Change logs for golang-1.13 source package in Jammy

  • golang-1.13 (1.13.8-1ubuntu2.22.04.2) jammy-security; urgency=medium
    
      * SECURITY UPDATE: HTTP request smuggling issue
        - debian/patches/CVE-2022-1705.patch: don't strip whitespace from
          Transfer-Encoding headers.
        - CVE-2022-1705
      * SECURITY UPDATE: DoS issue due to panic
        - debian/patches/CVE-2022-27664.patch: update bundled golang.org/x/net/http2.
        - debian/patches/CVE-2022-28131.patch: use iterative Skip, rather than
          recursive.
        - debian/patches/CVE-2022-30631.patch: fix stack exhaustion bug in
          Reader.Read.
        - debian/patches/CVE-2022-30632.patch: fix stack exhaustion in Glob.
        - debian/patches/CVE-2022-30633.patch: limit depth of nesting in unmarshal.
        - debian/patches/CVE-2022-30635.patch: add a depth limit for ignored fields.
        - debian/patches/CVE-2022-32189.patch: check buffer lengths in GobDecode.
        - debian/patches/CVE-2022-41717.patch: update bundled golang.org/x/net/http2.
        - debian/patches/CVE-2023-24534.patch: avoid overpredicting the number of
          MIME header keys.
        - CVE-2022-27664
        - CVE-2022-28131
        - CVE-2022-30631
        - CVE-2022-30632
        - CVE-2022-30633
        - CVE-2022-30635
        - CVE-2022-32189
        - CVE-2022-41717
        - CVE-2023-24534
      * SECURITY UPDATE: out-of-bounds read issue
        - debian/patches/CVE-2022-2879.patch: limit size of headers.
        - debian/source/include-binaries: add test file bz2
          pax-bad-hdr-large.tar.bz2.
        - CVE-2022-2879
      * SECURITY UPDATE: query parameter smuggling issue in Go proxy
        - debian/patches/CVE-2022-2880-pre.patch: reject query values with
          semicolons.
        - debian/patches/CVE-2022-2880.patch: avoid query parameter smuggling.
        - CVE-2022-2880
      * SECURITY UPDATE: TLS session takeover vulnerability
        - debian/patches/CVE-2022-30629.patch: randomly generate ticket_age_add.
        - CVE-2022-30629
      * SECURITY UPDATE: sensitive information exposure
        - debian/patches/CVE-2022-32148.patch: preserve nil values in Header.Clone.
        - CVE-2022-32148
      * SECURITY UPDATE: integer overflow issue
        - debian/patches/CVE-2023-24537.patch: reject large line and column number
          in //line directives.
        - CVE-2023-24537
      * SECURITY UPDATE: code injection vulnerability
        - debian/patches/CVE-2023-24538.patch: disallow actions in JS template
          literals.
        - CVE-2023-24538
    
     -- David Fernandez Gonzalez <email address hidden>  Wed, 03 Jan 2024 17:12:49 +0100
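Two of the fixes in the entry above harden net/http/httputil.ReverseProxy: CVE-2022-2880 (query parameter smuggling, fixed by refusing to forward query pairs that net/url cannot parse) and CVE-2022-32148 (Header.Clone turning a nil header value into an empty slice, which lost the "omit X-Forwarded-For" signal the proxy looks for). The Go program below is an added example written for this page; it is not code from the golang-1.13 package, from the Debian patches, or from upstream Go. SanitizeQuery and CloneKeepsSuppression are names chosen here, and the sample query string is constructed. It assumes a toolchain that already carries both fixes (url.ParseQuery rejecting semicolons, Header.Clone preserving nil), which is what the patched package provides.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// SanitizeQuery re-parses a raw query string with net/url and re-encodes only
// the pairs it could parse. With the CVE-2022-2880 fix, ParseQuery rejects a
// pair containing a semicolon (some backends split on ';', Go does not), but it
// still returns every pair it did parse, so re-encoding forwards exactly that
// subset instead of the raw, possibly ambiguous, string. The parse error is
// returned alongside so a caller can log or reject the request.
func SanitizeQuery(raw string) (string, error) {
	values, err := url.ParseQuery(raw)
	return values.Encode(), err
}

// CloneKeepsSuppression reports whether a nil X-Forwarded-For value survives
// Header.Clone. ReverseProxy treats a present-but-nil value as "do not add this
// header"; before the CVE-2022-32148 fix, cloning the request (Request.Clone
// calls Header.Clone) replaced nil with an empty slice, so a proxy that was
// told to hide the client address appended it anyway.
func CloneKeepsSuppression(h http.Header) bool {
	clone := h.Clone()
	v, present := clone["X-Forwarded-For"]
	return present && v == nil
}

func main() {
	// Constructed sample: the first pair smuggles a second key behind a ';'.
	q, err := SanitizeQuery("id=42;role=admin&page=1")
	fmt.Printf("forwarded query %q (parse error: %v)\n", q, err) // "page=1"

	h := http.Header{"X-Forwarded-For": nil}
	fmt.Println("clone keeps nil X-Forwarded-For:", CloneKeepsSuppression(h)) // true
}
```

The important detail for a proxy author is that both checks have to happen on the outgoing request: re-encode the query after the Director has run, and set the nil sentinel on the request the proxy will actually send, since anything set on a request that is subsequently cloned depends on Clone keeping the nil.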
  • golang-1.13 (1.13.8-1ubuntu2.22.04.1) jammy-security; urgency=medium
    
      * SECURITY UPDATE: Infinite read loop via invalid inputs
        - debian/patches/CVE-2020-16845.patch: ensure that ReadUvarint
          reads a limited amount of data in src/encoding/binary/varint.go.
        - CVE-2020-16845
      * debian/control.in: Add gcc-10 and g++-10 as gcc-11 and g++-11 are
        the new default versions. DWARF5 is not compatible and is used by
        the 11 versions.
      * debian/rules: Enforce the use of gcc-10 and g++-10.
    
     -- David Fernandez Gonzalez <email address hidden>  Wed, 09 Nov 2022 16:10:42 +0100
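The CVE-2020-16845 fix above bounds how much input encoding/binary.ReadUvarint will consume. The Go program below is an added example for this page, not the Debian patch or upstream code. BoundedReadUvarint reimplements the fixed algorithm (stop after binary.MaxVarintLen64 bytes and report overflow); endlessContinuation is a constructed io.ByteReader that returns a continuation byte forever, the input that made the unpatched decoder spin without returning; BytesConsumed and ErrVarintOverflow are names chosen here. The final call in main runs the standard library's own ReadUvarint against the same reader and assumes a toolchain that carries the fix.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// endlessContinuation is a constructed io.ByteReader that never stops
// producing bytes with the continuation bit (0x80) set. Every byte says
// "more follows", and the unpatched decoder never bounded how many it took.
type endlessContinuation struct{ served int }

func (e *endlessContinuation) ReadByte() (byte, error) {
	e.served++
	return 0x80, nil
}

// ErrVarintOverflow is returned when the encoding does not fit in 64 bits.
var ErrVarintOverflow = errors.New("varint overflows a 64-bit integer")

// BoundedReadUvarint decodes an unsigned LEB128-style varint the way the fixed
// encoding/binary does: at most binary.MaxVarintLen64 (10) bytes, the longest
// a 64-bit value can occupy, and an overflow error instead of reading on.
func BoundedReadUvarint(r io.ByteReader) (uint64, error) {
	var x uint64
	var s uint
	for i := 0; i < binary.MaxVarintLen64; i++ {
		b, err := r.ReadByte()
		if err != nil {
			if i > 0 && err == io.EOF {
				err = io.ErrUnexpectedEOF // stream ended mid-value
			}
			return x, err
		}
		if b < 0x80 {
			// Final byte. Only one bit of the 10th byte fits in 64 bits.
			if i == binary.MaxVarintLen64-1 && b > 1 {
				return x, ErrVarintOverflow
			}
			return x | uint64(b)<<s, nil
		}
		x |= uint64(b&0x7f) << s
		s += 7
	}
	return x, ErrVarintOverflow // 10 continuation bytes and still no end
}

// BytesConsumed feeds the endless reader to a decoder and reports how many
// bytes it pulled before giving up. A bounded decoder returns after 10 bytes;
// the unpatched one never returned at all.
func BytesConsumed(decode func(io.ByteReader) (uint64, error)) (int, error) {
	r := &endlessContinuation{}
	_, err := decode(r)
	return r.served, err
}

func main() {
	v, err := BoundedReadUvarint(bytes.NewReader([]byte{0xAC, 0x02}))
	fmt.Println("valid varint:", v, err) // 300 <nil>

	n, err := BytesConsumed(BoundedReadUvarint)
	fmt.Println("bounded decoder consumed", n, "bytes:", err) // 10

	n, err = BytesConsumed(binary.ReadUvarint) // stdlib on a patched toolchain
	fmt.Println("stdlib decoder consumed", n, "bytes:", err) // 10
}
```

The same shape of bug (a loop whose exit depends only on attacker-supplied bytes) is what several of the later stack-exhaustion and depth-limit patches in this package address; the fix pattern is identical: derive the bound from the format's own maximum size and fail closed once it is reached.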
  • golang-1.13 (1.13.8-1ubuntu2) groovy; urgency=medium
    
      * Apply applicable parts of https://go-review.googlesource.com/c/go/+/262357/
        to fix build on arm64.
    
     -- Michael Hudson-Doyle <email address hidden>  Thu, 15 Oct 2020 21:55:17 +1300