--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bullseye-pu: package golang-1.15/1.15.15-1~deb11u1
- From: Shengjing Zhu <zhsj@debian.org>
- Date: Tue, 31 Aug 2021 01:30:13 +0800
- Message-id: <YS0VpZxHswl+e/or@local.zhsj.me>
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: zhsj@debian.org
[ Reason ]
Update golang-1.15 to upstream latest minor release.
The Go upstream has minor release with only important bugfix are backported.
Uptream policy: https://github.com/golang/go/wiki/MinorReleases
> security issues, serious problems with no workaround, and documentation fixes
> are backported
So I'd like to bring the latest minor version to bullseye.
This 1.15.15 version also includes a non-urgent security fix for CVE-2021-36221.
The full issues between 1.15.9(version in bullseye) to 1.15.15
+ Go1.15.10
https://github.com/golang/go/milestone/204?closed=1
+ Go1.15.11
https://github.com/golang/go/milestone/208?closed=1
+ Go1.15.12
https://github.com/golang/go/milestone/209?closed=1
+ Go1.15.13
https://github.com/golang/go/milestone/215?closed=1
+ Go1.15.14
https://github.com/golang/go/milestone/217?closed=1
+ Go1.15.15
https://github.com/golang/go/milestone/220?closed=1
[ Impact ]
Fix many issues which are considered to be important by upstream.
[ Tests ]
Go1.15.15 is in testing for many days and many packages have been built with
this version.
Meanwhile upstream has extensive tests for their minor release.
[ Risks ]
I don't think there's risk.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
The diff is big, so I only paste the diffstat here, and attach a link to the full diff.
VERSION | 2
debian/changelog | 20
debian/control | 4
debian/control.in | 4
debian/patches/0007-CVE-2021-31525.patch | 45 --
debian/patches/0008-CVE-2021-33196.patch | 124 -----
debian/patches/0009-CVE-2021-33195-1.patch | 369 -----------------
debian/patches/0010-CVE-2021-33195-2.patch | 111 -----
debian/patches/0011-CVE-2021-33197.patch | 147 ------
debian/patches/0012-CVE-2021-33198.patch | 107 ----
debian/patches/0013-CVE-2021-34558.patch | 46 --
debian/patches/series | 7
misc/cgo/testcshared/cshared_test.go | 97 ++++
src/archive/zip/reader.go | 10
src/archive/zip/reader_test.go | 59 ++
src/cmd/cgo/out.go | 6
src/cmd/compile/internal/gc/escape.go | 7
src/cmd/compile/internal/ssa/gen/ARM.rules | 128 ++---
src/cmd/compile/internal/ssa/gen/ARM64Ops.go | 9
src/cmd/compile/internal/ssa/opGen.go | 6
src/cmd/compile/internal/ssa/rewriteARM.go | 306 +++++++-------
src/cmd/compile/internal/ssa/shortcircuit.go | 18
src/cmd/go/go_test.go | 33 +
src/cmd/go/internal/load/pkg.go | 5
src/cmd/go/internal/modcmd/tidy.go | 2
src/cmd/go/internal/modcmd/vendor.go | 4
src/cmd/go/internal/modfetch/cache.go | 17
src/cmd/go/internal/modfetch/fetch.go | 77 ++-
src/cmd/go/internal/modload/init.go | 6
src/cmd/go/internal/modload/load.go | 32 +
src/cmd/go/testdata/script/list_err_cycle.txt | 15
src/cmd/go/testdata/script/mod_get_missing_ziphash.txt | 55 ++
src/cmd/go/testdata/script/mod_readonly.txt | 6
src/cmd/go/testdata/script/mod_tidy_error.txt | 4
src/cmd/go/testdata/script/mod_tidy_too_new.txt | 31 +
src/cmd/go/testdata/script/mod_verify.txt | 7
src/cmd/link/internal/arm/asm.go | 16
src/cmd/link/internal/ld/data.go | 12
src/cmd/link/internal/ld/elf.go | 2
src/cmd/link/internal/ld/lib.go | 11
src/cmd/link/internal/ld/macho.go | 2
src/cmd/link/internal/loader/loader.go | 12
src/cmd/link/internal/ppc64/asm.go | 26 -
src/crypto/tls/key_agreement.go | 6
src/database/sql/sql.go | 14
src/database/sql/sql_test.go | 28 +
src/go.mod | 2
src/go.sum | 4
src/internal/poll/copy_file_range_linux.go | 10
src/internal/poll/sendfile_bsd.go | 4
src/internal/poll/sendfile_linux.go | 3
src/internal/poll/sendfile_solaris.go | 3
src/math/big/arith_s390x.s | 192 --------
src/math/big/arith_test.go | 65 ++
src/math/big/ratconv.go | 15
src/math/big/ratconv_test.go | 25 +
src/net/dnsclient_unix_test.go | 321 ++++++++++++++
src/net/http/h2_bundle.go | 2
src/net/http/httputil/reverseproxy.go | 31 -
src/net/http/httputil/reverseproxy_test.go | 102 ++++
src/net/http/omithttp2.go | 4
src/net/http/transport.go | 39 +
src/net/http/transport_test.go | 84 +++
src/net/lookup.go | 159 ++++++-
src/net/sendfile_test.go | 64 ++
src/os/readfrom_linux_test.go | 32 +
src/run.bash | 10
src/run.bat | 4
src/run.rc | 9
src/runtime/asm_arm64.s | 47 +-
src/runtime/cgo/gcc_windows_386.c | 1
src/runtime/cgo/gcc_windows_amd64.c | 1
src/runtime/cgo/libcgo_windows.h | 12
src/runtime/pprof/pprof_test.go | 3
src/runtime/signal_unix.go | 2
src/runtime/symtab.go | 8
src/runtime/symtab_test.go | 85 +++
src/runtime/sys_linux_ppc64x.s | 86 +++
src/runtime/time.go | 5
src/syscall/exec_linux_test.go | 1
src/syscall/syscall_windows.go | 34 +
src/syscall/zsyscall_windows.go | 6
src/time/sleep_test.go | 16
src/time/zoneinfo.go | 33 -
src/time/zoneinfo_read.go | 44 +-
src/time/zoneinfo_test.go | 95 +++-
src/vendor/golang.org/x/net/http/httpguts/httplex.go | 10
src/vendor/modules.txt | 2
test/escape5.go | 11
test/fixedbugs/issue42876.go | 18
test/fixedbugs/issue45175.go | 29 +
test/fixedbugs/issue46653.dir/bad/bad.go | 64 ++
test/fixedbugs/issue46653.dir/main.go | 27 +
test/fixedbugs/issue46653.go | 10
94 files changed, 2240 insertions(+), 1649 deletions(-)
Changelog:
diff -Nru golang-1.15-1.15.9/debian/changelog golang-1.15-1.15.15/debian/changelog
--- golang-1.15-1.15.9/debian/changelog 2021-07-13 13:55:42.000000000 +0800
+++ golang-1.15-1.15.15/debian/changelog 2021-08-31 00:37:05.000000000 +0800
@@ -1,3 +1,23 @@
+golang-1.15 (1.15.15-1~deb11u1) bullseye; urgency=medium
+
+ * Team upload.
+ * Rebuild 1.15.15 for bullseye.
+ Fix CVE-2021-36221: net/http: panic due to racy read of persistConn
+ after handler panic (Closes: #991961)
+
+ -- Shengjing Zhu <zhsj@debian.org> Tue, 31 Aug 2021 00:37:05 +0800
+
+golang-1.15 (1.15.15-1) unstable; urgency=medium
+
+ * Team upload.
+ * New upstream version 1.15.15
+ * Remove security patches which were previously backported
+ for 1.15.9 but are already in 1.15.15
+ * Update Standards-Version to 4.5.1, no changes needed
+ * Change Section from devel to golang
+
+ -- Anthony Fok <foka@debian.org> Sun, 15 Aug 2021 16:44:15 -0600
+
golang-1.15 (1.15.9-6) unstable; urgency=medium
* Team upload.
Full: https://people.debian.org/~zhsj/golang-1.15_1.15.15-1~deb11u1.debdiff
[ Other info ]
If my guess it correct, Go1.15 is EOL since Go1.17 is released. So this
is probably the only minor release we want to upload.
--- End Message ---