golang-github-gorilla-schema - Debian Package Tracker

general

source: golang-github-gorilla-schema (main)
version: 1.4.1-1
maintainer: Debian Go Packaging Team (DMD)
uploaders: Reinhard Tartler [DMD]
arch: all
std-ver: 4.6.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

stable: 1.2.0-2
testing: 1.2.0-2
unstable: 1.4.1-1

versioned links

1.2.0-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.4.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

golang-github-gorilla-schema-dev

action needed

Marked for autoremoval on 27 May: #1075973 high

Version 1.2.0-2 of golang-github-gorilla-schema is marked for autoremoval from testing on Tue 27 May 2025. It is affected by #1075973. The removal of golang-github-gorilla-schema will also cause the removal of (transitive) reverse dependencies: cockpit-podman, debcraft, distrobox, golang-github-containers-toolbox, pkg-rocm-tools, podman, rust-repro-env. You should try to prevent the removal by fixing these RC bugs.

Created: 2025-04-22 Last update: 2025-05-04 16:32

1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:

CVE-2024-37298: gorilla/schema converts structs to and from form values. Prior to version 1.4.1 Running `schema.Decoder.Decode()` on a struct that has a field of type `[]struct{...}` opens it up to malicious attacks regarding memory allocations, taking advantage of the sparse slice functionality. Any use of `schema.Decoder.Decode()` on a struct with arrays of other structs could be vulnerable to this memory exhaustion vulnerability. Version 1.4.1 contains a patch for the issue.

Created: 2024-07-03 Last update: 2025-04-28 04:00

9 new commits since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit 608198feb0d54f2642e4d933b7721b28ffdafafb
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Sun Apr 27 09:40:05 2025 -0400

    debian/changelog: update

commit d3b762f0214ee424ff9b58d56a381c0697a09645
Merge: 19d5c7c 4bb0220
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Sun Apr 27 09:39:20 2025 -0400

    Update upstream source from tag 'upstream/1.4.1'
    
    Update to upstream version '1.4.1'
    with Debian dir 5ace2c18a422432a1521e6be09ec827748dacc3a

commit 4bb0220d1d16d85ff1ddacb50fa596b096ab4cdb
Merge: 22f39e3 cd59f2f
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Sun Apr 27 09:39:20 2025 -0400

    New upstream version 1.4.1

commit 19d5c7cbd916fb3f4fbff7abe04c6a2daa3498bf
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Mon Nov 28 07:32:59 2022 -0500

    debian/changelog: update

commit a46706753dd304328fdcf4680aa02f757b9908d4
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Mon Nov 28 07:33:52 2022 -0500

    Bump standards version

commit 86a618a0a25ba3a904a5aa5758d6802f55cc97f2
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Thu May 19 08:18:12 2022 -0400

    add itp

commit 083de05db5dc0cedbc8388db6e230c13c8a61f65
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Thu May 19 08:05:08 2022 -0400

    initial packaging

commit 22f39e3c2acec8b0f048729eb889412e930e4df8
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Thu May 19 08:01:17 2022 -0400

    New upstream version 1.2.0

commit 7d6eff9f0fe0480ada57308e42225547957ce653
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Thu May 19 08:01:17 2022 -0400

    Ignore _build and quilt .pc dirs via .gitignore

Created: 2022-05-29 Last update: 2025-04-27 21:30

1 low-priority security issue in bookworm low

There is 1 open security issue in bookworm.

1 issue left for the package maintainer to handle:

CVE-2024-37298: (needs triaging) gorilla/schema converts structs to and from form values. Prior to version 1.4.1 Running `schema.Decoder.Decode()` on a struct that has a field of type `[]struct{...}` opens it up to malicious attacks regarding memory allocations, taking advantage of the sparse slice functionality. Any use of `schema.Decoder.Decode()` on a struct with arrays of other structs could be vulnerable to this memory exhaustion vulnerability. Version 1.4.1 contains a patch for the issue.

You can find information about how to handle this issue in the security team's documentation.

Created: 2024-07-03 Last update: 2025-04-28 04:00

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.6.1).

Created: 2022-12-17 Last update: 2025-04-28 02:31

testing migrations

excuses:
- Migration status for golang-github-gorilla-schema (1.2.0-2 to 1.4.1-1): Waiting for test results or another package, or too young (no action required now - check later)
- Issues preventing migration:
- ∙ ∙ Too young, only 6 of 10 days old
- Additional info:
- ∙ ∙ Updating golang-github-gorilla-schema will fix bugs in testing: #1075973
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/g/golang-github-gorilla-schema.html
- ∙ ∙ autopkgtest for golang-github-gorilla-schema/1.4.1-1: amd64: Pass, arm64: Pass, armel: Pass, armhf: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Pass
- ∙ ∙ Reproducible on amd64 - info ♻
- ∙ ∙ Reproducible on arm64 - info ♻
- ∙ ∙ Waiting for reproducibility test results on armhf - info ♻
- ∙ ∙ Reproducible on i386 - info ♻
- Not considered

news

[rss feed]

[2025-04-27] Accepted golang-github-gorilla-schema 1.4.1-1 (source) into unstable (Reinhard Tartler)
[2022-11-30] golang-github-gorilla-schema 1.2.0-2 MIGRATED to testing (Debian testing watch)
[2022-11-28] Accepted golang-github-gorilla-schema 1.2.0-2 (source) into unstable (Reinhard Tartler)
[2022-05-29] Accepted golang-github-gorilla-schema 1.2.0-1 (all source) into unstable, unstable (Debian FTP Masters) (signed by: Reinhard Tartler)

bugs [bug history graph]

all: 0

links

homepage
lintian
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.4.1-1