Change logs for golang-1.21 source package in Noble

  • golang-1.21 (1.21.9-1ubuntu0.1) noble-security; urgency=medium
    
      * SECURITY UPDATE: denial of service issue
        - debian/patches/CVE-2024-24789.patch: archive/zip: treat truncated
          EOCDR comment as an error
        - debian/source/include-binaries: Add zip testdata file
        - CVE-2024-24789
      * SECURITY UPDATE: incorrect IPv4-mapped IPv6 addresses issue
        - debian/patches/CVE-2024-24790.patch: net/netip: check if address is
          v6 mapped in Is methods
        - CVE-2024-24790
    
     -- Nishit Majithia <email address hidden>  Mon, 08 Jul 2024 17:17:17 +0530
  • golang-1.21 (1.21.9-1) unstable; urgency=medium
    
      * Team upload
      * New upstream version 1.21.9
        + CVE-2023-45288: http2: close connections when receiving too many headers
    
     -- Shengjing Zhu <email address hidden>  Thu, 04 Apr 2024 04:16:59 +0800
  • golang-1.21 (1.21.8-1build1) noble; urgency=medium
    
      * No-change rebuild for CVE-2024-3094
    
     -- William Grant <email address hidden>  Mon, 01 Apr 2024 16:58:25 +1100
  • golang-1.21 (1.21.8-1) unstable; urgency=medium
    
      * Team upload
      * New upstream version 1.21.8
        + CVE-2024-24783: crypto/x509: Verify panics on certificates with an
          unknown public key algorithm
        + CVE-2023-45290: net/http: memory exhaustion in Request.ParseMultipartForm
        + CVE-2023-45289: net/http, net/http/cookiejar: incorrect forwarding of
          sensitive headers and cookies on HTTP redirect
        + CVE-2024-24785: html/template: errors returned from MarshalJSON methods
          may break template escaping
        + CVE-2024-24784: net/mail: comments in display names are incorrectly
          handled
      * Update upstream signing key
    
     -- Shengjing Zhu <email address hidden>  Wed, 06 Mar 2024 15:14:10 +0800
  • golang-1.21 (1.21.7-2) unstable; urgency=medium
    
      * Team upload
      * Skip flaky TestCrashDumpsAllThreads on mips64le
    
     -- Shengjing Zhu <email address hidden>  Mon, 26 Feb 2024 17:13:31 +0800
  • golang-1.21 (1.21.7-1) unstable; urgency=medium
    
      * Team upload
      * New upstream version 1.21.7
    
     -- Shengjing Zhu <email address hidden>  Wed, 21 Feb 2024 16:35:15 +0800
  • golang-1.21 (1.21.6-1) unstable; urgency=medium
    
      * Team upload
      * New upstream version 1.21.6
    
     -- Shengjing Zhu <email address hidden>  Thu, 11 Jan 2024 18:46:44 +0800
  • golang-1.21 (1.21.5-1) unstable; urgency=medium
    
      * Team upload
      * New upstream version 1.21.5
        + CVE-2023-39326: net/http: limit chunked data overhead
        + CVE-2023-45285: cmd/go: go get may unexpectedly fall back to insecure git
        + CVE-2023-45283: path/filepath: retain trailing \ when cleaning paths
          like \\?\c:\
    
     -- Shengjing Zhu <email address hidden>  Wed, 06 Dec 2023 15:32:23 +0800
  • golang-1.21 (1.21.4-1) unstable; urgency=medium
    
      * Team upload
      * New upstream version 1.21.4
        + CVE-2023-45283: path/filepath: recognize \??\ as a Root Local Device
          path prefix.
        + CVE-2023-45284: path/filepath: recognize device names with trailing
          spaces and superscripts.
    
     -- Shengjing Zhu <email address hidden>  Wed, 08 Nov 2023 03:40:30 +0800
  • golang-1.21 (1.21.3-1) unstable; urgency=medium
    
      * Team upload
      * New upstream version 1.21.3
        + CVE-2023-44487/CVE-2023-39325: net/http: rapid stream resets can cause
          excessive work
    
     -- Shengjing Zhu <email address hidden>  Wed, 11 Oct 2023 14:53:53 +0800
  • golang-1.21 (1.21.1-1) unstable; urgency=medium
    
      * Team upload
      * New upstream version 1.21.1
        + CVE-2023-39320: cmd/go: go.mod toolchain directive allows arbitrary
          execution
        + CVE-2023-39318: html/template: improper handling of HTML-like comments
          within script contexts
        + CVE-2023-39319: html/template: improper handling of special tags within
          script contexts
        + CVE-2023-39321/CVE-2023-39322: crypto/tls: panic when processing
          post-handshake message on QUIC connections
    
     -- Shengjing Zhu <email address hidden>  Thu, 07 Sep 2023 11:51:55 +0800