[Git][security-tracker-team/security-tracker][master] golang-1.7,golang-1.8: stretch triage precisions
Sylvain Beucler
beuc at debian.org
Wed Mar 10 19:16:29 GMT 2021
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
b0c42720 by Sylvain Beucler at 2021-03-10T20:16:06+01:00
golang-1.7,golang-1.8: stretch triage precisions
CVE-2021-3115
CVE-2019-16276
CVE-2019-14809
CVE-2018-16875
CVE-2018-6574
CVE-2017-15042
CVE-2017-8932
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -9951,7 +9951,9 @@ CVE-2021-3115 (Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerab
- golang-1.15 1.15.7-1
- golang-1.11 <removed>
- golang-1.8 <removed>
+ [stretch] - golang-1.8 <ignored> (Minor issue, requires unsecure PATH and compiling a malicious dependency)
- golang-1.7 <removed>
+ [stretch] - golang-1.7 <ignored> (Minor issue, requires unsecure PATH and compiling a malicious dependency)
NOTE: https://github.com/golang/go/issues/43783
NOTE: https://github.com/golang/go/commit/46e2e2e9d99925bbf724b12693c6d3e27a95d6a0 (master)
NOTE: https://github.com/golang/go/commit/e8e7facfaa47bf21007c0a1c679debba52ec3ea0 (1.15.7)
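Review bot: "unsecure PATH" in both added [stretch] lines (golang-1.8 and golang-1.7) should read "insecure PATH". The CVE description in the hunk header limits the issue to Go on Windows; if that condition is part of why the issue is ignored for stretch, naming it in the reason would make the triage easier to follow than "Minor issue" alone.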
@@ -107383,7 +107385,7 @@ CVE-2019-16276 (Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Sm
- golang-1.7 <removed>
[stretch] - golang-1.7 <ignored> (Minor issue)
- golang <removed>
- [jessie] - golang <ignored> (does not makes sense to fix in jessie if not in later dists)
+ [jessie] - golang <ignored> (Minor issue)
NOTE: https://groups.google.com/forum/m/#!topic/golang-announce/cszieYyuL9Q
NOTE: https://golang.org/issue/34540
NOTE: https://github.com/golang/go/commit/5a6ab1ec3e678640befebeb3318b746a64ad986c (golang-1.13)
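Review bot: the replaced [jessie] reason was the only rationale this entry carried, and the new text is a bare "Minor issue" for an HTTP request smuggling CVE. That matches the untouched [stretch] golang-1.7 line but runs against the rest of this commit, where reasons become more specific. Suggest adding a short justification to both lines saying why the impact is considered minor.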
@@ -112305,9 +112307,9 @@ CVE-2019-14809 (net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles
- golang-1.12 1.12.8-1
- golang-1.11 1.11.13-1
- golang-1.8 <removed>
- [stretch] - golang-1.8 <ignored> (Minor issue)
+ [stretch] - golang-1.8 <ignored> (Minor issue, affects poor validation practice, introduce regressions, requires rebuilding affected go-based packages)
- golang-1.7 <removed>
- [stretch] - golang-1.7 <ignored> (Minor issue)
+ [stretch] - golang-1.7 <ignored> (Minor issue, affects poor validation practice, introduce regressions, requires rebuilding affected go-based packages)
- golang <removed>
[jessie] - golang <ignored> (Fix too invasive to backport, url.go file in jessie too far behind upstream)
NOTE: Issue: https://github.com/golang/go/issues/29098
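Review bot: "introduce regressions" in the two added [stretch] lines has no subject, so it is unclear whether the upstream fix or a backport would cause the regressions, and "affects poor validation practice" is hard to parse. If the intent is that only callers relying on weak validation are affected and that the fix itself causes regressions, wording such as "only affects poor validation practice, fix introduces regressions, requires rebuilding affected go-based packages" says so directly.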
@@ -162917,7 +162919,9 @@ CVE-2018-16875 (The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.
- golang-1.11 1.11.3-1
- golang-1.10 1.10.6-1
- golang-1.8 <removed>
+ [stretch] - golang-1.8 <ignored> (Minor issue, DoS, requires rebuilding affected go-based packages)
- golang-1.7 <removed>
+ [stretch] - golang-1.7 <ignored> (Minor issue, DoS, requires rebuilding affected go-based packages)
NOTE: https://github.com/golang/go/issues/29233
NOTE: https://github.com/golang/go/commit/df523969435b8945d939c7e2a849b50910ef4c25 (1.11.3)
NOTE: https://github.com/golang/go/commit/0a4a37f1f0a36e55d8ae5c34210a79499f9f2a9d (1.10.6)
@@ -191114,7 +191118,7 @@ CVE-2018-6574 (Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases
- golang-1.9 1.9.4-1
- golang-1.8 <removed>
- golang-1.7 <removed>
- [stretch] - golang-1.7 <ignored> (Minor issue)
+ [stretch] - golang-1.7 <ignored> (Minor issue, may break packages compilation, ignored for 1.7 by package maintainers)
- golang <removed>
[jessie] - golang <ignored> (Minor issue)
[wheezy] - golang <ignored> (Minor issue)
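Review bot: "may break packages compilation" on the added golang-1.7 line should be "may break package compilation", and "ignored for 1.7 by package maintainers" would be easier to audit with a pointer (bug number or changelog reference) to that decision. The hunk shows no [stretch] line for golang-1.8 under this CVE; worth confirming that is intentional.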
@@ -216960,11 +216964,11 @@ CVE-2017-15043 (A vulnerability in Sierra Wireless AirLink GX400, GX440, ES440,
CVE-2017-15042 (An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x befo ...)
- golang-1.9 1.9.1-1
- golang-1.8 1.8.4-1
- [stretch] - golang-1.8 <ignored> (Minor issue, would require builds of all go packages in stable)
+ [stretch] - golang-1.8 <ignored> (Minor issue, would require rebuilds of affected go-based packages in stable)
- golang-1.7 <removed>
- [stretch] - golang-1.7 <ignored> (Minor issue, would require builds of all go packages in stable)
+ [stretch] - golang-1.7 <ignored> (Minor issue, would require rebuilds of affected go-based packages in stable)
- golang <removed>
- [jessie] - golang <ignored> (Minor issue, would require builds of all go packages in stable)
+ [jessie] - golang <ignored> (Minor issue, would require rebuilds of affected go packages in oldstable)
[wheezy] - golang <not-affected> (Vulnerable code introduced later in version 1.1)
NOTE: https://github.com/golang/go/issues/22134
NOTE: https://golang.org/cl/68023
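Review bot: the added [jessie] line says "affected go packages in oldstable" while the two added [stretch] lines say "affected go-based packages in stable"; use one term throughout. The "in stable" and "in oldstable" suffixes also go stale as releases age, and each line already carries its [stretch] or [jessie] tag, so the suffix could be dropped.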
@@ -235506,9 +235510,9 @@ CVE-2016-10374 (perltidy through 20160302, as used by perlcritic, check-all-the-
[wheezy] - perltidy <no-dsa> (Minor issue)
CVE-2017-8932 (A bug in the standard library ScalarMult implementation of curve P-256 ...)
- golang-1.8 1.8.3-1 (bug #863307)
- [stretch] - golang-1.8 <ignored> (Minor issue, would require builds of all go packages in stable)
+ [stretch] - golang-1.8 <ignored> (Minor issue, would require rebuilds of affected go-based packages in stable)
- golang-1.7 1.7.6-1 (bug #863308)
- [stretch] - golang-1.7 <ignored> (Minor issue, would require builds of all go packages in stable)
+ [stretch] - golang-1.7 <ignored> (Minor issue, would require rebuilds of affected go-based packages in stable)
- golang <removed>
[wheezy] - golang <not-affected> (Vulnerable code not present, no ASM implementation of the p256 elliptic curve)
[jessie] - golang <not-affected> (Vulnerable code not present, no ASM implementation of the p256 elliptic curve)
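Review bot: both added [stretch] lines justify ignoring the issue only by the cost of rebuilding, with nothing on impact, even though the CVE description is a bug in the P-256 ScalarMult implementation. A few words on why the impact is minor (as done with "DoS" for CVE-2018-16875 in this commit) would make the triage decision reviewable from the entry alone.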
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b0c42720f0b2da8716f537173e78cc44f1683c29