golang-1.18 (1.18.10-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 1.18.10
  * Add NO_PNG_PKG_MANGLE to prevent mangling testdata.
    This is Ubuntu specific behaviour so they can sync the package without
    vendor patch.

 -- Shengjing Zhu <email address hidden>  Wed, 11 Jan 2023 16:33:29 +0800
-
golang-1.18 (1.18.9-1) unstable; urgency=medium

  * New upstream version 1.18.9
    + CVE-2022-41720: os, net/http: avoid escapes from os.DirFS and http.Dir
      on Windows
    + CVE-2022-41717: net/http: limit canonical header cache by bytes, not
      entries

 -- William 'jawn-smith' Wilson <email address hidden>  Tue, 06 Dec 2022 13:39:48 -0600
-
golang-1.18 (1.18.8-1) unstable; urgency=medium

  * New upstream version 1.18.8
    + CVE-2022-41716: syscall, os/exec: unsanitized NUL in environment variables
      On Windows, syscall.StartProcess and os/exec.Cmd did not properly check
      for invalid environment variable values. A malicious environment variable
      value could exploit this behavior to set a value for a different
      environment variable.

 -- William 'jawn-smith' Wilson <email address hidden>  Thu, 03 Nov 2022 08:20:54 -0500
-
golang-1.18 (1.18.7-1) unstable; urgency=medium

  * New upstream version 1.18.7
    + CVE-2022-2879: archive/tar: unbounded memory consumption when reading
      headers
    + CVE-2022-2880: net/http/httputil: ReverseProxy should not forward
      unparseable query parameters
    + CVE-2022-41715: regexp/syntax: limit memory used by parsing regexps

 -- William 'jawn-smith' Wilson <email address hidden>  Tue, 04 Oct 2022 15:34:34 -0500