Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
df4f6128 by Sylvain Beucler at 2023-04-19T17:47:48+02:00
Reserve DLA-3395-1 for golang-1.11

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -95662,7 +95662,6 @@ CVE-2022-24921 (regexp.Compile in Go before 1.16.15 and 
1.17.x before 1.17.8 all
        - golang-1.15 <removed>
        [bullseye] - golang-1.15 1.15.15-1~deb11u4
        - golang-1.11 <removed>
-       [buster] - golang-1.11 <postponed> (Limited support, minor issue, 
follow bullseye DSAs/point-releases)
        - golang-1.8 <removed>
        - golang-1.7 <removed>
        NOTE: https://github.com/golang/go/issues/51112
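Review bot: dropping the `[buster] - golang-1.11 <postponed>` line here is the right change, because the new DLA-3395-1 entry in data/DLA/list now supplies the buster fixed version (1.11.6-1+deb10u5) and a stale `<postponed>` annotation would contradict it; the same pattern applies to the other ten golang-1.11 hunks in this file, and each of those eleven CVEs appears in the DLA's CVE set, so none is left without a buster state after this commit.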
@@ -99963,7 +99962,6 @@ CVE-2022-23806 (Curve.IsOnCurve in crypto/elliptic in 
Go before 1.16.14 and 1.17
        - golang-1.15 <removed>
        [bullseye] - golang-1.15 1.15.15-1~deb11u3
        - golang-1.11 <removed>
-       [buster] - golang-1.11 <postponed> (Limited support, minor issue, 
follow bullseye DSAs/point-releases)
        - golang-1.8 <removed>
        - golang-1.7 <removed>
        NOTE: https://github.com/golang/go/issues/50974
@@ -100107,7 +100105,6 @@ CVE-2022-23772 (Rat.SetString in math/big in Go 
before 1.16.14 and 1.17.x before
        - golang-1.15 <removed>
        [bullseye] - golang-1.15 1.15.15-1~deb11u3
        - golang-1.11 <removed>
-       [buster] - golang-1.11 <postponed> (Limited support, minor issue, 
follow bullseye DSAs/point-releases)
        - golang-1.8 <removed>
        - golang-1.7 <removed>
        NOTE: https://github.com/golang/go/issues/50699
@@ -110426,7 +110423,6 @@ CVE-2021-44717 (Go before 1.16.12 and 1.17.x before 
1.17.5 on UNIX allows write
        - golang-1.15 1.15.15-5
        [bullseye] - golang-1.15 1.15.15-1~deb11u2
        - golang-1.11 <removed>
-       [buster] - golang-1.11 <postponed> (Limited support, minor issue, 
follow bullseye DSAs/point-releases)
        - golang-1.8 <removed>
        - golang-1.7 <removed>
        NOTE: https://github.com/golang/go/issues/50057
@@ -110439,7 +110435,6 @@ CVE-2021-44716 (net/http in Go before 1.16.12 and 
1.17.x before 1.17.5 allows un
        - golang-1.15 1.15.15-5
        [bullseye] - golang-1.15 1.15.15-1~deb11u2
        - golang-1.11 <removed>
-       [buster] - golang-1.11 <postponed> (Limited support, minor issue, 
follow bullseye DSAs/point-releases)
        - golang-1.8 <removed>
        - golang-1.7 <removed>
        - golang-golang-x-net 1:0.0+git20211209.491a49a+dfsg-1
@@ -122298,7 +122293,6 @@ CVE-2021-41771 (ImportedSymbols in debug/macho (for 
Open or OpenFat) in Go befor
        - golang-1.15 1.15.15-5
        [bullseye] - golang-1.15 1.15.15-1~deb11u2
        - golang-1.11 <removed>
-       [buster] - golang-1.11 <postponed> (Limited support, minor issue, 
follow bullseye DSAs/point-releases)
        - golang-1.8 <removed>
        - golang-1.7 <removed>
        NOTE: https://github.com/golang/go/issues/48990
@@ -128541,7 +128535,6 @@ CVE-2021-39293 (In archive/zip in Go before 1.16.8 
and 1.17.x before 1.17.1, a c
        - golang-1.15 1.15.15-2
        [bullseye] - golang-1.15 1.15.15-1~deb11u1
        - golang-1.11 <removed>
-       [buster] - golang-1.11 <postponed> (Limited support, minor issue, 
follow bullseye DSAs/point-releases)
        - golang-1.8 <removed>
        - golang-1.7 <removed>
        NOTE: https://github.com/golang/go/issues/47801
@@ -131063,7 +131056,6 @@ CVE-2021-38297 (Go before 1.16.9 and 1.17.x before 
1.17.2 has a Buffer Overflow
        - golang-1.15 1.15.15-5
        [bullseye] - golang-1.15 1.15.15-1~deb11u2
        - golang-1.11 <removed>
-       [buster] - golang-1.11 <postponed> (Limited support, minor issue, 
follow bullseye DSAs/point-releases)
        - golang-1.8 <not-affected> (Vulnerable code not present)
        - golang-1.7 <not-affected> (Vulnerable code not present)
        NOTE: 
https://github.com/golang/go/commit/77f2750f4398990eed972186706f160631d7dae4
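Review bot: CVE-2021-38297 is part of the DLA-3395-1 CVE set although it was not in the 20220916 CVE list of the dla-needed.txt entry removed later in this commit; the hunk itself is consistent (golang-1.11 was `<postponed>` while golang-1.8/1.7 are `<not-affected>`, so 1.11 is the affected branch that needed the fix), but it is worth cross-checking that the golang-1.11 upload changelog actually references this CVE, since the advisory now claims it.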
@@ -136311,7 +136303,6 @@ CVE-2021-36221 (Go before 1.15.15 and 1.16.x before 
1.16.7 has a race condition
        - golang-1.15 1.15.15-1 (bug #991961)
        [bullseye] - golang-1.15 1.15.15-1~deb11u1
        - golang-1.11 <removed>
-       [buster] - golang-1.11 <postponed> (Limited support, minor issue, 
follow bullseye DSAs/point-releases)
        - golang-1.8 <removed>
        - golang-1.7 <removed>
        NOTE: https://github.com/golang/go/issues/46866
@@ -143758,7 +143749,6 @@ CVE-2021-33196 (In archive/zip in Go before 1.15.13 
and 1.16.x before 1.16.5, a
        - golang-1.16 1.16.5-1 (bug #989492)
        - golang-1.15 1.15.9-4
        - golang-1.11 <removed>
-       [buster] - golang-1.11 <postponed> (Limited support, minor issue, fixed 
in stretch-lts)
        - golang-1.8 <removed>
        - golang-1.7 <removed>
        NOTE: https://github.com/golang/go/issues/46242
@@ -186223,7 +186213,6 @@ CVE-2020-28367 (Code injection in the go command with 
cgo before Go 1.14.12 and
        {DLA-2460-1}
        - golang-1.15 1.15.5-1
        - golang-1.11 <removed>
-       [buster] - golang-1.11 <postponed> (Limited support, minor issue, fixed 
in stretch-lts)
        - golang-1.8 <removed>
        - golang-1.7 <removed>
        [stretch] - golang-1.7 <ignored> (validation of cgo flags first 
introduced in golang-1.8 / CVE-2018-6574)


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[19 Apr 2023] DLA-3395-1 golang-1.11 - security update
+       {CVE-2020-28367 CVE-2021-33196 CVE-2021-36221 CVE-2021-38297 
CVE-2021-39293 CVE-2021-41771 CVE-2021-44716 CVE-2021-44717 CVE-2022-23772 
CVE-2022-23806 CVE-2022-24921}
+       [buster] - golang-1.11 1.11.6-1+deb10u5
 [19 Apr 2023] DLA-3394-1 asterisk - security update
        {CVE-2023-27585}
        [buster] - asterisk 1:16.28.0~dfsg-0+deb10u3
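Review bot: the CVE set in the new DLA-3395-1 entry (eleven CVEs) matches one-to-one the eleven data/CVE/list hunks that drop the `[buster] <postponed>` annotations, and the entry is inserted above DLA-3394-1 in keeping with the newest-first order of the file; the one thing to verify before the advisory text is sent is that 1.11.6-1+deb10u5 is the version that was actually uploaded for buster, since nothing in this commit references the upload itself.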


=====================================
data/dla-needed.txt
=====================================
@@ -92,14 +92,6 @@ fusiondirectory
   NOTE: 20221203: Feel free to marke both CVEs as <ignored>, if they are not 
too serious (gladk).
   NOTE: 20230206: VCS: 
https://salsa.debian.org/lts-team/packages/fusiondirectory.git
 --
-golang-1.11 (Sylvain Beucler)
-  NOTE: 20220916: Programming language: Go.
-  NOTE: 20220916: Special attention: limited support; requires rebuilding 
reverse build dependencies (though recent bullseye updates didn't)
-  NOTE: 20220916: Harmonize with bullseye and stretch: 9 CVEs fixed in Debian 
11.2 & 11.3 + 2 CVEs fixed in stretch-lts (Beuc/front-desk)
-  NOTE: 20220916: CVE-2020-28367 CVE-2021-33196 CVE-2021-36221 CVE-2021-39293 
CVE-2021-41771 CVE-2021-44716 CVE-2021-44717 CVE-2022-23772 CVE-2022-23773 
CVE-2022-23806 CVE-2022-24921
-  NOTE: 20230111: Testsuite: 
https://lts-team.pages.debian.net/wiki/TestSuites/golang.html
-  NOTE: 20230206: VCS: 
https://salsa.debian.org/lts-team/packages/golang-1.11.git
---
 golang-go.crypto
   NOTE: 20220915: Programming language: Go.
   NOTE: 20220915: 3 CVEs fixed in stretch and bullseye (Beuc/front-desk)
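Review bot: the removed golang-1.11 entry's 20220916 CVE list includes CVE-2022-23773, which is absent from the DLA-3395-1 CVE set in data/DLA/list and has no data/CVE/list hunk in this commit; before dropping the dla-needed entry, confirm that CVE-2022-23773 was intentionally left out (for example because it already carries a `<not-affected>` or `<ignored>` state for golang-1.11 in buster), otherwise it silently loses tracking once this entry is gone.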



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df4f6128913eff08347b81ca3609cc84c12ebf8e
