[Git][security-tracker-team/security-tracker][master] Triage result for golang packages in stretch. Marked all issues for...
Ola Lundqvist (@opal)
opal at debian.org
Thu Jun 24 09:14:40 BST 2021
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker
Commits:
e2cb5dfd by Ola Lundqvist at 2021-06-24T10:14:26+02:00
Triage result for golang packages in stretch. Marked all issues for golang-1.8, golang-x-text and golang-golang-x-net-dev as no-dsa since they are not in the packages to support list and golang support is very limited in stretch and buster. Added golang-1.7 to dla-needed since it is in fact in packages to support, but with a note that it should be checked further.
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -5052,6 +5052,7 @@ CVE-2021-33198
- golang-1.15 1.15.9-5
- golang-1.11 <removed>
- golang-1.8 <removed>
+ [stretch] - golang-1.8 <no-dsa> (Limited support in stretch)
- golang-1.7 <removed>
NOTE: https://github.com/golang/go/issues/44910
NOTE: https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI
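Review bot: The reason on the added `[stretch] - golang-1.8 <no-dsa>` line, "Limited support in stretch", does not record the basis given in the commit message, namely that the package is not in the packages to support list. Consider spelling that out in the parenthesised reason so the entry is self-explanatory to someone reading data/CVE/list without the commit log; the same wording recurs in the following hunks.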
@@ -5061,6 +5062,7 @@ CVE-2021-33197
- golang-1.15 1.15.9-5
- golang-1.11 <removed>
- golang-1.8 <removed>
+ [stretch] - golang-1.8 <no-dsa> (Limited support in stretch)
- golang-1.7 <removed>
NOTE: https://github.com/golang/go/issues/46313
NOTE: https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI
@@ -5070,6 +5072,7 @@ CVE-2021-33196 [archive/zip: malformed archive may cause panic or memory exhaust
- golang-1.15 1.15.9-4
- golang-1.11 <removed>
- golang-1.8 <removed>
+ [stretch] - golang-1.8 <no-dsa> (Limited support in stretch)
- golang-1.7 <removed>
NOTE: https://github.com/golang/go/issues/46242
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33912
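Review bot: For CVE-2021-33196 the hunk header describes a malformed archive causing a panic or memory exhaustion, yet the added no-dsa reason speaks only to support status and gives no impact assessment. The golang-x-text entries later in this commit start their reason with "Minor issue."; a comparable short severity statement on this line would show how the issue itself was judged for stretch.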
@@ -5080,12 +5083,14 @@ CVE-2021-33195
- golang-1.15 1.15.9-5
- golang-1.11 <removed>
- golang-1.8 <removed>
+ [stretch] - golang-1.8 <no-dsa> (Limited support in stretch)
- golang-1.7 <removed>
NOTE: https://github.com/golang/go/issues/46241
NOTE: https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI
CVE-2021-33194 (golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows atta ...)
- golang-golang-x-net 1:0.0+git20210119.5f4716e+dfsg-4
- golang-golang-x-net-dev <removed>
+ [stretch] - golang-golang-x-net-dev <no-dsa> (Limited support in stretch)
NOTE: https://groups.google.com/g/golang-dev/c/28x0nthP-c8/m/KqWVTjsnBAAJ
NOTE: https://github.com/golang/go/issues/46288
TODO: check completeness
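Review bot: The `TODO: check completeness` line under CVE-2021-33194 is still present after the `[stretch] - golang-golang-x-net-dev <no-dsa>` entry was added above it. If the stretch triage is meant to be final for this CVE, resolve or drop the TODO; otherwise add a NOTE saying what remains to be checked so the next person does not have to guess.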
@@ -9086,12 +9091,15 @@ CVE-2021-31525 (net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows re
- golang-1.15 1.15.9-2
- golang-1.11 <removed>
- golang-1.8 <removed>
+ [stretch] - golang-1.8 <no-dsa> (Limited support in stretch)
- golang-1.7 <removed>
- golang-golang-x-net 1:0.0+git20210119.5f4716e+dfsg-3
- golang-golang-x-net-dev <removed>
+ [stretch] - golang-golang-x-net-dev <no-dsa> (Limited support in stretch)
NOTE: https://github.com/golang/go/issues/45710
NOTE: https://github.com/golang/go/issues/45711 (1.15 backport)
NOTE: https://github.com/golang/go/issues/45712 (1.16 backport)
+ NOTE: https://go-review.googlesource.com/c/net/+/313069
CVE-2021-26945 (An integer overflow leading to a heap-buffer overflow was found in Ope ...)
- openexr <unfixed> (unimportant)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1947591
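Review bot: The added `NOTE: https://go-review.googlesource.com/c/net/+/313069` under CVE-2021-31525 carries no annotation, unlike the two NOTE lines above it that are marked "(1.15 backport)" and "(1.16 backport)", and it is not mentioned in the commit message. A short parenthesis saying what the change is would make clear which of the source packages listed in this entry it applies to (the URL path points at the net repository).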
@@ -42970,11 +42978,13 @@ CVE-2020-28853
CVE-2020-28852 (In x/text in Go before v0.3.5, a "slice bounds out of range" panic occ ...)
- golang-golang-x-text 0.3.5-1 (bug #980002)
- golang-x-text <removed>
+ [stretch] - golang-x-text <no-dsa> (Minor issue. Golang has limited support in stretch.)
NOTE: https://github.com/golang/go/issues/42536
NOTE: https://github.com/golang/text/commit/4482a914f52311356f6f4b7a695d4075ca22c0c6 (v0.3.5)
CVE-2020-28851 (In x/text in Go 1.15.4, an "index out of range" panic occurs in langua ...)
- golang-golang-x-text 0.3.6-1 (bug #980001)
- golang-x-text <removed>
+ [stretch] - golang-x-text <no-dsa> (Minor issue. Golang has limited support in stretch.)
NOTE: https://github.com/golang/go/issues/42535
CVE-2020-28850
RESERVED
=====================================
data/dla-needed.txt
=====================================
@@ -51,6 +51,9 @@ ffmpeg (Anton Gladky)
NOTE: 20210607: won't just be dropped too, etc. etc. (lamby)
NOTE: 20210621: WIP
--
+golang-1.7
+ NOTE: 20210624: Need further checks whether any issues are important to solve or not.
+--
gpac (Thorsten Alteholz)
NOTE: 20210620: WIP
--
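Review bot: The new golang-1.7 entry says only "Need further checks whether any issues are important to solve or not" and names none of the CVEs involved, while in data/CVE/list the golang-1.7 lines stay `<removed>` with no [stretch] annotation. Listing the CVE ids that prompted the entry in a NOTE would give whoever picks this up a starting point.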
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e2cb5dfd9953aadf7f2630f5794c70c63d3ae7dc