-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Tue, 13 Jun 2023 09:32:18 CEST Source: golang-go.crypto Architecture: source Version: 1:0.0~git20181203.505ab14-1+deb10u1 Distribution: buster-security Urgency: high Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org> Changed-By: Markus Koschany <apo@debian.org> Checksums-Sha1: 458c0524f70ac837141f61a11ec1cd8d510eaf31 2544 golang-go.crypto_0.0~git20181203.505ab14-1+deb10u1.dsc c5dc0db612ce40637e991f2adeb8c44489bf568e 1433388 golang-go.crypto_0.0~git20181203.505ab14.orig.tar.xz 3ce81fe08cd0f5a65c5690f20427010239d4074d 11580 golang-go.crypto_0.0~git20181203.505ab14-1+deb10u1.debian.tar.xz 5b6336b48382220aa8cef82b3095a12252db87cf 6437 golang-go.crypto_0.0~git20181203.505ab14-1+deb10u1_amd64.buildinfo Checksums-Sha256: d21836c268830cb0cea6a439f5887910b7bb0ab0f13d58adf99ee47867c4e153 2544 golang-go.crypto_0.0~git20181203.505ab14-1+deb10u1.dsc 3a0ac2725ad17fd25b269519ef6665d2a5ae566d00efdaa57cef96ea1979e254 1433388 golang-go.crypto_0.0~git20181203.505ab14.orig.tar.xz 948c4573710691a76f84c744c19a9fe37b643b32b3fa0f78d7c28f46a749ac20 11580 golang-go.crypto_0.0~git20181203.505ab14-1+deb10u1.debian.tar.xz f2eb9478094889c0834d057d84cbef42f13e19c2fab71d94172c2345d4ee5b6b 6437 golang-go.crypto_0.0~git20181203.505ab14-1+deb10u1_amd64.buildinfo Changes: golang-go.crypto (1:0.0~git20181203.505ab14-1+deb10u1) buster-security; urgency=high . * Non-maintainer upload by the LTS team. * Fix CVE-2019-11840: An issue was discovered in supplementary Go cryptography libraries, aka golang-googlecode-go-crypto. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications. * Fix CVE-2019-11841: A message-forgery issue was discovered in crypto/openpgp/clearsign/clearsign.go in supplementary Go cryptography libraries. The "Hash" Armor Header specifies the message digest algorithm(s) used for the signature. Since the library skips Armor Header parsing in general, an attacker can not only embed arbitrary Armor Headers, but also prepend arbitrary text to cleartext messages without invalidating the signatures. * Fix CVE-2020-9283: golang.org/x/crypto allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client. Files: 4d3c438da45e75b73168821e4719a096 2544 devel optional golang-go.crypto_0.0~git20181203.505ab14-1+deb10u1.dsc b01319c83dab7577167c57644bd15617 1433388 devel optional golang-go.crypto_0.0~git20181203.505ab14.orig.tar.xz b9e4ad2b670c85f3fb1e7804f928b49b 11580 devel optional golang-go.crypto_0.0~git20181203.505ab14-1+deb10u1.debian.tar.xz d0ada1c9f647b314bb993716babef086 6437 devel optional golang-go.crypto_0.0~git20181203.505ab14-1+deb10u1_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmSIG/RfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp YW4ub3JnAAoJENmtFLlRO1Hkz0UQAMt6jUmngJGylnH1bzzLy5OQ7aPyLH08tSWy guUDhS3QnVh7c7hT6Ciac2F+yN9sbUXhAH4dMpsH/NFTvvvtraeKfZp+dp2Z/WMP sMpW/0EMcutExnI/IKFriijPn07TuSJZ/apseg+tnOO2YaADtkmv09P7hvsbjmzc epGEd1odWNKQNatqU9FD3IZRDDnWSDhvWL59G3suBxJpiJR/1MqSd5cqGbVlHv2e HW5ZsSRsHztaLd/qL1px4bgPszu3CqRD4CaLlrQo0GunO7NFtFfKQg7DEU89Ooty oKvwlG6TdW1ZaAQjrWzD1+NbjVG0hcLG7Hoi1lQTisILhMBr2tfp8VXkY0iWU4U+ dQQUyuvbZoBhAzrxp8f6zMahYhSf379kHzetKehMJngRzhZa3fjw9SGzRFQG8WF/ FeuP5qOtn5C66LB3o/cNQF8TF9QZub5sgNwfCxADxEp+5Nv+oMap3nSuDhMsULgo VdX1brIKiSnYGLBCD0051aabyXlgIEje3m6ep3t0O06qx5cvs3WjQf+fSGXIjpMK D+IOM0z7P+IL5EYl7BfvboPXwaVz754QwkSbguFP7npY00l20gv1BYH1Ige5GRNP 10m4L3/xfuYddasP4PpFNdcYa/UI8l3cH4zp2fR9GwdQ5wva/mm8RhbYT7y9x2W4 rIi5Ujif =GbLw -----END PGP SIGNATURE-----