From: Sylvain Beucler
Date: Fri, 21 Jan 2022 18:45:18 +0000 (+0000)
Subject: golang-1.7 (1.7.4-2+deb9u4) stretch-security; urgency=high
X-Git-Tag: archive/raspbian/1.7.4-2+rpi1+deb9u4^2~19
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=50d0b5dcbc8a98e2fb684b9539581bc389aa7e70;p=golang-1.7.git

golang-1.7 (1.7.4-2+deb9u4) stretch-security; urgency=high

  * Non-maintainer upload by the LTS Security Team.
  * CVE-2021-36221: Go has a race condition that can lead to a
    net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort.
    (Closes: #991961)
  * CVE-2021-33196: in archive/zip, a crafted file count (in an archive's
    header) can cause a NewReader or OpenReader panic.
    (Closes: #989492)
  * CVE-2021-39293: follow-up fix to CVE-2021-33196
  * CVE-2021-41771: ImportedSymbols in debug/macho (for Open or OpenFat)
    accesses a Memory Location After the End of a Buffer, aka an
    out-of-bounds slice situation.
  * CVE-2021-44716: net/http allows uncontrolled memory consumption in the
    header canonicalization cache via HTTP/2 requests.
  * CVE-2021-44717: Go on UNIX allows write operations to an unintended file
    or unintended network connection as a consequence of erroneous closing
    of file descriptor 0 after file-descriptor exhaustion.

[dgit import unpatched golang-1.7 1.7.4-2+deb9u4]
---
50d0b5dcbc8a98e2fb684b9539581bc389aa7e70