Your message dated Sun, 06 Feb 2022 20:36:36 +0000
with message-id <[email protected]>
and subject line Bug#991664: fixed in golang-github-sylabs-sif 2.3.1-1
has caused the Debian Bug report #991664,
regarding golang-github-sylabs-sif: CVE-2021-29499
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
991664: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991664
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: golang-github-sylabs-sif
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerability was published for golang-github-sylabs-sif.
CVE-2021-29499[0]:
| SIF is an open source implementation of the Singularity Container
| Image Format. The `siftool new` command and func siftool.New() produce
| predictable UUID identifiers due to insecure randomness in the version
| of the `github.com/satori/go.uuid` module used as a dependency. A
| patch is available in version >= v1.2.3 of the module. Users are
| encouraged to upgrade. As a workaround, users passing CreateInfo
| struct should ensure the `ID` field is generated using a version of
| `github.com/satori/go.uuid` that is not vulnerable to this issue.
https://github.com/sylabs/sif/security/advisories/GHSA-4gh8-x3vv-phhg
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-29499
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29499
Please adjust the affected versions in the BTS as needed.
--- End Message ---
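The workaround quoted in the report above asks callers to supply their own securely generated `ID`. As an added example (not code from the sif project or from these messages), the sketch below builds a version 4 UUID from the standard library's `crypto/rand` instead of `go.uuid` and fails closed on a short entropy read. The names `newUUIDv4`, `NewID`, `formatUUID` and `shortReader` are hypothetical, and how the 16 bytes are assigned to the `ID` field of `CreateInfo` is assumed to depend on the sif version in use.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"io"
)

// newUUIDv4 builds an RFC 4122 version 4 UUID from the entropy source r.
// io.ReadFull errors unless all 16 bytes are filled, so a short source fails closed.
func newUUIDv4(r io.Reader) ([16]byte, error) {
	var u [16]byte
	if _, err := io.ReadFull(r, u[:]); err != nil {
		return [16]byte{}, fmt.Errorf("uuid: entropy read failed: %w", err)
	}
	u[6] = (u[6] & 0x0f) | 0x40 // version 4 (random)
	u[8] = (u[8] & 0x3f) | 0x80 // RFC 4122 variant
	return u, nil
}

// NewID draws from the operating system CSPRNG via crypto/rand.
func NewID() ([16]byte, error) { return newUUIDv4(rand.Reader) }

// formatUUID renders the canonical 8-4-4-4-12 hexadecimal form.
func formatUUID(u [16]byte) string {
	return fmt.Sprintf("%x-%x-%x-%x-%x", u[0:4], u[4:6], u[6:8], u[8:10], u[10:16])
}

// shortReader is a constructed faulty source that runs dry after `left` bytes.
type shortReader struct{ left int }

func (s *shortReader) Read(p []byte) (int, error) {
	if s.left == 0 {
		return 0, io.EOF
	}
	n := len(p)
	if n > s.left {
		n = s.left
	}
	s.left -= n
	return n, nil
}

func main() {
	id, err := NewID()
	fmt.Println(formatUUID(id), err)
	_, err = newUUIDv4(&shortReader{left: 7})
	fmt.Println("short source:", err)
}
```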
--- Begin Message ---
Source: golang-github-sylabs-sif
Source-Version: 2.3.1-1
Done: Reinhard Tartler <[email protected]>
We believe that the bug you reported is fixed in the latest version of
golang-github-sylabs-sif, which is due to be installed in the Debian FTP
archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Reinhard Tartler <[email protected]> (supplier of updated
golang-github-sylabs-sif package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sun, 06 Feb 2022 14:55:12 -0500
Source: golang-github-sylabs-sif
Architecture: source
Version: 2.3.1-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Reinhard Tartler <[email protected]>
Closes: 991664 1005051
Changes:
golang-github-sylabs-sif (2.3.1-1) experimental; urgency=medium
.
* Team upload
* New upstream version, Closes: #1005051
- Fixes CVE-2021-29499, Closes: #991664
--- End Message ---