[Git][security-tracker-team/security-tracker][master] CVE-2019-11841/golang-go.crypto: jessie triage

Sylvain Beucler beuc at debian.org
Sun Jul 7 12:07:03 BST 2019 


Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a86514bc by Sylvain Beucler at 2019-07-07T11:06:35Z
CVE-2019-11841/golang-go.crypto: jessie triage

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -3800,6 +3800,9 @@ CVE-2019-11843
 CVE-2019-11841 (A message-forgery issue was discovered in crypto/openpgp/clearsign/cle ...)
 	- golang-go.crypto <unfixed>
 	NOTE: https://go.googlesource.com/crypto/+/c05e17bb3b2dca130fc919668a96b4bec9eb9442
+	NOTE: Patch fixes the second part of the CVE ("prepend arbitrary text")
+	NOTE: but not the first ("ignores the value of [the Hash] header"), as hinted at reporter's 2019-05-09 note:
+	NOTE: https://packetstormsecurity.com/files/152840/Go-Cryptography-Libraries-Cleartext-Message-Spoofing.html
 CVE-2019-11840 (An issue was discovered in supplementary Go cryptography libraries, ak ...)
 	{DLA-1840-1}
 	- golang-go.crypto <unfixed>


=====================================
data/dla-needed.txt
=====================================
@@ -32,6 +32,8 @@ freeimage
 glib2.0 (Mike Gabriel)
   NOTE: 20190626: https://lists.debian.org/debian-lts/2019/06/msg00031.html
 --
+golang-go.crypto
+--
 hdf5
   NOTE: 20190511: upstream was not aware of our undetermined issues. They have assigned
   NOTE: a Jira issue for this: https://jira.hdfgroup.org/browse/HDFFV-10755 (hle)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a86514bc61e9d6901113936292eac5e6784f9c7a

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a86514bc61e9d6901113936292eac5e6784f9c7a
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20190707/075f900f/attachment.html>

More information about the debian-security-tracker-commits mailing list