[Git][security-tracker-team/security-tracker][master] Reserve DLA-3395-1 for golang-1.11
Sylvain Beucler (@beuc)
beuc at debian.org
Wed Apr 19 16:48:09 BST 2023
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
df4f6128 by Sylvain Beucler at 2023-04-19T17:47:48+02:00
Reserve DLA-3395-1 for golang-1.11
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -95662,7 +95662,6 @@ CVE-2022-24921 (regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 all
- golang-1.15 <removed>
[bullseye] - golang-1.15 1.15.15-1~deb11u4
- golang-1.11 <removed>
- [buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
- golang-1.8 <removed>
- golang-1.7 <removed>
NOTE: https://github.com/golang/go/issues/51112
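Review bot: The removed `[buster] - golang-1.11 <postponed>` line in this hunk gets no replacement, so the CVE-2022-24921 entry now says nothing about buster for golang-1.11 beyond the generic `- golang-1.11 <removed>`. The fixed version 1.11.6-1+deb10u5 is recorded only in data/DLA/list. Please confirm that this entry picks up the DLA-3395-1 reference and the buster version once the lists are synchronised. The other data/CVE/list hunks in this commit follow the same pattern and need the same check.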
@@ -99963,7 +99962,6 @@ CVE-2022-23806 (Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17
- golang-1.15 <removed>
[bullseye] - golang-1.15 1.15.15-1~deb11u3
- golang-1.11 <removed>
- [buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
- golang-1.8 <removed>
- golang-1.7 <removed>
NOTE: https://github.com/golang/go/issues/50974
@@ -100107,7 +100105,6 @@ CVE-2022-23772 (Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before
- golang-1.15 <removed>
[bullseye] - golang-1.15 1.15.15-1~deb11u3
- golang-1.11 <removed>
- [buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
- golang-1.8 <removed>
- golang-1.7 <removed>
NOTE: https://github.com/golang/go/issues/50699
@@ -110426,7 +110423,6 @@ CVE-2021-44717 (Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write
- golang-1.15 1.15.15-5
[bullseye] - golang-1.15 1.15.15-1~deb11u2
- golang-1.11 <removed>
- [buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
- golang-1.8 <removed>
- golang-1.7 <removed>
NOTE: https://github.com/golang/go/issues/50057
@@ -110439,7 +110435,6 @@ CVE-2021-44716 (net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows un
- golang-1.15 1.15.15-5
[bullseye] - golang-1.15 1.15.15-1~deb11u2
- golang-1.11 <removed>
- [buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
- golang-1.8 <removed>
- golang-1.7 <removed>
- golang-golang-x-net 1:0.0+git20211209.491a49a+dfsg-1
@@ -122298,7 +122293,6 @@ CVE-2021-41771 (ImportedSymbols in debug/macho (for Open or OpenFat) in Go befor
- golang-1.15 1.15.15-5
[bullseye] - golang-1.15 1.15.15-1~deb11u2
- golang-1.11 <removed>
- [buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
- golang-1.8 <removed>
- golang-1.7 <removed>
NOTE: https://github.com/golang/go/issues/48990
@@ -128541,7 +128535,6 @@ CVE-2021-39293 (In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a c
- golang-1.15 1.15.15-2
[bullseye] - golang-1.15 1.15.15-1~deb11u1
- golang-1.11 <removed>
- [buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
- golang-1.8 <removed>
- golang-1.7 <removed>
NOTE: https://github.com/golang/go/issues/47801
@@ -131063,7 +131056,6 @@ CVE-2021-38297 (Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow
- golang-1.15 1.15.15-5
[bullseye] - golang-1.15 1.15.15-1~deb11u2
- golang-1.11 <removed>
- [buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
- golang-1.8 <not-affected> (Vulnerable code not present)
- golang-1.7 <not-affected> (Vulnerable code not present)
NOTE: https://github.com/golang/go/commit/77f2750f4398990eed972186706f160631d7dae4
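Review bot: CVE-2021-38297 is included in DLA-3395-1 but is absent from the 20220916 CVE list in the golang-1.11 entry removed from data/dla-needed.txt, so this hunk closes an issue the triage note never named. Since golang-1.8 and golang-1.7 are marked `<not-affected> (Vulnerable code not present)` here, a short NOTE stating that golang-1.11 does carry the affected code would make the reason for including it auditable.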
@@ -136311,7 +136303,6 @@ CVE-2021-36221 (Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition
- golang-1.15 1.15.15-1 (bug #991961)
[bullseye] - golang-1.15 1.15.15-1~deb11u1
- golang-1.11 <removed>
- [buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
- golang-1.8 <removed>
- golang-1.7 <removed>
NOTE: https://github.com/golang/go/issues/46866
@@ -143758,7 +143749,6 @@ CVE-2021-33196 (In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a
- golang-1.16 1.16.5-1 (bug #989492)
- golang-1.15 1.15.9-4
- golang-1.11 <removed>
- [buster] - golang-1.11 <postponed> (Limited support, minor issue, fixed in stretch-lts)
- golang-1.8 <removed>
- golang-1.7 <removed>
NOTE: https://github.com/golang/go/issues/46242
@@ -186223,7 +186213,6 @@ CVE-2020-28367 (Code injection in the go command with cgo before Go 1.14.12 and
{DLA-2460-1}
- golang-1.15 1.15.5-1
- golang-1.11 <removed>
- [buster] - golang-1.11 <postponed> (Limited support, minor issue, fixed in stretch-lts)
- golang-1.8 <removed>
- golang-1.7 <removed>
[stretch] - golang-1.7 <ignored> (validation of cgo flags first introduced in golang-1.8 / CVE-2018-6574)
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[19 Apr 2023] DLA-3395-1 golang-1.11 - security update
+ {CVE-2020-28367 CVE-2021-33196 CVE-2021-36221 CVE-2021-38297 CVE-2021-39293 CVE-2021-41771 CVE-2021-44716 CVE-2021-44717 CVE-2022-23772 CVE-2022-23806 CVE-2022-24921}
+ [buster] - golang-1.11 1.11.6-1+deb10u5
[19 Apr 2023] DLA-3394-1 asterisk - security update
{CVE-2023-27585}
[buster] - asterisk 1:16.28.0~dfsg-0+deb10u3
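Review bot: The CVE set on the added `{...}` line omits CVE-2022-23773, which the removed data/dla-needed.txt note of 20220916 listed for golang-1.11, and no data/CVE/list hunk in this commit touches that CVE. If it was dropped on purpose (not affected, or still unfixed in 1.11.6-1+deb10u5), record that in its data/CVE/list entry so the gap is not read as an oversight. Otherwise add it here.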
=====================================
data/dla-needed.txt
=====================================
@@ -92,14 +92,6 @@ fusiondirectory
NOTE: 20221203: Feel free to marke both CVEs as <ignored>, if they are not too serious (gladk).
NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/fusiondirectory.git
--
-golang-1.11 (Sylvain Beucler)
- NOTE: 20220916: Programming language: Go.
- NOTE: 20220916: Special attention: limited support; requires rebuilding reverse build dependencies (though recent bullseye updates didn't)
- NOTE: 20220916: Harmonize with bullseye and stretch: 9 CVEs fixed in Debian 11.2 & 11.3 + 2 CVEs fixed in stretch-lts (Beuc/front-desk)
- NOTE: 20220916: CVE-2020-28367 CVE-2021-33196 CVE-2021-36221 CVE-2021-39293 CVE-2021-41771 CVE-2021-44716 CVE-2021-44717 CVE-2022-23772 CVE-2022-23773 CVE-2022-23806 CVE-2022-24921
- NOTE: 20230111: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/golang.html
- NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/golang-1.11.git
---
golang-go.crypto
NOTE: 20220915: Programming language: Go.
NOTE: 20220915: 3 CVEs fixed in stretch and bullseye (Beuc/front-desk)
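Review bot: Deleting the golang-1.11 entry also drops the 20220916 note that the update "requires rebuilding reverse build dependencies", and nothing else in this commit tracks that follow-up. DLA-3395-1 as added in data/DLA/list names only the golang-1.11 package, so if packages built with it in buster need a rebuild to pick up the fixes, keep a note or a separate entry for that work. If no rebuild is needed, say so in the commit message.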
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df4f6128913eff08347b81ca3609cc84c12ebf8e