Package: release.debian.org
Severity: normal
Tags: bullseye
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected]

[ Reason ]
Update golang-1.15 to the latest upstream minor release.

The Go upstream has minor releases in which only important bugfixes are backported.
Upstream policy: https://github.com/golang/go/wiki/MinorReleases

> security issues, serious problems with no workaround, and documentation fixes
> are backported

So I'd like to bring the latest minor version to bullseye.

This 1.15.15 version also includes a non-urgent security fix for CVE-2021-36221.

The full issues between 1.15.9 (version in bullseye) and 1.15.15:

+ Go1.15.10 https://github.com/golang/go/milestone/204?closed=1
+ Go1.15.11 https://github.com/golang/go/milestone/208?closed=1
+ Go1.15.12 https://github.com/golang/go/milestone/209?closed=1
+ Go1.15.13 https://github.com/golang/go/milestone/215?closed=1
+ Go1.15.14 https://github.com/golang/go/milestone/217?closed=1
+ Go1.15.15 https://github.com/golang/go/milestone/220?closed=1

[ Impact ]
Fix many issues which are considered to be important by upstream.

[ Tests ]
Go1.15.15 has been in testing for many days and many packages have been built with this version.
Meanwhile upstream has extensive tests for their minor release.

[ Risks ]
I don't think there's risk.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The diff is big, so I only paste the diffstat here, and attach a link to the full diff.

 VERSION | 2
 debian/changelog | 20
 debian/control | 4
 debian/control.in | 4
 debian/patches/0007-CVE-2021-31525.patch | 45 --
 debian/patches/0008-CVE-2021-33196.patch | 124 -----
 debian/patches/0009-CVE-2021-33195-1.patch | 369 -----------------
 debian/patches/0010-CVE-2021-33195-2.patch | 111 -----
 debian/patches/0011-CVE-2021-33197.patch | 147 ------
 debian/patches/0012-CVE-2021-33198.patch | 107 ----
 debian/patches/0013-CVE-2021-34558.patch | 46 --
 debian/patches/series | 7
 misc/cgo/testcshared/cshared_test.go | 97 ++++
 src/archive/zip/reader.go | 10
 src/archive/zip/reader_test.go | 59 ++
 src/cmd/cgo/out.go | 6
 src/cmd/compile/internal/gc/escape.go | 7
 src/cmd/compile/internal/ssa/gen/ARM.rules | 128 ++---
 src/cmd/compile/internal/ssa/gen/ARM64Ops.go | 9
 src/cmd/compile/internal/ssa/opGen.go | 6
 src/cmd/compile/internal/ssa/rewriteARM.go | 306 +++++++-------
 src/cmd/compile/internal/ssa/shortcircuit.go | 18
 src/cmd/go/go_test.go | 33 +
 src/cmd/go/internal/load/pkg.go | 5
 src/cmd/go/internal/modcmd/tidy.go | 2
 src/cmd/go/internal/modcmd/vendor.go | 4
 src/cmd/go/internal/modfetch/cache.go | 17
 src/cmd/go/internal/modfetch/fetch.go | 77 ++-
 src/cmd/go/internal/modload/init.go | 6
 src/cmd/go/internal/modload/load.go | 32 +
 src/cmd/go/testdata/script/list_err_cycle.txt | 15
 src/cmd/go/testdata/script/mod_get_missing_ziphash.txt | 55 ++
 src/cmd/go/testdata/script/mod_readonly.txt | 6
 src/cmd/go/testdata/script/mod_tidy_error.txt | 4
 src/cmd/go/testdata/script/mod_tidy_too_new.txt | 31 +
 src/cmd/go/testdata/script/mod_verify.txt | 7
 src/cmd/link/internal/arm/asm.go | 16
 src/cmd/link/internal/ld/data.go | 12
 src/cmd/link/internal/ld/elf.go | 2
 src/cmd/link/internal/ld/lib.go | 11
 src/cmd/link/internal/ld/macho.go | 2
 src/cmd/link/internal/loader/loader.go | 12
 src/cmd/link/internal/ppc64/asm.go | 26 -
 src/crypto/tls/key_agreement.go | 6
 src/database/sql/sql.go | 14
 src/database/sql/sql_test.go | 28 +
 src/go.mod | 2
 src/go.sum | 4
 src/internal/poll/copy_file_range_linux.go | 10
 src/internal/poll/sendfile_bsd.go | 4
 src/internal/poll/sendfile_linux.go | 3
 src/internal/poll/sendfile_solaris.go | 3
 src/math/big/arith_s390x.s | 192 --------
 src/math/big/arith_test.go | 65 ++
 src/math/big/ratconv.go | 15
 src/math/big/ratconv_test.go | 25 +
 src/net/dnsclient_unix_test.go | 321 ++++++++++++++
 src/net/http/h2_bundle.go | 2
 src/net/http/httputil/reverseproxy.go | 31 -
 src/net/http/httputil/reverseproxy_test.go | 102 ++++
 src/net/http/omithttp2.go | 4
 src/net/http/transport.go | 39 +
 src/net/http/transport_test.go | 84 +++
 src/net/lookup.go | 159 ++++++-
 src/net/sendfile_test.go | 64 ++
 src/os/readfrom_linux_test.go | 32 +
 src/run.bash | 10
 src/run.bat | 4
 src/run.rc | 9
 src/runtime/asm_arm64.s | 47 +-
 src/runtime/cgo/gcc_windows_386.c | 1
 src/runtime/cgo/gcc_windows_amd64.c | 1
 src/runtime/cgo/libcgo_windows.h | 12
 src/runtime/pprof/pprof_test.go | 3
 src/runtime/signal_unix.go | 2
 src/runtime/symtab.go | 8
 src/runtime/symtab_test.go | 85 +++
 src/runtime/sys_linux_ppc64x.s | 86 +++
 src/runtime/time.go | 5
 src/syscall/exec_linux_test.go | 1
 src/syscall/syscall_windows.go | 34 +
 src/syscall/zsyscall_windows.go | 6
 src/time/sleep_test.go | 16
 src/time/zoneinfo.go | 33 -
 src/time/zoneinfo_read.go | 44 +-
 src/time/zoneinfo_test.go | 95 +++-
 src/vendor/golang.org/x/net/http/httpguts/httplex.go | 10
 src/vendor/modules.txt | 2
 test/escape5.go | 11
 test/fixedbugs/issue42876.go | 18
 test/fixedbugs/issue45175.go | 29 +
 test/fixedbugs/issue46653.dir/bad/bad.go | 64 ++
 test/fixedbugs/issue46653.dir/main.go | 27 +
 test/fixedbugs/issue46653.go | 10
 94 files changed, 2240 insertions(+), 1649 deletions(-)

Changelog:

diff -Nru golang-1.15-1.15.9/debian/changelog golang-1.15-1.15.15/debian/changelog --- golang-1.15-1.15.9/debian/changelog 2021-07-13 13:55:42.000000000 +0800 +++ golang-1.15-1.15.15/debian/changelog 2021-08-31 00:37:05.000000000 +0800 
@@ -1,3 +1,23 @@ +golang-1.15 (1.15.15-1~deb11u1) bullseye; urgency=medium + + * Team upload. + * Rebuild 1.15.15 for bullseye. + Fix CVE-2021-36221: net/http: panic due to racy read of persistConn + after handler panic (Closes: #991961) + + -- Shengjing Zhu <[email protected]> Tue, 31 Aug 2021 00:37:05 +0800 + +golang-1.15 (1.15.15-1) unstable; urgency=medium + + * Team upload. + * New upstream version 1.15.15 + * Remove security patches which were previously backported + for 1.15.9 but are already in 1.15.15 + * Update Standards-Version to 4.5.1, no changes needed + * Change Section from devel to golang + + -- Anthony Fok <[email protected]> Sun, 15 Aug 2021 16:44:15 -0600 + golang-1.15 (1.15.9-6) unstable; urgency=medium * Team upload.

Full: https://people.debian.org/~zhsj/golang-1.15_1.15.15-1~deb11u1.debdiff

[ Other info ]
If my guess is correct, Go1.15 is EOL since Go1.17 is released.
So this is probably the only minor release we want to upload.
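
Review bot: in the debian/changelog hunk, the inherited 1.15.15-1 entry lists "Update Standards-Version to 4.5.1" and "Change Section from devel to golang", while the 1.15.15-1~deb11u1 entry on top says only "Rebuild 1.15.15 for bullseye", so these packaging-metadata changes go into the bullseye upload without being called out as intended for stable. Either state in the ~deb11u1 entry that they are kept deliberately, or revert them for the stable upload. The same entry names only CVE-2021-36221, although the diffstat shows debian/patches/0007 through 0013 being dropped because those CVE fixes now come from the upstream source; a line saying so in the ~deb11u1 entry would let a reader confirm from the top changelog entry that no earlier security fix was lost.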

