Your message dated Sat, 15 May 2021 13:18:29 +0000
with message-id <[email protected]>
and subject line Bug#985025: fixed in golang-github-pires-go-proxyproto 0.4.2-1
has caused the Debian Bug report #985025,
regarding golang-github-pires-go-proxyproto: CVE-2021-23351
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
985025: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985025
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: golang-github-pires-go-proxyproto
Version: 0.4.1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/pires/go-proxyproto/issues/69
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for golang-github-pires-go-proxyproto.

CVE-2021-23351[0]:
| The package github.com/pires/go-proxyproto before 0.5.0 is vulnerable
| to Denial of Service (DoS) via the parseVersion1() function. The
| reader in this package is a default bufio.Reader wrapping a net.Conn.
| It will read from the connection until it finds a newline. Since no
| limits are implemented in the code, a deliberately malformed V1 header
| could be used to exhaust memory in a server process using this code -
| and create a DoS. This can be exploited by sending a stream starting
| with PROXY and continuing to send data (which does not contain a
| newline) until the target stops acknowledging. The risk here is small,
| because only trusted sources should be allowed to send proxy protocol
| headers.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-23351
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23351
[1] https://github.com/pires/go-proxyproto/issues/69
[2] https://github.com/pires/go-proxyproto/commit/7f48261db810703d173f27f3309a808cc2b49b8b
[3] https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMPIRESGOPROXYPROTO-1081577

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: golang-github-pires-go-proxyproto
Source-Version: 0.4.2-1
Done: Roger Shimizu <[email protected]>

We believe that the bug you reported is fixed in the latest version of
golang-github-pires-go-proxyproto, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roger Shimizu <[email protected]> (supplier of updated golang-github-pires-go-proxyproto package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 15 May 2021 21:59:19 +0900
Source: golang-github-pires-go-proxyproto
Architecture: source
Version: 0.4.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Roger Shimizu <[email protected]>
Closes: 985025
Changes:
 golang-github-pires-go-proxyproto (0.4.2-1) unstable; urgency=medium
 .
   * New upstream release 0.4.2
   * debian/patches:
     - Cherry-pick patches from upstream to fix CVE-2021-23351
       (Closes: #985025)


--- End Message ---
