[Git][security-tracker-team/security-tracker][master] golang-1.11: postpone open CVEs unfixed in bullseye
Sylvain Beucler (@beuc)
beuc at debian.org
Wed Apr 19 12:50:49 BST 2023
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
cf04c43b by Sylvain Beucler at 2023-04-19T13:48:49+02:00
golang-1.11: postpone open CVEs unfixed in bullseye
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -18394,6 +18394,7 @@ CVE-2023-24538 (Templates do not properly consider backticks (`) as Javascript s
- golang-1.19 1.19.8-2
- golang-1.15 <removed>
- golang-1.11 <removed>
+ [buster] - golang-1.11 <postponed> (Limited support, follow bullseye DSAs/point-releases)
NOTE: https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8
NOTE: https://go.dev/issue/59234
NOTE: https://github.com/golang/go/commit/20374d1d759bc4e17486bde1cb9dca5be37d9e52 (go1.20.3)
@@ -18404,6 +18405,7 @@ CVE-2023-24537 (Calling any of the Parse functions on Go source code which conta
- golang-1.19 1.19.8-2
- golang-1.15 <removed>
- golang-1.11 <removed>
+ [buster] - golang-1.11 <postponed> (Limited support, follow bullseye DSAs/point-releases)
NOTE: https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8
NOTE: https://go.dev/issue/59180
NOTE: https://github.com/golang/go/commit/e7c4b07ecf6b367f1afc9cc48cde963829dd0aab (go1.20.3)
@@ -18415,6 +18417,7 @@ CVE-2023-24536 (Multipart form parsing can consume large amounts of CPU and memo
- golang-1.19 1.19.8-2
- golang-1.15 <removed>
- golang-1.11 <removed>
+ [buster] - golang-1.11 <postponed> (Limited support, follow bullseye DSAs/point-releases)
NOTE: https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8
NOTE: https://go.dev/issue/59153
NOTE: https://github.com/golang/go/commit/bf8c7c575c8a552d9d79deb29e80854dc88528d0 (go1.20.3)
@@ -18427,6 +18430,7 @@ CVE-2023-24534 (HTTP and MIME header parsing can allocate large amounts of memor
- golang-1.19 1.19.8-2
- golang-1.15 <removed>
- golang-1.11 <removed>
+ [buster] - golang-1.11 <postponed> (Limited support, follow bullseye DSAs/point-releases)
NOTE: https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8
NOTE: https://go.dev/issue/58975
NOTE: https://github.com/golang/go/commit/3991f6c41c7dfd167e889234c0cf1d840475e93c (go1.20.3)
@@ -18440,7 +18444,7 @@ CVE-2023-24532 (The ScalarMult and ScalarBaseMult methods of the P256 Curve may
- golang-1.15 <removed>
[bullseye] - golang-1.15 <no-dsa> (Minor issue)
- golang-1.11 <removed>
- [buster] - golang-1.11 <postponed> (Limited support, follow bullseye DSAs/point-releases)
+ [buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
NOTE: https://golangtutorial.dev/news/go-1.20.2-and-go-1.19.7-versions-released/
NOTE: https://github.com/golang/go/issues/58647
NOTE: https://go-review.googlesource.com/c/go/+/471256
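Review bot: the first NOTE in this hunk's context, https://golangtutorial.dev/news/go-1.20.2-and-go-1.19.7-versions-released/, is a third-party news page, whereas the other golang entries in this commit cite the golang-announce post; consider replacing it with the official Go 1.20.2/1.19.7 release announcement so the reference stays authoritative. The added "minor issue" in the buster reason matches the `[bullseye] - golang-1.15 <no-dsa> (Minor issue)` line directly above it.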
@@ -48484,6 +48488,7 @@ CVE-2022-41717 (An attacker can cause excessive memory growth in a Go server acc
- golang-1.18 1.18.9-1
- golang-1.15 <removed>
- golang-1.11 <removed>
+ [buster] - golang-1.11 <postponed> (Limited support, follow bullseye DSAs/point-releases)
- golang-golang-x-net 1:0.4.0+dfsg-1
- golang-golang-x-net-dev <removed>
NOTE: https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU
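Review bot: `- golang-golang-x-net-dev <removed>` at the end of this hunk gets no `[buster]` annotation while golang-1.11 does; if buster ships that source package it needs the same `<postponed>` line (or an explicit no-dsa/not-affected marking) so the buster status of CVE-2022-41717 is complete rather than left implicitly open.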
@@ -73306,7 +73311,7 @@ CVE-2022-1997 (Cross-site Scripting (XSS) - Stored in GitHub repository francois
CVE-2022-1996 (Authorization Bypass Through User-Controlled Key in GitHub repository ...)
- golang-github-emicklei-go-restful 3.10.2-1 (bug #1012763)
[bullseye] - golang-github-emicklei-go-restful <no-dsa> (Minor issue)
- [buster] - golang-github-emicklei-go-restful <postponed> (Limited support, follow bullseye DSAs/point-releases)
+ [buster] - golang-github-emicklei-go-restful <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
NOTE: https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1/
NOTE: https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10 (v3.8.0)
CVE-2022-1995 (The Malware Scanner WordPress plugin before 4.5.2 does not sanitise an ...)
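Review bot: the commit message "golang-1.11: postpone open CVEs unfixed in bullseye" does not cover this hunk, which only reworks the buster reason for golang-github-emicklei-go-restful (the following hunk does the same for golang-go.crypto); mention those packages in the message or split them into a separate commit so the tracker history stays searchable by package. The wording change itself is consistent with the `[bullseye] ... <no-dsa> (Minor issue)` line above it.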
@@ -89106,7 +89111,7 @@ CVE-2022-27192 (The Reporting module in Aseco Lietuva document management system
CVE-2022-27191 (The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1 ...)
- golang-go.crypto 1:0.0~git20220315.3147a52-1
[bullseye] - golang-go.crypto <no-dsa> (Minor issue)
- [buster] - golang-go.crypto <postponed> (Limited support, follow bullseye DSAs/point-releases)
+ [buster] - golang-go.crypto <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
NOTE: https://groups.google.com/g/golang-announce/c/-cp44ypCT5s/m/wmegxkLiAQAJ
NOTE: https://github.com/golang/crypto/commit/1baeb1ce4c0b006eff0f294c47cb7617598dfb3d
CVE-2022-27190
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cf04c43bc06c46637980c741d70e1dee3b25e8aa