From: Raspbian automatic forward porter <root@raspbian.org>
Date: Tue, 25 Jan 2022 21:48:14 +0000 (+0000)
Subject: Merge version 1.7.4-2+rpi1+deb9u3 and 1.7.4-2+deb9u4 to produce 1.7.4-2+rpi1+deb9u4
X-Git-Tag: archive/raspbian/1.7.4-2+rpi1+deb9u4^0
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=98736844330abda9a0266ac1351446bf666bb5e4;p=golang-1.7.git

Merge version 1.7.4-2+rpi1+deb9u3 and 1.7.4-2+deb9u4 to produce 1.7.4-2+rpi1+deb9u4
---

98736844330abda9a0266ac1351446bf666bb5e4
diff --cc debian/changelog
index 056984a,3f548aa..2109864
--- a/debian/changelog
+++ b/debian/changelog
@@@ -1,12 -1,22 +1,32 @@@
- golang-1.7 (1.7.4-2+rpi1+deb9u3) stretch-staging; urgency=medium
++golang-1.7 (1.7.4-2+rpi1+deb9u4) stretch-staging; urgency=medium
 +
 +  [changes brought forward from golang 2:1.5.3-1+rpi1 by Peter Michael Green <plugwash@raspbian.org> at Thu, 21 Jan 2016 20:49:39 +0000]
 +  * Force build for armv6.
 +  
 +  [changes introduced in golang 2:1.6.1-2+rpi1 by Peter Michael Green]
 +  * Disable testsuite.
 +
-  -- Raspbian forward porter <root@raspbian.org>  Tue, 16 Mar 2021 16:13:07 +0000
++ -- Raspbian forward porter <root@raspbian.org>  Tue, 25 Jan 2022 21:48:13 +0000
++
+ golang-1.7 (1.7.4-2+deb9u4) stretch-security; urgency=high
+ 
+   * Non-maintainer upload by the LTS Security Team.
+   * CVE-2021-36221: Go has a race condition that can lead to a
+     net/http/httputil ReverseProxy panic upon an ErrAbortHandler
+     abort. (Closes: #991961)
+   * CVE-2021-33196: in archive/zip, a crafted file count (in an archive's
+     header) can cause a NewReader or OpenReader panic. (Closes: #989492)
+   * CVE-2021-39293: follow-up fix to CVE-2021-33196
+   * CVE-2021-41771: ImportedSymbols in debug/macho (for Open or OpenFat)
+     accesses a Memory Location After the End of a Buffer, aka an
+     out-of-bounds slice situation.
+   * CVE-2021-44716: net/http allows uncontrolled memory consumption in the
+     header canonicalization cache via HTTP/2 requests.
+   * CVE-2021-44717: Go on UNIX allows write operations to an unintended
+     file or unintended network connection as a consequence of erroneous
+     closing of file descriptor 0 after file-descriptor exhaustion.
+   
+  -- Sylvain Beucler <beuc@debian.org>  Fri, 21 Jan 2022 19:45:18 +0100
  
  golang-1.7 (1.7.4-2+deb9u3) stretch-security; urgency=high