Your message dated Wed, 26 Apr 2017 09:04:51 +0000
with message-id <e1d3isv-000dsd...@fasolo.debian.org>
and subject line Bug#859655: fixed in golang-go.crypto 
1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1
has caused the Debian Bug report #859655,
regarding golang-go.crypto: CVE-2017-3204
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
859655: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859655
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: golang-go.crypto
Version: 1:0.0~git20161012.0.5f31782-1
Severity: grave
Tags: upstream patch security
Forwarded: https://github.com/golang/go/issues/19767

Hi,

the following vulnerability was published for golang-go.crypto.

CVE-2017-3204[0]:
| The Go SSH library (x/crypto/ssh) by default does not verify host
| keys, facilitating man-in-the-middle attacks. Default behavior changed
| in commit e4e2799 to require explicitly registering a hostkey
| verification mechanism.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-3204
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3204
[1] https://github.com/golang/go/issues/19767

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: golang-go.crypto
Source-Version: 1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1

We believe that the bug you reported is fixed in the latest version of
golang-go.crypto, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 859...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Lustfield <mich...@lustfield.net> (supplier of updated golang-go.crypto 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 26 Apr 2017 02:42:23 -0500
Source: golang-go.crypto
Binary: golang-golang-x-crypto-dev golang-go.crypto-dev
Architecture: source
Version: 1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team 
<pkg-go-maintainers@lists.alioth.debian.org>
Changed-By: Michael Lustfield <mich...@lustfield.net>
Description:
 golang-go.crypto-dev - Transitional package for golang-golang-x-crypto-dev
 golang-golang-x-crypto-dev - Supplementary Go cryptography libraries
Closes: 859655
Changes:
 golang-go.crypto 
(1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1) unstable; 
urgency=medium
 .
   * Reverts previous upload to permit freeze exception.
   * patches/0001-ssh-require-host-key-checking_CVE-2017-3204.patch:
     + CVE-2017-3204: Default behavior changed to require explicitly
       registering a hostkey verification mechanism. (Closes: #859655)
Checksums-Sha1:
 af960bc0c10cc66e332636b27534733ba2369cf2 2750 
golang-go.crypto_0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1.dsc
 ed416354f9339ceb33e5bdd60132398aecbdef79 1100132 
golang-go.crypto_0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782.orig.tar.xz
 9beb5eb53533312c312187791b9f3a052388836b 8852 
golang-go.crypto_0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1.debian.tar.xz
 695405c180fa8e3063eb5bc628236788af27fd41 6746 
golang-go.crypto_0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1_amd64.buildinfo
Checksums-Sha256:
 f4bd7051d643763723933f51a1f067f178ce880d6de31635fa59c325d31f158b 2750 
golang-go.crypto_0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1.dsc
 a0697187211be58315cd5bf64831c6560295002676c41ef2a06d11536ca5f723 1100132 
golang-go.crypto_0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782.orig.tar.xz
 6dad49fecf782b610c3ae9e74e0bc7b9740dfb16053b7b3c5a42e2b4c7e5ee97 8852 
golang-go.crypto_0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1.debian.tar.xz
 c42b9a8da338cbc8326c028e4b1a6950de2491a5da34bade21c3503dab8cd318 6746 
golang-go.crypto_0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1_amd64.buildinfo
Files:
 d993dccb862f691979f15280f75b976e 2750 devel extra 
golang-go.crypto_0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1.dsc
 e66ac1fd994db1dd282a3c64a6c3ae7c 1100132 devel extra 
golang-go.crypto_0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782.orig.tar.xz
 73d71121cafb42c3adeb677e729949d5 8852 devel extra 
golang-go.crypto_0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1.debian.tar.xz
 b6f0011376e1886abea2f662e15eccce 6746 devel extra 
golang-go.crypto_0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJKBAEBCAA0FiEEBs1j101ZjEpH5CyWA6iJGnZa0IUFAlkAUKAWHG1pY2hhZWxA
bHVzdGZpZWxkLm5ldAAKCRADqIkadlrQhU7BEACyPG1cjCpMP3J/FmM1AC392y0c
Ko07ukya9XMcoIjIJS8US3mWJLGuB6WW3n7rhWXtTnbnbN2/JiCMSMc7AfOa6nUo
EinKeb2L0aRmcBWc6MSW1NflzZ0haFzJ0DJdHVXZcHbAK+va/BYlASWaLeB5sNjN
igK7Dp251O5KCuszHjH2EbBly6dWdCDWl3GGTBa8OFNVAkqb8I5oMNaTDlpKsZen
gAjLnHgAMUaRhz8zbeZ40Kc8I8gb/7jYVRrUaICMnZwEUizE2rNJFMNSYR4uNBl9
E43PYM8jbZbIT9i5QPvzhoydjuUl479o+5aLRnKSyguvrYrD6Vs7xwww7F3i32+D
DUr31vfusSt0mAHy+cUZYiVlTJNjJVMfBfStn1VtCJvPyUykyVpgO/dymkv11Nod
dODW4pqjIbfAP4iQTT2mESi3Z10wfxqxt6b0TV/VtNbRaHJ/wIrb1M8HW30NTwlI
Ofv4Hi6m1gBRNpHF3to5g8SvVMgju3rWc1QUuhvGP7fv9ZsM+nciCxhjK40SslLC
KAaC46ROYom6R0RGPbTARBGC06lwTyRVUeFOvRGYlRkJ23C6HI9+v7Ut/TT4dRoz
uC7F4x5HuV6afYApoKUDQRaV4fGmUBP3pZSUmuL5bQZctWx8r8cQ0Hj7UMufvbZ5
IbXLg8y46XsIAoNmBQ==
=Kgmq
-----END PGP SIGNATURE-----

--- End Message ---
_______________________________________________
Pkg-go-maintainers mailing list
Pkg-go-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-go-maintainers

Reply via email to