Your message dated Fri, 11 Dec 2020 09:18:32 +0000
with message-id <[email protected]>
and subject line Bug#976873: fixed in golang-github-hashicorp-go-slug 0.5.0-1
has caused the Debian Bug report #976873,
regarding golang-github-hashicorp-go-slug: CVE-2020-29529
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
976873: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976873
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: golang-github-hashicorp-go-slug
Version: 0.4.1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/hashicorp/go-slug/pull/12
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for golang-github-hashicorp-go-slug.
CVE-2020-29529[0]:
| HashiCorp go-slug up to 0.4.3 did not fully protect against Zip Slip
| attacks while unpacking tar archives, and protections could be
| bypassed with specific constructions of multiple symlinks. Fixed in
| 0.5.0.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-29529
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29529
[1] https://github.com/hashicorp/go-slug/pull/12
Regards,
Salvatore
--- End Message ---
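The multi-symlink bypass named in the CVE text above comes from cleaning a link target lexically: `dir/sym1/..` looks like it stays under the destination, but if `sym1` was itself extracted as a symlink, the `..` applies to wherever `sym1` really points. The following is an added example written for this page, not code from go-slug or from the fix in PR #12; the function names (`insideDest`, `resolveLinkTarget`, `Demo`) and the `sym1 -> .` layout are constructed for illustration. It resolves a symlink entry's target one component at a time from the link's real parent directory, following symlinks that earlier entries already created, and rejects the target as soon as any intermediate step leaves the destination.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

func insideDest(dest, p string) bool {
	return p == dest || strings.HasPrefix(p, dest+string(filepath.Separator))
}

// resolveLinkTarget walks a tar symlink's Linkname component by component from the link's
// real parent dir, following symlinks earlier entries created, so ".." acts on the real path.
func resolveLinkTarget(dest, realDir, linkname string) (string, error) {
	if filepath.IsAbs(linkname) {
		return "", fmt.Errorf("absolute symlink target %q rejected", linkname)
	}
	cur := realDir
	for _, c := range strings.Split(filepath.ToSlash(linkname), "/") {
		if c == ".." {
			cur = filepath.Dir(cur)
		} else if resolved, err := filepath.EvalSymlinks(filepath.Join(cur, c)); err == nil {
			cur = resolved // component already exists on disk (maybe a symlink): follow it
		} else {
			cur = filepath.Join(cur, c) // not created yet, so it cannot be a symlink
		}
		if !insideDest(dest, cur) {
			return "", fmt.Errorf("symlink target %q escapes %s", linkname, dest)
		}
	}
	return cur, nil
}

// Demo recreates the two-symlink layout in a temp dir: sym1 -> . is already extracted,
// then a second link targets sym1/.., lexically dest itself but really the parent of dest.
func Demo() (lexicalAccepts, resolverRejects bool, err error) {
	dest, err := os.MkdirTemp("", "slug-demo")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(dest)
	dest, _ = filepath.EvalSymlinks(dest) // canonical form (macOS: /var -> /private/var)
	if err = os.Symlink(".", filepath.Join(dest, "sym1")); err != nil {
		return false, false, err
	}
	_, linkErr := resolveLinkTarget(dest, dest, "sym1/..")
	return insideDest(dest, filepath.Join(dest, "sym1/..")), linkErr != nil, nil
}
```

`Demo` returns `true, true`: the lexical check accepts the second link's target while the component-wise resolver rejects it. An extractor would call `resolveLinkTarget` before creating each symlink entry, with `realDir` obtained from `filepath.EvalSymlinks` on the entry's existing parent directory.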
--- Begin Message ---
Source: golang-github-hashicorp-go-slug
Source-Version: 0.5.0-1
Done: Thorsten Alteholz <[email protected]>
We believe that the bug you reported is fixed in the latest version of
golang-github-hashicorp-go-slug, which is due to be installed in the Debian FTP
archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thorsten Alteholz <[email protected]> (supplier of updated
golang-github-hashicorp-go-slug package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 10 Dec 2020 20:27:48 +0000
Source: golang-github-hashicorp-go-slug
Architecture: source
Version: 0.5.0-1
Distribution: unstable
Urgency: low
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Thorsten Alteholz <[email protected]>
Closes: 976873
Changes:
golang-github-hashicorp-go-slug (0.5.0-1) unstable; urgency=low
.
[ Debian Janitor ]
* Bump debhelper from old 11 to 12.
* Set debhelper-compat version in Build-Depends.
* Set upstream metadata fields: Bug-Database, Bug-Submit, Repository,
Repository-Browse.
* Update standards version to 4.5.0, no changes needed.
.
[ Thorsten Alteholz ]
* New upstream release: fix for CVE-2020-29529 (Closes: #976873)
* reverse dependencies successfully built with ratt:
- nothing todo for this package
--- End Message ---