[Git][security-tracker-team/security-tracker][master] Reserve DLA-3455-1 for golang-go.crypto
Markus Koschany (@apo)
apo at debian.org
Fri Jun 16 22:09:19 BST 2023
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
178e878e by Markus Koschany at 2023-06-16T23:09:07+02:00
Reserve DLA-3455-1 for golang-go.crypto
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -242406,7 +242406,6 @@ CVE-2020-9284
CVE-2020-9283 (golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go a ...)
{DLA-2455-1 DLA-2453-1 DLA-2402-1}
- golang-go.crypto 1:0.0~git20200221.2aa609c-1 (bug #952462)
- [buster] - golang-go.crypto <postponed> (Limited support, minor issue, fixed in stretch)
[jessie] - golang-go.crypto <no-dsa> (Minor issue)
NOTE: https://github.com/golang/crypto/commit/bac4c82f69751a6dd76e702d54b3ceb88adab236
CVE-2020-9282 (In Mahara 18.10 before 18.10.5, 19.04 before 19.04.4, and 19.10 before ...)
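Review bot: The cross-reference line `{DLA-2455-1 DLA-2453-1 DLA-2402-1}` for CVE-2020-9283 still lacks DLA-3455-1 after the explicit `[buster] ... <postponed>` line is dropped, and the same is true of the cross-reference lines in the two following data/CVE/list hunks. If those lines are regenerated by the tracker tooling from data/DLA/list, nothing more is needed here. Otherwise add DLA-3455-1 to each so the CVE entries point at the advisory that now carries the buster status.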
@@ -289552,7 +289551,6 @@ CVE-2019-11843 (The MailPoet plugin before 3.23.2 for WordPress allows remote at
CVE-2019-11841 (A message-forgery issue was discovered in crypto/openpgp/clearsign/cle ...)
{DLA-2402-1 DLA-1920-1}
- golang-go.crypto 1:0.0~git20200221.2aa609c-1
- [buster] - golang-go.crypto <postponed> (Limited support, fixed in stretch)
NOTE: https://go.googlesource.com/crypto/+/c05e17bb3b2dca130fc919668a96b4bec9eb9442
NOTE: Patch fixes the second part of the CVE ("prepend arbitrary text")
NOTE: but not the first ("ignores the value of [the Hash] header"), as hinted at reporter's 2019-05-09 note:
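Review bot: Dropping the `<postponed>` line for CVE-2019-11841 leaves buster marked as fixed through DLA-3455-1, while the retained NOTE lines say the referenced upstream patch fixes only the second part of the CVE ("prepend arbitrary text") and not the first ("ignores the value of [the Hash] header"). Consider adding a NOTE that states whether the buster upload covers only the second part, so that readers of the entry do not take the clearsign Hash header issue as resolved.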
@@ -289561,7 +289559,6 @@ CVE-2019-11841 (A message-forgery issue was discovered in crypto/openpgp/clearsi
CVE-2019-11840 (An issue was discovered in supplementary Go cryptography libraries, ak ...)
{DLA-2527-1 DLA-2454-1 DLA-2442-1 DLA-2402-1 DLA-1840-1}
- golang-go.crypto 1:0.0~git20200221.2aa609c-1
- [buster] - golang-go.crypto <postponed> (Limited support, minor issue, fixed in stretch)
NOTE: https://github.com/golang/go/issues/30965
NOTE: https://go.googlesource.com/crypto/+/b7391e95e576cacdcdd422573063bc057239113d
NOTE: https://groups.google.com/forum/#!msg/golang-announce/tjyNcJxb2vQ/n0NRBziSCAAJ
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[16 Jun 2023] DLA-3455-1 golang-go.crypto - security update
+ {CVE-2019-11840 CVE-2019-11841 CVE-2020-9283}
+ [buster] - golang-go.crypto 1:0.0~git20181203.505ab14-1+deb10u1
[13 Jun 2023] DLA-3454-1 ffmpeg - security update
{CVE-2022-3109 CVE-2022-3341}
[buster] - ffmpeg 7:4.1.11-0+deb10u1
=====================================
data/dla-needed.txt
=====================================
@@ -54,10 +54,6 @@ fusiondirectory (Abhijith PA)
glib2.0
NOTE: 20230612: Added by Front-Desk (apo)
--
-golang-go.crypto (Markus Koschany)
- NOTE: 20220915: Added by Front-Desk (Beuc)
- NOTE: 20220915: 3 CVEs fixed in stretch and bullseye (Beuc/front-desk)
---
golang-yaml.v2 (sgmoore)
NOTE: 20230125: Added by Front-Desk (gladk)
NOTE: 20230525: In review with utkarsh.
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/178e878ea2a0dc1108234306f9dc67844d0ab7aa