" command is vulnerable to directory
     traversal when executed with the import path of a malicious Go package
     which contains curly braces (both '{' and '}' characters). The
     attacker can cause an arbitrary filesystem write, which can lead to
     code execution.
   * CVE-2019-9741: in net/http, CRLF injection is possible if the attacker
     controls a url parameter, as demonstrated by the second argument to
     http.NewRequest with \r\n followed by an HTTP header or a Redis
     command.
   * CVE-2019-16276: Go allows HTTP Request Smuggling.
   * CVE-2019-17596: Go can panic upon an attempt to process network
     traffic containing an invalid DSA public key. There are several attack
     scenarios, such as traffic from a client to a server that verifies
     client certificates.
   * CVE-2021-3114: crypto/elliptic/p224.go can generate incorrect outputs,
     related to an underflow of the lowest limb during the final complete
     reduction in the P-224 field.
Checksums-Sha1:
 7a39c57c617c902f771abd501aa14079fbe28b48 2487 golang-1.8_1.8.1-1+deb9u3.dsc
 9b658aa9550f7d670432c248b7d92b86b0d67927 55268 golang-1.8_1.8.1-1+deb9u3.debian.tar.xz
 5428980882a9e7f30b58fd3ed7b6bc9ae0476f80 6108 golang-1.8_1.8.1-1+deb9u3_amd64.buildinfo
Checksums-Sha256:
 d1f0313e04a375607c4b0bf9eaf90dbe807edefea658bc3a5abdf356fbc1fa42 2487 golang-1.8_1.8.1-1+deb9u3.dsc
 be9da23009cbcdf4bb1d1a791bbe6162e08ee6ab308382c1a54b04fc2d3696f8 55268 golang-1.8_1.8.1-1+deb9u3.debian.tar.xz
 334da7fd343b56e38bc3ca6094d66f003e3aa8ea778477cc647132f722056862 6108 golang-1.8_1.8.1-1+deb9u3_amd64.buildinfo
Files:
 305adbdf62ed5d42391efc71e2117c20 2487 devel optional golang-1.8_1.8.1-1+deb9u3.dsc
 15fea76a9ab45ef8f795d19ab2eb8a1d 55268 devel optional golang-1.8_1.8.1-1+deb9u3.debian.tar.xz
 6d3f0d703744cdfadcd053da7cc00cec 6108 devel optional golang-1.8_1.8.1-1+deb9u3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
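Two of the entries above (CVE-2019-9741, CRLF injection through an attacker-controlled URL passed to http.NewRequest, and CVE-2018-16874, directory traversal through '{' and '}' in a "go get" import path) come down to untrusted strings reaching a URL or path consumer unchecked. The following is an added example, not code from the Debian upload or from the Go project: it shows the check application code should apply to such input before it reaches net/http, and a small import-path validator that refuses the brace and ".." cases the changelog describes. The names SafeRequest, ValidateImportPath and the example host api.example.invalid are assumptions for the illustration; the inputs in main are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Added example, not part of the golang-1.8 upload. Function names and the
// example hostnames are assumptions for the illustration.

var ErrControlChar = errors.New("control character (CR/LF) in URL component")
var ErrBadImportPath = errors.New("import path contains '{', '}' or a '..' element")

// containsCTL reports whether s contains an ASCII control byte; this covers
// the \r and \n bytes that a CRLF header-injection payload relies on.
func containsCTL(s string) bool {
	for i := 0; i < len(s); i++ {
		if s[i] < 0x20 || s[i] == 0x7f {
			return true
		}
	}
	return false
}

// SafeRequest builds a GET request from a trusted base URL and an
// attacker-influenced path segment. It rejects CR/LF itself rather than
// relying on the standard library, so the check holds on any Go version.
func SafeRequest(base, userSegment string) (*http.Request, error) {
	if containsCTL(userSegment) {
		return nil, ErrControlChar
	}
	u, err := url.Parse(base)
	if err != nil {
		return nil, err
	}
	u.Path = strings.TrimSuffix(u.Path, "/") + "/" + userSegment
	return http.NewRequest(http.MethodGet, u.String(), nil)
}

// ValidateImportPath refuses the '{' and '}' characters abused in
// CVE-2018-16874 and any '..' path element, before the path reaches a fetcher.
func ValidateImportPath(p string) error {
	if strings.ContainsAny(p, "{}") {
		return ErrBadImportPath
	}
	for _, el := range strings.Split(p, "/") {
		if el == ".." {
			return ErrBadImportPath
		}
	}
	return nil
}

func main() {
	// Constructed inputs: a benign segment and a CRLF-injection attempt.
	for _, seg := range []string{"users", "users\r\nX-Injected: 1"} {
		req, err := SafeRequest("https://api.example.invalid", seg)
		if err != nil {
			fmt.Printf("%q rejected: %v\n", seg, err)
			continue
		}
		fmt.Printf("%q accepted: %s\n", seg, req.URL)
	}
	// Go releases carrying the CVE-2019-9741 fix reject control bytes in
	// net/url parsing, so the raw call now fails as well.
	_, err := http.NewRequest(http.MethodGet, "http://example.invalid/\r\nX: y", nil)
	fmt.Println("raw NewRequest with CRLF:", err)
	for _, ip := range []string{"example.com/pkg1/pkg2", "example.com/{a,b}/x", "example.com/../etc"} {
		fmt.Printf("%q: %v\n", ip, ValidateImportPath(ip))
	}
}
```

The explicit containsCTL check is deliberately kept even though a patched net/url refuses the same bytes: the application-level check fails closed on an unpatched toolchain such as the one this upload fixes, and it names the rejection reason instead of surfacing a generic parse error.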

