Your message dated Mon, 13 Jun 2022 11:34:05 +0000
with message-id <[email protected]>
and subject line Bug#1011338: fixed in golang-gopkg-yaml.v3 3.0.1-1
has caused the Debian Bug report #1011338,
regarding golang-gopkg-yaml.v3: CVE-2022-28948 - crash when attempting to deserialize invalid input
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1011338: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011338
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: golang-gopkg-yaml.v3
Version: 3.0.0~git20200121.a6ecf24-3
Severity: important
Tags: security
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for golang-gopkg-yaml.v3-dev.

CVE-2022-28948[0]:
| An issue in the Unmarshal function in Go-Yaml v3 causes the program to
| crash when attempting to deserialize invalid input.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-28948
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28948

Please adjust the affected versions in the BTS as needed.


-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.17.0-2-amd64 (SMP w/6 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
--- Begin Message ---
Source: golang-gopkg-yaml.v3
Source-Version: 3.0.1-1
Done: Anthony Fok <[email protected]>

We believe that the bug you reported is fixed in the latest version of
golang-gopkg-yaml.v3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anthony Fok <[email protected]> (supplier of updated golang-gopkg-yaml.v3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 13 Jun 2022 04:56:55 -0600
Source: golang-gopkg-yaml.v3
Architecture: source
Version: 3.0.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Anthony Fok <[email protected]>
Closes: 1011338
Changes:
 golang-gopkg-yaml.v3 (3.0.1-1) unstable; urgency=medium
 .
   * New upstream version 3.0.1
     + CVE-2022-28948 - crash when attempting to deserialize invalid input
       Thanks to Neil William for the Debian bug report! (Closes: #1011338)
       See also https://github.com/go-yaml/yaml/issues/666
   * Change debian/watch to track v3 release tarballs
     now that v3.0.0 and v3.0.1 have been released
   * Reorder fields in debian/control and debian/copyright
   * Update comment in debian/watch according to upstream LICENSE file
   * Mark library package with "Multi-Arch: foreign"
   * Bump Standards-Version to 4.6.1 (no change)

--- End Message ---
