Your message dated Fri, 08 Jan 2021 14:49:47 +0000
with message-id <e1kxt5h-0007e4...@fasolo.debian.org>
and subject line Bug#971615: fixed in golang-github-russellhaering-goxmldsig 1.1.0-1
has caused the Debian Bug report #971615,
regarding golang-github-russellhaering-goxmldsig: CVE-2020-15216
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
971615: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971615
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: golang-github-russellhaering-goxmldsig
Version: 0.0~git20180430.7acd5e4-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for 
golang-github-russellhaering-goxmldsig.

CVE-2020-15216[0]:
| In goxmldsig (XML Digital Signatures implemented in pure Go) before
| version 1.1.0, with a carefully crafted XML file, an attacker can
| completely bypass signature validation and pass off an altered file as
| a signed one. A patch is available, all users of goxmldsig should
| upgrade to at least revision f6188febf0c29d7ffe26a0436212b19cb9615e64
| or version 1.1.0


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-15216
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15216
[1] https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7
[2] https://github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: golang-github-russellhaering-goxmldsig
Source-Version: 1.1.0-1
Done: Thorsten Alteholz <deb...@alteholz.de>

We believe that the bug you reported is fixed in the latest version of
golang-github-russellhaering-goxmldsig, which is due to be installed in the 
Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 971...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <deb...@alteholz.de> (supplier of updated 
golang-github-russellhaering-goxmldsig package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 07 Jan 2021 23:13:56 +0000
Source: golang-github-russellhaering-goxmldsig
Architecture: source
Version: 1.1.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg...@tracker.debian.org>
Changed-By: Thorsten Alteholz <deb...@alteholz.de>
Closes: 971615
Changes:
 golang-github-russellhaering-goxmldsig (1.1.0-1) unstable; urgency=medium
 .
   * New upstream release (Closes: #971615)
   * add myself to Uploaders:
   * debian/control: use dh13
   * debian/control: bump standard to 4.5.1 (no changes)
   * reverse dependencies successfully built with ratt:
     - nothing todo for this package

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
