From: Raspbian automatic forward porter Date: Fri, 12 May 2023 08:53:07 +0000 (+0100) Subject: Merge version 1.11.6-1+rpi1+deb10u4 and 1.11.6-1+deb10u7 to produce 1.11.6-1+rpi1... X-Git-Tag: archive/raspbian/1.11.6-1+rpi1+deb10u7^0 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=2fd8f06447c182bcc4673529a34ffd6aeb430d67;p=golang-1.11.git Merge version 1.11.6-1+rpi1+deb10u4 and 1.11.6-1+deb10u7 to produce 1.11.6-1+rpi1+deb10u7 --- 2fd8f06447c182bcc4673529a34ffd6aeb430d67 diff --cc debian/changelog index 1ea16cf,ef1902a..191dff6 --- a/debian/changelog +++ b/debian/changelog @@@ -1,11 -1,53 +1,62 @@@ - golang-1.11 (1.11.6-1+rpi1+deb10u4) buster-staging; urgency=medium ++golang-1.11 (1.11.6-1+rpi1+deb10u7) buster-staging; urgency=medium + + [changes brought forward from golang-1.10 1.10~rc2-1+rpi1 by Peter Michael Green at Sat, 24 Feb 2018 12:22:04 +0000] + * Build with GOARM=6 + * Disable testsuite. + * Fix clean target. + - -- Raspbian forward porter Wed, 10 Feb 2021 04:36:24 +0000 ++ -- Raspbian forward porter Fri, 12 May 2023 08:53:06 +0000 ++ + golang-1.11 (1.11.6-1+deb10u7) buster-security; urgency=high + + * Non-maintainer upload by the LTS Security Team. + * Disable a few flaky tests on arm. + + -- Sylvain Beucler Thu, 20 Apr 2023 16:32:58 +0200 + + golang-1.11 (1.11.6-1+deb10u6) buster-security; urgency=high + + * Non-maintainer upload by the LTS Security Team. + * Drop CVE-2022-23772 fix which causes test suite failures on arm64 + (even though the same backport approach worked for golang-1.7&1.8). + + -- Sylvain Beucler Wed, 19 Apr 2023 22:12:30 +0200 + + golang-1.11 (1.11.6-1+deb10u5) buster-security; urgency=high + + * Non-maintainer upload by the LTS Security Team. + * Always set $USER when running the testsuite to avoid build failure + (e.g. 
after 'debuild' environment sanitization) + * CVE-2020-28367: Code injection in the go command with cgo allows + arbitrary code execution at build time via malicious gcc flags + specified via a #cgo directive. + * CVE-2021-38297: Go has a Buffer Overflow via large arguments in a + function invocation from a WASM module, when GOARCH=wasm GOOS=js is + used. + * CVE-2021-33196: In archive/zip, a crafted file count (in an archive's + header) can cause a NewReader or OpenReader panic. (Closes: #989492) + * CVE-2021-39293: This issue exists because of an incomplete fix for + CVE-2021-33196. + * CVE-2021-36221: Go has a race condition that can lead to a + net/http/httputil ReverseProxy panic upon an ErrAbortHandler + abort. (Closes: #991961) + * CVE-2021-41771: ImportedSymbols in debug/macho (for Open or OpenFat) + Accesses a Memory Location After the End of a Buffer, aka an + out-of-bounds slice situation. + * CVE-2021-44716: net/http allows uncontrolled memory consumption in the + header canonicalization cache via HTTP/2 requests. + * CVE-2021-44717: Go on UNIX allows write operations to an unintended + file or unintended network connection as a consequence of erroneous + closing of file descriptor 0 after file-descriptor exhaustion. + * CVE-2022-23772: Rat.SetString in math/big has an overflow that can + lead to Uncontrolled Memory Consumption. + * CVE-2022-23806: Curve.IsOnCurve in crypto/elliptic can incorrectly + return true in situations with a big.Int value that is not a valid + field element. + * CVE-2022-24921: regexp.Compile allows stack exhaustion via a deeply + nested expression. + + -- Sylvain Beucler Wed, 19 Apr 2023 12:15:40 +0200 golang-1.11 (1.11.6-1+deb10u4) buster-security; urgency=high
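Review bot: The merged top entry (1.11.6-1+rpi1+deb10u7) carries forward the Raspbian change "Disable testsuite." unchanged, yet the incoming entries show that the test suite is what exposed a bad backport: +deb10u6 dropped the CVE-2022-23772 fix because it caused test suite failures on arm64. With the suite disabled for the GOARM=6 build, a comparable regression in the remaining CVE backports listed under +deb10u5 would go unnoticed on this architecture. Consider running at least the tests for the packages named in those entries (archive/zip, net/http, math/big, crypto/elliptic, regexp, debug/macho), or stating in the top entry that the backports are untested here. Also, the +deb10u5 entry still lists CVE-2022-23772 (Rat.SetString in math/big) although +deb10u6 drops that fix; a line in the top entry saying this version remains affected would keep anyone reading only the newest entries from counting it as patched.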