golang-github-gin-gonic-gin - Debian Package Tracker

general

source: golang-github-gin-gonic-gin (main)
version: 1.8.1-2
maintainer: Debian Go Packaging Team (DMD)
uploaders: Shengjing Zhu [DMD]
arch: all
std-ver: 4.2.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.3.0+dfsg1-3
oldstable: 1.6.3-3
stable: 1.8.1-1
testing: 1.8.1-2
unstable: 1.8.1-2

versioned links

1.3.0+dfsg1-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.6.3-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.8.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.8.1-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

golang-github-gin-gonic-gin-dev

action needed

A new upstream version is available: 1.10.0 high

A new upstream version 1.10.0 is available, you should consider packaging it.

Created: 2022-12-24 Last update: 2024-11-17 06:33

2 security issues in trixie high

There are 2 open security issues in trixie.

2 important issues:

CVE-2023-26125: Versions of the package github.com/gin-gonic/gin before 1.9.0 are vulnerable to Improper Input Validation by allowing an attacker to use a specially crafted request via the X-Forwarded-Prefix header, potentially leading to cache poisoning. **Note:** Although this issue does not pose a significant threat on its own it can serve as an input vector for other more impactful vulnerabilities. However, successful exploitation may depend on the server configuration and whether the header is used in the application logic.
CVE-2023-29401: The filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header to be sent with an unexpected filename value or otherwise modify the Content-Disposition header. For example, a filename of "setup.bat";x=.txt" will be sent as a file named "setup.bat". If the FileAttachment function is called with names provided by an untrusted source, this may permit an attacker to cause a file to be served with a name different than provided. Maliciously crafted attachment file name can modify the Content-Disposition header.

Created: 2023-06-11 Last update: 2024-08-15 08:30

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2023-26125: Versions of the package github.com/gin-gonic/gin before 1.9.0 are vulnerable to Improper Input Validation by allowing an attacker to use a specially crafted request via the X-Forwarded-Prefix header, potentially leading to cache poisoning. **Note:** Although this issue does not pose a significant threat on its own it can serve as an input vector for other more impactful vulnerabilities. However, successful exploitation may depend on the server configuration and whether the header is used in the application logic.
CVE-2023-29401: The filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header to be sent with an unexpected filename value or otherwise modify the Content-Disposition header. For example, a filename of "setup.bat";x=.txt" will be sent as a file named "setup.bat". If the FileAttachment function is called with names provided by an untrusted source, this may permit an attacker to cause a file to be served with a name different than provided. Maliciously crafted attachment file name can modify the Content-Disposition header.

Created: 2023-05-04 Last update: 2024-08-15 08:30

2 low-priority security issues in bookworm low

There are 2 open security issues in bookworm.

2 issues left for the package maintainer to handle:

CVE-2023-26125: (needs triaging) Versions of the package github.com/gin-gonic/gin before 1.9.0 are vulnerable to Improper Input Validation by allowing an attacker to use a specially crafted request via the X-Forwarded-Prefix header, potentially leading to cache poisoning. **Note:** Although this issue does not pose a significant threat on its own it can serve as an input vector for other more impactful vulnerabilities. However, successful exploitation may depend on the server configuration and whether the header is used in the application logic.
CVE-2023-29401: (needs triaging) The filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header to be sent with an unexpected filename value or otherwise modify the Content-Disposition header. For example, a filename of "setup.bat";x=.txt" will be sent as a file named "setup.bat". If the FileAttachment function is called with names provided by an untrusted source, this may permit an attacker to cause a file to be served with a name different than provided. Maliciously crafted attachment file name can modify the Content-Disposition header.

You can find information about how to handle these issues in the security team's documentation.

Created: 2023-06-09 Last update: 2024-08-15 08:30

debian/patches: 2 patches to forward upstream low

Among the 2 debian patches available in version 1.8.1-2 of the package, we noticed the following issues:

2 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2023-11-19 09:39

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.0 instead of 4.2.1).

Created: 2018-12-23 Last update: 2024-04-07 13:15

news

[rss feed]

[2023-11-02] golang-github-gin-gonic-gin 1.8.1-2 MIGRATED to testing (Debian testing watch)
[2023-10-30] Accepted golang-github-gin-gonic-gin 1.8.1-2 (source) into unstable (Nilesh Patra)
[2022-10-16] golang-github-gin-gonic-gin 1.8.1-1 MIGRATED to testing (Debian testing watch)
[2022-10-13] Accepted golang-github-gin-gonic-gin 1.8.1-1 (source) into unstable (Cyril Brulebois)
[2021-09-18] golang-github-gin-gonic-gin 1.6.3-4 MIGRATED to testing (Debian testing watch)
[2021-09-16] Accepted golang-github-gin-gonic-gin 1.6.3-4 (source) into unstable (Michael Hudson-Doyle)
[2021-01-12] golang-github-gin-gonic-gin 1.6.3-3 MIGRATED to testing (Debian testing watch)
[2021-01-10] Accepted golang-github-gin-gonic-gin 1.6.3-3 (source) into unstable (Cyril Brulebois)
[2021-01-09] Accepted golang-github-gin-gonic-gin 1.6.3-2 (source) into unstable (Cyril Brulebois)
[2021-01-08] Accepted golang-github-gin-gonic-gin 1.6.3-1 (source) into unstable (Cyril Brulebois)
[2018-12-07] golang-github-gin-gonic-gin 1.3.0+dfsg1-3 MIGRATED to testing (Debian testing watch)
[2018-12-04] Accepted golang-github-gin-gonic-gin 1.3.0+dfsg1-3 (source) into unstable (Paride Legovini) (signed by: Michael Stapelberg)
[2018-09-20] golang-github-gin-gonic-gin 1.3.0+dfsg1-2 MIGRATED to testing (Debian testing watch)
[2018-09-18] Accepted golang-github-gin-gonic-gin 1.3.0+dfsg1-2 (source) into unstable (Shengjing Zhu)
[2018-09-18] Accepted golang-github-gin-gonic-gin 1.3.0+dfsg1-1 (source) into unstable (Shengjing Zhu)
[2018-04-07] golang-github-gin-gonic-gin REMOVED from testing (Debian testing watch)
[2017-08-26] golang-github-gin-gonic-gin 1.2+dfsg1-2 MIGRATED to testing (Debian testing watch)
[2017-08-21] Accepted golang-github-gin-gonic-gin 1.2+dfsg1-2 (source all) into unstable (Shengjing Zhu) (signed by: Sascha Steinbiss)
[2017-08-18] Accepted golang-github-gin-gonic-gin 1.2+dfsg1-1 (source all) into unstable, unstable (Shengjing Zhu) (signed by: Sascha Steinbiss)

bugs [bug history graph]

all: 3
RC: 0
I&N: 3
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.8.1-2