Format: 1.8
Date: Mon, 02 Mar 2026 22:11:11 +0100
Source: golang-github-lucas-clemente-quic-go
Architecture: source
Version: 0.59.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
Changed-By: Dr. Tobias Quathamer <toddy@debian.org>
Closes: 1122814 1129117
Changes:
 golang-github-lucas-clemente-quic-go (0.59.0-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version 0.59.0
     - Refresh patch
     - New patch: Disable testing of postquantum handshake.
       The tests currently fail due to a wrong CurveID, specifying
       a TLS identifier for a key exchange mechanism.
       The postQuantum tests expect X25519MLKEM768, but the used
       curve is X25519.
     - New patch: Disable TestHandshakePacketBuffering for now
     - Remove unneeded build dependencies
     - Use versioned Build-Depends on golang-github-quic-go-qpack-dev
     - Use actual package name of golang-github-marten-seemann-qpack-dev
     - Fixes CVE-2025-64702 (Closes: #1122814)
       Versions 0.56.0 and below are vulnerable to excessive memory
       allocation through quic-go's HTTP/3 client and server
       implementations by sending a QPACK-encoded HEADERS frame that
       decodes into a large header field section (many unique header
       names and/or large values). The implementation builds an
       http.Header (used on the http.Request and http.Response,
       respectively), while only enforcing limits on the size of the
       (QPACK-compressed) HEADERS frame, but not on the decoded header,
       leading to memory exhaustion. This issue is fixed in version 0.57.0.
   * Only use GOEXPERIMENT=synctest on Go 1.24 (Closes: #1129117)
   * Remove Priority: optional from d/control
   * Remove Rules-Requires-Root from d/control
   * Update Standards-Version to 4.7.3
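The CVE-2025-64702 entry above describes a limit applied to the compressed HEADERS frame but not to the decoded field section. The following Go sketch is an added example, not quic-go's code or the upstream fix: it enforces the limit on the decoded size while the http.Header is being built. All names (`Field`, `decodeIndexed`, `BuildHeader`) are hypothetical, and the decoder is a toy stand-in for QPACK in which each wire byte references one table entry.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

type Field struct{ Name, Value string } // one decoded header field
var ErrFieldSectionTooLarge = errors.New("decoded field section exceeds limit")
const fieldOverhead = 32 // per-field overhead counted by RFC 9114, section 4.2.2

// decodeIndexed is a toy stand-in for a QPACK decoder (assumption, not real
// QPACK): each wire byte indexes table, so one byte expands to a whole field.
func decodeIndexed(wire []byte, table []Field, emit func(Field) error) error {
	for _, idx := range wire {
		if int(idx) >= len(table) {
			return fmt.Errorf("invalid table index %d", idx)
		}
		if err := emit(table[idx]); err != nil {
			return err // stop decoding at the first rejected field
		}
	}
	return nil
}

// BuildHeader aborts once the decoded size exceeds maxDecoded, before storing the field.
func BuildHeader(wire []byte, table []Field, maxDecoded int) (http.Header, int, error) {
	h, size := make(http.Header), 0
	err := decodeIndexed(wire, table, func(f Field) error {
		size += len(f.Name) + len(f.Value) + fieldOverhead
		if size > maxDecoded {
			return fmt.Errorf("%w: %d > %d bytes", ErrFieldSectionTooLarge, size, maxDecoded)
		}
		h.Add(f.Name, f.Value)
		return nil
	})
	if err != nil {
		return nil, size, err
	}
	return h, size, nil
}

func main() {
	table := []Field{{Name: "x-constructed", Value: strings.Repeat("a", 1024)}} // constructed entry
	_, size, err := BuildHeader(make([]byte, 200), table, 16<<10)                // 200 wire bytes
	fmt.Println(size, err)
}
```

With the constructed input, a 200-byte wire payload passes any frame-size check of a few hundred bytes, yet decoding is rejected at the sixteenth field, when the running decoded size crosses the 16 KiB budget.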