Bug#993318: bullseye-pu: package golang-1.15/1.15.15-1~deb11u1
- To: 993318@bugs.debian.org
- Subject: Bug#993318: bullseye-pu: package golang-1.15/1.15.15-1~deb11u1
- From: Shengjing Zhu <zhsj@debian.org>
- Date: Sat, 11 Sep 2021 18:04:13 +0800
- Message-id: <YTx/HTvHAi53BQbS@local.zhsj.me>
- Reply-to: Shengjing Zhu <zhsj@debian.org>, 993318@bugs.debian.org
- In-reply-to: <YS0VpZxHswl+e/or@local.zhsj.me>
- References: <YS0VpZxHswl+e/or@local.zhsj.me> <YS0VpZxHswl+e/or@local.zhsj.me>
On Tue, Aug 31, 2021 at 01:30:13AM +0800, Shengjing Zhu wrote:
>
> Changelog:
>
> diff -Nru golang-1.15-1.15.9/debian/changelog golang-1.15-1.15.15/debian/changelog
> --- golang-1.15-1.15.9/debian/changelog 2021-07-13 13:55:42.000000000 +0800
> +++ golang-1.15-1.15.15/debian/changelog 2021-08-31 00:37:05.000000000 +0800
> @@ -1,3 +1,23 @@
> +golang-1.15 (1.15.15-1~deb11u1) bullseye; urgency=medium
> +
> + * Team upload.
> + * Rebuild 1.15.15 for bullseye.
> + Fix CVE-2021-36221: net/http: panic due to racy read of persistConn
> + after handler panic (Closes: #991961)
> +
> + -- Shengjing Zhu <zhsj@debian.org> Tue, 31 Aug 2021 00:37:05 +0800
> +
> +golang-1.15 (1.15.15-1) unstable; urgency=medium
> +
> + * Team upload.
> + * New upstream version 1.15.15
> + * Remove security patches which were previously backported
> + for 1.15.9 but are already in 1.15.15
> + * Update Standards-Version to 4.5.1, no changes needed
> + * Change Section from devel to golang
> +
> + -- Anthony Fok <foka@debian.org> Sun, 15 Aug 2021 16:44:15 -0600
> +
> golang-1.15 (1.15.9-6) unstable; urgency=medium
>
> * Team upload.
>
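Review bot: In the 1.15.15-1~deb11u1 entry, the "Fix CVE-2021-36221" text sits on continuation lines under "* Rebuild 1.15.15 for bullseye." with no bullet of its own, so it reads as part of the rebuild item and is easy to miss when scanning for security fixes. Give it its own item or a sub-bullet. The entry also names only this one CVE although the upload moves from 1.15.9 to 1.15.15; a short summary of what else the new upstream version brings would help the release team assess the update.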
Since a new CVE has been published for the Go compiler, I have backported it to this version as well.
The new changes are:
diff -Nru golang-1.15-1.15.9/debian/changelog golang-1.15-1.15.15/debian/changelog
--- golang-1.15-1.15.9/debian/changelog 2021-07-13 13:55:42.000000000 +0800
+++ golang-1.15-1.15.15/debian/changelog 2021-09-11 15:54:07.000000000 +0800
@@ -1,3 +1,29 @@
+golang-1.15 (1.15.15-1~deb11u1) bullseye; urgency=medium
+
+ [ Anthony Fok ]
+ * Fix Lintian warning tab-in-license-text
+ debian/copyright (starting at line 381)
+
+ [ Shengjing Zhu ]
+ * Rebuild 1.15.15 for bullseye
+ + Include fix for CVE-2021-36221 (Closes: #991961)
+ net/http: panic due to racy read of persistConn after handler panic
+ * Backport patch for CVE-2021-39293
+ archive/zip: overflow in preallocation check can cause OOM panic
+
+ -- Shengjing Zhu <zhsj@debian.org> Sat, 11 Sep 2021 15:54:07 +0800
+
+golang-1.15 (1.15.15-1) unstable; urgency=medium
+
+ * Team upload.
+ * New upstream version 1.15.15
+ * Remove security patches which were previously backported
+ for 1.15.9 but are already in 1.15.15
+ * Update Standards-Version to 4.5.1, no changes needed
+ * Change Section from devel to golang
+
+ -- Anthony Fok <foka@debian.org> Sun, 15 Aug 2021 16:44:15 -0600
+
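Review bot: The "Backport patch for CVE-2021-39293" item has no "Closes:" reference and does not name the patch file, unlike the CVE-2021-36221 item, which closes #991961. If a Debian bug exists for the archive/zip issue, add it here, and name the backported patch so it can be located in the debdiff. Since this fix is a backport on top of 1.15.15 rather than part of the upstream release, it would also help to say which upstream change it was taken from.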
The full diff is still at https://people.debian.org/~zhsj/golang-1.15_1.15.15-1~deb11u1.debdiff