Format: 1.8
Date: Tue, 12 Jul 2022 19:08:18 -0500
Source: golang-1.18
Built-For-Profiles: noudeb
Architecture: source
Version: 1.18.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Compiler Team <team+go-compiler@tracker.debian.org>
Changed-By: William 'jawn-smith' Wilson <jawn-smith@ubuntu.com>
Changes:
 golang-1.18 (1.18.4-1) unstable; urgency=medium
 .
   * New upstream version 1.18.4
     + CVE-2022-1705: net/http: improper sanitization of Transfer-Encoding
       header
     + CVE-2022-32148: When httputil.ReverseProxy.ServeHTTP was called with a
       Request.Header map containing a nil value for the X-Forwarded-For
       header, ReverseProxy would set the client IP as the value of the
       X-Forwarded-For header, contrary to its documentation. In the more
       usual case where a Director function set the X-Forwarded-For header
       value to nil, ReverseProxy would leave the header unmodified as
       expected.
     + CVE-2022-30631: compress/gzip: stack exhaustion in Reader.Read
     + CVE-2022-30633: encoding/xml: stack exhaustion in Unmarshal
     + CVE-2022-28131: encoding/xml: stack exhaustion in Decoder.Skip
     + CVE-2022-30635: encoding/gob: stack exhaustion in Decoder.Decode
     + CVE-2022-30632: path/filepath: stack exhaustion in Glob
     + CVE-2022-30630: io/fs: stack exhaustion in Glob
     + CVE-2022-1962: go/parser: stack exhaustion in all Parse* functions