- golang-1.11 (1.11.6-1+rpi1+deb10u4) buster-staging; urgency=medium
++golang-1.11 (1.11.6-1+rpi1+deb10u7) buster-staging; urgency=medium
+
+ [changes brought forward from golang-1.10 1.10~rc2-1+rpi1 by Peter Michael Green <plugwash@raspbian.org> at Sat, 24 Feb 2018 12:22:04 +0000]
+ * Build with GOARM=6
+ * Disable testsuite.
+ * Fix clean target.
+
- -- Raspbian forward porter <root@raspbian.org> Wed, 10 Feb 2021 04:36:24 +0000
++ -- Raspbian forward porter <root@raspbian.org> Fri, 12 May 2023 08:53:06 +0000
++
+ golang-1.11 (1.11.6-1+deb10u7) buster-security; urgency=high
+
+ * Non-maintainer upload by the LTS Security Team.
+ * Disable a few flaky tests on arm.
+
+ -- Sylvain Beucler <beuc@debian.org> Thu, 20 Apr 2023 16:32:58 +0200
+
+ golang-1.11 (1.11.6-1+deb10u6) buster-security; urgency=high
+
+ * Non-maintainer upload by the LTS Security Team.
+ * Drop CVE-2022-23772 fix which causes test suite failures on arm64
+ (even though the same backport approach worked for golang-1.7&1.8).
+
+ -- Sylvain Beucler <beuc@debian.org> Wed, 19 Apr 2023 22:12:30 +0200
+
+ golang-1.11 (1.11.6-1+deb10u5) buster-security; urgency=high
+
+ * Non-maintainer upload by the LTS Security Team.
+ * Always set $USER when running the testsuite to avoid build failure
+ (e.g. after 'debuild' environment sanitization)
+ * CVE-2020-28367: Code injection in the go command with cgo allows
+ arbitrary code execution at build time via malicious gcc flags
+ specified via a #cgo directive.
+ * CVE-2021-38297: Go has a Buffer Overflow via large arguments in a
+ function invocation from a WASM module, when GOARCH=wasm GOOS=js is
+ used.
+ * CVE-2021-33196: In archive/zip, a crafted file count (in an archive's
+ header) can cause a NewReader or OpenReader panic. (Closes: #989492)
+ * CVE-2021-39293: This issue exists because of an incomplete fix for
+ CVE-2021-33196.
+ * CVE-2021-36221: Go has a race condition that can lead to a
+ net/http/httputil ReverseProxy panic upon an ErrAbortHandler
+ abort. (Closes: #991961)
+ * CVE-2021-41771: ImportedSymbols in debug/macho (for Open or OpenFat)
+ Accesses a Memory Location After the End of a Buffer, aka an
+ out-of-bounds slice situation.
+ * CVE-2021-44716: net/http allows uncontrolled memory consumption in the
+ header canonicalization cache via HTTP/2 requests.
+ * CVE-2021-44717: Go on UNIX allows write operations to an unintended
+ file or unintended network connection as a consequence of erroneous
+ closing of file descriptor 0 after file-descriptor exhaustion.
+ * CVE-2022-23772: Rat.SetString in math/big has an overflow that can
+ lead to Uncontrolled Memory Consumption.
+ * CVE-2022-23806: Curve.IsOnCurve in crypto/elliptic can incorrectly
+ return true in situations with a big.Int value that is not a valid
+ field element.
+ * CVE-2022-24921: regexp.Compile allows stack exhaustion via a deeply
+ nested expression.
+
+ -- Sylvain Beucler <beuc@debian.org> Wed, 19 Apr 2023 12:15:40 +0200
golang-1.11 (1.11.6-1+deb10u4) buster-security; urgency=high
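Review bot: The 1.11.6-1+deb10u6 entry drops the CVE-2022-23772 fix, but the 1.11.6-1+deb10u5 entry below it still lists CVE-2022-23772 (Rat.SetString in math/big) among its fixes, so a reader or tracker scanning the u5 CVE list can conclude the wrong status for the resulting 1.11.6-1+rpi1+deb10u7 package. Suggest stating explicitly in the u6 entry that CVE-2022-23772 is unfixed again in this package, since the only reason given is test suite failures on arm64. Separately, the Raspbian entry at the top carries forward "Disable testsuite." while the u5 to u7 entries depend on test results (the arm64 failures, the flaky arm tests), so the security backports are built here with GOARM=6 without the testsuite running; that is worth recording in the Raspbian entry. The u7 line "Disable a few flaky tests on arm." should also name the tests it disables.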