
Bug#1112053: bookworm-pu: golang-github-gin-contrib-cors/1.4.0-1+deb12u1



Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu


The attached debdiff for golang-github-gin-contrib-cors fixes CVE-2019-25211 in Bookworm. The CVE is marked as no-dsa by the security team.

golang-github-gin-contrib-cors is a leaf package with no rdeps within Debian and the fix was already done by upstream a few years ago.
There should not be much hassle with this fix.

  Thorsten

diff -Nru golang-github-gin-contrib-cors-1.4.0/debian/changelog golang-github-gin-contrib-cors-1.4.0/debian/changelog
--- golang-github-gin-contrib-cors-1.4.0/debian/changelog	2022-12-03 10:49:55.000000000 +0100
+++ golang-github-gin-contrib-cors-1.4.0/debian/changelog	2025-08-25 14:49:55.000000000 +0200
@@ -1,3 +1,10 @@
+golang-github-gin-contrib-cors (1.4.0-1+deb12u1) bookworm; urgency=medium
+
+  * CVE-2019-25211
+    fix handling of wildcards
+
+ -- Thorsten Alteholz <debian@alteholz.de>  Mon, 25 Aug 2025 14:49:55 +0200
+
 golang-github-gin-contrib-cors (1.4.0-1) unstable; urgency=medium
 
   * New upstream release.
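
Review bot: The new changelog entry says only "fix handling of wildcards" and does not name the patch file or its upstream origin, so a reader of the changelog cannot tell which change was backported. Consider naming debian/patches/CVE-2019-25211.patch and upstream commit 27b723a473efd80d5a498fa9f5933c80204c850d (#106) in the entry, and saying that the fix concerns origin rules ending in a wildcard.
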
diff -Nru golang-github-gin-contrib-cors-1.4.0/debian/patches/CVE-2019-25211.patch golang-github-gin-contrib-cors-1.4.0/debian/patches/CVE-2019-25211.patch
--- golang-github-gin-contrib-cors-1.4.0/debian/patches/CVE-2019-25211.patch	1970-01-01 01:00:00.000000000 +0100
+++ golang-github-gin-contrib-cors-1.4.0/debian/patches/CVE-2019-25211.patch	2025-08-25 14:49:55.000000000 +0200
@@ -0,0 +1,22 @@
+From 27b723a473efd80d5a498fa9f5933c80204c850d Mon Sep 17 00:00:00 2001
+From: Benjamin Mitzkus <b.mitzkus@gmx.de>
+Date: Wed, 6 Mar 2024 06:28:12 +0100
+Subject: [PATCH] fixe(domain): wildcard parse bug (#106)
+
+---
+ cors.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: golang-github-gin-contrib-cors-1.4.0/cors.go
+===================================================================
+--- golang-github-gin-contrib-cors-1.4.0.orig/cors.go	2025-08-25 16:03:59.883858578 +0200
++++ golang-github-gin-contrib-cors-1.4.0/cors.go	2025-08-25 16:03:59.883858578 +0200
+@@ -132,7 +132,7 @@
+ 			continue
+ 		}
+ 		if i == (len(o) - 1) {
+-			wRules = append(wRules, []string{o[:i-1], "*"})
++			wRules = append(wRules, []string{o[:i], "*"})
+ 			continue
+ 		}
+ 
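
Review bot: The change in the `i == (len(o) - 1)` branch of cors.go ships without a regression test, so nothing in the package pins the corrected prefix. Assuming `i` is the index of the `*`, the old `o[:i-1]` stored the prefix with its last character cut off, which makes a trailing-wildcard rule accept more origins than the configured one, while `o[:i]` keeps the whole prefix. A test case with a trailing-wildcard origin that checks one origin just inside and one just outside the configured prefix would cover this. The patch header would also benefit from DEP-3 `Origin:` and `Bug:` fields next to the existing From/Subject lines.
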
diff -Nru golang-github-gin-contrib-cors-1.4.0/debian/patches/series golang-github-gin-contrib-cors-1.4.0/debian/patches/series
--- golang-github-gin-contrib-cors-1.4.0/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ golang-github-gin-contrib-cors-1.4.0/debian/patches/series	2025-08-25 14:49:55.000000000 +0200
@@ -0,0 +1 @@
+CVE-2019-25211.patch
