Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits: df4f6128 by Sylvain Beucler at 2023-04-19T17:47:48+02:00 Reserve DLA-3395-1 for golang-1.11 - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -95662,7 +95662,6 @@ CVE-2022-24921 (regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 all - golang-1.15 <removed> [bullseye] - golang-1.15 1.15.15-1~deb11u4 - golang-1.11 <removed> - [buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases) - golang-1.8 <removed> - golang-1.7 <removed> NOTE: https://github.com/golang/go/issues/51112 @@ -99963,7 +99962,6 @@ CVE-2022-23806 (Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17 - golang-1.15 <removed> [bullseye] - golang-1.15 1.15.15-1~deb11u3 - golang-1.11 <removed> - [buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases) - golang-1.8 <removed> - golang-1.7 <removed> NOTE: https://github.com/golang/go/issues/50974 @@ -100107,7 +100105,6 @@ CVE-2022-23772 (Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before - golang-1.15 <removed> [bullseye] - golang-1.15 1.15.15-1~deb11u3 - golang-1.11 <removed> - [buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases) - golang-1.8 <removed> - golang-1.7 <removed> NOTE: https://github.com/golang/go/issues/50699 @@ -110426,7 +110423,6 @@ CVE-2021-44717 (Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write - golang-1.15 1.15.15-5 [bullseye] - golang-1.15 1.15.15-1~deb11u2 - golang-1.11 <removed> - [buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases) - golang-1.8 <removed> - golang-1.7 <removed> NOTE: https://github.com/golang/go/issues/50057 
@@ -110439,7 +110435,6 @@ CVE-2021-44716 (net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows un - golang-1.15 1.15.15-5 [bullseye] - golang-1.15 1.15.15-1~deb11u2 - golang-1.11 <removed> - [buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases) - golang-1.8 <removed> - golang-1.7 <removed> - golang-golang-x-net 1:0.0+git20211209.491a49a+dfsg-1 @@ -122298,7 +122293,6 @@ CVE-2021-41771 (ImportedSymbols in debug/macho (for Open or OpenFat) in Go befor - golang-1.15 1.15.15-5 [bullseye] - golang-1.15 1.15.15-1~deb11u2 - golang-1.11 <removed> - [buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases) - golang-1.8 <removed> - golang-1.7 <removed> NOTE: https://github.com/golang/go/issues/48990 @@ -128541,7 +128535,6 @@ CVE-2021-39293 (In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a c - golang-1.15 1.15.15-2 [bullseye] - golang-1.15 1.15.15-1~deb11u1 - golang-1.11 <removed> - [buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases) - golang-1.8 <removed> - golang-1.7 <removed> NOTE: https://github.com/golang/go/issues/47801 @@ -131063,7 +131056,6 @@ CVE-2021-38297 (Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow - golang-1.15 1.15.15-5 [bullseye] - golang-1.15 1.15.15-1~deb11u2 - golang-1.11 <removed> - [buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases) - golang-1.8 <not-affected> (Vulnerable code not present) - golang-1.7 <not-affected> (Vulnerable code not present) NOTE: https://github.com/golang/go/commit/77f2750f4398990eed972186706f160631d7dae4 
@@ -136311,7 +136303,6 @@ CVE-2021-36221 (Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition - golang-1.15 1.15.15-1 (bug #991961) [bullseye] - golang-1.15 1.15.15-1~deb11u1 - golang-1.11 <removed> - [buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases) - golang-1.8 <removed> - golang-1.7 <removed> NOTE: https://github.com/golang/go/issues/46866 @@ -143758,7 +143749,6 @@ CVE-2021-33196 (In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a - golang-1.16 1.16.5-1 (bug #989492) - golang-1.15 1.15.9-4 - golang-1.11 <removed> - [buster] - golang-1.11 <postponed> (Limited support, minor issue, fixed in stretch-lts) - golang-1.8 <removed> - golang-1.7 <removed> NOTE: https://github.com/golang/go/issues/46242 @@ -186223,7 +186213,6 @@ CVE-2020-28367 (Code injection in the go command with cgo before Go 1.14.12 and {DLA-2460-1} - golang-1.15 1.15.5-1 - golang-1.11 <removed> - [buster] - golang-1.11 <postponed> (Limited support, minor issue, fixed in stretch-lts) - golang-1.8 <removed> - golang-1.7 <removed> [stretch] - golang-1.7 <ignored> (validation of cgo flags first introduced in golang-1.8 / CVE-2018-6574) ===================================== data/DLA/list ===================================== @@ -1,3 +1,6 @@ +[19 Apr 2023] DLA-3395-1 golang-1.11 - security update + {CVE-2020-28367 CVE-2021-33196 CVE-2021-36221 CVE-2021-38297 CVE-2021-39293 CVE-2021-41771 CVE-2021-44716 CVE-2021-44717 CVE-2022-23772 CVE-2022-23806 CVE-2022-24921} + [buster] - golang-1.11 1.11.6-1+deb10u5 [19 Apr 2023] DLA-3394-1 asterisk - security update {CVE-2023-27585} [buster] - asterisk 1:16.28.0~dfsg-0+deb10u3 ===================================== data/dla-needed.txt ===================================== 
@@ -92,14 +92,6 @@ fusiondirectory NOTE: 20221203: Feel free to marke both CVEs as <ignored>, if they are not too serious (gladk). NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/fusiondirectory.git -- -golang-1.11 (Sylvain Beucler) - NOTE: 20220916: Programming language: Go. - NOTE: 20220916: Special attention: limited support; requires rebuilding reverse build dependencies (though recent bullseye updates didn't) - NOTE: 20220916: Harmonize with bullseye and stretch: 9 CVEs fixed in Debian 11.2 & 11.3 + 2 CVEs fixed in stretch-lts (Beuc/front-desk) - NOTE: 20220916: CVE-2020-28367 CVE-2021-33196 CVE-2021-36221 CVE-2021-39293 CVE-2021-41771 CVE-2021-44716 CVE-2021-44717 CVE-2022-23772 CVE-2022-23773 CVE-2022-23806 CVE-2022-24921 - NOTE: 20230111: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/golang.html - NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/golang-1.11.git --- golang-go.crypto NOTE: 20220915: Programming language: Go. NOTE: 20220915: 3 CVEs fixed in stretch and bullseye (Beuc/front-desk)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df4f6128913eff08347b81ca3609cc84c12ebf8e
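Review bot: The CVE set in the new data/DLA/list entry for DLA-3395-1 does not match the set in the data/dla-needed.txt entry this commit removes. The deleted `NOTE: 20220916: CVE-2020-28367 ...` line lists CVE-2022-23773, which is absent from the DLA entry and has no data/CVE/list hunk here, while CVE-2021-38297 is in the DLA entry and has its `<postponed>` line dropped but was not in that note. Both lists hold 11 IDs, so the swap is easy to miss. If CVE-2022-23773 was left out of 1.11.6-1+deb10u5 on purpose, say why in the commit message, or check that its data/CVE/list entry already carries a [buster] status for golang-1.11, since deleting the dla-needed.txt entry removes the only visible reminder that it was in scope.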