Your message dated Sun, 17 May 2026 09:50:48 +0000
with message-id <[email protected]>
and subject line Bug#1133077: fixed in golang-opentelemetry-otel 1.43.0-1
has caused the Debian Bug report #1133077,
regarding golang-opentelemetry-otel: CVE-2026-39882
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1133077: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133077
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: golang-opentelemetry-otel
Version: 1.31.0-4
Severity: important
Tags: security upstream
Forwarded: https://github.com/open-telemetry/opentelemetry-go/pull/8108
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for golang-opentelemetry-otel.

CVE-2026-39882[0]:
| OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to
| 1.43.0, the otlp HTTP exporters (traces/metrics/logs) read the full
| HTTP response body into an in-memory bytes.Buffer without a size
| cap. This is exploitable for memory exhaustion when the configured
| collector endpoint is attacker-controlled (or a network attacker can
| mitm the exporter connection). This vulnerability is fixed in
| 1.43.0.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-39882
    https://www.cve.org/CVERecord?id=CVE-2026-39882
[1] https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-w8rr-5gcm-pp58
[2] https://github.com/open-telemetry/opentelemetry-go/pull/8108

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
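The unbounded-read pattern the advisory describes, beside a capped read, as an added Go example (not code from opentelemetry-go or from PR #8108): readBodyUnbounded and readBodyCapped are assumed helper names, the 64 KiB cap and the oversized sample body are constructed values, and io.LimitReader is the standard-library way to bound the copy.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrBodyTooLarge is returned when the peer sends more than the cap allows.
var ErrBodyTooLarge = errors.New("response body exceeds size cap")

// readBodyUnbounded mirrors the pre-1.43.0 pattern from the advisory: the
// whole response body is copied into an in-memory buffer, so the collector
// endpoint (or anyone in the network path) decides how much memory the
// exporter allocates.
func readBodyUnbounded(body io.Reader) ([]byte, error) {
	var buf bytes.Buffer
	if _, err := io.Copy(&buf, body); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// readBodyCapped buffers at most maxBytes. It reads one byte past the cap so
// it can distinguish "exactly maxBytes" from "more than maxBytes" without
// buffering the excess, and fails closed with ErrBodyTooLarge.
func readBodyCapped(body io.Reader, maxBytes int64) ([]byte, error) {
	var buf bytes.Buffer
	n, err := io.Copy(&buf, io.LimitReader(body, maxBytes+1))
	if err != nil {
		return nil, err
	}
	if n > maxBytes {
		return nil, ErrBodyTooLarge
	}
	return buf.Bytes(), nil
}

func main() {
	// Constructed sample: a 1 MiB reply, far larger than any OTLP response.
	b, _ := readBodyUnbounded(strings.NewReader(strings.Repeat("A", 1<<20)))
	fmt.Printf("unbounded read buffered %d bytes\n", len(b))
	_, err := readBodyCapped(strings.NewReader(strings.Repeat("A", 1<<20)), 64<<10)
	fmt.Println("capped read:", err) // capped read: response body exceeds size cap
}
```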
--- Begin Message ---
Source: golang-opentelemetry-otel
Source-Version: 1.43.0-1
Done: Andrew Lee (李健秋) <[email protected]>

We believe that the bug you reported is fixed in the latest version of
golang-opentelemetry-otel, which is due to be installed in the Debian FTP 
archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrew Lee (李健秋) <[email protected]> (supplier of updated 
golang-opentelemetry-otel package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Mon, 11 May 2026 11:04:57 +0200
Source: golang-opentelemetry-otel
Architecture: source
Version: 1.43.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Andrew Lee (李健秋) <[email protected]>
Closes: 1133077 1136747
Changes:
 golang-opentelemetry-otel (1.43.0-1) unstable; urgency=medium
 .
   * Team Upload.
   * New upstream version 1.43.0. (Closes: #1133077, #1136747)
     - Contains fix for CVE-2026-39882.
   * debian/control: drop Priority: optional (now the default).
   * debian/control: Drop Rules-Requires-Root: no (now the default).
   * debian/control: bump Standards-Version to 4.7.4.
   * debian/control: depends and build-deps on
     golang-google-grpc-dev (>= 1.79.3~).
   * debian/control: depends and build-deps on
     golang-github-cenkalti-backoff-dev.
   * debian/control: depends and build-deps on
     golang-github-cespare-xxhash-dev.
   * debian/patches/0002-Use-legacy-name-validation.patch: refresh.
   * debian/rules: exclude exporters/prometheus because
     github.com/prometheus/otlptranslator isn't packaged yet in Debian.
   * debian/patches/disable-sdk-auto.patch: disable auto/sdk submodule as
     it's not yet available in Debian.
   * debian/rules: adjust override_dh_auto_test for internal/global, which
     fails to set up.
   * debian/rules: exclude trace/internal/telemetry/test as it requires the
     collector module, which is not yet packaged in Debian.
   * debian/control: add missing depends.



--- End Message ---
