Format: 1.8
Date: Fri, 10 Sep 2021 22:23:57 -0600
Source: golang-1.17
Architecture: source
Version: 1.17.1-1~bpo11+1
Distribution: bullseye-backports
Urgency: high
Maintainer: Debian Go Compiler Team <team+go-compiler@tracker.debian.org>
Changed-By: Anthony Fok <foka@debian.org>
Changes:
 golang-1.17 (1.17.1-1~bpo11+1) bullseye-backports; urgency=medium
 .
   * New upstream version 1.17.1
     + CVE-2021-39293: security fix to the archive/zip package
   * Rebuild for bullseye-backports.
 .
 golang-1.17 (1.17.1-1) unstable; urgency=high
 .
   * New upstream version 1.17.1
     + CVE-2021-39293: security fix to the archive/zip package
       The fix for CVE-2021-33196 can be bypassed by crafted inputs.
       As a result, the NewReader and OpenReader functions in archive/zip
       can still cause a panic or an unrecoverable fatal error when reading
       an archive that claims to contain a large number of files,
       regardless of its actual size.
       Thanks to the OSS-Fuzz project for discovering this issue
       and to Emmanuel Odeke for reporting it.
     + bug fixes to the archive/zip, go/internal/gccgoimporter,
       html/template, net/http, and runtime/pprof packages
   * Re-add "Multi-Arch: foreign" hint
   * Rename Maintainer from "Go Compiler Team" to "Debian Go Compiler Team"
   * Bump Standards-Version to 4.6.0 (no change)