Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits: e9e59255 by Sylvain Beucler at 2022-09-16T13:08:02+02:00 golang: standardize/clarify buster-lts triage following discussion with Ola - - - - - 584817f4 by Sylvain Beucler at 2022-09-16T13:08:44+02:00 dla add golang-1.11 - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -21292,7 +21292,7 @@ CVE-2022-1997 (Cross-site Scripting (XSS) - Stored in GitHub repository francois CVE-2022-1996 (Authorization Bypass Through User-Controlled Key in GitHub repository ...) - golang-github-emicklei-go-restful <unfixed> (bug #1012763) [bullseye] - golang-github-emicklei-go-restful <no-dsa> (Minor issue) - [buster] - golang-github-emicklei-go-restful <no-dsa> (Minor issue) + [buster] - golang-github-emicklei-go-restful <postponed> (Limited support, follow bullseye DSAs/point-releases) NOTE: https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1/ NOTE: https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10 CVE-2022-1995 (The Malware Scanner WordPress plugin before 4.5.2 does not sanitise an ...) @@ -22152,7 +22152,7 @@ CVE-2022-32189 (A too-short encoded message can cause a panic in Float.GobDecode - golang-1.17 1.17.13-1 - golang-1.15 <removed> - golang-1.11 <removed> - [buster] - golang-1.11 <no-dsa> (Limited support) + [buster] - golang-1.11 <postponed> (Limited support, follow bullseye DSAs/point-releases) NOTE: https://go.dev/issue/53871 NOTE: https://groups.google.com/g/golang-nuts/c/DCFSyTGM0wU NOTE: https://github.com/golang/go/commit/055113ef364337607e3e72ed7d48df67fde6fc66 (master, go1.19) 
@@ -22248,7 +22248,7 @@ CVE-2022-32148 (Improper exposure of client IP addresses in net/http before Go 1 - golang-1.17 1.17.13-1 - golang-1.15 <removed> - golang-1.11 <removed> - [buster] - golang-1.11 <no-dsa> (Limited support) + [buster] - golang-1.11 <postponed> (Limited support, follow bullseye DSAs/point-releases) NOTE: https://github.com/golang/go/issues/53423 NOTE: https://github.com/golang/go/commit/b2cc0fecc2ccd80e6d5d16542cc684f97b3a9c8a (go1.19rc1) NOTE: https://github.com/golang/go/commit/ebea1e3353fa766025aa5190b9c7cc05cf069187 (go1.18.4) @@ -22287,7 +22287,7 @@ CVE-2022-1962 (Uncontrolled recursion in the Parse functions in go/parser before - golang-1.17 1.17.13-1 - golang-1.15 <removed> - golang-1.11 <removed> - [buster] - golang-1.11 <no-dsa> (Limited support) + [buster] - golang-1.11 <postponed> (Limited support, follow bullseye DSAs/point-releases) NOTE: https://go.dev/issue/53616 NOTE: https://github.com/golang/go/commit/695be961d57508da5a82217f7415200a11845879 (go1.19rc2) NOTE: https://github.com/golang/go/commit/0d1615b23f9a558aa0a1957b4c81596220eb8ec4 (go1.18.4) @@ -26612,7 +26612,7 @@ CVE-2022-30635 (Uncontrolled recursion in Decoder.Decode in encoding/gob before - golang-1.17 1.17.13-1 - golang-1.15 <removed> - golang-1.11 <removed> - [buster] - golang-1.11 <no-dsa> (Limited support) + [buster] - golang-1.11 <postponed> (Limited support, follow bullseye DSAs/point-releases) NOTE: https://go.dev/issue/53615 NOTE: https://github.com/golang/go/commit/6fa37e98ea4382bf881428ee0c150ce591500eb7 (go1.19rc2) NOTE: https://github.com/golang/go/commit/fb979a50823e5a0575cf6166b3f17a13364cbf81 (go1.18.4) 
@@ -26634,7 +26634,7 @@ CVE-2022-30633 (Uncontrolled recursion in Unmarshal in encoding/xml before Go 1. - golang-1.17 1.17.13-1 - golang-1.15 <removed> - golang-1.11 <removed> - [buster] - golang-1.11 <no-dsa> (Limited support) + [buster] - golang-1.11 <postponed> (Limited support, follow bullseye DSAs/point-releases) NOTE: https://go.dev/issue/53611 NOTE: https://github.com/golang/go/commit/c4c1993fd2a5b26fe45c09592af6d3388a3b2e08 (go1.19rc2) NOTE: https://github.com/golang/go/commit/2924ced71d16297320e8ff18829c2038e6ad8d9b (go1.18.4) @@ -26645,7 +26645,7 @@ CVE-2022-30632 (Uncontrolled recursion in Glob in path/filepath before Go 1.17.1 - golang-1.17 1.17.13-1 - golang-1.15 <removed> - golang-1.11 <removed> - [buster] - golang-1.11 <no-dsa> (Limited support) + [buster] - golang-1.11 <postponed> (Limited support, follow bullseye DSAs/point-releases) NOTE: https://go.dev/issue/53416 NOTE: https://github.com/golang/go/commit/ac68c6c683409f98250d34ad282b9e1b0c9095ef (go1.19rc2) NOTE: https://github.com/golang/go/commit/5ebd862b1714dad1544bd10a24c47cdb53ad7f46 (go1.18.4) @@ -26656,7 +26656,7 @@ CVE-2022-30631 (Uncontrolled recursion in Reader.Read in compress/gzip before Go - golang-1.17 1.17.13-1 - golang-1.15 <removed> - golang-1.11 <removed> - [buster] - golang-1.11 <no-dsa> (Limited support) + [buster] - golang-1.11 <postponed> (Limited support, follow bullseye DSAs/point-releases) NOTE: https://go.dev/issue/53168 NOTE: https://github.com/golang/go/commit/b2b8872c876201eac2d0707276c6999ff3eb185e (go1.19rc2) NOTE: https://github.com/golang/go/commit/8e27a8ac4c001c27713810b75925aa3794049c48 (go1.18.4) 
@@ -26679,7 +26679,7 @@ CVE-2022-30629 (Non-random values for ticket_age_add in session tickets in crypt - golang-1.15 <removed> [bullseye] - golang-1.15 <no-dsa> (Minor issue) - golang-1.11 <removed> - [buster] - golang-1.11 <no-dsa> (Minor issue) + [buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases) - golang-1.8 <removed> [stretch] - golang-1.8 <not-affected> (Vulnerable code - TLS1.3 - introduced later) - golang-1.7 <removed> 
@@ -27660,21 +27660,21 @@ CVE-2022-30324 (HashiCorp Nomad and Nomad Enterprise version 0.2.0 up to 1.3.0 w CVE-2022-30323 (go-getter up to 1.5.11 and 2.0.2 panicked when processing password-pro ...) - golang-github-hashicorp-go-getter <unfixed> (bug #1011741) [bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue) - [buster] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue) + [buster] - golang-github-hashicorp-go-getter <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases) NOTE: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930 NOTE: https://github.com/hashicorp/go-getter/pull/359 NOTE: https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45 (v1.6.0) CVE-2022-30322 (go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustio ...) - golang-github-hashicorp-go-getter <unfixed> (bug #1011741) [bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue) - [buster] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue) + [buster] - golang-github-hashicorp-go-getter <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases) NOTE: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930 NOTE: https://github.com/hashicorp/go-getter/pull/359 NOTE: https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45 (v1.6.0) CVE-2022-30321 (go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go- ...) 
- golang-github-hashicorp-go-getter <unfixed> (bug #1011741) [bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue) - [buster] - golang-github-hashicorp-go-getter <no-dsa> (Limited support) + [buster] - golang-github-hashicorp-go-getter <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases) NOTE: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930 NOTE: https://github.com/hashicorp/go-getter/pull/359 NOTE: https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45 (v1.6.0) @@ -34241,7 +34241,7 @@ CVE-2022-28131 (In Decoder.Skip in encoding/xml in Go before 1.17.12 and 1.18.x - golang-1.18 1.18.4-1 - golang-1.15 <removed> - golang-1.11 <removed> - [buster] - golang-1.11 <no-dsa> (Limited support) + [buster] - golang-1.11 <postponed> (Limited support, follow bullseye DSAs/point-releases) NOTE: https://github.com/golang/go/issues/53614 NOTE: https://github.com/golang/go/commit/08c46ed43d80bbb67cb904944ea3417989be4af3 (go1.19rc2) NOTE: https://github.com/golang/go/commit/90f040ec510dd678b7860d70ca77e5682f4c7e96 (go1.18.4) @@ -35589,7 +35589,7 @@ CVE-2022-27664 (In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attack - golang-1.17 <unfixed> - golang-1.15 <removed> - golang-1.11 <removed> - [buster] - golang-1.11 <no-dsa> (Limited support) + [buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases) NOTE: https://groups.google.com/g/golang-announce/c/x49AQzIVX-s NOTE: https://github.com/golang/go/issues/54658 NOTE: https://github.com/golang/go/commit/9cfe4e258b1c9d4a04a42539c21c7bdb2e227824 (go1.19.1) 
@@ -36943,7 +36943,7 @@ CVE-2022-27192 (The Reporting module in Aseco Lietuva document management system NOT-FOR-US: Aseco CVE-2022-27191 (The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1 ...) - golang-go.crypto 1:0.0~git20220315.3147a52-1 - [buster] - golang-go.crypto <no-dsa> (Limited support) + [buster] - golang-go.crypto <postponed> (Limited support, follow bullseye DSAs/point-releases) NOTE: https://groups.google.com/g/golang-announce/c/-cp44ypCT5s/m/wmegxkLiAQAJ NOTE: https://github.com/golang/crypto/commit/1baeb1ce4c0b006eff0f294c47cb7617598dfb3d CVE-2022-27190 @@ -37688,7 +37688,7 @@ CVE-2022-26946 CVE-2022-26945 (go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless r ...) - golang-github-hashicorp-go-getter <unfixed> (bug #1011741) [bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue) - [buster] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue) + [buster] - golang-github-hashicorp-go-getter <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases) NOTE: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930 NOTE: https://github.com/hashicorp/go-getter/pull/359 NOTE: https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45 (v1.6.0) @@ -43429,7 +43429,7 @@ CVE-2022-24921 (regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 all - golang-1.15 <removed> [bullseye] - golang-1.15 1.15.15-1~deb11u4 - golang-1.11 <removed> - [buster] - golang-1.11 <no-dsa> (Minor issue) + [buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases) - golang-1.8 <removed> - golang-1.7 <removed> NOTE: https://github.com/golang/go/issues/51112 
@@ -47713,7 +47713,7 @@ CVE-2022-23806 (Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17 - golang-1.15 <removed> [bullseye] - golang-1.15 1.15.15-1~deb11u3 - golang-1.11 <removed> - [buster] - golang-1.11 <no-dsa> (Minor issue) + [buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases) - golang-1.8 <removed> - golang-1.7 <removed> NOTE: https://github.com/golang/go/issues/50974 @@ -47843,7 +47843,7 @@ CVE-2022-23773 (cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinte - golang-1.15 <removed> [bullseye] - golang-1.15 1.15.15-1~deb11u3 - golang-1.11 <removed> - [buster] - golang-1.11 <no-dsa> (Minor issue) + [buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases) - golang-1.8 <removed> [stretch] - golang-1.8 <not-affected> (vgo/modfetch module not present) - golang-1.7 <removed> @@ -47858,7 +47858,7 @@ CVE-2022-23772 (Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before - golang-1.15 <removed> [bullseye] - golang-1.15 1.15.15-1~deb11u3 - golang-1.11 <removed> - [buster] - golang-1.11 <no-dsa> (Minor issue) + [buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases) - golang-1.8 <removed> - golang-1.7 <removed> NOTE: https://github.com/golang/go/issues/50699 @@ -58095,7 +58095,7 @@ CVE-2021-44717 (Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write - golang-1.15 1.15.15-5 [bullseye] - golang-1.15 1.15.15-1~deb11u2 - golang-1.11 <removed> - [buster] - golang-1.11 <no-dsa> (Minor issue) + [buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases) - golang-1.8 <removed> - golang-1.7 <removed> NOTE: https://github.com/golang/go/issues/50057 
@@ -58108,13 +58108,13 @@ CVE-2021-44716 (net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows un - golang-1.15 1.15.15-5 [bullseye] - golang-1.15 1.15.15-1~deb11u2 - golang-1.11 <removed> - [buster] - golang-1.11 <no-dsa> (Minor issue) + [buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases) - golang-1.8 <removed> - golang-1.7 <removed> - golang-golang-x-net 1:0.0+git20211209.491a49a+dfsg-1 [bullseye] - golang-golang-x-net <no-dsa> (Minor issue) - golang-golang-x-net-dev <removed> - [buster] - golang-golang-x-net-dev <no-dsa> (Minor issue) + [buster] - golang-golang-x-net-dev <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases) [stretch] - golang-golang-x-net-dev <postponed> (Limited support in stretch) NOTE: https://github.com/golang/go/issues/50058 NOTE: https://groups.google.com/g/golang-announce/c/hcmEScgc00k/m/ZWnOjeY4CQAJ @@ -60645,7 +60645,7 @@ CVE-2022-21709 CVE-2022-21708 (graphql-go is a GraphQL server with a focus on ease of use. In version ...) - golang-github-graph-gophers-graphql-go 1.3.0-1 [bullseye] - golang-github-graph-gophers-graphql-go <no-dsa> (Minor issue) - [buster] - golang-github-graph-gophers-graphql-go <no-dsa> (Minor issue) + [buster] - golang-github-graph-gophers-graphql-go <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases) NOTE: https://github.com/graph-gophers/graphql-go/commit/eae31ca73eb3473c544710955d1dbebc22605bfe (v1.3.0) NOTE: https://github.com/graph-gophers/graphql-go/security/advisories/GHSA-mh3m-8c74-74xh NOTE: https://github.com/graph-gophers/graphql-go/pull/492 
@@ -60682,7 +60682,7 @@ CVE-2022-21699 (IPython (Interactive Python) is a command shell for interactive CVE-2022-21698 (client_golang is the instrumentation library for Go applications in Pr ...) - golang-github-prometheus-client-golang 1.11.1-1 (bug #1008008) [bullseye] - golang-github-prometheus-client-golang <no-dsa> (Minor issue) - [buster] - golang-github-prometheus-client-golang <no-dsa> (Minor issue) + [buster] - golang-github-prometheus-client-golang <postponed> (Limited support, minor issue, DoS in specific conditions, follow bullseye DSAs/point-releases) [stretch] - golang-github-prometheus-client-golang <postponed> (Minor issue, DoS in specific conditions, requires rebuilding reverse-dependencies; Limited support in stretch) NOTE: https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p NOTE: https://github.com/prometheus/client_golang/pull/962 @@ -62821,7 +62821,7 @@ CVE-2021-43566 (All versions of Samba prior to 4.13.16 are vulnerable to a malic NOTE: https://bugzilla.samba.org/show_bug.cgi?id=13979 CVE-2021-43565 (The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of g ...) - golang-go.crypto 1:0.0~git20211202.5770296-1 - [buster] - golang-go.crypto <no-dsa> (Limited support) + [buster] - golang-go.crypto <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases) [stretch] - golang-go.crypto <postponed> (Limited support in stretch) NOTE: https://github.com/golang/crypto/commit/5770296d904e90f15f38f77dfc2e43fdf5efc083 NOTE: https://github.com/golang/go/issues/49932 
@@ -65787,7 +65787,7 @@ CVE-2021-42837 (An issue was discovered in Talend Data Catalog before 7.3-202109 CVE-2021-42836 (GJSON before 1.9.3 allows a ReDoS (regular expression denial of servic ...) - golang-github-tidwall-gjson <unfixed> (bug #1000225) [bullseye] - golang-github-tidwall-gjson <no-dsa> (Minor issue) - [buster] - golang-github-tidwall-gjson <no-dsa> (Minor issue) + [buster] - golang-github-tidwall-gjson <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases) NOTE: https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944 NOTE: https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96 NOTE: https://github.com/tidwall/gjson/issues/236 @@ -68574,7 +68574,7 @@ CVE-2021-42249 CVE-2021-42248 (GJSON <= 1.9.2 allows attackers to cause a redos via crafted JSON i ...) - golang-github-tidwall-gjson <unfixed> (bug #1011616) [bullseye] - golang-github-tidwall-gjson <no-dsa> (Minor issue) - [buster] - golang-github-tidwall-gjson <no-dsa> (Minor issue) + [buster] - golang-github-tidwall-gjson <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases) NOTE: https://github.com/tidwall/gjson/issues/237 NOTE: https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96 (v1.9.3) CVE-2021-42247 @@ -69829,7 +69829,7 @@ CVE-2021-41771 (ImportedSymbols in debug/macho (for Open or OpenFat) in Go befor - golang-1.15 1.15.15-5 [bullseye] - golang-1.15 1.15.15-1~deb11u2 - golang-1.11 <removed> - [buster] - golang-1.11 <no-dsa> (Minor issue) + [buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases) - golang-1.8 <removed> - golang-1.7 <removed> NOTE: https://github.com/golang/go/issues/48990 
@@ -76045,7 +76045,7 @@ CVE-2021-39293 (In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a c - golang-1.15 1.15.15-2 [bullseye] - golang-1.15 1.15.15-1~deb11u1 - golang-1.11 <removed> - [buster] - golang-1.11 <no-dsa> (Minor issue) + [buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases) - golang-1.8 <removed> - golang-1.7 <removed> NOTE: https://github.com/golang/go/issues/47801 @@ -77845,7 +77845,7 @@ CVE-2021-38561 RESERVED - golang-golang-x-text 0.3.7-1 - golang-x-text <removed> - [buster] - golang-x-text <no-dsa> (Minor issue) + [buster] - golang-x-text <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2100495 CVE-2021-38560 (Ivanti Service Manager 2021.1 allows reflected XSS via the appName par ...) NOT-FOR-US: Ivanti @@ -78567,7 +78567,7 @@ CVE-2021-38297 (Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow - golang-1.15 1.15.15-5 [bullseye] - golang-1.15 1.15.15-1~deb11u2 - golang-1.11 <removed> - [buster] - golang-1.11 <no-dsa> (Minor issue) + [buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases) - golang-1.8 <not-affected> (Vulnerable code not present) - golang-1.7 <not-affected> (Vulnerable code not present) NOTE: https://github.com/golang/go/commit/77f2750f4398990eed972186706f160631d7dae4 @@ -83780,7 +83780,7 @@ CVE-2021-36221 (Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition - golang-1.15 1.15.15-1 (bug #991961) [bullseye] - golang-1.15 1.15.15-1~deb11u1 - golang-1.11 <removed> - [buster] - golang-1.11 <no-dsa> (Minor issue) + [buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases) - golang-1.8 <removed> - golang-1.7 <removed> NOTE: https://github.com/golang/go/issues/46866 
@@ -87817,7 +87817,7 @@ CVE-2021-34558 (The crypto/tls package of Go through 1.16.5 does not properly as - golang-1.16 1.16.6-1 - golang-1.15 1.15.9-6 - golang-1.11 <removed> - [buster] - golang-1.11 <no-dsa> (Minor issue) + [buster] - golang-1.11 <postponed> (Limited support, minor issue, DoS) - golang-1.8 <removed> [stretch] - golang-1.8 <postponed> (Minor issue, DoS, requires rebuilding reverse-dependencies) - golang-1.7 <removed> @@ -91149,7 +91149,7 @@ CVE-2021-33198 (In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a pa - golang-1.16 1.16.5-1 - golang-1.15 1.15.9-5 - golang-1.11 <removed> - [buster] - golang-1.11 <no-dsa> (Minor issue) + [buster] - golang-1.11 <postponed> (Limited support, minor issue) - golang-1.8 <removed> [stretch] - golang-1.8 <not-affected> (Vulnerable code introduced later) - golang-1.7 <removed> @@ -91161,7 +91161,7 @@ CVE-2021-33197 (In Go before 1.15.13 and 1.16.x before 1.16.5, some configuratio - golang-1.16 1.16.5-1 - golang-1.15 1.15.9-5 - golang-1.11 <removed> - [buster] - golang-1.11 <no-dsa> (Minor issue) + [buster] - golang-1.11 <postponed> (Limited support, minor issue, header corruption in proxy chains) - golang-1.8 <removed> [stretch] - golang-1.8 <postponed> (Minor issue, header corruption in proxy chains, requires rebuilding reverse-dependencies) - golang-1.7 <removed> @@ -91174,7 +91174,7 @@ CVE-2021-33196 (In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a - golang-1.16 1.16.5-1 (bug #989492) - golang-1.15 1.15.9-4 - golang-1.11 <removed> - [buster] - golang-1.11 <no-dsa> (Minor issue) + [buster] - golang-1.11 <postponed> (Limited support, minor issue, fixed in stretch-lts) - golang-1.8 <removed> - golang-1.7 <removed> NOTE: https://github.com/golang/go/issues/46242 
@@ -91187,7 +91187,7 @@ CVE-2021-33195 (Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS - golang-1.15 1.15.9-5 [bullseye] - golang-1.15 <no-dsa> (Minor issue; will be fixed via point release) - golang-1.11 <removed> - [buster] - golang-1.11 <no-dsa> (Minor issue) + [buster] - golang-1.11 <postponed> (Limited support, minor issue, affects poor validation practice, follow bullseye DSAs/point-releases) - golang-1.8 <removed> [stretch] - golang-1.8 <postponed> (Minor issue, affects poor validation practice, requires rebuilding reverse-dependencies) - golang-1.7 <removed> @@ -91198,7 +91198,7 @@ CVE-2021-33195 (Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS CVE-2021-33194 (golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows atta ...) - golang-golang-x-net 1:0.0+git20210119.5f4716e+dfsg-4 - golang-golang-x-net-dev <removed> - [buster] - golang-golang-x-net-dev <no-dsa> (Limited support) + [buster] - golang-golang-x-net-dev <postponed> (Limited support) [stretch] - golang-golang-x-net-dev <no-dsa> (Limited support in stretch) NOTE: https://groups.google.com/g/golang-dev/c/28x0nthP-c8/m/KqWVTjsnBAAJ NOTE: https://github.com/golang/go/issues/46288 
@@ -95666,14 +95666,14 @@ CVE-2021-31525 (net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows re - golang-1.16 1.16.4-1 - golang-1.15 1.15.9-2 - golang-1.11 <removed> - [buster] - golang-1.11 <no-dsa> (Minor issue) + [buster] - golang-1.11 <postponed> (Limited support, minor issue, DoS) - golang-1.8 <removed> [stretch] - golang-1.8 <postponed> (Minor issue, DoS, requires rebuilding reverse-dependencies) - golang-1.7 <removed> [stretch] - golang-1.7 <postponed> (Minor issue, DoS, requires rebuilding reverse-dependencies) - golang-golang-x-net 1:0.0+git20210119.5f4716e+dfsg-3 - golang-golang-x-net-dev <removed> - [buster] - golang-golang-x-net-dev <no-dsa> (Limited support) + [buster] - golang-golang-x-net-dev <postponed> (Limited support, minor issue, DoS) [stretch] - golang-golang-x-net-dev <no-dsa> (Limited support in stretch) NOTE: https://github.com/golang/go/issues/45710 NOTE: https://github.com/golang/go/issues/45711 (1.15 backport) @@ -100137,7 +100137,7 @@ CVE-2021-29923 (Go before 1.17 does not properly consider extraneous zero charac - golang-1.16 <unfixed> - golang-1.15 <unfixed> - golang-1.11 <removed> - [buster] - golang-1.11 <no-dsa> (Minor issue) + [buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases) - golang-1.8 <removed> [stretch] - golang-1.8 <ignored> (Minor issue, IP-based access control failure in specific cases, upstream won't fix supported releases for backward compatibility) - golang-1.7 <removed> @@ -105196,7 +105196,7 @@ CVE-2021-27918 (encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an - golang-1.16 1.16.3-1 - golang-1.15 1.15.9-1 - golang-1.11 <removed> - [buster] - golang-1.11 <no-dsa> (Minor issue) + [buster] - golang-1.11 <postponed> (Limited support, minor issue, DoS) - golang-1.8 <removed> [stretch] - golang-1.8 <postponed> (Minor issue, DoS) - golang-1.7 <removed> 
@@ -114992,7 +114992,7 @@ CVE-2021-25900 (An issue was discovered in the smallvec crate before 0.6.14 and NOTE: https://github.com/servo/rust-smallvec/issues/252 CVE-2021-3127 (NATS Server 2.x before 2.2.0 and JWT library before 2.0.1 have Incorre ...) - golang-github-nats-io-jwt 2.2.0-1 - [buster] - golang-github-nats-io-jwt <no-dsa> (Limited support) + [buster] - golang-github-nats-io-jwt <postponed> (Limited support, requires rebuilding golang-github-nats-io-gnatsd) - nats-server <not-affected> (Fixed before initial upload to Debian) NOTE: https://advisories.nats.io/CVE/CVE-2021-3127.txt NOTE: https://github.com/nats-io/jwt/security/advisories/GHSA-62mh-w5cv-p88c @@ -115146,9 +115146,10 @@ CVE-2021-3122 (CMCAgent in NCR Command Center Agent 16.3 on Aloha POS/BOH server NOT-FOR-US: CMCAgent in NCR Command Center Agent CVE-2021-3121 (An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarsha ...) - golang-gogoprotobuf 1.3.2-1 - [buster] - golang-gogoprotobuf <no-dsa> (Minor issue) + [buster] - golang-gogoprotobuf <postponed> (Limited support, minor issue) [stretch] - golang-gogoprotobuf <no-dsa> (Minor issue) NOTE: https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc + NOTE: Triage discussion: https://lists.debian.org/debian-lts/2021/03/msg00011.html CVE-2021-3120 (An arbitrary file upload vulnerability in the YITH WooCommerce Gift Ca ...) NOT-FOR-US: YITH WooCommerce Gift Cards Premium plugin for WordPress CVE-2021-3119 (Zetetic SQLCipher 4.x before 4.4.3 has a NULL pointer dereferencing is ...) 
@@ -120931,12 +120932,12 @@ CVE-2020-36068 RESERVED CVE-2020-36067 (GJSON <=v1.6.5 allows attackers to cause a denial of service (panic ...) - golang-github-tidwall-gjson 1.6.7-1 - [buster] - golang-github-tidwall-gjson <no-dsa> (Minor issue) + [buster] - golang-github-tidwall-gjson <postponed> (Limited support, minor issue) NOTE: https://github.com/tidwall/gjson/issues/196 NOTE: https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b CVE-2020-36066 (GJSON <1.6.5 allows attackers to cause a denial of service (remote) ...) - golang-github-tidwall-gjson 1.6.7-1 - [buster] - golang-github-tidwall-gjson <no-dsa> (Minor issue) + [buster] - golang-github-tidwall-gjson <postponed> (Limited support, minor issue) NOTE: https://github.com/tidwall/gjson/issues/195 NOTE: https://github.com/tidwall/match/commit/c2f534168b739a7ec1821a33839fb2f029f26bbc NOTE: fix in golang-github-tidwall-gjson is dependency on golang-github-tidwall-match v1.0.3 @@ -126672,11 +126673,11 @@ CVE-2020-35382 (SQL Injection in Classbooking before 2.4.1 via the username fiel NOT-FOR-US: Classbooking CVE-2020-35381 (jsonparser 1.0.0 allows attackers to cause a denial of service (panic: ...) - golang-github-buger-jsonparser 1.1.1-1 (bug #978445) - [buster] - golang-github-buger-jsonparser <no-dsa> (Minor issue) + [buster] - golang-github-buger-jsonparser <postponed> (Limited support, minor issue) NOTE: https://github.com/buger/jsonparser/issues/219 CVE-2020-35380 (GJSON before 1.6.4 allows attackers to cause a denial of service via c ...) - golang-github-tidwall-gjson 1.6.7-1 (bug #977622) - [buster] - golang-github-tidwall-gjson <no-dsa> (Limited support) + [buster] - golang-github-tidwall-gjson <postponed> (Limited support, minor issue) NOTE: https://github.com/tidwall/gjson/issues/192 NOTE: https://github.com/tidwall/gjson/commit/f0ee9ebde4b619767ae4ac03e8e42addb530f6bc (v1.6.4) CVE-2020-35379 
@@ -131140,14 +131141,14 @@ CVE-2020-28853 CVE-2020-28852 (In x/text in Go before v0.3.5, a "slice bounds out of range" panic occ ...) - golang-golang-x-text 0.3.5-1 (bug #980002) - golang-x-text <removed> - [buster] - golang-x-text <no-dsa> (Minor issue) + [buster] - golang-x-text <postponed> (Limited support, minor issue) [stretch] - golang-x-text <no-dsa> (Minor issue. Golang has limited support in stretch.) NOTE: https://github.com/golang/go/issues/42536 NOTE: https://github.com/golang/text/commit/4482a914f52311356f6f4b7a695d4075ca22c0c6 (v0.3.5) CVE-2020-28851 (In x/text in Go 1.15.4, an "index out of range" panic occurs in langua ...) - golang-golang-x-text 0.3.6-1 (bug #980001) - golang-x-text <removed> - [buster] - golang-x-text <no-dsa> (Minor issue) + [buster] - golang-x-text <postponed> (Limited support, minor issue) [stretch] - golang-x-text <no-dsa> (Minor issue. Golang has limited support in stretch.) NOTE: https://github.com/golang/go/issues/42535 CVE-2020-28850 @@ -133252,7 +133253,7 @@ CVE-2020-28484 CVE-2020-28483 (This affects all versions of package github.com/gin-gonic/gin. When gi ...) - golang-github-gin-gonic-gin <unfixed> (bug #988943) [bullseye] - golang-github-gin-gonic-gin <no-dsa> (Minor issue) - [buster] - golang-github-gin-gonic-gin <no-dsa> (Minor issue) + [buster] - golang-github-gin-gonic-gin <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases) NOTE: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGINGONICGIN-1041736 NOTE: https://github.com/gin-gonic/gin/pull/2474 NOTE: https://github.com/gin-gonic/gin/commit/c9ea8ece4a3881028f7f715f008414346a7f4b88 
@@ -133522,7 +133523,7 @@ CVE-2020-28367 (Code injection in the go command with cgo before Go 1.14.12 and {DLA-2460-1} - golang-1.15 1.15.5-1 - golang-1.11 <removed> - [buster] - golang-1.11 <no-dsa> (Minor issue) + [buster] - golang-1.11 <postponed> (Limited support, minor issue, fixed in stretch-lts) - golang-1.8 <removed> - golang-1.7 <removed> [stretch] - golang-1.7 <ignored> (validation of cgo flags first introduced in golang-1.8 / CVE-2018-6574) @@ -133531,7 +133532,7 @@ CVE-2020-28367 (Code injection in the go command with cgo before Go 1.14.12 and CVE-2020-28366 (Go before 1.14.12 and 1.15.x before 1.15.5 allows Code Injection. ...) - golang-1.15 1.15.5-1 - golang-1.11 <removed> - [buster] - golang-1.11 <no-dsa> (Minor issue) + [buster] - golang-1.11 <postponed> (Limited support, minor issue) - golang-1.8 <removed> [stretch] - golang-1.8 <ignored> (Minor issue, too intrusive to backport) - golang-1.7 <removed> @@ -136678,7 +136679,6 @@ CVE-2020-27813 (An integer overflow vulnerability exists with the length of webs {DLA-2520-1} - golang-github-gorilla-websocket <not-affected> (Fixed with first upload to Debian with renamed source package) - golang-websocket <removed> - [buster] - golang-websocket <no-dsa> (Limited support) NOTE: https://github.com/gorilla/websocket/security/advisories/GHSA-jf24-p9p9-4rjh NOTE: https://github.com/gorilla/websocket/commit/5b740c29263eb386f33f265561c8262522f19d37 (v1.4.1) CVE-2020-27812 
@@ -139493,7 +139493,7 @@ CVE-2020-26893 (An issue was discovered in ClamXAV 3 before 3.1.1. A malicious a NOT-FOR-US: ClamXAV CVE-2020-26892 (The JWT library in NATS nats-server before 2.1.9 has Incorrect Access ...) - golang-github-nats-io-jwt 2.2.0-1 (bug #988950) - [buster] - golang-github-nats-io-jwt <no-dsa> (Minor issue) + [buster] - golang-github-nats-io-jwt <postponed> (Limited support, minor issue, requires rebuilding golang-github-nats-io-gnatsd) NOTE: https://advisories.nats.io/CVE/CVE-2020-26892.txt NOTE: https://github.com/nats-io/jwt/security/advisories/GHSA-4w5x-x539-ppf5 CVE-2020-26891 (AuthRestServlet in Matrix Synapse before 1.21.0 is vulnerable to XSS d ...) @@ -140364,7 +140364,7 @@ CVE-2020-26522 (A cross-site request forgery (CSRF) vulnerability in mod/user/ac NOT-FOR-US: Garfield Petshop CVE-2020-26521 (The JWT library in NATS nats-server before 2.1.9 allows a denial of se ...) - golang-github-nats-io-jwt 2.2.0-1 (bug #988950) - [buster] - golang-github-nats-io-jwt <no-dsa> (Minor issue) + [buster] - golang-github-nats-io-jwt <postponed> (Limited support, minor issue, requires rebuilding golang-github-nats-io-gnatsd) NOTE: https://advisories.nats.io/CVE/CVE-2020-26521.txt NOTE: https://github.com/nats-io/jwt/security/advisories/GHSA-h2fg-54x9-5qhq CVE-2020-26520 @@ -145281,7 +145281,7 @@ CVE-2020-24553 (Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because tex - golang-1.15 1.15.2-1 (bug #969661) - golang-1.14 <removed> (bug #969662) - golang-1.11 <removed> - [buster] - golang-1.11 <no-dsa> (Minor issue) + [buster] - golang-1.11 <postponed> (Limited support, minor issue) - golang-1.8 <removed> [stretch] - golang-1.8 <no-dsa> (Minor issue) - golang-1.7 <removed> 
@@ -165854,7 +165854,7 @@ CVE-2020-15217 (In GLPI before version 9.5.2, there is a leakage of user informa - glpi <removed> CVE-2020-15216 (In goxmldsig (XML Digital Signatures implemented in pure Go) before ve ...) - golang-github-russellhaering-goxmldsig 1.1.0-1 (bug #971615) - [buster] - golang-github-russellhaering-goxmldsig <no-dsa> (Minor issue) + [buster] - golang-github-russellhaering-goxmldsig <postponed> (Limited support, minor issue, no build rdeps, follow bullseye DSAs/point-releases) NOTE: https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7 NOTE: https://github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64 CVE-2020-15215 (Electron before versions 11.0.0-beta.6, 10.1.2, 9.3.1 or 8.5.2 is vuln ...) @@ -169208,7 +169208,7 @@ CVE-2020-14041 CVE-2020-14040 (The x/text package before 0.3.3 for Go has a vulnerability in encoding ...) - golang-golang-x-text 0.3.3-1 (bug #964272) - golang-x-text <removed> (bug #964271) - [buster] - golang-x-text <no-dsa> (Minor issue) + [buster] - golang-x-text <postponed> (Limited support, minor issue) [stretch] - golang-x-text <no-dsa> (Minor issue) NOTE: https://github.com/golang/go/issues/39491 NOTE: https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e @@ -179815,7 +179815,7 @@ CVE-2020-10676 RESERVED CVE-2020-10675 (The Library API in buger jsonparser through 2019-12-04 allows attacker ...) - golang-github-buger-jsonparser 0.0~git20200322.0.f7e751e-1 (bug #954373) - [buster] - golang-github-buger-jsonparser <no-dsa> (Minor issue) + [buster] - golang-github-buger-jsonparser <postponed> (Limited support, minor issue) NOTE: https://github.com/buger/jsonparser/issues/188 NOTE: https://github.com/buger/jsonparser/commit/91ac96899e492584984ded0c8f9a08f10b473717 CVE-2020-10673 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) 
@@ -183172,7 +183172,7 @@ CVE-2020-9284 CVE-2020-9283 (golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go a ...) {DLA-2455-1 DLA-2453-1 DLA-2402-1} - golang-go.crypto 1:0.0~git20200221.2aa609c-1 (bug #952462) - [buster] - golang-go.crypto <no-dsa> (Minor issue) + [buster] - golang-go.crypto <postponed> (Limited support, minor issue, fixed in stretch) [jessie] - golang-go.crypto <no-dsa> (Minor issue) NOTE: https://github.com/golang/crypto/commit/bac4c82f69751a6dd76e702d54b3ceb88adab236 CVE-2020-9282 (In Mahara 18.10 before 18.10.5, 19.04 before 19.04.4, and 19.10 before ...) @@ -183964,7 +183964,7 @@ CVE-2020-8946 (Netis WF2471 v1.2.30142 devices allow an authenticated attacker t NOT-FOR-US: Netis devices CVE-2020-8945 (The proglottis Go wrapper before 0.1.1 for the GPGME library has a use ...) - golang-github-proglottis-gpgme 0.1.1-1 (bug #951372) - [buster] - golang-github-proglottis-gpgme <no-dsa> (Minor issue) + [buster] - golang-github-proglottis-gpgme <postponed> (Limited support, minor issue, requires rebuilding golang-github-keltia-archive and dmarc-cat) NOTE: https://github.com/proglottis/gpgme/pull/23 CVE-2020-8944 (An arbitrary memory write vulnerability in Asylo versions up to 0.6.0 ...) NOT-FOR-US: Asylo @@ -230336,7 +230336,7 @@ CVE-2019-11843 (The MailPoet plugin before 3.23.2 for WordPress allows remote at CVE-2019-11841 (A message-forgery issue was discovered in crypto/openpgp/clearsign/cle ...) {DLA-2402-1 DLA-1920-1} - golang-go.crypto 1:0.0~git20200221.2aa609c-1 - [buster] - golang-go.crypto <no-dsa> (Limited support) + [buster] - golang-go.crypto <postponed> (Limited support, fixed in stretch) NOTE: https://go.googlesource.com/crypto/+/c05e17bb3b2dca130fc919668a96b4bec9eb9442 NOTE: Patch fixes the second part of the CVE ("prepend arbitrary text") NOTE: but not the first ("ignores the value of [the Hash] header"), as hinted at reporter's 2019-05-09 note: 
@@ -230345,7 +230345,7 @@ CVE-2019-11841 (A message-forgery issue was discovered in crypto/openpgp/clearsi CVE-2019-11840 (An issue was discovered in supplementary Go cryptography libraries, ak ...) {DLA-2527-1 DLA-2454-1 DLA-2442-1 DLA-2402-1 DLA-1840-1} - golang-go.crypto 1:0.0~git20200221.2aa609c-1 - [buster] - golang-go.crypto <no-dsa> (Minor issue) + [buster] - golang-go.crypto <postponed> (Limited support, minor issue, fixed in stretch) NOTE: https://github.com/golang/go/issues/30965 NOTE: https://go.googlesource.com/crypto/+/b7391e95e576cacdcdd422573063bc057239113d NOTE: https://groups.google.com/forum/#!msg/golang-announce/tjyNcJxb2vQ/n0NRBziSCAAJ @@ -238199,7 +238199,7 @@ CVE-2019-9514 (Some HTTP/2 implementations are vulnerable to a reset flood, pote - golang <removed> [jessie] - golang <not-affected> (No HTTP2 support yet) - golang-golang-x-net-dev 1:0.0+git20190811.74dc4d7+dfsg-1 - [buster] - golang-golang-x-net-dev <no-dsa> (Minor issue) + [buster] - golang-golang-x-net-dev <no-dsa> (Limited support, minor issue, DoS) - nodejs 10.16.3~dfsg-1 (bug #934885) [stretch] - nodejs <not-affected> (No HTTP2 support yet) [jessie] - nodejs <not-affected> (No HTTP2 support yet) @@ -238240,7 +238240,7 @@ CVE-2019-9512 (Some HTTP/2 implementations are vulnerable to ping floods, potent - golang <removed> [jessie] - golang <not-affected> (No HTTP2 support yet) - golang-golang-x-net-dev 1:0.0+git20190811.74dc4d7+dfsg-1 - [buster] - golang-golang-x-net-dev <no-dsa> (Minor issue) + [buster] - golang-golang-x-net-dev <postponed> (Limited support, minor issue, DoS) - trafficserver 8.0.5+ds-1 (bug #934887) - h2o 2.2.5+dfsg2-3 (bug #934886) NOTE: Issue: https://github.com/golang/go/issues/33606 ===================================== data/dla-needed.txt ===================================== 
@@ -48,6 +48,12 @@ glibc NOTE: 20220913: Programming language: C, Assembly. NOTE: 20220913: Harmonize with bullseye: 4 CVEs fixed in Debian 11.3 and Debian 11.5 (Beuc/front-desk) -- +golang-1.11 + NOTE: 20220916: Programming language: Go. + NOTE: 20220916: Special attention: limited support; requires rebuilding reverse build dependencies (though recent bullseye updates didn't) + NOTE: 20220916: Harmonize with bullseye and stretch: 9 CVEs fixed in Debian 11.2 & 11.3 + 2 CVEs fixed in stretch-lts (Beuc/front-desk) + NOTE: 20220916: CVE-2020-28367 CVE-2021-33196 CVE-2021-36221 CVE-2021-39293 CVE-2021-41771 CVE-2021-44716 CVE-2021-44717 CVE-2022-23772 CVE-2022-23773 CVE-2022-23806 CVE-2022-24921 +-- golang-go.crypto NOTE: 20220915: Programming language: Go. NOTE: 20220915: 3 CVEs fixed in stretch and bullseye (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/acfccc6158c3d493c7d3b4132f852f570a0a0df5...584817f4a179bed5519970132956257d39204b5c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/acfccc6158c3d493c7d3b4132f852f570a0a0df5...584817f4a179bed5519970132956257d39204b5c You're receiving this email because of your account on salsa.debian.org.
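Review bot: the reason text "fixed in stretch-lts" on the new buster line for CVE-2020-28367 spells the same fact differently from the "fixed in stretch" used on the golang-go.crypto lines for CVE-2020-9283, CVE-2019-11841 and CVE-2019-11840 in this same commit; since the stated purpose is to standardize the buster-lts triage, pick one form, e.g. `(Limited support, minor issue, fixed in stretch)`, and use it on all four lines.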
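Review bot: in the CVE-2020-27813 hunk the `[buster] - golang-websocket <no-dsa> (Limited support)` line is deleted outright (header `-136678,7 +136679,6`) instead of being switched to `<postponed>` like every other buster line in this commit, and the commit message does not explain why. With golang-websocket marked `<removed>` for unstable and the fixed version attached only to the renamed golang-github-gorilla-websocket, the old source package is left with no buster-specific status at all; if golang-websocket still ships in buster this drops it from the postponed list, and if it never did, a `<not-affected>` or a NOTE saying so would record that rather than a silent deletion.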
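Review bot: the buster lines for CVE-2020-26892 and CVE-2020-26521 now say "requires rebuilding golang-github-nats-io-gnatsd", but the only dla-needed.txt change in this commit is the golang-1.11 entry; unless golang-github-nats-io-jwt and the gnatsd rebuild are already tracked there, the rebuild that the reason text calls required is not recorded anywhere. Either add a dla-needed.txt entry for golang-github-nats-io-jwt with the same "Special attention" NOTE style used for golang-1.11, or state on these lines that the rebuild is deferred together with the postponed fix.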
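Review bot: "fixed in stretch" on the new buster line for CVE-2019-11841 overstates what the two NOTE lines directly below it record: the referenced patch fixes the second part of the CVE ("prepend arbitrary text") but not the first ("ignores the value of [the Hash] header"). Write "partially fixed in stretch" or point at the NOTE in the reason text, so that whoever later harmonizes buster with stretch does not take the stretch package as a complete fix.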
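Review bot: the buster line for CVE-2019-9514 keeps `<no-dsa>` and only has its reason text changed to "(Limited support, minor issue, DoS)", while the otherwise identical golang-golang-x-net-dev line for CVE-2019-9512 two hunks later is changed to `<postponed>` with the same reason text. Both are the same package, the same fixed version and the same class of HTTP/2 flood issue, so in a commit meant to standardize this tag the two should match; change CVE-2019-9514 to `<postponed>` as well, or say on the line why this one stays no-dsa.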
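Review bot: the CVE list in the new golang-1.11 dla-needed.txt entry contains CVE-2020-28367 but not CVE-2020-28366, even though both buster lines are switched to `<postponed>` in this same commit and both describe code injection in the go command. The count "9 CVEs fixed in Debian 11.2 & 11.3 + 2 CVEs fixed in stretch-lts" matches the 11 IDs listed, so the omission looks deliberate (the stretch line for CVE-2020-28366 marks it `<ignored>` as too intrusive to backport), but nothing in the entry says so; add a NOTE line recording that CVE-2020-28366 is intentionally out of scope for the golang-1.11 update, or add it to the list.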
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits