Your message dated Sun, 27 Jan 2019 19:50:07 +0000
with message-id <e1gnqrt-000bra...@fasolo.debian.org>
and subject line Bug#920548: fixed in golang-1.12 1.12~beta2-2
has caused the Debian Bug report #920548,
regarding golang-1.12: CVE-2019-6486
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
920548: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920548
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: golang-1.12
Version: 1.12~beta2-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/golang/go/issues/29903

Hi,

The following vulnerability was published for golang-1.12, which was
already fixed for the released versions 1.11.5 and 1.10.8 upstream.

CVE-2019-6486[0]:
| Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384
| elliptic curves, which allows attackers to cause a denial of service
| (CPU consumption) or possibly conduct ECDH private key recovery
| attacks.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-6486
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6486
[1] https://github.com/golang/go/issues/29903

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: golang-1.12
Source-Version: 1.12~beta2-2

We believe that the bug you reported is fixed in the latest version of
golang-1.12, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 920...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dr. Tobias Quathamer <to...@debian.org> (supplier of updated golang-1.12 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 27 Jan 2019 20:05:59 +0100
Source: golang-1.12
Architecture: source
Version: 1.12~beta2-2
Distribution: unstable
Urgency: medium
Maintainer: Go Compiler Team <team+go-compi...@tracker.debian.org>
Changed-By: Dr. Tobias Quathamer <to...@debian.org>
Closes: 920548
Changes:
 golang-1.12 (1.12~beta2-2) unstable; urgency=medium
 .
   * Refresh patch Reproducible BUILD_PATH_PREFIX_MAP.
     Thanks to Michael Stapelberg!
   * Add patch to fix CVE-2019-6486. (Closes: #920548)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
