Sylvain Beucler pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
e9e59255 by Sylvain Beucler at 2022-09-16T13:08:02+02:00
golang: standardize/clarify buster-lts triage
following discussion with Ola
- - - - -
584817f4 by Sylvain Beucler at 2022-09-16T13:08:44+02:00
dla add golang-1.11
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -21292,7 +21292,7 @@ CVE-2022-1997 (Cross-site Scripting (XSS) - Stored in
GitHub repository francois
CVE-2022-1996 (Authorization Bypass Through User-Controlled Key in GitHub
repository ...)
- golang-github-emicklei-go-restful <unfixed> (bug #1012763)
[bullseye] - golang-github-emicklei-go-restful <no-dsa> (Minor issue)
- [buster] - golang-github-emicklei-go-restful <no-dsa> (Minor issue)
+ [buster] - golang-github-emicklei-go-restful <postponed> (Limited
support, follow bullseye DSAs/point-releases)
NOTE: https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1/
NOTE:
https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10
CVE-2022-1995 (The Malware Scanner WordPress plugin before 4.5.2 does not
sanitise an ...)
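Review bot: The new [buster] note for CVE-2022-1996 drops the "Minor issue" assessment that the removed line carried, whereas the other conversions from "Minor issue" in this commit keep it as "minor issue" next to "Limited support". The [bullseye] line just above still says "Minor issue", so either keep it here ("Limited support, minor issue, follow bullseye DSAs/point-releases") or, if the omission is a deliberate re-assessment of the authorization bypass, say so in the commit message.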
@@ -22152,7 +22152,7 @@ CVE-2022-32189 (A too-short encoded message can cause a
panic in Float.GobDecode
- golang-1.17 1.17.13-1
- golang-1.15 <removed>
- golang-1.11 <removed>
- [buster] - golang-1.11 <no-dsa> (Limited support)
+ [buster] - golang-1.11 <postponed> (Limited support, follow bullseye
DSAs/point-releases)
NOTE: https://go.dev/issue/53871
NOTE: https://groups.google.com/g/golang-nuts/c/DCFSyTGM0wU
NOTE:
https://github.com/golang/go/commit/055113ef364337607e3e72ed7d48df67fde6fc66
(master, go1.19)
@@ -22248,7 +22248,7 @@ CVE-2022-32148 (Improper exposure of client IP
addresses in net/http before Go 1
- golang-1.17 1.17.13-1
- golang-1.15 <removed>
- golang-1.11 <removed>
- [buster] - golang-1.11 <no-dsa> (Limited support)
+ [buster] - golang-1.11 <postponed> (Limited support, follow bullseye
DSAs/point-releases)
NOTE: https://github.com/golang/go/issues/53423
NOTE:
https://github.com/golang/go/commit/b2cc0fecc2ccd80e6d5d16542cc684f97b3a9c8a
(go1.19rc1)
NOTE:
https://github.com/golang/go/commit/ebea1e3353fa766025aa5190b9c7cc05cf069187
(go1.18.4)
@@ -22287,7 +22287,7 @@ CVE-2022-1962 (Uncontrolled recursion in the Parse
functions in go/parser before
- golang-1.17 1.17.13-1
- golang-1.15 <removed>
- golang-1.11 <removed>
- [buster] - golang-1.11 <no-dsa> (Limited support)
+ [buster] - golang-1.11 <postponed> (Limited support, follow bullseye
DSAs/point-releases)
NOTE: https://go.dev/issue/53616
NOTE:
https://github.com/golang/go/commit/695be961d57508da5a82217f7415200a11845879
(go1.19rc2)
NOTE:
https://github.com/golang/go/commit/0d1615b23f9a558aa0a1957b4c81596220eb8ec4
(go1.18.4)
@@ -26612,7 +26612,7 @@ CVE-2022-30635 (Uncontrolled recursion in
Decoder.Decode in encoding/gob before
- golang-1.17 1.17.13-1
- golang-1.15 <removed>
- golang-1.11 <removed>
- [buster] - golang-1.11 <no-dsa> (Limited support)
+ [buster] - golang-1.11 <postponed> (Limited support, follow bullseye
DSAs/point-releases)
NOTE: https://go.dev/issue/53615
NOTE:
https://github.com/golang/go/commit/6fa37e98ea4382bf881428ee0c150ce591500eb7
(go1.19rc2)
NOTE:
https://github.com/golang/go/commit/fb979a50823e5a0575cf6166b3f17a13364cbf81
(go1.18.4)
@@ -26634,7 +26634,7 @@ CVE-2022-30633 (Uncontrolled recursion in Unmarshal in
encoding/xml before Go 1.
- golang-1.17 1.17.13-1
- golang-1.15 <removed>
- golang-1.11 <removed>
- [buster] - golang-1.11 <no-dsa> (Limited support)
+ [buster] - golang-1.11 <postponed> (Limited support, follow bullseye
DSAs/point-releases)
NOTE: https://go.dev/issue/53611
NOTE:
https://github.com/golang/go/commit/c4c1993fd2a5b26fe45c09592af6d3388a3b2e08
(go1.19rc2)
NOTE:
https://github.com/golang/go/commit/2924ced71d16297320e8ff18829c2038e6ad8d9b
(go1.18.4)
@@ -26645,7 +26645,7 @@ CVE-2022-30632 (Uncontrolled recursion in Glob in
path/filepath before Go 1.17.1
- golang-1.17 1.17.13-1
- golang-1.15 <removed>
- golang-1.11 <removed>
- [buster] - golang-1.11 <no-dsa> (Limited support)
+ [buster] - golang-1.11 <postponed> (Limited support, follow bullseye
DSAs/point-releases)
NOTE: https://go.dev/issue/53416
NOTE:
https://github.com/golang/go/commit/ac68c6c683409f98250d34ad282b9e1b0c9095ef
(go1.19rc2)
NOTE:
https://github.com/golang/go/commit/5ebd862b1714dad1544bd10a24c47cdb53ad7f46
(go1.18.4)
@@ -26656,7 +26656,7 @@ CVE-2022-30631 (Uncontrolled recursion in Reader.Read
in compress/gzip before Go
- golang-1.17 1.17.13-1
- golang-1.15 <removed>
- golang-1.11 <removed>
- [buster] - golang-1.11 <no-dsa> (Limited support)
+ [buster] - golang-1.11 <postponed> (Limited support, follow bullseye
DSAs/point-releases)
NOTE: https://go.dev/issue/53168
NOTE:
https://github.com/golang/go/commit/b2b8872c876201eac2d0707276c6999ff3eb185e
(go1.19rc2)
NOTE:
https://github.com/golang/go/commit/8e27a8ac4c001c27713810b75925aa3794049c48
(go1.18.4)
@@ -26679,7 +26679,7 @@ CVE-2022-30629 (Non-random values for ticket_age_add in
session tickets in crypt
- golang-1.15 <removed>
[bullseye] - golang-1.15 <no-dsa> (Minor issue)
- golang-1.11 <removed>
- [buster] - golang-1.11 <no-dsa> (Minor issue)
+ [buster] - golang-1.11 <postponed> (Limited support, minor issue,
follow bullseye DSAs/point-releases)
- golang-1.8 <removed>
[stretch] - golang-1.8 <not-affected> (Vulnerable code - TLS1.3 -
introduced later)
- golang-1.7 <removed>
@@ -27660,21 +27660,21 @@ CVE-2022-30324 (HashiCorp Nomad and Nomad Enterprise
version 0.2.0 up to 1.3.0 w
CVE-2022-30323 (go-getter up to 1.5.11 and 2.0.2 panicked when processing
password-pro ...)
- golang-github-hashicorp-go-getter <unfixed> (bug #1011741)
[bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
- [buster] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
+ [buster] - golang-github-hashicorp-go-getter <postponed> (Limited
support, minor issue, follow bullseye DSAs/point-releases)
NOTE:
https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
NOTE: https://github.com/hashicorp/go-getter/pull/359
NOTE:
https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45
(v1.6.0)
CVE-2022-30322 (go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource
exhaustio ...)
- golang-github-hashicorp-go-getter <unfixed> (bug #1011741)
[bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
- [buster] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
+ [buster] - golang-github-hashicorp-go-getter <postponed> (Limited
support, minor issue, follow bullseye DSAs/point-releases)
NOTE:
https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
NOTE: https://github.com/hashicorp/go-getter/pull/359
NOTE:
https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45
(v1.6.0)
CVE-2022-30321 (go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access
via go- ...)
- golang-github-hashicorp-go-getter <unfixed> (bug #1011741)
[bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
- [buster] - golang-github-hashicorp-go-getter <no-dsa> (Limited support)
+ [buster] - golang-github-hashicorp-go-getter <postponed> (Limited
support, minor issue, follow bullseye DSAs/point-releases)
NOTE:
https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
NOTE: https://github.com/hashicorp/go-getter/pull/359
NOTE:
https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45
(v1.6.0)
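Review bot: CVE-2022-30321 gains "minor issue" in this hunk although its removed [buster] line said only "(Limited support)"; the other two go-getter entries here already carried "Minor issue", this one did not. The [bullseye] line does say "Minor issue", so this is probably alignment, but it is a severity statement added in a commit described as standardizing wording. Please confirm that "arbitrary host access" was assessed as minor for buster rather than copied across from the neighbouring entries.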
@@ -34241,7 +34241,7 @@ CVE-2022-28131 (In Decoder.Skip in encoding/xml in Go
before 1.17.12 and 1.18.x
- golang-1.18 1.18.4-1
- golang-1.15 <removed>
- golang-1.11 <removed>
- [buster] - golang-1.11 <no-dsa> (Limited support)
+ [buster] - golang-1.11 <postponed> (Limited support, follow bullseye
DSAs/point-releases)
NOTE: https://github.com/golang/go/issues/53614
NOTE:
https://github.com/golang/go/commit/08c46ed43d80bbb67cb904944ea3417989be4af3
(go1.19rc2)
NOTE:
https://github.com/golang/go/commit/90f040ec510dd678b7860d70ca77e5682f4c7e96
(go1.18.4)
@@ -35589,7 +35589,7 @@ CVE-2022-27664 (In net/http in Go before 1.18.6 and
1.19.x before 1.19.1, attack
- golang-1.17 <unfixed>
- golang-1.15 <removed>
- golang-1.11 <removed>
- [buster] - golang-1.11 <no-dsa> (Limited support)
+ [buster] - golang-1.11 <postponed> (Limited support, minor issue,
follow bullseye DSAs/point-releases)
NOTE: https://groups.google.com/g/golang-announce/c/x49AQzIVX-s
NOTE: https://github.com/golang/go/issues/54658
NOTE:
https://github.com/golang/go/commit/9cfe4e258b1c9d4a04a42539c21c7bdb2e227824
(go1.19.1)
@@ -36943,7 +36943,7 @@ CVE-2022-27192 (The Reporting module in Aseco Lietuva
document management system
NOT-FOR-US: Aseco
CVE-2022-27191 (The golang.org/x/crypto/ssh package before
0.0.0-20220314234659-1baeb1 ...)
- golang-go.crypto 1:0.0~git20220315.3147a52-1
- [buster] - golang-go.crypto <no-dsa> (Limited support)
+ [buster] - golang-go.crypto <postponed> (Limited support, follow
bullseye DSAs/point-releases)
NOTE:
https://groups.google.com/g/golang-announce/c/-cp44ypCT5s/m/wmegxkLiAQAJ
NOTE:
https://github.com/golang/crypto/commit/1baeb1ce4c0b006eff0f294c47cb7617598dfb3d
CVE-2022-27190
@@ -37688,7 +37688,7 @@ CVE-2022-26946
CVE-2022-26945 (go-getter up to 1.5.11 and 2.0.2 allowed protocol switching,
endless r ...)
- golang-github-hashicorp-go-getter <unfixed> (bug #1011741)
[bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
- [buster] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
+ [buster] - golang-github-hashicorp-go-getter <postponed> (Limited
support, minor issue, follow bullseye DSAs/point-releases)
NOTE:
https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
NOTE: https://github.com/hashicorp/go-getter/pull/359
NOTE:
https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45
(v1.6.0)
@@ -43429,7 +43429,7 @@ CVE-2022-24921 (regexp.Compile in Go before 1.16.15 and
1.17.x before 1.17.8 all
- golang-1.15 <removed>
[bullseye] - golang-1.15 1.15.15-1~deb11u4
- golang-1.11 <removed>
- [buster] - golang-1.11 <no-dsa> (Minor issue)
+ [buster] - golang-1.11 <postponed> (Limited support, minor issue,
follow bullseye DSAs/point-releases)
- golang-1.8 <removed>
- golang-1.7 <removed>
NOTE: https://github.com/golang/go/issues/51112
@@ -47713,7 +47713,7 @@ CVE-2022-23806 (Curve.IsOnCurve in crypto/elliptic in
Go before 1.16.14 and 1.17
- golang-1.15 <removed>
[bullseye] - golang-1.15 1.15.15-1~deb11u3
- golang-1.11 <removed>
- [buster] - golang-1.11 <no-dsa> (Minor issue)
+ [buster] - golang-1.11 <postponed> (Limited support, minor issue,
follow bullseye DSAs/point-releases)
- golang-1.8 <removed>
- golang-1.7 <removed>
NOTE: https://github.com/golang/go/issues/50974
@@ -47843,7 +47843,7 @@ CVE-2022-23773 (cmd/go in Go before 1.16.14 and 1.17.x
before 1.17.7 can misinte
- golang-1.15 <removed>
[bullseye] - golang-1.15 1.15.15-1~deb11u3
- golang-1.11 <removed>
- [buster] - golang-1.11 <no-dsa> (Minor issue)
+ [buster] - golang-1.11 <postponed> (Limited support, minor issue,
follow bullseye DSAs/point-releases)
- golang-1.8 <removed>
[stretch] - golang-1.8 <not-affected> (vgo/modfetch module not present)
- golang-1.7 <removed>
@@ -47858,7 +47858,7 @@ CVE-2022-23772 (Rat.SetString in math/big in Go before
1.16.14 and 1.17.x before
- golang-1.15 <removed>
[bullseye] - golang-1.15 1.15.15-1~deb11u3
- golang-1.11 <removed>
- [buster] - golang-1.11 <no-dsa> (Minor issue)
+ [buster] - golang-1.11 <postponed> (Limited support, minor issue,
follow bullseye DSAs/point-releases)
- golang-1.8 <removed>
- golang-1.7 <removed>
NOTE: https://github.com/golang/go/issues/50699
@@ -58095,7 +58095,7 @@ CVE-2021-44717 (Go before 1.16.12 and 1.17.x before
1.17.5 on UNIX allows write
- golang-1.15 1.15.15-5
[bullseye] - golang-1.15 1.15.15-1~deb11u2
- golang-1.11 <removed>
- [buster] - golang-1.11 <no-dsa> (Minor issue)
+ [buster] - golang-1.11 <postponed> (Limited support, minor issue,
follow bullseye DSAs/point-releases)
- golang-1.8 <removed>
- golang-1.7 <removed>
NOTE: https://github.com/golang/go/issues/50057
@@ -58108,13 +58108,13 @@ CVE-2021-44716 (net/http in Go before 1.16.12 and
1.17.x before 1.17.5 allows un
- golang-1.15 1.15.15-5
[bullseye] - golang-1.15 1.15.15-1~deb11u2
- golang-1.11 <removed>
- [buster] - golang-1.11 <no-dsa> (Minor issue)
+ [buster] - golang-1.11 <postponed> (Limited support, minor issue,
follow bullseye DSAs/point-releases)
- golang-1.8 <removed>
- golang-1.7 <removed>
- golang-golang-x-net 1:0.0+git20211209.491a49a+dfsg-1
[bullseye] - golang-golang-x-net <no-dsa> (Minor issue)
- golang-golang-x-net-dev <removed>
- [buster] - golang-golang-x-net-dev <no-dsa> (Minor issue)
+ [buster] - golang-golang-x-net-dev <postponed> (Limited support, minor
issue, follow bullseye DSAs/point-releases)
[stretch] - golang-golang-x-net-dev <postponed> (Limited support in
stretch)
NOTE: https://github.com/golang/go/issues/50058
NOTE:
https://groups.google.com/g/golang-announce/c/hcmEScgc00k/m/ZWnOjeY4CQAJ
@@ -60645,7 +60645,7 @@ CVE-2022-21709
CVE-2022-21708 (graphql-go is a GraphQL server with a focus on ease of use. In
version ...)
- golang-github-graph-gophers-graphql-go 1.3.0-1
[bullseye] - golang-github-graph-gophers-graphql-go <no-dsa> (Minor
issue)
- [buster] - golang-github-graph-gophers-graphql-go <no-dsa> (Minor issue)
+ [buster] - golang-github-graph-gophers-graphql-go <postponed> (Limited
support, minor issue, follow bullseye DSAs/point-releases)
NOTE:
https://github.com/graph-gophers/graphql-go/commit/eae31ca73eb3473c544710955d1dbebc22605bfe
(v1.3.0)
NOTE:
https://github.com/graph-gophers/graphql-go/security/advisories/GHSA-mh3m-8c74-74xh
NOTE: https://github.com/graph-gophers/graphql-go/pull/492
@@ -60682,7 +60682,7 @@ CVE-2022-21699 (IPython (Interactive Python) is a
command shell for interactive
CVE-2022-21698 (client_golang is the instrumentation library for Go
applications in Pr ...)
- golang-github-prometheus-client-golang 1.11.1-1 (bug #1008008)
[bullseye] - golang-github-prometheus-client-golang <no-dsa> (Minor
issue)
- [buster] - golang-github-prometheus-client-golang <no-dsa> (Minor issue)
+ [buster] - golang-github-prometheus-client-golang <postponed> (Limited
support, minor issue, DoS in specific conditions, follow bullseye
DSAs/point-releases)
[stretch] - golang-github-prometheus-client-golang <postponed> (Minor
issue, DoS in specific conditions, requires rebuilding reverse-dependencies;
Limited support in stretch)
NOTE:
https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p
NOTE: https://github.com/prometheus/client_golang/pull/962
@@ -62821,7 +62821,7 @@ CVE-2021-43566 (All versions of Samba prior to 4.13.16
are vulnerable to a malic
NOTE: https://bugzilla.samba.org/show_bug.cgi?id=13979
CVE-2021-43565 (The x/crypto/ssh package before
0.0.0-20211202192323-5770296d904e of g ...)
- golang-go.crypto 1:0.0~git20211202.5770296-1
- [buster] - golang-go.crypto <no-dsa> (Limited support)
+ [buster] - golang-go.crypto <postponed> (Limited support, minor issue,
follow bullseye DSAs/point-releases)
[stretch] - golang-go.crypto <postponed> (Limited support in stretch)
NOTE:
https://github.com/golang/crypto/commit/5770296d904e90f15f38f77dfc2e43fdf5efc083
NOTE: https://github.com/golang/go/issues/49932
@@ -65787,7 +65787,7 @@ CVE-2021-42837 (An issue was discovered in Talend Data
Catalog before 7.3-202109
CVE-2021-42836 (GJSON before 1.9.3 allows a ReDoS (regular expression denial
of servic ...)
- golang-github-tidwall-gjson <unfixed> (bug #1000225)
[bullseye] - golang-github-tidwall-gjson <no-dsa> (Minor issue)
- [buster] - golang-github-tidwall-gjson <no-dsa> (Minor issue)
+ [buster] - golang-github-tidwall-gjson <postponed> (Limited support,
minor issue, follow bullseye DSAs/point-releases)
NOTE:
https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944
NOTE:
https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96
NOTE: https://github.com/tidwall/gjson/issues/236
@@ -68574,7 +68574,7 @@ CVE-2021-42249
CVE-2021-42248 (GJSON <= 1.9.2 allows attackers to cause a redos via
crafted JSON i ...)
- golang-github-tidwall-gjson <unfixed> (bug #1011616)
[bullseye] - golang-github-tidwall-gjson <no-dsa> (Minor issue)
- [buster] - golang-github-tidwall-gjson <no-dsa> (Minor issue)
+ [buster] - golang-github-tidwall-gjson <postponed> (Limited support,
minor issue, follow bullseye DSAs/point-releases)
NOTE: https://github.com/tidwall/gjson/issues/237
NOTE:
https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96
(v1.9.3)
CVE-2021-42247
@@ -69829,7 +69829,7 @@ CVE-2021-41771 (ImportedSymbols in debug/macho (for
Open or OpenFat) in Go befor
- golang-1.15 1.15.15-5
[bullseye] - golang-1.15 1.15.15-1~deb11u2
- golang-1.11 <removed>
- [buster] - golang-1.11 <no-dsa> (Minor issue)
+ [buster] - golang-1.11 <postponed> (Limited support, minor issue,
follow bullseye DSAs/point-releases)
- golang-1.8 <removed>
- golang-1.7 <removed>
NOTE: https://github.com/golang/go/issues/48990
@@ -76045,7 +76045,7 @@ CVE-2021-39293 (In archive/zip in Go before 1.16.8 and
1.17.x before 1.17.1, a c
- golang-1.15 1.15.15-2
[bullseye] - golang-1.15 1.15.15-1~deb11u1
- golang-1.11 <removed>
- [buster] - golang-1.11 <no-dsa> (Minor issue)
+ [buster] - golang-1.11 <postponed> (Limited support, minor issue,
follow bullseye DSAs/point-releases)
- golang-1.8 <removed>
- golang-1.7 <removed>
NOTE: https://github.com/golang/go/issues/47801
@@ -77845,7 +77845,7 @@ CVE-2021-38561
RESERVED
- golang-golang-x-text 0.3.7-1
- golang-x-text <removed>
- [buster] - golang-x-text <no-dsa> (Minor issue)
+ [buster] - golang-x-text <postponed> (Limited support, minor issue,
follow bullseye DSAs/point-releases)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2100495
CVE-2021-38560 (Ivanti Service Manager 2021.1 allows reflected XSS via the
appName par ...)
NOT-FOR-US: Ivanti
@@ -78567,7 +78567,7 @@ CVE-2021-38297 (Go before 1.16.9 and 1.17.x before
1.17.2 has a Buffer Overflow
- golang-1.15 1.15.15-5
[bullseye] - golang-1.15 1.15.15-1~deb11u2
- golang-1.11 <removed>
- [buster] - golang-1.11 <no-dsa> (Minor issue)
+ [buster] - golang-1.11 <postponed> (Limited support, minor issue,
follow bullseye DSAs/point-releases)
- golang-1.8 <not-affected> (Vulnerable code not present)
- golang-1.7 <not-affected> (Vulnerable code not present)
NOTE:
https://github.com/golang/go/commit/77f2750f4398990eed972186706f160631d7dae4
@@ -83780,7 +83780,7 @@ CVE-2021-36221 (Go before 1.15.15 and 1.16.x before
1.16.7 has a race condition
- golang-1.15 1.15.15-1 (bug #991961)
[bullseye] - golang-1.15 1.15.15-1~deb11u1
- golang-1.11 <removed>
- [buster] - golang-1.11 <no-dsa> (Minor issue)
+ [buster] - golang-1.11 <postponed> (Limited support, minor issue,
follow bullseye DSAs/point-releases)
- golang-1.8 <removed>
- golang-1.7 <removed>
NOTE: https://github.com/golang/go/issues/46866
@@ -87817,7 +87817,7 @@ CVE-2021-34558 (The crypto/tls package of Go through
1.16.5 does not properly as
- golang-1.16 1.16.6-1
- golang-1.15 1.15.9-6
- golang-1.11 <removed>
- [buster] - golang-1.11 <no-dsa> (Minor issue)
+ [buster] - golang-1.11 <postponed> (Limited support, minor issue, DoS)
- golang-1.8 <removed>
[stretch] - golang-1.8 <postponed> (Minor issue, DoS, requires
rebuilding reverse-dependencies)
- golang-1.7 <removed>
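Review bot: The new CVE-2021-34558 note ends at "DoS" without the "follow bullseye DSAs/point-releases" clause that most other entries in this commit receive. A <postponed> entry with no stated condition gives the next triager nothing to act on; either add the clause or state what the fix is waiting for, as the [stretch] line below does with "requires rebuilding reverse-dependencies".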
@@ -91149,7 +91149,7 @@ CVE-2021-33198 (In Go before 1.15.13 and 1.16.x before
1.16.5, there can be a pa
- golang-1.16 1.16.5-1
- golang-1.15 1.15.9-5
- golang-1.11 <removed>
- [buster] - golang-1.11 <no-dsa> (Minor issue)
+ [buster] - golang-1.11 <postponed> (Limited support, minor issue)
- golang-1.8 <removed>
[stretch] - golang-1.8 <not-affected> (Vulnerable code introduced later)
- golang-1.7 <removed>
@@ -91161,7 +91161,7 @@ CVE-2021-33197 (In Go before 1.15.13 and 1.16.x before
1.16.5, some configuratio
- golang-1.16 1.16.5-1
- golang-1.15 1.15.9-5
- golang-1.11 <removed>
- [buster] - golang-1.11 <no-dsa> (Minor issue)
+ [buster] - golang-1.11 <postponed> (Limited support, minor issue,
header corruption in proxy chains)
- golang-1.8 <removed>
[stretch] - golang-1.8 <postponed> (Minor issue, header corruption in
proxy chains, requires rebuilding reverse-dependencies)
- golang-1.7 <removed>
@@ -91174,7 +91174,7 @@ CVE-2021-33196 (In archive/zip in Go before 1.15.13 and
1.16.x before 1.16.5, a
- golang-1.16 1.16.5-1 (bug #989492)
- golang-1.15 1.15.9-4
- golang-1.11 <removed>
- [buster] - golang-1.11 <no-dsa> (Minor issue)
+ [buster] - golang-1.11 <postponed> (Limited support, minor issue, fixed
in stretch-lts)
- golang-1.8 <removed>
- golang-1.7 <removed>
NOTE: https://github.com/golang/go/issues/46242
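Review bot: "fixed in stretch-lts" together with <postponed> on the [buster] line for CVE-2021-33196 records that the older release has a fix the newer one lacks, so an upgrade from stretch to buster reintroduces the issue. That argues for ranking this entry above the other minor ones instead of leaving it open-ended; consider saying so in the note, or tie it to the golang-1.11 entry that the second commit ("dla add golang-1.11") adds to data/dla-needed.txt.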
@@ -91187,7 +91187,7 @@ CVE-2021-33195 (Go before 1.15.13 and 1.16.x before
1.16.5 has functions for DNS
- golang-1.15 1.15.9-5
[bullseye] - golang-1.15 <no-dsa> (Minor issue; will be fixed via point
release)
- golang-1.11 <removed>
- [buster] - golang-1.11 <no-dsa> (Minor issue)
+ [buster] - golang-1.11 <postponed> (Limited support, minor issue,
affects poor validation practice, follow bullseye DSAs/point-releases)
- golang-1.8 <removed>
[stretch] - golang-1.8 <postponed> (Minor issue, affects poor
validation practice, requires rebuilding reverse-dependencies)
- golang-1.7 <removed>
@@ -91198,7 +91198,7 @@ CVE-2021-33195 (Go before 1.15.13 and 1.16.x before
1.16.5 has functions for DNS
CVE-2021-33194 (golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023
allows atta ...)
- golang-golang-x-net 1:0.0+git20210119.5f4716e+dfsg-4
- golang-golang-x-net-dev <removed>
- [buster] - golang-golang-x-net-dev <no-dsa> (Limited support)
+ [buster] - golang-golang-x-net-dev <postponed> (Limited support)
[stretch] - golang-golang-x-net-dev <no-dsa> (Limited support in
stretch)
NOTE:
https://groups.google.com/g/golang-dev/c/28x0nthP-c8/m/KqWVTjsnBAAJ
NOTE: https://github.com/golang/go/issues/46288
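Review bot: The [buster] line for CVE-2021-33194 changes only the state and leaves a bare "(Limited support)", with neither a severity nor a follow-up condition, which is the wording this commit is otherwise replacing. It also leaves [buster] as <postponed> and [stretch] as <no-dsa> for the same package with the same justification. Add the reason that distinguishes the two, or align the note with the other golang-golang-x-net-dev conversion in this commit (CVE-2021-31525: "Limited support, minor issue, DoS").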
@@ -95666,14 +95666,14 @@ CVE-2021-31525 (net/http in Go before 1.15.12 and
1.16.x before 1.16.4 allows re
- golang-1.16 1.16.4-1
- golang-1.15 1.15.9-2
- golang-1.11 <removed>
- [buster] - golang-1.11 <no-dsa> (Minor issue)
+ [buster] - golang-1.11 <postponed> (Limited support, minor issue, DoS)
- golang-1.8 <removed>
[stretch] - golang-1.8 <postponed> (Minor issue, DoS, requires
rebuilding reverse-dependencies)
- golang-1.7 <removed>
[stretch] - golang-1.7 <postponed> (Minor issue, DoS, requires
rebuilding reverse-dependencies)
- golang-golang-x-net 1:0.0+git20210119.5f4716e+dfsg-3
- golang-golang-x-net-dev <removed>
- [buster] - golang-golang-x-net-dev <no-dsa> (Limited support)
+ [buster] - golang-golang-x-net-dev <postponed> (Limited support, minor
issue, DoS)
[stretch] - golang-golang-x-net-dev <no-dsa> (Limited support in
stretch)
NOTE: https://github.com/golang/go/issues/45710
NOTE: https://github.com/golang/go/issues/45711 (1.15 backport)
@@ -100137,7 +100137,7 @@ CVE-2021-29923 (Go before 1.17 does not properly
consider extraneous zero charac
- golang-1.16 <unfixed>
- golang-1.15 <unfixed>
- golang-1.11 <removed>
- [buster] - golang-1.11 <no-dsa> (Minor issue)
+ [buster] - golang-1.11 <postponed> (Limited support, minor issue,
follow bullseye DSAs/point-releases)
- golang-1.8 <removed>
[stretch] - golang-1.8 <ignored> (Minor issue, IP-based access control
failure in specific cases, upstream won't fix supported releases for backward
compatibility)
- golang-1.7 <removed>
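Review bot: "follow bullseye DSAs/point-releases" may never trigger for CVE-2021-29923: the context lines show golang-1.15 as <unfixed>, and the [stretch] note says upstream won't fix supported releases for backward compatibility. If the same reasoning applies to golang-1.11, <ignored> with that explanation would match the [stretch] line and avoid a postponed entry that stays open indefinitely.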
@@ -105196,7 +105196,7 @@ CVE-2021-27918 (encoding/xml in Go before 1.15.9 and
1.16.x before 1.16.1 has an
- golang-1.16 1.16.3-1
- golang-1.15 1.15.9-1
- golang-1.11 <removed>
- [buster] - golang-1.11 <no-dsa> (Minor issue)
+ [buster] - golang-1.11 <postponed> (Limited support, minor issue, DoS)
- golang-1.8 <removed>
[stretch] - golang-1.8 <postponed> (Minor issue, DoS)
- golang-1.7 <removed>
@@ -114992,7 +114992,7 @@ CVE-2021-25900 (An issue was discovered in the
smallvec crate before 0.6.14 and
NOTE: https://github.com/servo/rust-smallvec/issues/252
CVE-2021-3127 (NATS Server 2.x before 2.2.0 and JWT library before 2.0.1 have
Incorre ...)
- golang-github-nats-io-jwt 2.2.0-1
- [buster] - golang-github-nats-io-jwt <no-dsa> (Limited support)
+ [buster] - golang-github-nats-io-jwt <postponed> (Limited support,
requires rebuilding golang-github-nats-io-gnatsd)
- nats-server <not-affected> (Fixed before initial upload to Debian)
NOTE: https://advisories.nats.io/CVE/CVE-2021-3127.txt
NOTE:
https://github.com/nats-io/jwt/security/advisories/GHSA-62mh-w5cv-p88c
@@ -115146,9 +115146,10 @@ CVE-2021-3122 (CMCAgent in NCR Command Center Agent
16.3 on Aloha POS/BOH server
NOT-FOR-US: CMCAgent in NCR Command Center Agent
CVE-2021-3121 (An issue was discovered in GoGo Protobuf before 1.3.2.
plugin/unmarsha ...)
- golang-gogoprotobuf 1.3.2-1
- [buster] - golang-gogoprotobuf <no-dsa> (Minor issue)
+ [buster] - golang-gogoprotobuf <postponed> (Limited support, minor
issue)
[stretch] - golang-gogoprotobuf <no-dsa> (Minor issue)
NOTE:
https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc
+ NOTE: Triage discussion:
https://lists.debian.org/debian-lts/2021/03/msg00011.html
CVE-2021-3120 (An arbitrary file upload vulnerability in the YITH WooCommerce
Gift Ca ...)
NOT-FOR-US: YITH WooCommerce Gift Cards Premium plugin for WordPress
CVE-2021-3119 (Zetetic SQLCipher 4.x before 4.4.3 has a NULL pointer
dereferencing is ...)
@@ -120931,12 +120932,12 @@ CVE-2020-36068
RESERVED
CVE-2020-36067 (GJSON <=v1.6.5 allows attackers to cause a denial of
service (panic ...)
- golang-github-tidwall-gjson 1.6.7-1
- [buster] - golang-github-tidwall-gjson <no-dsa> (Minor issue)
+ [buster] - golang-github-tidwall-gjson <postponed> (Limited support,
minor issue)
NOTE: https://github.com/tidwall/gjson/issues/196
NOTE:
https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b
CVE-2020-36066 (GJSON <1.6.5 allows attackers to cause a denial of service
(remote) ...)
- golang-github-tidwall-gjson 1.6.7-1
- [buster] - golang-github-tidwall-gjson <no-dsa> (Minor issue)
+ [buster] - golang-github-tidwall-gjson <postponed> (Limited support,
minor issue)
NOTE: https://github.com/tidwall/gjson/issues/195
NOTE:
https://github.com/tidwall/match/commit/c2f534168b739a7ec1821a33839fb2f029f26bbc
NOTE: fix in golang-github-tidwall-gjson is dependency on
golang-github-tidwall-match v1.0.3
@@ -126672,11 +126673,11 @@ CVE-2020-35382 (SQL Injection in Classbooking
before 2.4.1 via the username fiel
NOT-FOR-US: Classbooking
CVE-2020-35381 (jsonparser 1.0.0 allows attackers to cause a denial of service
(panic: ...)
- golang-github-buger-jsonparser 1.1.1-1 (bug #978445)
- [buster] - golang-github-buger-jsonparser <no-dsa> (Minor issue)
+ [buster] - golang-github-buger-jsonparser <postponed> (Limited support,
minor issue)
NOTE: https://github.com/buger/jsonparser/issues/219
CVE-2020-35380 (GJSON before 1.6.4 allows attackers to cause a denial of
service via c ...)
- golang-github-tidwall-gjson 1.6.7-1 (bug #977622)
- [buster] - golang-github-tidwall-gjson <no-dsa> (Limited support)
+ [buster] - golang-github-tidwall-gjson <postponed> (Limited support,
minor issue)
NOTE: https://github.com/tidwall/gjson/issues/192
NOTE:
https://github.com/tidwall/gjson/commit/f0ee9ebde4b619767ae4ac03e8e42addb530f6bc
(v1.6.4)
CVE-2020-35379
@@ -131140,14 +131141,14 @@ CVE-2020-28853
CVE-2020-28852 (In x/text in Go before v0.3.5, a "slice bounds out of range"
panic occ ...)
- golang-golang-x-text 0.3.5-1 (bug #980002)
- golang-x-text <removed>
- [buster] - golang-x-text <no-dsa> (Minor issue)
+ [buster] - golang-x-text <postponed> (Limited support, minor issue)
[stretch] - golang-x-text <no-dsa> (Minor issue. Golang has limited
support in stretch.)
NOTE: https://github.com/golang/go/issues/42536
NOTE:
https://github.com/golang/text/commit/4482a914f52311356f6f4b7a695d4075ca22c0c6
(v0.3.5)
CVE-2020-28851 (In x/text in Go 1.15.4, an "index out of range" panic occurs
in langua ...)
- golang-golang-x-text 0.3.6-1 (bug #980001)
- golang-x-text <removed>
- [buster] - golang-x-text <no-dsa> (Minor issue)
+ [buster] - golang-x-text <postponed> (Limited support, minor issue)
[stretch] - golang-x-text <no-dsa> (Minor issue. Golang has limited
support in stretch.)
NOTE: https://github.com/golang/go/issues/42535
CVE-2020-28850
@@ -133252,7 +133253,7 @@ CVE-2020-28484
CVE-2020-28483 (This affects all versions of package github.com/gin-gonic/gin.
When gi ...)
- golang-github-gin-gonic-gin <unfixed> (bug #988943)
[bullseye] - golang-github-gin-gonic-gin <no-dsa> (Minor issue)
- [buster] - golang-github-gin-gonic-gin <no-dsa> (Minor issue)
+ [buster] - golang-github-gin-gonic-gin <postponed> (Limited support,
minor issue, follow bullseye DSAs/point-releases)
NOTE: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGINGONICGIN-1041736
NOTE: https://github.com/gin-gonic/gin/pull/2474
NOTE:
https://github.com/gin-gonic/gin/commit/c9ea8ece4a3881028f7f715f008414346a7f4b88
@@ -133522,7 +133523,7 @@ CVE-2020-28367 (Code injection in the go command with
cgo before Go 1.14.12 and
{DLA-2460-1}
- golang-1.15 1.15.5-1
- golang-1.11 <removed>
- [buster] - golang-1.11 <no-dsa> (Minor issue)
+ [buster] - golang-1.11 <postponed> (Limited support, minor issue, fixed
in stretch-lts)
- golang-1.8 <removed>
- golang-1.7 <removed>
[stretch] - golang-1.7 <ignored> (validation of cgo flags first
introduced in golang-1.8 / CVE-2018-6574)
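Review bot: The [buster] line for CVE-2020-28367 labels a code injection in the go command as "minor issue" while also stating "fixed in stretch-lts", and the entry carries {DLA-2460-1}. As written, buster is behind stretch-lts for this CVE and the note gives no follow-up condition. Either reference the golang-1.11 update that the second commit queues in data/dla-needed.txt, or explain why a fix that was backported for stretch can wait in buster.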
@@ -133531,7 +133532,7 @@ CVE-2020-28367 (Code injection in the go command with
cgo before Go 1.14.12 and
CVE-2020-28366 (Go before 1.14.12 and 1.15.x before 1.15.5 allows Code
Injection. ...)
- golang-1.15 1.15.5-1
- golang-1.11 <removed>
- [buster] - golang-1.11 <no-dsa> (Minor issue)
+ [buster] - golang-1.11 <postponed> (Limited support, minor issue)
- golang-1.8 <removed>
[stretch] - golang-1.8 <ignored> (Minor issue, too intrusive to
backport)
- golang-1.7 <removed>
@@ -136678,7 +136679,6 @@ CVE-2020-27813 (An integer overflow vulnerability
exists with the length of webs
{DLA-2520-1}
- golang-github-gorilla-websocket <not-affected> (Fixed with first
upload to Debian with renamed source package)
- golang-websocket <removed>
- [buster] - golang-websocket <no-dsa> (Limited support)
NOTE:
https://github.com/gorilla/websocket/security/advisories/GHSA-jf24-p9p9-4rjh
NOTE:
https://github.com/gorilla/websocket/commit/5b740c29263eb386f33f265561c8262522f19d37
(v1.4.1)
CVE-2020-27812
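Review bot: This hunk deletes the [buster] line for golang-websocket outright instead of converting it to <postponed> like the other entries, and neither commit message mentions the package. With only "- golang-websocket <removed>" left, buster no longer has an explicit triage state for CVE-2020-27813. If the intent is to make the package show up for triage again, state that in the commit message; otherwise restore the line with the standardized wording.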
@@ -139493,7 +139493,7 @@ CVE-2020-26893 (An issue was discovered in ClamXAV 3
before 3.1.1. A malicious a
NOT-FOR-US: ClamXAV
CVE-2020-26892 (The JWT library in NATS nats-server before 2.1.9 has Incorrect
Access ...)
- golang-github-nats-io-jwt 2.2.0-1 (bug #988950)
- [buster] - golang-github-nats-io-jwt <no-dsa> (Minor issue)
+ [buster] - golang-github-nats-io-jwt <postponed> (Limited support,
minor issue, requires rebuilding golang-github-nats-io-gnatsd)
NOTE: https://advisories.nats.io/CVE/CVE-2020-26892.txt
NOTE:
https://github.com/nats-io/jwt/security/advisories/GHSA-4w5x-x539-ppf5
CVE-2020-26891 (AuthRestServlet in Matrix Synapse before 1.21.0 is vulnerable
to XSS d ...)
@@ -140364,7 +140364,7 @@ CVE-2020-26522 (A cross-site request forgery (CSRF)
vulnerability in mod/user/ac
NOT-FOR-US: Garfield Petshop
CVE-2020-26521 (The JWT library in NATS nats-server before 2.1.9 allows a
denial of se ...)
- golang-github-nats-io-jwt 2.2.0-1 (bug #988950)
- [buster] - golang-github-nats-io-jwt <no-dsa> (Minor issue)
+ [buster] - golang-github-nats-io-jwt <postponed> (Limited support,
minor issue, requires rebuilding golang-github-nats-io-gnatsd)
NOTE: https://advisories.nats.io/CVE/CVE-2020-26521.txt
NOTE:
https://github.com/nats-io/jwt/security/advisories/GHSA-h2fg-54x9-5qhq
CVE-2020-26520
@@ -145281,7 +145281,7 @@ CVE-2020-24553 (Go before 1.14.8 and 1.15.x before
1.15.1 allows XSS because tex
- golang-1.15 1.15.2-1 (bug #969661)
- golang-1.14 <removed> (bug #969662)
- golang-1.11 <removed>
- [buster] - golang-1.11 <no-dsa> (Minor issue)
+ [buster] - golang-1.11 <postponed> (Limited support, minor issue)
- golang-1.8 <removed>
[stretch] - golang-1.8 <no-dsa> (Minor issue)
- golang-1.7 <removed>
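Review bot: CVE-2020-24553 is set to `<postponed> (Limited support, minor issue)` for golang-1.11 here, but it does not appear in the CVE list of the golang-1.11 entry that this same push adds to data/dla-needed.txt. Either add it to that NOTE so the planned upload picks it up, or extend the reason on this line to say why it stays out of that upload.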
@@ -165854,7 +165854,7 @@ CVE-2020-15217 (In GLPI before version 9.5.2, there
is a leakage of user informa
- glpi <removed>
CVE-2020-15216 (In goxmldsig (XML Digital Signatures implemented in pure Go)
before ve ...)
- golang-github-russellhaering-goxmldsig 1.1.0-1 (bug #971615)
- [buster] - golang-github-russellhaering-goxmldsig <no-dsa> (Minor issue)
+ [buster] - golang-github-russellhaering-goxmldsig <postponed> (Limited
support, minor issue, no build rdeps, follow bullseye DSAs/point-releases)
NOTE:
https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7
NOTE:
https://github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64
CVE-2020-15215 (Electron before versions 11.0.0-beta.6, 10.1.2, 9.3.1 or 8.5.2
is vuln ...)
@@ -169208,7 +169208,7 @@ CVE-2020-14041
CVE-2020-14040 (The x/text package before 0.3.3 for Go has a vulnerability in
encoding ...)
- golang-golang-x-text 0.3.3-1 (bug #964272)
- golang-x-text <removed> (bug #964271)
- [buster] - golang-x-text <no-dsa> (Minor issue)
+ [buster] - golang-x-text <postponed> (Limited support, minor issue)
[stretch] - golang-x-text <no-dsa> (Minor issue)
NOTE: https://github.com/golang/go/issues/39491
NOTE:
https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e
@@ -179815,7 +179815,7 @@ CVE-2020-10676
RESERVED
CVE-2020-10675 (The Library API in buger jsonparser through 2019-12-04 allows
attacker ...)
- golang-github-buger-jsonparser 0.0~git20200322.0.f7e751e-1 (bug
#954373)
- [buster] - golang-github-buger-jsonparser <no-dsa> (Minor issue)
+ [buster] - golang-github-buger-jsonparser <postponed> (Limited support,
minor issue)
NOTE: https://github.com/buger/jsonparser/issues/188
NOTE:
https://github.com/buger/jsonparser/commit/91ac96899e492584984ded0c8f9a08f10b473717
CVE-2020-10673 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the
interact ...)
@@ -183172,7 +183172,7 @@ CVE-2020-9284
CVE-2020-9283 (golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975
for Go a ...)
{DLA-2455-1 DLA-2453-1 DLA-2402-1}
- golang-go.crypto 1:0.0~git20200221.2aa609c-1 (bug #952462)
- [buster] - golang-go.crypto <no-dsa> (Minor issue)
+ [buster] - golang-go.crypto <postponed> (Limited support, minor issue,
fixed in stretch)
[jessie] - golang-go.crypto <no-dsa> (Minor issue)
NOTE:
https://github.com/golang/crypto/commit/bac4c82f69751a6dd76e702d54b3ceb88adab236
CVE-2020-9282 (In Mahara 18.10 before 18.10.5, 19.04 before 19.04.4, and 19.10
before ...)
@@ -183964,7 +183964,7 @@ CVE-2020-8946 (Netis WF2471 v1.2.30142 devices allow
an authenticated attacker t
NOT-FOR-US: Netis devices
CVE-2020-8945 (The proglottis Go wrapper before 0.1.1 for the GPGME library
has a use ...)
- golang-github-proglottis-gpgme 0.1.1-1 (bug #951372)
- [buster] - golang-github-proglottis-gpgme <no-dsa> (Minor issue)
+ [buster] - golang-github-proglottis-gpgme <postponed> (Limited support,
minor issue, requires rebuilding golang-github-keltia-archive and dmarc-cat)
NOTE: https://github.com/proglottis/gpgme/pull/23
CVE-2020-8944 (An arbitrary memory write vulnerability in Asylo versions up to
0.6.0 ...)
NOT-FOR-US: Asylo
@@ -230336,7 +230336,7 @@ CVE-2019-11843 (The MailPoet plugin before 3.23.2 for
WordPress allows remote at
CVE-2019-11841 (A message-forgery issue was discovered in
crypto/openpgp/clearsign/cle ...)
{DLA-2402-1 DLA-1920-1}
- golang-go.crypto 1:0.0~git20200221.2aa609c-1
- [buster] - golang-go.crypto <no-dsa> (Limited support)
+ [buster] - golang-go.crypto <postponed> (Limited support, fixed in
stretch)
NOTE:
https://go.googlesource.com/crypto/+/c05e17bb3b2dca130fc919668a96b4bec9eb9442
NOTE: Patch fixes the second part of the CVE ("prepend arbitrary text")
NOTE: but not the first ("ignores the value of [the Hash] header"), as
hinted at reporter's 2019-05-09 note:
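Review bot: The new reason `fixed in stretch` on the buster line for CVE-2019-11841 reads as a complete fix, yet the NOTE lines directly below say the referenced patch fixes only the second part of the CVE ("prepend arbitrary text") and not the first. Please confirm whether the stretch upload covers both parts; if it does not, qualify the reason (for example `partially fixed in stretch, see notes`) so that harmonizing buster with stretch is not taken as closing the whole CVE.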
@@ -230345,7 +230345,7 @@ CVE-2019-11841 (A message-forgery issue was
discovered in crypto/openpgp/clearsi
CVE-2019-11840 (An issue was discovered in supplementary Go cryptography
libraries, ak ...)
{DLA-2527-1 DLA-2454-1 DLA-2442-1 DLA-2402-1 DLA-1840-1}
- golang-go.crypto 1:0.0~git20200221.2aa609c-1
- [buster] - golang-go.crypto <no-dsa> (Minor issue)
+ [buster] - golang-go.crypto <postponed> (Limited support, minor issue,
fixed in stretch)
NOTE: https://github.com/golang/go/issues/30965
NOTE:
https://go.googlesource.com/crypto/+/b7391e95e576cacdcdd422573063bc057239113d
NOTE:
https://groups.google.com/forum/#!msg/golang-announce/tjyNcJxb2vQ/n0NRBziSCAAJ
@@ -238199,7 +238199,7 @@ CVE-2019-9514 (Some HTTP/2 implementations are
vulnerable to a reset flood, pote
- golang <removed>
[jessie] - golang <not-affected> (No HTTP2 support yet)
- golang-golang-x-net-dev 1:0.0+git20190811.74dc4d7+dfsg-1
- [buster] - golang-golang-x-net-dev <no-dsa> (Minor issue)
+ [buster] - golang-golang-x-net-dev <no-dsa> (Limited support, minor
issue, DoS)
- nodejs 10.16.3~dfsg-1 (bug #934885)
[stretch] - nodejs <not-affected> (No HTTP2 support yet)
[jessie] - nodejs <not-affected> (No HTTP2 support yet)
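Review bot: The buster line for golang-golang-x-net-dev under CVE-2019-9514 keeps `<no-dsa>` and only changes the reason text, whereas the same package under CVE-2019-9512 in the next hunk becomes `<postponed>` with the identical reason `(Limited support, minor issue, DoS)`. This looks like a missed substitution; make both `<postponed>`, or state in the reason why the reset flood is triaged differently from the ping flood.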
@@ -238240,7 +238240,7 @@ CVE-2019-9512 (Some HTTP/2 implementations are
vulnerable to ping floods, potent
- golang <removed>
[jessie] - golang <not-affected> (No HTTP2 support yet)
- golang-golang-x-net-dev 1:0.0+git20190811.74dc4d7+dfsg-1
- [buster] - golang-golang-x-net-dev <no-dsa> (Minor issue)
+ [buster] - golang-golang-x-net-dev <postponed> (Limited support, minor
issue, DoS)
- trafficserver 8.0.5+ds-1 (bug #934887)
- h2o 2.2.5+dfsg2-3 (bug #934886)
NOTE: Issue: https://github.com/golang/go/issues/33606
=====================================
data/dla-needed.txt
=====================================
@@ -48,6 +48,12 @@ glibc
NOTE: 20220913: Programming language: C, Assembly.
NOTE: 20220913: Harmonize with bullseye: 4 CVEs fixed in Debian 11.3 and
Debian 11.5 (Beuc/front-desk)
--
+golang-1.11
+ NOTE: 20220916: Programming language: Go.
+ NOTE: 20220916: Special attention: limited support; requires rebuilding
reverse build dependencies (though recent bullseye updates didn't)
+ NOTE: 20220916: Harmonize with bullseye and stretch: 9 CVEs fixed in Debian
11.2 & 11.3 + 2 CVEs fixed in stretch-lts (Beuc/front-desk)
+ NOTE: 20220916: CVE-2020-28367 CVE-2021-33196 CVE-2021-36221 CVE-2021-39293
CVE-2021-41771 CVE-2021-44716 CVE-2021-44717 CVE-2022-23772 CVE-2022-23773
CVE-2022-23806 CVE-2022-24921
+--
golang-go.crypto
NOTE: 20220915: Programming language: Go.
NOTE: 20220915: 3 CVEs fixed in stretch and bullseye (Beuc/front-desk)
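Review bot: The added golang-1.11 entry gives counts for two sources (9 CVEs from Debian 11.2 & 11.3, 2 from stretch-lts) but the last NOTE lists all 11 CVE ids in a single run, so a reader cannot tell which two come from stretch-lts. Split the list into one NOTE per source. The parenthetical `(though recent bullseye updates didn't)` is also ambiguous about what the bullseye updates did not do; spell out that they did not rebuild reverse build dependencies, if that is the meaning.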
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/acfccc6158c3d493c7d3b4132f852f570a0a0df5...584817f4a179bed5519970132956257d39204b5c
_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits