Your message dated Wed, 26 Feb 2020 21:07:58 +0000
with message-id <[email protected]>
and subject line Bug#952462: fixed in golang-go.crypto 1:0.0~git20200221.2aa609c-1
has caused the Debian Bug report #952462,
regarding golang-go.crypto: CVE-2020-9283
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
952462: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952462
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: golang-go.crypto
Version: 1:0.0~git20190701.4def268-2
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for golang-go.crypto.

CVE-2020-9283[0]:
| golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go
| allows a panic during signature verification in the
| golang.org/x/crypto/ssh package. A client can attack an SSH server
| that accepts public keys. Also, a server can attack any SSH client.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-9283
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9283
[1] https://github.com/golang/crypto/commit/bac4c82f69751a6dd76e702d54b3ceb88adab236

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: golang-go.crypto
Source-Version: 1:0.0~git20200221.2aa609c-1
Done: Anthony Fok <[email protected]>

We believe that the bug you reported is fixed in the latest version of
golang-go.crypto, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anthony Fok <[email protected]> (supplier of updated golang-go.crypto package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 26 Feb 2020 13:36:38 -0700
Source: golang-go.crypto
Architecture: source
Version: 1:0.0~git20200221.2aa609c-1
Distribution: unstable
Urgency: high
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Anthony Fok <[email protected]>
Closes: 952462
Changes:
 golang-go.crypto (1:0.0~git20200221.2aa609c-1) unstable; urgency=high
 .
   * New upstream version 0.0~git20200221.2aa609c
     - ssh: return an error for malformed ed25519 public keys
       rather than panic (v0.0.0-20200220183623-bac4c82f6975).
       Fixes CVE-2020-9283 (Closes: #952462)
   * Previously uploaded upstream version 0.0~git20190701.4def268 contains:
     - salsa20/salsa: fix keystream loop in amd64 assembly when overflowing
       32-bit counter (commit b7391e9, 2019-03-20).  Fixes CVE-2019-11840
     - openpgp/clearsign: reject potentially misleading headers and messages
       (commit c05e17b, 2019-04-24).  Fixes CVE-2019-11841
   * debian/gbp.conf: Set debian-branch to debian/sid for DEP-14 conformance
   * Bump Standards-Version to 4.5.0 (no change)
   * debian/copyright: Add Upstream-Contact
   * Remove d/patches/0001-ssh-test-delete-TestInvalidTerminalMode.patch
     which has been applied upstream as commit 9756ffd
   * Build-Depends on dh-golang (>= 1.48~) to prevent
     "no non-test Go files" error in internal/wycheproof during build
   * Add d/patches/0001-skip-wycheproof_test.patch to skip test
     that accesses the Internet with "go mod download -json"
   * Override dh_auto_install with --no-binaries
     to prevent /usr/bin/acmeprobe from being built
Checksums-Sha1:
 c5015f19cba6330c3c438faa8aa90a1a38f12433 2465 golang-go.crypto_0.0~git20200221.2aa609c-1.dsc
 1b4a6e30c1f2ab63df7fb582ff76ca762508663e 1525536 golang-go.crypto_0.0~git20200221.2aa609c.orig.tar.xz
 4f7eead4ae2795007ca45a68616a876a6110b5e9 5732 golang-go.crypto_0.0~git20200221.2aa609c-1.debian.tar.xz
 668f0ecb86f1832355823a1fe80662ea24c491c7 7090 golang-go.crypto_0.0~git20200221.2aa609c-1_amd64.buildinfo
Checksums-Sha256:
 b130a6e2d104aad65e736bb41c01aa6fc4c1e16a139c31fc12c3d21df573912b 2465 golang-go.crypto_0.0~git20200221.2aa609c-1.dsc
 dcd8132ab5acd92dfe2fc8ce8e3c76f3a91f6c60bdfdac1df407b365c1ccd490 1525536 golang-go.crypto_0.0~git20200221.2aa609c.orig.tar.xz
 1c9c458572ef8ee734672463159c344c1c4517587427726a968546dd1fed73f8 5732 golang-go.crypto_0.0~git20200221.2aa609c-1.debian.tar.xz
 0feef6bc2d0b872620c50d4bccf03a3841eb9655fd92fdc9c4afc1a258eeb915 7090 golang-go.crypto_0.0~git20200221.2aa609c-1_amd64.buildinfo
Files:
 0a03dc86aed04ecb9ceb44561369f829 2465 devel optional golang-go.crypto_0.0~git20200221.2aa609c-1.dsc
 fc9ec138dc31168df107dc0ce282617c 1525536 devel optional golang-go.crypto_0.0~git20200221.2aa609c.orig.tar.xz
 37ce1a799859a3f283730a9fcbdd3d3c 5732 devel optional golang-go.crypto_0.0~git20200221.2aa609c-1.debian.tar.xz
 294dc38aea99f905917b039562c366b7 7090 devel optional golang-go.crypto_0.0~git20200221.2aa609c-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
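The CVE description in the original report and the changelog entry "ssh: return an error for malformed ed25519 public keys rather than panic" both describe the same failure mode: Go's ed25519.Verify panics when handed a public key of the wrong length, so an SSH peer that supplies a malformed key can crash the process unless the key is validated first. The following Go program is an added illustration, not code from golang.org/x/crypto or from the Debian package; VerifyChecked, UncheckedPanics and ErrBadKeySize are names chosen here, and the key pair and message are constructed in the program.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrBadKeySize is returned by VerifyChecked instead of letting
// ed25519.Verify panic on a wrong-length key. (Illustrative name.)
var ErrBadKeySize = errors.New("ed25519: public key has wrong length")

// VerifyChecked validates the public key length before delegating to
// ed25519.Verify, which panics when len(pub) != ed25519.PublicKeySize.
// This is the shape of check a caller needs in front of the standard
// library verifier; it is an illustrative function, not the x/crypto/ssh code.
func VerifyChecked(pub, msg, sig []byte) (bool, error) {
	if l := len(pub); l != ed25519.PublicKeySize {
		return false, fmt.Errorf("%w: got %d, want %d", ErrBadKeySize, l, ed25519.PublicKeySize)
	}
	return ed25519.Verify(ed25519.PublicKey(pub), msg, sig), nil
}

// UncheckedPanics reports whether calling ed25519.Verify directly on pub
// panics. It exists only to make the failure mode visible in a test.
func UncheckedPanics(pub, msg, sig []byte) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	ed25519.Verify(ed25519.PublicKey(pub), msg, sig)
	return false
}

func main() {
	// Constructed sample key pair and message.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed sample message")
	sig := ed25519.Sign(priv, msg)

	ok, err := VerifyChecked(pub, msg, sig)
	fmt.Println("well-formed key: valid =", ok, "err =", err)

	// Constructed malformed key: one byte short of PublicKeySize.
	truncated := pub[:ed25519.PublicKeySize-1]
	fmt.Println("direct ed25519.Verify on short key panics:", UncheckedPanics(truncated, msg, sig))
	ok, err = VerifyChecked(truncated, msg, sig)
	fmt.Println("checked verify on short key: valid =", ok, "err =", err)
}
```

The length check belongs at parse time as well as verify time: a server that stores a client-supplied key blob and only verifies it later still needs the blob validated before it reaches ed25519.Verify, otherwise the panic simply moves to a later request.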
