[Git][security-tracker-team/security-tracker][master] 2 commits: golang: standardize/clarify buster-lts triage

Sylvain Beucler (@beuc) beuc at debian.org
Fri Sep 16 12:21:01 BST 2022



Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
e9e59255 by Sylvain Beucler at 2022-09-16T13:08:02+02:00
golang: standardize/clarify buster-lts triage
following discussion with Ola

- - - - -
584817f4 by Sylvain Beucler at 2022-09-16T13:08:44+02:00
dla add golang-1.11

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -21292,7 +21292,7 @@ CVE-2022-1997 (Cross-site Scripting (XSS) - Stored in GitHub repository francois
 CVE-2022-1996 (Authorization Bypass Through User-Controlled Key in GitHub repository  ...)
 	- golang-github-emicklei-go-restful <unfixed> (bug #1012763)
 	[bullseye] - golang-github-emicklei-go-restful <no-dsa> (Minor issue)
-	[buster] - golang-github-emicklei-go-restful <no-dsa> (Minor issue)
+	[buster] - golang-github-emicklei-go-restful <postponed> (Limited support, follow bullseye DSAs/point-releases)
 	NOTE: https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1/
 	NOTE: https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10
 CVE-2022-1995 (The Malware Scanner WordPress plugin before 4.5.2 does not sanitise an ...)
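Review bot: On the [buster] golang-github-emicklei-go-restful line the new note drops the "minor issue" qualifier that the replaced line carried and that the [bullseye] line just above still states. The other entries in this patch that started from "(Minor issue)" became "(Limited support, minor issue, follow bullseye DSAs/point-releases)"; use the same wording here so the severity assessment is not lost.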
@@ -22152,7 +22152,7 @@ CVE-2022-32189 (A too-short encoded message can cause a panic in Float.GobDecode
 	- golang-1.17 1.17.13-1
 	- golang-1.15 <removed>
 	- golang-1.11 <removed>
-	[buster] - golang-1.11 <no-dsa> (Limited support)
+	[buster] - golang-1.11 <postponed> (Limited support, follow bullseye DSAs/point-releases)
 	NOTE: https://go.dev/issue/53871
 	NOTE: https://groups.google.com/g/golang-nuts/c/DCFSyTGM0wU
 	NOTE: https://github.com/golang/go/commit/055113ef364337607e3e72ed7d48df67fde6fc66 (master, go1.19)
@@ -22248,7 +22248,7 @@ CVE-2022-32148 (Improper exposure of client IP addresses in net/http before Go 1
 	- golang-1.17 1.17.13-1
 	- golang-1.15 <removed>
 	- golang-1.11 <removed>
-	[buster] - golang-1.11 <no-dsa> (Limited support)
+	[buster] - golang-1.11 <postponed> (Limited support, follow bullseye DSAs/point-releases)
 	NOTE: https://github.com/golang/go/issues/53423
 	NOTE: https://github.com/golang/go/commit/b2cc0fecc2ccd80e6d5d16542cc684f97b3a9c8a (go1.19rc1)
 	NOTE: https://github.com/golang/go/commit/ebea1e3353fa766025aa5190b9c7cc05cf069187 (go1.18.4)
@@ -22287,7 +22287,7 @@ CVE-2022-1962 (Uncontrolled recursion in the Parse functions in go/parser before
 	- golang-1.17 1.17.13-1
 	- golang-1.15 <removed>
 	- golang-1.11 <removed>
-	[buster] - golang-1.11 <no-dsa> (Limited support)
+	[buster] - golang-1.11 <postponed> (Limited support, follow bullseye DSAs/point-releases)
 	NOTE: https://go.dev/issue/53616
 	NOTE: https://github.com/golang/go/commit/695be961d57508da5a82217f7415200a11845879 (go1.19rc2)
 	NOTE: https://github.com/golang/go/commit/0d1615b23f9a558aa0a1957b4c81596220eb8ec4 (go1.18.4)
@@ -26612,7 +26612,7 @@ CVE-2022-30635 (Uncontrolled recursion in Decoder.Decode in encoding/gob before
 	- golang-1.17 1.17.13-1
 	- golang-1.15 <removed>
 	- golang-1.11 <removed>
-	[buster] - golang-1.11 <no-dsa> (Limited support)
+	[buster] - golang-1.11 <postponed> (Limited support, follow bullseye DSAs/point-releases)
 	NOTE: https://go.dev/issue/53615
 	NOTE: https://github.com/golang/go/commit/6fa37e98ea4382bf881428ee0c150ce591500eb7 (go1.19rc2)
 	NOTE: https://github.com/golang/go/commit/fb979a50823e5a0575cf6166b3f17a13364cbf81 (go1.18.4)
@@ -26634,7 +26634,7 @@ CVE-2022-30633 (Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.
 	- golang-1.17 1.17.13-1
 	- golang-1.15 <removed>
 	- golang-1.11 <removed>
-	[buster] - golang-1.11 <no-dsa> (Limited support)
+	[buster] - golang-1.11 <postponed> (Limited support, follow bullseye DSAs/point-releases)
 	NOTE: https://go.dev/issue/53611
 	NOTE: https://github.com/golang/go/commit/c4c1993fd2a5b26fe45c09592af6d3388a3b2e08 (go1.19rc2)
 	NOTE: https://github.com/golang/go/commit/2924ced71d16297320e8ff18829c2038e6ad8d9b (go1.18.4)
@@ -26645,7 +26645,7 @@ CVE-2022-30632 (Uncontrolled recursion in Glob in path/filepath before Go 1.17.1
 	- golang-1.17 1.17.13-1
 	- golang-1.15 <removed>
 	- golang-1.11 <removed>
-	[buster] - golang-1.11 <no-dsa> (Limited support)
+	[buster] - golang-1.11 <postponed> (Limited support, follow bullseye DSAs/point-releases)
 	NOTE: https://go.dev/issue/53416
 	NOTE: https://github.com/golang/go/commit/ac68c6c683409f98250d34ad282b9e1b0c9095ef (go1.19rc2)
 	NOTE: https://github.com/golang/go/commit/5ebd862b1714dad1544bd10a24c47cdb53ad7f46 (go1.18.4)
@@ -26656,7 +26656,7 @@ CVE-2022-30631 (Uncontrolled recursion in Reader.Read in compress/gzip before Go
 	- golang-1.17 1.17.13-1
 	- golang-1.15 <removed>
 	- golang-1.11 <removed>
-	[buster] - golang-1.11 <no-dsa> (Limited support)
+	[buster] - golang-1.11 <postponed> (Limited support, follow bullseye DSAs/point-releases)
 	NOTE: https://go.dev/issue/53168
 	NOTE: https://github.com/golang/go/commit/b2b8872c876201eac2d0707276c6999ff3eb185e (go1.19rc2)
 	NOTE: https://github.com/golang/go/commit/8e27a8ac4c001c27713810b75925aa3794049c48 (go1.18.4)
@@ -26679,7 +26679,7 @@ CVE-2022-30629 (Non-random values for ticket_age_add in session tickets in crypt
 	- golang-1.15 <removed>
 	[bullseye] - golang-1.15 <no-dsa> (Minor issue)
 	- golang-1.11 <removed>
-	[buster] - golang-1.11 <no-dsa> (Minor issue)
+	[buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	- golang-1.8 <removed>
 	[stretch] - golang-1.8 <not-affected> (Vulnerable code - TLS1.3 - introduced later)
 	- golang-1.7 <removed>
@@ -27660,21 +27660,21 @@ CVE-2022-30324 (HashiCorp Nomad and Nomad Enterprise version 0.2.0 up to 1.3.0 w
 CVE-2022-30323 (go-getter up to 1.5.11 and 2.0.2 panicked when processing password-pro ...)
 	- golang-github-hashicorp-go-getter <unfixed> (bug #1011741)
 	[bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
-	[buster] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
+	[buster] - golang-github-hashicorp-go-getter <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	NOTE: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
 	NOTE: https://github.com/hashicorp/go-getter/pull/359
 	NOTE: https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45 (v1.6.0)
 CVE-2022-30322 (go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustio ...)
 	- golang-github-hashicorp-go-getter <unfixed> (bug #1011741)
 	[bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
-	[buster] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
+	[buster] - golang-github-hashicorp-go-getter <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	NOTE: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
 	NOTE: https://github.com/hashicorp/go-getter/pull/359
 	NOTE: https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45 (v1.6.0)
 CVE-2022-30321 (go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go- ...)
 	- golang-github-hashicorp-go-getter <unfixed> (bug #1011741)
 	[bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
-	[buster] - golang-github-hashicorp-go-getter <no-dsa> (Limited support)
+	[buster] - golang-github-hashicorp-go-getter <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	NOTE: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
 	NOTE: https://github.com/hashicorp/go-getter/pull/359
 	NOTE: https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45 (v1.6.0)
@@ -34241,7 +34241,7 @@ CVE-2022-28131 (In Decoder.Skip in encoding/xml in Go before 1.17.12 and 1.18.x
 	- golang-1.18 1.18.4-1
 	- golang-1.15 <removed>
 	- golang-1.11 <removed>
-	[buster] - golang-1.11 <no-dsa> (Limited support)
+	[buster] - golang-1.11 <postponed> (Limited support, follow bullseye DSAs/point-releases)
 	NOTE: https://github.com/golang/go/issues/53614
 	NOTE: https://github.com/golang/go/commit/08c46ed43d80bbb67cb904944ea3417989be4af3 (go1.19rc2)
 	NOTE: https://github.com/golang/go/commit/90f040ec510dd678b7860d70ca77e5682f4c7e96 (go1.18.4)
@@ -35589,7 +35589,7 @@ CVE-2022-27664 (In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attack
 	- golang-1.17 <unfixed>
 	- golang-1.15 <removed>
 	- golang-1.11 <removed>
-	[buster] - golang-1.11 <no-dsa> (Limited support)
+	[buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	NOTE: https://groups.google.com/g/golang-announce/c/x49AQzIVX-s
 	NOTE: https://github.com/golang/go/issues/54658
 	NOTE: https://github.com/golang/go/commit/9cfe4e258b1c9d4a04a42539c21c7bdb2e227824 (go1.19.1)
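Review bot: The [buster] golang-1.11 line for CVE-2022-27664 gains "minor issue" although the note it replaces said only "(Limited support)", and the other golang-1.11 entries that started from "(Limited support)", such as CVE-2022-32189, were converted without it. If a severity assessment was made for this CVE, say so in the commit message; otherwise keep the text to "Limited support, follow bullseye DSAs/point-releases" so the note does not assert a triage decision that was not recorded before.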
@@ -36943,7 +36943,7 @@ CVE-2022-27192 (The Reporting module in Aseco Lietuva document management system
 	NOT-FOR-US: Aseco
 CVE-2022-27191 (The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1 ...)
 	- golang-go.crypto 1:0.0~git20220315.3147a52-1
-	[buster] - golang-go.crypto <no-dsa> (Limited support)
+	[buster] - golang-go.crypto <postponed> (Limited support, follow bullseye DSAs/point-releases)
 	NOTE: https://groups.google.com/g/golang-announce/c/-cp44ypCT5s/m/wmegxkLiAQAJ
 	NOTE: https://github.com/golang/crypto/commit/1baeb1ce4c0b006eff0f294c47cb7617598dfb3d
 CVE-2022-27190
@@ -37688,7 +37688,7 @@ CVE-2022-26946
 CVE-2022-26945 (go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless r ...)
 	- golang-github-hashicorp-go-getter <unfixed> (bug #1011741)
 	[bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
-	[buster] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
+	[buster] - golang-github-hashicorp-go-getter <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	NOTE: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
 	NOTE: https://github.com/hashicorp/go-getter/pull/359
 	NOTE: https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45 (v1.6.0)
@@ -43429,7 +43429,7 @@ CVE-2022-24921 (regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 all
 	- golang-1.15 <removed>
 	[bullseye] - golang-1.15 1.15.15-1~deb11u4
 	- golang-1.11 <removed>
-	[buster] - golang-1.11 <no-dsa> (Minor issue)
+	[buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	- golang-1.8 <removed>
 	- golang-1.7 <removed>
 	NOTE: https://github.com/golang/go/issues/51112
@@ -47713,7 +47713,7 @@ CVE-2022-23806 (Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17
 	- golang-1.15 <removed>
 	[bullseye] - golang-1.15 1.15.15-1~deb11u3
 	- golang-1.11 <removed>
-	[buster] - golang-1.11 <no-dsa> (Minor issue)
+	[buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	- golang-1.8 <removed>
 	- golang-1.7 <removed>
 	NOTE: https://github.com/golang/go/issues/50974
@@ -47843,7 +47843,7 @@ CVE-2022-23773 (cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinte
 	- golang-1.15 <removed>
 	[bullseye] - golang-1.15 1.15.15-1~deb11u3
 	- golang-1.11 <removed>
-	[buster] - golang-1.11 <no-dsa> (Minor issue)
+	[buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	- golang-1.8 <removed>
 	[stretch] - golang-1.8 <not-affected> (vgo/modfetch module not present)
 	- golang-1.7 <removed>
@@ -47858,7 +47858,7 @@ CVE-2022-23772 (Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before
 	- golang-1.15 <removed>
 	[bullseye] - golang-1.15 1.15.15-1~deb11u3
 	- golang-1.11 <removed>
-	[buster] - golang-1.11 <no-dsa> (Minor issue)
+	[buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	- golang-1.8 <removed>
 	- golang-1.7 <removed>
 	NOTE: https://github.com/golang/go/issues/50699
@@ -58095,7 +58095,7 @@ CVE-2021-44717 (Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write
 	- golang-1.15 1.15.15-5
 	[bullseye] - golang-1.15 1.15.15-1~deb11u2
 	- golang-1.11 <removed>
-	[buster] - golang-1.11 <no-dsa> (Minor issue)
+	[buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	- golang-1.8 <removed>
 	- golang-1.7 <removed>
 	NOTE: https://github.com/golang/go/issues/50057
@@ -58108,13 +58108,13 @@ CVE-2021-44716 (net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows un
 	- golang-1.15 1.15.15-5
 	[bullseye] - golang-1.15 1.15.15-1~deb11u2
 	- golang-1.11 <removed>
-	[buster] - golang-1.11 <no-dsa> (Minor issue)
+	[buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	- golang-1.8 <removed>
 	- golang-1.7 <removed>
 	- golang-golang-x-net 1:0.0+git20211209.491a49a+dfsg-1
 	[bullseye] - golang-golang-x-net <no-dsa> (Minor issue)
 	- golang-golang-x-net-dev <removed>
-	[buster] - golang-golang-x-net-dev <no-dsa> (Minor issue)
+	[buster] - golang-golang-x-net-dev <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	[stretch] - golang-golang-x-net-dev <postponed> (Limited support in stretch)
 	NOTE: https://github.com/golang/go/issues/50058
 	NOTE: https://groups.google.com/g/golang-announce/c/hcmEScgc00k/m/ZWnOjeY4CQAJ
@@ -60645,7 +60645,7 @@ CVE-2022-21709
 CVE-2022-21708 (graphql-go is a GraphQL server with a focus on ease of use. In version ...)
 	- golang-github-graph-gophers-graphql-go 1.3.0-1
 	[bullseye] - golang-github-graph-gophers-graphql-go <no-dsa> (Minor issue)
-	[buster] - golang-github-graph-gophers-graphql-go <no-dsa> (Minor issue)
+	[buster] - golang-github-graph-gophers-graphql-go <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	NOTE: https://github.com/graph-gophers/graphql-go/commit/eae31ca73eb3473c544710955d1dbebc22605bfe (v1.3.0)
 	NOTE: https://github.com/graph-gophers/graphql-go/security/advisories/GHSA-mh3m-8c74-74xh
 	NOTE: https://github.com/graph-gophers/graphql-go/pull/492
@@ -60682,7 +60682,7 @@ CVE-2022-21699 (IPython (Interactive Python) is a command shell for interactive
 CVE-2022-21698 (client_golang is the instrumentation library for Go applications in Pr ...)
 	- golang-github-prometheus-client-golang 1.11.1-1 (bug #1008008)
 	[bullseye] - golang-github-prometheus-client-golang <no-dsa> (Minor issue)
-	[buster] - golang-github-prometheus-client-golang <no-dsa> (Minor issue)
+	[buster] - golang-github-prometheus-client-golang <postponed> (Limited support, minor issue, DoS in specific conditions, follow bullseye DSAs/point-releases)
 	[stretch] - golang-github-prometheus-client-golang <postponed> (Minor issue, DoS in specific conditions, requires rebuilding reverse-dependencies; Limited support in stretch)
 	NOTE: https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p
 	NOTE: https://github.com/prometheus/client_golang/pull/962
@@ -62821,7 +62821,7 @@ CVE-2021-43566 (All versions of Samba prior to 4.13.16 are vulnerable to a malic
 	NOTE: https://bugzilla.samba.org/show_bug.cgi?id=13979
 CVE-2021-43565 (The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of g ...)
 	- golang-go.crypto 1:0.0~git20211202.5770296-1
-	[buster] - golang-go.crypto <no-dsa> (Limited support)
+	[buster] - golang-go.crypto <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	[stretch] - golang-go.crypto <postponed> (Limited support in stretch)
 	NOTE: https://github.com/golang/crypto/commit/5770296d904e90f15f38f77dfc2e43fdf5efc083
 	NOTE: https://github.com/golang/go/issues/49932
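Review bot: The [buster] golang-go.crypto note here reads "Limited support, minor issue, follow bullseye DSAs/point-releases", while the same package under CVE-2022-27191 earlier in this patch, also starting from "(Limited support)", gets the note without "minor issue". Pick one wording for both entries, or state why this CVE is rated minor and the other is not.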
@@ -65787,7 +65787,7 @@ CVE-2021-42837 (An issue was discovered in Talend Data Catalog before 7.3-202109
 CVE-2021-42836 (GJSON before 1.9.3 allows a ReDoS (regular expression denial of servic ...)
 	- golang-github-tidwall-gjson <unfixed> (bug #1000225)
 	[bullseye] - golang-github-tidwall-gjson <no-dsa> (Minor issue)
-	[buster] - golang-github-tidwall-gjson <no-dsa> (Minor issue)
+	[buster] - golang-github-tidwall-gjson <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	NOTE: https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944
 	NOTE: https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96
 	NOTE: https://github.com/tidwall/gjson/issues/236
@@ -68574,7 +68574,7 @@ CVE-2021-42249
 CVE-2021-42248 (GJSON <= 1.9.2 allows attackers to cause a redos via crafted JSON i ...)
 	- golang-github-tidwall-gjson <unfixed> (bug #1011616)
 	[bullseye] - golang-github-tidwall-gjson <no-dsa> (Minor issue)
-	[buster] - golang-github-tidwall-gjson <no-dsa> (Minor issue)
+	[buster] - golang-github-tidwall-gjson <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	NOTE: https://github.com/tidwall/gjson/issues/237
 	NOTE: https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96 (v1.9.3)
 CVE-2021-42247
@@ -69829,7 +69829,7 @@ CVE-2021-41771 (ImportedSymbols in debug/macho (for Open or OpenFat) in Go befor
 	- golang-1.15 1.15.15-5
 	[bullseye] - golang-1.15 1.15.15-1~deb11u2
 	- golang-1.11 <removed>
-	[buster] - golang-1.11 <no-dsa> (Minor issue)
+	[buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	- golang-1.8 <removed>
 	- golang-1.7 <removed>
 	NOTE: https://github.com/golang/go/issues/48990
@@ -76045,7 +76045,7 @@ CVE-2021-39293 (In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a c
 	- golang-1.15 1.15.15-2
 	[bullseye] - golang-1.15 1.15.15-1~deb11u1
 	- golang-1.11 <removed>
-	[buster] - golang-1.11 <no-dsa> (Minor issue)
+	[buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	- golang-1.8 <removed>
 	- golang-1.7 <removed>
 	NOTE: https://github.com/golang/go/issues/47801
@@ -77845,7 +77845,7 @@ CVE-2021-38561
 	RESERVED
 	- golang-golang-x-text 0.3.7-1
 	- golang-x-text <removed>
-	[buster] - golang-x-text <no-dsa> (Minor issue)
+	[buster] - golang-x-text <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2100495
 CVE-2021-38560 (Ivanti Service Manager 2021.1 allows reflected XSS via the appName par ...)
 	NOT-FOR-US: Ivanti
@@ -78567,7 +78567,7 @@ CVE-2021-38297 (Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow
 	- golang-1.15 1.15.15-5
 	[bullseye] - golang-1.15 1.15.15-1~deb11u2
 	- golang-1.11 <removed>
-	[buster] - golang-1.11 <no-dsa> (Minor issue)
+	[buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	- golang-1.8 <not-affected> (Vulnerable code not present)
 	- golang-1.7 <not-affected> (Vulnerable code not present)
 	NOTE: https://github.com/golang/go/commit/77f2750f4398990eed972186706f160631d7dae4
@@ -83780,7 +83780,7 @@ CVE-2021-36221 (Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition
 	- golang-1.15 1.15.15-1 (bug #991961)
 	[bullseye] - golang-1.15 1.15.15-1~deb11u1
 	- golang-1.11 <removed>
-	[buster] - golang-1.11 <no-dsa> (Minor issue)
+	[buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	- golang-1.8 <removed>
 	- golang-1.7 <removed>
 	NOTE: https://github.com/golang/go/issues/46866
@@ -87817,7 +87817,7 @@ CVE-2021-34558 (The crypto/tls package of Go through 1.16.5 does not properly as
 	- golang-1.16 1.16.6-1
 	- golang-1.15 1.15.9-6
 	- golang-1.11 <removed>
-	[buster] - golang-1.11 <no-dsa> (Minor issue)
+	[buster] - golang-1.11 <postponed> (Limited support, minor issue, DoS)
 	- golang-1.8 <removed>
 	[stretch] - golang-1.8 <postponed> (Minor issue, DoS, requires rebuilding reverse-dependencies)
 	- golang-1.7 <removed>
@@ -91149,7 +91149,7 @@ CVE-2021-33198 (In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a pa
 	- golang-1.16 1.16.5-1
 	- golang-1.15 1.15.9-5
 	- golang-1.11 <removed>
-	[buster] - golang-1.11 <no-dsa> (Minor issue)
+	[buster] - golang-1.11 <postponed> (Limited support, minor issue)
 	- golang-1.8 <removed>
 	[stretch] - golang-1.8 <not-affected> (Vulnerable code introduced later)
 	- golang-1.7 <removed>
@@ -91161,7 +91161,7 @@ CVE-2021-33197 (In Go before 1.15.13 and 1.16.x before 1.16.5, some configuratio
 	- golang-1.16 1.16.5-1
 	- golang-1.15 1.15.9-5
 	- golang-1.11 <removed>
-	[buster] - golang-1.11 <no-dsa> (Minor issue)
+	[buster] - golang-1.11 <postponed> (Limited support, minor issue, header corruption in proxy chains)
 	- golang-1.8 <removed>
 	[stretch] - golang-1.8 <postponed> (Minor issue, header corruption in proxy chains, requires rebuilding reverse-dependencies)
 	- golang-1.7 <removed>
@@ -91174,7 +91174,7 @@ CVE-2021-33196 (In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a
 	- golang-1.16 1.16.5-1 (bug #989492)
 	- golang-1.15 1.15.9-4
 	- golang-1.11 <removed>
-	[buster] - golang-1.11 <no-dsa> (Minor issue)
+	[buster] - golang-1.11 <postponed> (Limited support, minor issue, fixed in stretch-lts)
 	- golang-1.8 <removed>
 	- golang-1.7 <removed>
 	NOTE: https://github.com/golang/go/issues/46242
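Review bot: "fixed in stretch-lts" on the [buster] golang-1.11 line sits oddly with the postponed state: a fix that shipped in the older release but not in buster means an upgrade from stretch to buster reintroduces the issue, which is normally a reason to schedule the fix rather than defer it. Either point the note at the follow-up (the second commit in this push is "dla add golang-1.11") or explain why the regression is acceptable.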
@@ -91187,7 +91187,7 @@ CVE-2021-33195 (Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS
 	- golang-1.15 1.15.9-5
 	[bullseye] - golang-1.15 <no-dsa> (Minor issue; will be fixed via point release)
 	- golang-1.11 <removed>
-	[buster] - golang-1.11 <no-dsa> (Minor issue)
+	[buster] - golang-1.11 <postponed> (Limited support, minor issue, affects poor validation practice, follow bullseye DSAs/point-releases)
 	- golang-1.8 <removed>
 	[stretch] - golang-1.8 <postponed> (Minor issue, affects poor validation practice, requires rebuilding reverse-dependencies)
 	- golang-1.7 <removed>
@@ -91198,7 +91198,7 @@ CVE-2021-33195 (Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS
 CVE-2021-33194 (golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows atta ...)
 	- golang-golang-x-net 1:0.0+git20210119.5f4716e+dfsg-4
 	- golang-golang-x-net-dev <removed>
-	[buster] - golang-golang-x-net-dev <no-dsa> (Limited support)
+	[buster] - golang-golang-x-net-dev <postponed> (Limited support)
 	[stretch] - golang-golang-x-net-dev <no-dsa> (Limited support in stretch)
 	NOTE: https://groups.google.com/g/golang-dev/c/28x0nthP-c8/m/KqWVTjsnBAAJ
 	NOTE: https://github.com/golang/go/issues/46288
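Review bot: Only the state changes on the [buster] golang-golang-x-net-dev line; the note stays at the bare "(Limited support)" that this commit replaces everywhere else. Since the aim is to standardize the buster-lts wording, extend it in the same way as the other golang-golang-x-net-dev entries in this patch (CVE-2021-44716, CVE-2021-31525), which state the severity or impact after "Limited support".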
@@ -95666,14 +95666,14 @@ CVE-2021-31525 (net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows re
 	- golang-1.16 1.16.4-1
 	- golang-1.15 1.15.9-2
 	- golang-1.11 <removed>
-	[buster] - golang-1.11 <no-dsa> (Minor issue)
+	[buster] - golang-1.11 <postponed> (Limited support, minor issue, DoS)
 	- golang-1.8 <removed>
 	[stretch] - golang-1.8 <postponed> (Minor issue, DoS, requires rebuilding reverse-dependencies)
 	- golang-1.7 <removed>
 	[stretch] - golang-1.7 <postponed> (Minor issue, DoS, requires rebuilding reverse-dependencies)
 	- golang-golang-x-net 1:0.0+git20210119.5f4716e+dfsg-3
 	- golang-golang-x-net-dev <removed>
-	[buster] - golang-golang-x-net-dev <no-dsa> (Limited support)
+	[buster] - golang-golang-x-net-dev <postponed> (Limited support, minor issue, DoS)
 	[stretch] - golang-golang-x-net-dev <no-dsa> (Limited support in stretch)
 	NOTE: https://github.com/golang/go/issues/45710
 	NOTE: https://github.com/golang/go/issues/45711 (1.15 backport)
@@ -100137,7 +100137,7 @@ CVE-2021-29923 (Go before 1.17 does not properly consider extraneous zero charac
 	- golang-1.16 <unfixed>
 	- golang-1.15 <unfixed>
 	- golang-1.11 <removed>
-	[buster] - golang-1.11 <no-dsa> (Minor issue)
+	[buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	- golang-1.8 <removed>
 	[stretch] - golang-1.8 <ignored> (Minor issue, IP-based access control failure in specific cases, upstream won't fix supported releases for backward compatibility)
 	- golang-1.7 <removed>
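Review bot: "follow bullseye DSAs/point-releases" on the [buster] golang-1.11 line for CVE-2021-29923 may never resolve: golang-1.16 and golang-1.15 are both shown as unfixed, and the [stretch] line below records that upstream won't fix supported releases for backward compatibility. If that reasoning also applies to 1.11, the ignored state with the same explanation would describe the situation more accurately than postponed.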
@@ -105196,7 +105196,7 @@ CVE-2021-27918 (encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an
 	- golang-1.16 1.16.3-1
 	- golang-1.15 1.15.9-1
 	- golang-1.11 <removed>
-	[buster] - golang-1.11 <no-dsa> (Minor issue)
+	[buster] - golang-1.11 <postponed> (Limited support, minor issue, DoS)
 	- golang-1.8 <removed>
 	[stretch] - golang-1.8 <postponed> (Minor issue, DoS)
 	- golang-1.7 <removed>
@@ -114992,7 +114992,7 @@ CVE-2021-25900 (An issue was discovered in the smallvec crate before 0.6.14 and
 	NOTE: https://github.com/servo/rust-smallvec/issues/252
 CVE-2021-3127 (NATS Server 2.x before 2.2.0 and JWT library before 2.0.1 have Incorre ...)
 	- golang-github-nats-io-jwt 2.2.0-1
-	[buster] - golang-github-nats-io-jwt <no-dsa> (Limited support)
+	[buster] - golang-github-nats-io-jwt <postponed> (Limited support, requires rebuilding golang-github-nats-io-gnatsd)
 	- nats-server <not-affected> (Fixed before initial upload to Debian)
 	NOTE: https://advisories.nats.io/CVE/CVE-2021-3127.txt
 	NOTE: https://github.com/nats-io/jwt/security/advisories/GHSA-62mh-w5cv-p88c
@@ -115146,9 +115146,10 @@ CVE-2021-3122 (CMCAgent in NCR Command Center Agent 16.3 on Aloha POS/BOH server
 	NOT-FOR-US: CMCAgent in NCR Command Center Agent
 CVE-2021-3121 (An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarsha ...)
 	- golang-gogoprotobuf 1.3.2-1
-	[buster] - golang-gogoprotobuf <no-dsa> (Minor issue)
+	[buster] - golang-gogoprotobuf <postponed> (Limited support, minor issue)
 	[stretch] - golang-gogoprotobuf <no-dsa> (Minor issue)
 	NOTE: https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc
+	NOTE: Triage discussion: https://lists.debian.org/debian-lts/2021/03/msg00011.html
 CVE-2021-3120 (An arbitrary file upload vulnerability in the YITH WooCommerce Gift Ca ...)
 	NOT-FOR-US: YITH WooCommerce Gift Cards Premium plugin for WordPress
 CVE-2021-3119 (Zetetic SQLCipher 4.x before 4.4.3 has a NULL pointer dereferencing is ...)
@@ -120931,12 +120932,12 @@ CVE-2020-36068
 	RESERVED
 CVE-2020-36067 (GJSON <=v1.6.5 allows attackers to cause a denial of service (panic ...)
 	- golang-github-tidwall-gjson 1.6.7-1
-	[buster] - golang-github-tidwall-gjson <no-dsa> (Minor issue)
+	[buster] - golang-github-tidwall-gjson <postponed> (Limited support, minor issue)
 	NOTE: https://github.com/tidwall/gjson/issues/196
 	NOTE: https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b
 CVE-2020-36066 (GJSON <1.6.5 allows attackers to cause a denial of service (remote) ...)
 	- golang-github-tidwall-gjson 1.6.7-1
-	[buster] - golang-github-tidwall-gjson <no-dsa> (Minor issue)
+	[buster] - golang-github-tidwall-gjson <postponed> (Limited support, minor issue)
 	NOTE: https://github.com/tidwall/gjson/issues/195
 	NOTE: https://github.com/tidwall/match/commit/c2f534168b739a7ec1821a33839fb2f029f26bbc
 	NOTE: fix in golang-github-tidwall-gjson is dependency on golang-github-tidwall-match v1.0.3
@@ -126672,11 +126673,11 @@ CVE-2020-35382 (SQL Injection in Classbooking before 2.4.1 via the username fiel
 	NOT-FOR-US: Classbooking
 CVE-2020-35381 (jsonparser 1.0.0 allows attackers to cause a denial of service (panic: ...)
 	- golang-github-buger-jsonparser 1.1.1-1 (bug #978445)
-	[buster] - golang-github-buger-jsonparser <no-dsa> (Minor issue)
+	[buster] - golang-github-buger-jsonparser <postponed> (Limited support, minor issue)
 	NOTE: https://github.com/buger/jsonparser/issues/219
 CVE-2020-35380 (GJSON before 1.6.4 allows attackers to cause a denial of service via c ...)
 	- golang-github-tidwall-gjson 1.6.7-1 (bug #977622)
-	[buster] - golang-github-tidwall-gjson <no-dsa> (Limited support)
+	[buster] - golang-github-tidwall-gjson <postponed> (Limited support, minor issue)
 	NOTE: https://github.com/tidwall/gjson/issues/192
 	NOTE: https://github.com/tidwall/gjson/commit/f0ee9ebde4b619767ae4ac03e8e42addb530f6bc (v1.6.4)
 CVE-2020-35379
@@ -131140,14 +131141,14 @@ CVE-2020-28853
 CVE-2020-28852 (In x/text in Go before v0.3.5, a "slice bounds out of range" panic occ ...)
 	- golang-golang-x-text 0.3.5-1 (bug #980002)
 	- golang-x-text <removed>
-	[buster] - golang-x-text <no-dsa> (Minor issue)
+	[buster] - golang-x-text <postponed> (Limited support, minor issue)
 	[stretch] - golang-x-text <no-dsa> (Minor issue. Golang has limited support in stretch.)
 	NOTE: https://github.com/golang/go/issues/42536
 	NOTE: https://github.com/golang/text/commit/4482a914f52311356f6f4b7a695d4075ca22c0c6 (v0.3.5)
 CVE-2020-28851 (In x/text in Go 1.15.4, an "index out of range" panic occurs in langua ...)
 	- golang-golang-x-text 0.3.6-1 (bug #980001)
 	- golang-x-text <removed>
-	[buster] - golang-x-text <no-dsa> (Minor issue)
+	[buster] - golang-x-text <postponed> (Limited support, minor issue)
 	[stretch] - golang-x-text <no-dsa> (Minor issue. Golang has limited support in stretch.)
 	NOTE: https://github.com/golang/go/issues/42535
 CVE-2020-28850
@@ -133252,7 +133253,7 @@ CVE-2020-28484
 CVE-2020-28483 (This affects all versions of package github.com/gin-gonic/gin. When gi ...)
 	- golang-github-gin-gonic-gin <unfixed> (bug #988943)
 	[bullseye] - golang-github-gin-gonic-gin <no-dsa> (Minor issue)
-	[buster] - golang-github-gin-gonic-gin <no-dsa> (Minor issue)
+	[buster] - golang-github-gin-gonic-gin <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	NOTE: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGINGONICGIN-1041736
 	NOTE: https://github.com/gin-gonic/gin/pull/2474
 	NOTE: https://github.com/gin-gonic/gin/commit/c9ea8ece4a3881028f7f715f008414346a7f4b88
@@ -133522,7 +133523,7 @@ CVE-2020-28367 (Code injection in the go command with cgo before Go 1.14.12 and
 	{DLA-2460-1}
 	- golang-1.15 1.15.5-1
 	- golang-1.11 <removed>
-	[buster] - golang-1.11 <no-dsa> (Minor issue)
+	[buster] - golang-1.11 <postponed> (Limited support, minor issue, fixed in stretch-lts)
 	- golang-1.8 <removed>
 	- golang-1.7 <removed>
 	[stretch] - golang-1.7 <ignored> (validation of cgo flags first introduced in golang-1.8 / CVE-2018-6574)
@@ -133531,7 +133532,7 @@ CVE-2020-28367 (Code injection in the go command with cgo before Go 1.14.12 and
 CVE-2020-28366 (Go before 1.14.12 and 1.15.x before 1.15.5 allows Code Injection. ...)
 	- golang-1.15 1.15.5-1
 	- golang-1.11 <removed>
-	[buster] - golang-1.11 <no-dsa> (Minor issue)
+	[buster] - golang-1.11 <postponed> (Limited support, minor issue)
 	- golang-1.8 <removed>
 	[stretch] - golang-1.8 <ignored> (Minor issue, too intrusive to backport)
 	- golang-1.7 <removed>
@@ -136678,7 +136679,6 @@ CVE-2020-27813 (An integer overflow vulnerability exists with the length of webs
 	{DLA-2520-1}
 	- golang-github-gorilla-websocket <not-affected> (Fixed with first upload to Debian with renamed source package)
 	- golang-websocket <removed>
-	[buster] - golang-websocket <no-dsa> (Limited support)
 	NOTE: https://github.com/gorilla/websocket/security/advisories/GHSA-jf24-p9p9-4rjh
 	NOTE: https://github.com/gorilla/websocket/commit/5b740c29263eb386f33f265561c8262522f19d37 (v1.4.1)
 CVE-2020-27812
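Review bot: The [buster] golang-websocket line is deleted without a replacement, unlike every other hunk in this patch, which converts the line to the postponed state. With golang-websocket marked as removed and no suite-specific line left, the entry no longer records a buster decision at all. If the package is not in buster or the issue is covered by DLA-2520-1, say so in the commit message or in a NOTE; otherwise convert the line like the others.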
@@ -139493,7 +139493,7 @@ CVE-2020-26893 (An issue was discovered in ClamXAV 3 before 3.1.1. A malicious a
 	NOT-FOR-US: ClamXAV
 CVE-2020-26892 (The JWT library in NATS nats-server before 2.1.9 has Incorrect Access  ...)
 	- golang-github-nats-io-jwt 2.2.0-1 (bug #988950)
-	[buster] - golang-github-nats-io-jwt <no-dsa> (Minor issue)
+	[buster] - golang-github-nats-io-jwt <postponed> (Limited support, minor issue, requires rebuilding golang-github-nats-io-gnatsd)
 	NOTE: https://advisories.nats.io/CVE/CVE-2020-26892.txt
 	NOTE: https://github.com/nats-io/jwt/security/advisories/GHSA-4w5x-x539-ppf5
 CVE-2020-26891 (AuthRestServlet in Matrix Synapse before 1.21.0 is vulnerable to XSS d ...)
@@ -140364,7 +140364,7 @@ CVE-2020-26522 (A cross-site request forgery (CSRF) vulnerability in mod/user/ac
 	NOT-FOR-US: Garfield Petshop
 CVE-2020-26521 (The JWT library in NATS nats-server before 2.1.9 allows a denial of se ...)
 	- golang-github-nats-io-jwt 2.2.0-1 (bug #988950)
-	[buster] - golang-github-nats-io-jwt <no-dsa> (Minor issue)
+	[buster] - golang-github-nats-io-jwt <postponed> (Limited support, minor issue, requires rebuilding golang-github-nats-io-gnatsd)
 	NOTE: https://advisories.nats.io/CVE/CVE-2020-26521.txt
 	NOTE: https://github.com/nats-io/jwt/security/advisories/GHSA-h2fg-54x9-5qhq
 CVE-2020-26520
@@ -145281,7 +145281,7 @@ CVE-2020-24553 (Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because tex
 	- golang-1.15 1.15.2-1 (bug #969661)
 	- golang-1.14 <removed> (bug #969662)
 	- golang-1.11 <removed>
-	[buster] - golang-1.11 <no-dsa> (Minor issue)
+	[buster] - golang-1.11 <postponed> (Limited support, minor issue)
 	- golang-1.8 <removed>
 	[stretch] - golang-1.8 <no-dsa> (Minor issue)
 	- golang-1.7 <removed>
@@ -165854,7 +165854,7 @@ CVE-2020-15217 (In GLPI before version 9.5.2, there is a leakage of user informa
 	- glpi <removed>
 CVE-2020-15216 (In goxmldsig (XML Digital Signatures implemented in pure Go) before ve ...)
 	- golang-github-russellhaering-goxmldsig 1.1.0-1 (bug #971615)
-	[buster] - golang-github-russellhaering-goxmldsig <no-dsa> (Minor issue)
+	[buster] - golang-github-russellhaering-goxmldsig <postponed> (Limited support, minor issue, no build rdeps, follow bullseye DSAs/point-releases)
 	NOTE: https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7
 	NOTE: https://github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64
 CVE-2020-15215 (Electron before versions 11.0.0-beta.6, 10.1.2, 9.3.1 or 8.5.2 is vuln ...)
@@ -169208,7 +169208,7 @@ CVE-2020-14041
 CVE-2020-14040 (The x/text package before 0.3.3 for Go has a vulnerability in encoding ...)
 	- golang-golang-x-text 0.3.3-1 (bug #964272)
 	- golang-x-text <removed> (bug #964271)
-	[buster] - golang-x-text <no-dsa> (Minor issue)
+	[buster] - golang-x-text <postponed> (Limited support, minor issue)
 	[stretch] - golang-x-text <no-dsa> (Minor issue)
 	NOTE: https://github.com/golang/go/issues/39491
 	NOTE: https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e
@@ -179815,7 +179815,7 @@ CVE-2020-10676
 	RESERVED
 CVE-2020-10675 (The Library API in buger jsonparser through 2019-12-04 allows attacker ...)
 	- golang-github-buger-jsonparser 0.0~git20200322.0.f7e751e-1 (bug #954373)
-	[buster] - golang-github-buger-jsonparser <no-dsa> (Minor issue)
+	[buster] - golang-github-buger-jsonparser <postponed> (Limited support, minor issue)
 	NOTE: https://github.com/buger/jsonparser/issues/188
 	NOTE: https://github.com/buger/jsonparser/commit/91ac96899e492584984ded0c8f9a08f10b473717
 CVE-2020-10673 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...)
@@ -183172,7 +183172,7 @@ CVE-2020-9284
 CVE-2020-9283 (golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go a ...)
 	{DLA-2455-1 DLA-2453-1 DLA-2402-1}
 	- golang-go.crypto 1:0.0~git20200221.2aa609c-1 (bug #952462)
-	[buster] - golang-go.crypto <no-dsa> (Minor issue)
+	[buster] - golang-go.crypto <postponed> (Limited support, minor issue, fixed in stretch)
 	[jessie] - golang-go.crypto <no-dsa> (Minor issue)
 	NOTE: https://github.com/golang/crypto/commit/bac4c82f69751a6dd76e702d54b3ceb88adab236
 CVE-2020-9282 (In Mahara 18.10 before 18.10.5, 19.04 before 19.04.4, and 19.10 before ...)
@@ -183964,7 +183964,7 @@ CVE-2020-8946 (Netis WF2471 v1.2.30142 devices allow an authenticated attacker t
 	NOT-FOR-US: Netis devices
 CVE-2020-8945 (The proglottis Go wrapper before 0.1.1 for the GPGME library has a use ...)
 	- golang-github-proglottis-gpgme 0.1.1-1 (bug #951372)
-	[buster] - golang-github-proglottis-gpgme <no-dsa> (Minor issue)
+	[buster] - golang-github-proglottis-gpgme <postponed> (Limited support, minor issue, requires rebuilding golang-github-keltia-archive and dmarc-cat)
 	NOTE: https://github.com/proglottis/gpgme/pull/23
 CVE-2020-8944 (An arbitrary memory write vulnerability in Asylo versions up to 0.6.0  ...)
 	NOT-FOR-US: Asylo
@@ -230336,7 +230336,7 @@ CVE-2019-11843 (The MailPoet plugin before 3.23.2 for WordPress allows remote at
 CVE-2019-11841 (A message-forgery issue was discovered in crypto/openpgp/clearsign/cle ...)
 	{DLA-2402-1 DLA-1920-1}
 	- golang-go.crypto 1:0.0~git20200221.2aa609c-1
-	[buster] - golang-go.crypto <no-dsa> (Limited support)
+	[buster] - golang-go.crypto <postponed> (Limited support, fixed in stretch)
 	NOTE: https://go.googlesource.com/crypto/+/c05e17bb3b2dca130fc919668a96b4bec9eb9442
 	NOTE: Patch fixes the second part of the CVE ("prepend arbitrary text")
 	NOTE: but not the first ("ignores the value of [the Hash] header"), as hinted at reporter's 2019-05-09 note:
@@ -230345,7 +230345,7 @@ CVE-2019-11841 (A message-forgery issue was discovered in crypto/openpgp/clearsi
 CVE-2019-11840 (An issue was discovered in supplementary Go cryptography libraries, ak ...)
 	{DLA-2527-1 DLA-2454-1 DLA-2442-1 DLA-2402-1 DLA-1840-1}
 	- golang-go.crypto 1:0.0~git20200221.2aa609c-1
-	[buster] - golang-go.crypto <no-dsa> (Minor issue)
+	[buster] - golang-go.crypto <postponed> (Limited support, minor issue, fixed in stretch)
 	NOTE: https://github.com/golang/go/issues/30965
 	NOTE: https://go.googlesource.com/crypto/+/b7391e95e576cacdcdd422573063bc057239113d
 	NOTE: https://groups.google.com/forum/#!msg/golang-announce/tjyNcJxb2vQ/n0NRBziSCAAJ
@@ -238199,7 +238199,7 @@ CVE-2019-9514 (Some HTTP/2 implementations are vulnerable to a reset flood, pote
 	- golang <removed>
 	[jessie] - golang <not-affected> (No HTTP2 support yet)
 	- golang-golang-x-net-dev 1:0.0+git20190811.74dc4d7+dfsg-1
-	[buster] - golang-golang-x-net-dev <no-dsa> (Minor issue)
+	[buster] - golang-golang-x-net-dev <no-dsa> (Limited support, minor issue, DoS)
 	- nodejs 10.16.3~dfsg-1 (bug #934885)
 	[stretch] - nodejs <not-affected> (No HTTP2 support yet)
 	[jessie] - nodejs <not-affected> (No HTTP2 support yet)
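Review bot: the CVE-2019-9514 buster line for golang-golang-x-net-dev keeps <no-dsa> and only changes the reason text, while the sibling CVE-2019-9512 entry in the next hunk is moved to <postponed> with the identical reason "Limited support, minor issue, DoS". Both are HTTP/2 flood issues against the same package, so the two states should match. If <no-dsa> is deliberate here, the reason should say what differs.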
@@ -238240,7 +238240,7 @@ CVE-2019-9512 (Some HTTP/2 implementations are vulnerable to ping floods, potent
 	- golang <removed>
 	[jessie] - golang <not-affected> (No HTTP2 support yet)
 	- golang-golang-x-net-dev 1:0.0+git20190811.74dc4d7+dfsg-1
-	[buster] - golang-golang-x-net-dev <no-dsa> (Minor issue)
+	[buster] - golang-golang-x-net-dev <postponed> (Limited support, minor issue, DoS)
 	- trafficserver 8.0.5+ds-1 (bug #934887)
 	- h2o 2.2.5+dfsg2-3 (bug #934886)
 	NOTE: Issue: https://github.com/golang/go/issues/33606


=====================================
data/dla-needed.txt
=====================================
@@ -48,6 +48,12 @@ glibc
   NOTE: 20220913: Programming language: C, Assembly.
   NOTE: 20220913: Harmonize with bullseye: 4 CVEs fixed in Debian 11.3 and Debian 11.5 (Beuc/front-desk)
 --
+golang-1.11
+  NOTE: 20220916: Programming language: Go.
+  NOTE: 20220916: Special attention: limited support; requires rebuilding reverse build dependencies (though recent bullseye updates didn't)
+  NOTE: 20220916: Harmonize with bullseye and stretch: 9 CVEs fixed in Debian 11.2 & 11.3 + 2 CVEs fixed in stretch-lts (Beuc/front-desk)
+  NOTE: 20220916: CVE-2020-28367 CVE-2021-33196 CVE-2021-36221 CVE-2021-39293 CVE-2021-41771 CVE-2021-44716 CVE-2021-44717 CVE-2022-23772 CVE-2022-23773 CVE-2022-23806 CVE-2022-24921 
+--
 golang-go.crypto
   NOTE: 20220915: Programming language: Go.
   NOTE: 20220915: 3 CVEs fixed in stretch and bullseye (Beuc/front-desk)
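Review bot: the added CVE list line in the golang-1.11 entry ends with a trailing space after CVE-2022-24921, which should be dropped. The preceding NOTE counts 9 CVEs fixed in Debian 11.2 & 11.3 plus 2 fixed in stretch-lts, which matches the 11 IDs listed, but the list does not say which two come from stretch-lts (CVE-2020-28367 is the one marked "fixed in stretch-lts" in the data/CVE/list hunk above). Splitting the IDs into two NOTE lines by origin would make the entry easier to act on.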



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/acfccc6158c3d493c7d3b4132f852f570a0a0df5...584817f4a179bed5519970132956257d39204b5c
