Debian Package Tracker

general

source: golang-1.8 (main)
version: 1.8.5-1
maintainer: Go Compiler Team (archive) [DMD]
uploaders: Michael Stapelberg [DMD] – Michael Hudson-Doyle [DMD] – Tianon Gravi [DMD] – Paul Tagliamonte [DMD]
arch: all amd64 arm64 armel armhf i386 ppc64 ppc64el s390x
std-ver: 3.9.8
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

stable: 1.8.1-1
unstable: 1.8.5-1

versioned links

1.8.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.8.3-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.8.4-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.8.5-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

golang-1.8
golang-1.8-doc
golang-1.8-go
golang-1.8-src

action needed

A new upstream version is available: 1.8.7 high

A new upstream version 1.8.7 is available, you should consider packaging it.

Created: 2018-01-26 Last update: 2018-11-15 07:02

lintian reports 33 errors and 43 warnings high

Lintian reports 33 errors and 43 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2016-12-13 Last update: 2018-11-12 08:44

Standards version of the package is outdated. high

The package is severely out of date with respect to the Debian Policy. The package should be updated to follow the last version of Debian Policy (Standards-Version 4.2.1 instead of 3.9.8).

Created: 2017-07-25 Last update: 2018-08-26 08:16

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2018-6574: Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.
CVE-2018-7187: The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.

Please fix them.

Created: 2018-02-09 Last update: 2018-06-02 08:03

1 binary package has unsatisfiable dependencies normal

The dependencies of golang-1.8-go=1.8.3-1 cannot be satisfied on mips, mipsel, and mips64el because: unsatisfied dependency on golang-1.8-src (>= 1.8.3-1)

Created: 2018-09-13 Last update: 2018-11-15 12:08

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2018-10-01 Last update: 2018-11-15 11:29

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 5-day delay is over. Check why.

Created: 2017-11-01 Last update: 2018-11-15 11:25

5 ignored security issues in stretch low

There are 5 open security issues in stretch.

5 issues skipped by the security teams:

CVE-2018-6574: Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.
CVE-2017-15042: An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do so. In 2013, upstream issue #5184, this was changed so that the server may decide whether PLAIN is acceptable. The result is that if you set up a man-in-the-middle SMTP server that doesn't advertise STARTTLS and does advertise that PLAIN auth is OK, the smtp.PlainAuth implementation sends the username and password.
CVE-2017-8932: A bug in the standard library ScalarMult implementation of curve P-256 for amd64 architectures in Go before 1.7.6 and 1.8.x before 1.8.2 causes incorrect results to be generated for specific input points. An adaptive attack can be mounted to progressively extract the scalar input to ScalarMult by submitting crafted points and observing failures to the derive correct output. This leads to a full key recovery attack against static ECDH, as used in popular JWT libraries.
CVE-2017-15041: Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, "go get" can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repository's Git checkout has malicious commands in .git/hooks/, they will execute on the system running "go get."
CVE-2018-7187: The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.

Please fix them.

Created: 2017-05-25 Last update: 2018-06-02 08:03

testing migrations

excuses:
- 385 days old (5 needed)
- missing build on mips: golang-1.8-go (from 1.8.3-1)
- missing build on mips64el: golang-1.8-go (from 1.8.3-1)
- missing build on mipsel: golang-1.8-go (from 1.8.3-1)
- missing build on ppc64el: golang-1.8-go, golang-1.8-src (from 1.8.4-1)
- old binaries left on all: golang-1.8, golang-1.8-doc (from 1.8.4-1); golang-1.8, golang-1.8-doc (from 1.8.3-1) (but ignoring cruft, so nevermind)
- Updating golang-1.8 introduces new bugs: #867058, #867059, #867062
- Piuparts tested OK - https://piuparts.debian.org/sid/source/g/golang-1.8.html
- Not considered

news

[rss feed]

[2017-12-06] golang-1.8 REMOVED from testing (Debian testing watch)
[2017-10-26] Accepted golang-1.8 1.8.5-1 (source) into unstable (Michael Hudson-Doyle)
[2017-10-06] Accepted golang-1.8 1.8.4-1 (source) into unstable (Michael Hudson-Doyle)
[2017-07-24] Accepted golang-1.8 1.8.3-2 (source) into unstable (Michael Stapelberg)
[2017-06-26] golang-1.8 1.8.3-1 MIGRATED to testing (Debian testing watch)
[2017-06-01] Accepted golang-1.8 1.8.3-1 (source) into unstable (Michael Hudson-Doyle)
[2017-05-25] golang-1.8 1.8.1-1 MIGRATED to testing (Debian testing watch)
[2017-04-10] Accepted golang-1.8 1.8.1-1 (source) into unstable (Michael Hudson-Doyle)
[2017-03-01] Accepted golang-1.8 1.8-1 (source) into unstable (Michael Hudson-Doyle)
[2017-02-06] golang-1.8 1.8~rc3-1 MIGRATED to testing (Debian testing watch)
[2017-01-26] Accepted golang-1.8 1.8~rc3-1 (source) into unstable (Michael Hudson-Doyle)
[2017-01-19] Accepted golang-1.8 1.8~rc2-1 (source) into unstable (Michael Hudson-Doyle)
[2017-01-16] Accepted golang-1.8 1.8~rc1-1 (source) into unstable (Michael Hudson-Doyle)
[2017-01-01] golang-1.8 1.8~beta2-1 MIGRATED to testing (Debian testing watch)
[2016-12-21] Accepted golang-1.8 1.8~beta2-1 (source) into unstable (Michael Hudson-Doyle)
[2016-12-12] Accepted golang-1.8 1.8~beta1-1 (source all amd64) into unstable, unstable (Michael Hudson-Doyle) (signed by: Tianon Gravi)

bugs [bug history graph]

all: 8
RC: 4
I&N: 3
M&W: 0
F&P: 1
patch: 1

links

homepage
lintian (33, 43)
buildd: logs, checks, clang, debcheck
popcon
browse source code
edit tags
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.8.3-2ubuntu1
4 bugs
patches for 1.8.3-2ubuntu1