golang-1.11 - Debian Package Tracker

general

source: golang-1.11 (updates)
version: 1.11.6-1+deb10u7
maintainer: Go Compiler Team (DMD)
uploaders: Michael Stapelberg [DMD] – Paul Tagliamonte [DMD] – Dr. Tobias Quathamer [DMD] – Tianon Gravi [DMD] – Michael Hudson-Doyle [DMD]
arch: all amd64 arm64 armel armhf i386 mips mips64el mipsel ppc64 ppc64el s390x
std-ver: 4.3.0
VCS: Git (Browse)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.11.6-1+deb10u4
o-o-sec: 1.11.6-1+deb10u7

versioned links

1.11.6-1+deb10u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.11.6-1+deb10u7: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

golang-1.11
golang-1.11-doc
golang-1.11-go
golang-1.11-src

package is gone

This package is not in any development repository. This probably means that the package has been removed (or has been renamed). Thus the information here is of little interest ... the package is going to disappear unless someone takes it over and reintroduces it.

action needed

A new upstream version is available: 1.11.13 high

A new upstream version 1.11.13 is available, you should consider packaging it.

Created: 2020-06-29 Last update: 2023-09-22 02:03

44 security issues in buster high

There are 44 open security issues in buster.

2 important issues:

CVE-2023-39318: The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack.
CVE-2023-39319: The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.

39 issues postponed or untriaged:

CVE-2022-1962: (postponed; to be fixed through a stable update) Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations.
CVE-2022-2879: (postponed; to be fixed through a stable update) Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB.
CVE-2022-2880: (postponed; to be fixed through a stable update) Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.
CVE-2020-24553: (postponed; to be fixed through a stable update) Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.
CVE-2020-28366: (postponed; to be fixed through a stable update) Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file.
CVE-2021-27918: (postponed; to be fixed through a stable update) encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.
CVE-2021-29923: (postponed; to be fixed through a stable update) Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.
CVE-2021-31525: (postponed; to be fixed through a stable update) net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.
CVE-2021-33195: (postponed; to be fixed through a stable update) Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format.
CVE-2021-33197: (postponed; to be fixed through a stable update) In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
CVE-2021-33198: (postponed; to be fixed through a stable update) In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method.
CVE-2021-34558: (postponed; to be fixed through a stable update) The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic.
CVE-2022-27664: (postponed; to be fixed through a stable update) In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
CVE-2022-28131: (postponed; to be fixed through a stable update) Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document.
CVE-2022-30629: (postponed; to be fixed through a stable update) Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.
CVE-2022-30631: (postponed; to be fixed through a stable update) Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length compressed files.
CVE-2022-30632: (postponed; to be fixed through a stable update) Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path containing a large number of path separators.
CVE-2022-30633: (postponed; to be fixed through a stable update) Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag.
CVE-2022-30635: (postponed; to be fixed through a stable update) Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures.
CVE-2022-32148: (postponed; to be fixed through a stable update) Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For header.
CVE-2022-32189: (postponed; to be fixed through a stable update) A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service.
CVE-2022-41715: (postponed; to be fixed through a stable update) Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected.
CVE-2022-41717: (postponed; to be fixed through a stable update) An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
CVE-2022-41723: (postponed; to be fixed through a stable update) A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
CVE-2022-41725: (postponed; to be fixed through a stable update) A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. ReadForm takes a maxMemory parameter, and is documented as storing "up to maxMemory bytes +10MB (reserved for non-file parts) in memory". File parts which cannot be stored in memory are stored on disk in temporary files. The unconfigurable 10MB reserved for non-file parts is excessively large and can potentially open a denial of service vector on its own. However, ReadForm did not properly account for all memory consumed by a parsed form, such as map entry overhead, part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In addition, ReadForm contained no limit on the number of disk files created, permitting a relatively small request body to create a large number of disk temporary files. With fix, ReadForm now properly accounts for various forms of memory overhead, and should now stay within its documented limit of 10MB + maxMemory bytes of memory consumption. Users should still be aware that this limit is high and may still be hazardous. In addition, ReadForm now creates at most one on-disk temporary file, combining multiple form parts into a single temporary file. The mime/multipart.File interface type's documentation states, "If stored on disk, the File's underlying concrete type will be an *os.File.". This is no longer the case when a form contains more than one file part, due to this coalescing of parts into a single file. The previous behavior of using distinct files for each form part may be reenabled with the environment variable GODEBUG=multipartfiles=distinct. Users should be aware that multipart.ReadForm and the http.Request methods that call it do not limit the amount of disk consumed by temporary files. Callers can limit the size of form data with http.MaxBytesReader.
CVE-2023-24532: (postponed; to be fixed through a stable update) The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve). This does not impact usages of crypto/ecdsa or crypto/ecdh.
CVE-2023-24534: (postponed; to be fixed through a stable update) HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold parsed headers.
CVE-2023-24536: (postponed; to be fixed through a stable update) Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs than intended. 2. Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts. 3. ReadForm can allocate a large number of short-lived buffers, further increasing pressure on the garbage collector. The combination of these factors can permit an attacker to cause an program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. With fix, ReadForm now does a better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations. In addition, the fixed mime/multipart.Reader imposes the following limits on the size of parsed forms: 1. Forms parsed with ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxparts=. 2. Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=.
CVE-2023-24537: (postponed; to be fixed through a stable update) Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow.
CVE-2023-24538: (postponed; to be fixed through a stable update) Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template.Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported, but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks will now be escaped. This should be used with caution.
CVE-2023-24539: (postponed; to be fixed through a stable update) Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input.
CVE-2023-24540: (postponed; to be fixed through a stable update) Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
CVE-2023-29400: (postponed; to be fixed through a stable update) Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.
CVE-2023-29402: (postponed; to be fixed through a stable update) The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).
CVE-2023-29403: (postponed; to be fixed through a stable update) On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.
CVE-2023-29404: (postponed; to be fixed through a stable update) The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.
CVE-2023-29405: (postponed; to be fixed through a stable update) The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.
CVE-2023-29406: (postponed; to be fixed through a stable update) The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.
CVE-2023-29409: (postponed; to be fixed through a stable update) Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.

3 ignored issues:

CVE-2021-3115: Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).
CVE-2022-23772: Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption.
CVE-2022-23773: cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.

Created: 2023-09-07 Last update: 2023-09-10 04:39

lintian reports 44 errors and 45 warnings high

Lintian reports 44 errors and 45 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2022-07-30 Last update: 2022-07-30 12:13

debian/patches: 4 patches to forward upstream low

Among the 5 debian patches available in version 1.11.5-1 of the package, we noticed the following issues:

4 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2023-02-26 15:54

news

[rss feed]

[2023-04-20] Accepted golang-1.11 1.11.6-1+deb10u7 (source) into oldstable (Sylvain Beucler)
[2023-04-19] Accepted golang-1.11 1.11.6-1+deb10u6 (source) into oldstable (Sylvain Beucler)
[2023-04-19] Accepted golang-1.11 1.11.6-1+deb10u5 (source) into oldstable (Sylvain Beucler)
[2021-06-13] Accepted golang-1.11 1.11.6-1+deb10u4 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters)
[2021-02-08] Accepted golang-1.11 1.11.6-1+deb10u4 (source) into stable->embargoed, stable (Debian FTP Masters) (signed by: Shengjing Zhu)
[2019-10-29] Accepted golang-1.11 1.11.6-1+deb10u3 (source) into proposed-updates->stable-new, proposed-updates (Dr. Tobias Quathamer)
[2019-10-25] Accepted golang-1.11 1.11.6-1+deb10u3 (source) into stable->embargoed, stable (Dr. Tobias Quathamer)
[2019-09-28] Accepted golang-1.11 1.11.6-1+deb10u2 (source) into proposed-updates->stable-new, proposed-updates (Dr. Tobias Quathamer)
[2019-09-27] Accepted golang-1.11 1.11.6-1+deb10u2 (source) into stable->embargoed, stable (Dr. Tobias Quathamer)
[2019-08-26] golang-1.11 REMOVED from testing (Debian testing watch)
[2019-08-25] Removed 1.11.13-1 from unstable (Debian FTP Masters)
[2019-08-25] golang-1.11 1.11.13-1 MIGRATED to testing (Debian testing watch)
[2019-08-21] Accepted golang-1.11 1.11.6-1+deb10u1 (source) into proposed-updates->stable-new, proposed-updates (Dr. Tobias Quathamer)
[2019-08-18] Accepted golang-1.11 1.11.6-1+deb10u1 (source) into stable->embargoed, stable (Dr. Tobias Quathamer)
[2019-08-15] Accepted golang-1.11 1.11.13-1 (source) into unstable (Dr. Tobias Quathamer)
[2019-08-13] Accepted golang-1.11 1.11.12-4 (source) into unstable (Anthony Fok)
[2019-08-10] Accepted golang-1.11 1.11.12-3 (source all amd64) into unstable (Anthony Fok)
[2019-07-15] Accepted golang-1.11 1.11.12-2 (source) into unstable (Dr. Tobias Quathamer)
[2019-07-09] Accepted golang-1.11 1.11.12-1 (source) into unstable (Dr. Tobias Quathamer)
[2019-03-28] golang-1.11 1.11.6-1 MIGRATED to testing (Debian testing watch)
[2019-03-17] Accepted golang-1.11 1.11.6-1 (source) into unstable (Michael Hudson-Doyle)
[2019-01-29] Accepted golang-1.11 1.11.5-1~bpo9+1 (all amd64 source) into stretch-backports (Dr. Tobias Quathamer)
[2019-01-26] golang-1.11 1.11.5-1 MIGRATED to testing (Debian testing watch)
[2019-01-24] Accepted golang-1.11 1.11.5-1 (source) into unstable (Michael Stapelberg)
[2019-01-11] Accepted golang-1.11 1.11.4-4~bpo9+1 (all amd64 source) into stretch-backports, stretch-backports (Dr. Tobias Quathamer)
[2019-01-03] golang-1.11 1.11.4-4 MIGRATED to testing (Debian testing watch)
[2018-12-28] Accepted golang-1.11 1.11.4-4 (source) into unstable (Anthony Fok)
[2018-12-26] Accepted golang-1.11 1.11.4-3 (source) into unstable (Anthony Fok)
[2018-12-23] Accepted golang-1.11 1.11.4-2 (source) into unstable (Dr. Tobias Quathamer)
[2018-12-16] Accepted golang-1.11 1.11.4-1 (source) into unstable (Dr. Tobias Quathamer)

bugs [bug history graph]

all: 0

links

homepage
lintian (44, 45)
buildd: logs, cross
popcon
edit tags
security tracker
screenshots
debian patches