Change logs for golang-1.19 source package in Lunar

  • golang-1.19 (1.19.8-1ubuntu0.1) lunar-security; urgency=medium
    
      * SECURITY UPDATE: HTML injection vulnerability
        - debian/patches/CVE-2023-24539.patch: disallow angle brackets in CSS
          values
        - debian/patches/CVE-2023-29400.patch: emit filterFailsafe for empty
          unquoted attr value
        - CVE-2023-24539
        - CVE-2023-29400
      * SECURITY UPDATE: JavaScript injection vulnerability
        - debian/patches/CVE-2023-24540.patch: handle all JS whitespace
          characters
        - CVE-2023-24540
    
     -- Nishit Majithia <email address hidden>  Mon, 05 Jun 2023 15:11:27 +0530
  • golang-1.19 (1.19.8-1) experimental; urgency=medium
    
      * Team upload
      * New upstream version 1.19.8
        + CVE-2023-24537: go/parser: infinite loop in parsing
        + CVE-2023-24538: html/template: backticks not treated as string delimiters
        + CVE-2023-24534: net/http, net/textproto: denial of service from excessive
          memory allocation
        + CVE-2023-24536: net/http, net/textproto, mime/multipart: denial of
          service from excessive resource consumption
    
     -- Shengjing Zhu <email address hidden>  Wed, 05 Apr 2023 02:15:56 +0800
  • golang-1.19 (1.19.7-1) experimental; urgency=medium
    
      * Team upload
      * New upstream version 1.19.7
        + CVE-2023-24532: crypto/elliptic: incorrect P-256 ScalarMult and
          ScalarBaseMult results
    
     -- Shengjing Zhu <email address hidden>  Wed, 08 Mar 2023 13:54:08 +0800
  • golang-1.19 (1.19.6-2) unstable; urgency=medium
    
      * Team upload
      * Upload to unstable
    
     -- Shengjing Zhu <email address hidden>  Fri, 17 Feb 2023 17:56:44 +0800
  • golang-1.19 (1.19.6-1) experimental; urgency=medium
    
      * Team upload
      * New upstream version 1.19.6
        + CVE-2022-41722: path/filepath: path traversal in filepath.Clean on
          Windows
        + CVE-2022-41725: net/http, mime/multipart: denial of service from
          excessive resource consumption
        + CVE-2022-41724: crypto/tls: large handshake records may cause panics
        + CVE-2022-41723: net/http: avoid quadratic complexity in HPACK decoding
    
     -- Shengjing Zhu <email address hidden>  Wed, 15 Feb 2023 10:09:02 +0800
  • golang-1.19 (1.19.4-1ubuntu1) lunar; urgency=medium
    
      * Merge from Debian unstable. Remaining changes:
        - 0001-cmd-link-check-CGO_CFLAGS-for-non-g-I-O-options-befo.patch
          disable internal linking when dynamically linking and CGO_CFLAGS
          contains flags that might make host object files that the internal
          linker's ELF reader does not support. This fixes lots of package builds
          when LTO is enabled by default via dpkg-buildflags.
        - d/rules: Add NO_PNG_PKG_MANGLE to prevent a test file from being
          compressed.
    
     -- William 'jawn-smith' Wilson <email address hidden>  Mon, 12 Dec 2022 09:24:12 -0600
  • golang-1.19 (1.19.3-1ubuntu1) lunar; urgency=medium
    
      * Merge from Debian unstable. Remaining changes:
        - 0001-cmd-link-check-CGO_CFLAGS-for-non-g-I-O-options-befo.patch
          disable internal linking when dynamically linking and CGO_CFLAGS
          contains flags that might make host object files that the internal
          linker's ELF reader does not support. This fixes lots of package builds
          when LTO is enabled by default via dpkg-buildflags.
        - d/rules: Add NO_PNG_PKG_MANGLE to prevent a test file from being
          compressed.
    
     -- William 'jawn-smith' Wilson <email address hidden>  Tue, 15 Nov 2022 12:19:06 -0600
  • golang-1.19 (1.19.2-1ubuntu1) kinetic; urgency=medium
    
      * Merge from Debian unstable. Remaining changes:
        - 0001-cmd-link-check-CGO_CFLAGS-for-non-g-I-O-options-befo.patch
          disable internal linking when dynamically linking and CGO_CFLAGS
          contains flags that might make host object files that the internal
          linker's ELF reader does not support. This fixes lots of package builds
          when LTO is enabled by default via dpkg-buildflags.
        - d/rules: Add NO_PNG_PKG_MANGLE to prevent a test file from being
          compressed.
    
     -- William 'jawn-smith' Wilson <email address hidden>  Wed, 05 Oct 2022 15:02:12 -0500