Your message dated Sat, 06 Sep 2025 12:14:50 +0100
with message-id
<ee4c0876608d99eb3f8b333b556fbd92e7a652eb.ca...@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 12.12
has caused the Debian Bug report #1112053,
regarding bookworm-pu: golang-github-gin-contrib-cors/1.4.0-1+deb12u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1112053: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1112053
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: [email protected]
Usertags: pu
The attached debdiff for golang-github-gin-contrib-cor fixes
CVE-2019-25211 in Bookworm. The CVE is marked as no-dsa by the
security team.
golang-github-gin-contrib-cor is a leaf package with no rdeps within
Debian and the fix was already done by upstream a few years ago.
There should be not much hassle with this fix.
Thorsten
diff -Nru golang-github-gin-contrib-cors-1.4.0/debian/changelog
golang-github-gin-contrib-cors-1.4.0/debian/changelog
--- golang-github-gin-contrib-cors-1.4.0/debian/changelog 2022-12-03
10:49:55.000000000 +0100
+++ golang-github-gin-contrib-cors-1.4.0/debian/changelog 2025-08-25
14:49:55.000000000 +0200
@@ -1,3 +1,10 @@
+golang-github-gin-contrib-cors (1.4.0-1+deb12u1) bookworm; urgency=medium
+
+ * CVE-2019-25211
+ fix handling of wildcards
+
+ -- Thorsten Alteholz <[email protected]> Mon, 25 Aug 2025 14:49:55 +0200
+
golang-github-gin-contrib-cors (1.4.0-1) unstable; urgency=medium
* New upstream release.
diff -Nru
golang-github-gin-contrib-cors-1.4.0/debian/patches/CVE-2019-25211.patch
golang-github-gin-contrib-cors-1.4.0/debian/patches/CVE-2019-25211.patch
--- golang-github-gin-contrib-cors-1.4.0/debian/patches/CVE-2019-25211.patch
1970-01-01 01:00:00.000000000 +0100
+++ golang-github-gin-contrib-cors-1.4.0/debian/patches/CVE-2019-25211.patch
2025-08-25 14:49:55.000000000 +0200
@@ -0,0 +1,22 @@
+From 27b723a473efd80d5a498fa9f5933c80204c850d Mon Sep 17 00:00:00 2001
+From: Benjamin Mitzkus <[email protected]>
+Date: Wed, 6 Mar 2024 06:28:12 +0100
+Subject: [PATCH] fixe(domain): wildcard parse bug (#106)
+
+---
+ cors.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: golang-github-gin-contrib-cors-1.4.0/cors.go
+===================================================================
+--- golang-github-gin-contrib-cors-1.4.0.orig/cors.go 2025-08-25
16:03:59.883858578 +0200
++++ golang-github-gin-contrib-cors-1.4.0/cors.go 2025-08-25
16:03:59.883858578 +0200
+@@ -132,7 +132,7 @@
+ continue
+ }
+ if i == (len(o) - 1) {
+- wRules = append(wRules, []string{o[:i-1], "*"})
++ wRules = append(wRules, []string{o[:i], "*"})
+ continue
+ }
+
diff -Nru golang-github-gin-contrib-cors-1.4.0/debian/patches/series
golang-github-gin-contrib-cors-1.4.0/debian/patches/series
--- golang-github-gin-contrib-cors-1.4.0/debian/patches/series 1970-01-01
01:00:00.000000000 +0100
+++ golang-github-gin-contrib-cors-1.4.0/debian/patches/series 2025-08-25
14:49:55.000000000 +0200
@@ -0,0 +1 @@
+CVE-2019-25211.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.12
Hi,
Each of the updates referenced by these requests was included in
today's 12.12 point release for bookworm.
Regards,
Adam
--- End Message ---
