CVE-2017-12678

2017-08-09 Thread Dr. Tobias Quathamer
Dear security team, I've just seen . I have now inspected the code of the embedded copy of taglib in my package silverjuke. From what I can tell, the embedded copy does not contain the vulnerability. The code in question is not included in silverjuke, because the

Update information about golang packages

2018-12-14 Thread Dr. Tobias Quathamer
Hi, the recent uploads of golang-1.10 (version 1.10.6-1) and golang-1.11 (version 1.11.3-1) include the fixes for the CVEs assigned to those packages, namely: CVE-2018-16875 CVE-2018-16874 CVE-2018-16873 Unfortunately, those CVE numbers have not been included in d/changelog, so the automatic syn

CVEs in golang

2019-08-14 Thread Dr. Tobias Quathamer
Hi, there are a couple of CVEs in golang: CVE-2019-14809: net/url: URL.Parse Multiple Parsing Issues Issue: https://github.com/golang/go/issues/29098 Fixed for golang-1.11: https://github.com/golang/go/commit/c1d9ca70995dc232a2145e3214f94e03409f6fcc Fixed for golang-1.12: https://github.com/gol

CVE in golang

2019-09-26 Thread Dr. Tobias Quathamer
Hi, there is another CVE in golang: CVE-2019-16276 net/textproto: don't normalize headers with spaces before the colon. https://github.com/golang/go/issues/34541 This has been fixed in the latest uploads of golang: golang-1.12: 1.12.10-1 golang-1.13: 1.13.1-1 For the stable distribution, I'll

Re: CVE in golang

2019-09-26 Thread Dr. Tobias Quathamer
On 26.09.19 at 12:09, Dr. Tobias Quathamer wrote: > Hi, > > there is another CVE in golang: > > CVE-2019-16276 > net/textproto: don't normalize headers with spaces before the colon. > https://github.com/golang/go/issues/34541 > > This has been fixed in the lates

CVE in golang

2020-01-31 Thread Dr. Tobias Quathamer
Dear security team, after some quiet months, it's time again for a security issue in golang :-) CVE-2020-7919 crypto/x509, x/crypto/cryptobyte: panic in certificate parsing Issue: https://github.com/golang/go/issues/36838 I've already uploaded a fixed version (golang-1.13) to unstable and am inv

Re: CVE in golang

2020-01-31 Thread Dr. Tobias Quathamer
On 31.01.20 at 22:31, Salvatore Bonaccorso wrote: > Thanks, I just have added a tracking item in the security-tracker for > CVE-2020-7919. > > Regards, > Salvatore Hi Salvatore, I've just received an answer from the security team that this issue does not warrant a DSA for golang-1.11 in stable.