Debian Package Tracker

general

source: golang-1.8 (updates)
version: 1.8.1-1+deb9u1
maintainer: Go Compiler Team (archive) (DMD)
uploaders: Michael Stapelberg [DMD] – Michael Hudson-Doyle [DMD] – Tianon Gravi [DMD] – Paul Tagliamonte [DMD]
arch: all amd64 arm64 armel armhf i386 ppc64 ppc64el s390x
std-ver: 3.9.8
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

stable: 1.8.1-1
stable-sec: 1.8.1-1+deb9u1

versioned links

1.8.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.8.1-1+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

golang-1.8
golang-1.8-doc
golang-1.8-go
golang-1.8-src

package is gone

This package is not in any development repository. This probably means that the package has been removed (or has been renamed). Thus the information here is of little interest ... the package is going to disappear unless someone takes it over and reintroduces it.

action needed

A new upstream version is available: 1.8.7 high

A new upstream version 1.8.7 is available, you should consider packaging it.

Created: 2018-01-26 Last update: 2019-09-15 19:16

7 security issues in stretch high

There are 7 open security issues in stretch.

3 important issues:

CVE-2019-9514: Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.
CVE-2019-14809: net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com.
CVE-2019-9512: Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

4 issues skipped by the security teams:

CVE-2017-15042: An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do so. In 2013, upstream issue #5184, this was changed so that the server may decide whether PLAIN is acceptable. The result is that if you set up a man-in-the-middle SMTP server that doesn't advertise STARTTLS and does advertise that PLAIN auth is OK, the smtp.PlainAuth implementation sends the username and password.
CVE-2017-8932: A bug in the standard library ScalarMult implementation of curve P-256 for amd64 architectures in Go before 1.7.6 and 1.8.x before 1.8.2 causes incorrect results to be generated for specific input points. An adaptive attack can be mounted to progressively extract the scalar input to ScalarMult by submitting crafted points and observing failures to the derive correct output. This leads to a full key recovery attack against static ECDH, as used in popular JWT libraries.
CVE-2017-15041: Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, "go get" can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repository's Git checkout has malicious commands in .git/hooks/, they will execute on the system running "go get."
CVE-2019-9741: An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command.

Please fix them.

Created: 2017-05-25 Last update: 2019-08-25 08:00

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 1.8.5-1, distribution unstable) and new commits in its VCS. You should consider whether it's time to make an upload.

The Vcs URL is using anonscm.debian.org. Please update it for the move to salsa.debian.org.

Created: 2018-12-04 Last update: 2019-09-15 21:30

news

[rss feed]

[2019-02-01] Accepted golang-1.8 1.8.1-1+deb9u1 (source all amd64) into stable->embargoed, stable (Dr. Tobias Quathamer)
[2018-12-04] Removed 1.8.5-1 from unstable (Debian FTP Masters)
[2018-12-04] Removed 1.8.4-1 from unstable (Debian FTP Masters)
[2018-12-04] Removed 1.8.3-1 from unstable (Debian FTP Masters)
[2017-12-06] golang-1.8 REMOVED from testing (Debian testing watch)
[2017-10-26] Accepted golang-1.8 1.8.5-1 (source) into unstable (Michael Hudson-Doyle)
[2017-10-06] Accepted golang-1.8 1.8.4-1 (source) into unstable (Michael Hudson-Doyle)
[2017-07-24] Accepted golang-1.8 1.8.3-2 (source) into unstable (Michael Stapelberg)
[2017-06-26] golang-1.8 1.8.3-1 MIGRATED to testing (Debian testing watch)
[2017-06-01] Accepted golang-1.8 1.8.3-1 (source) into unstable (Michael Hudson-Doyle)
[2017-05-25] golang-1.8 1.8.1-1 MIGRATED to testing (Debian testing watch)
[2017-04-10] Accepted golang-1.8 1.8.1-1 (source) into unstable (Michael Hudson-Doyle)
[2017-03-01] Accepted golang-1.8 1.8-1 (source) into unstable (Michael Hudson-Doyle)
[2017-02-06] golang-1.8 1.8~rc3-1 MIGRATED to testing (Debian testing watch)
[2017-01-26] Accepted golang-1.8 1.8~rc3-1 (source) into unstable (Michael Hudson-Doyle)
[2017-01-19] Accepted golang-1.8 1.8~rc2-1 (source) into unstable (Michael Hudson-Doyle)
[2017-01-16] Accepted golang-1.8 1.8~rc1-1 (source) into unstable (Michael Hudson-Doyle)
[2017-01-01] golang-1.8 1.8~beta2-1 MIGRATED to testing (Debian testing watch)
[2016-12-21] Accepted golang-1.8 1.8~beta2-1 (source) into unstable (Michael Hudson-Doyle)
[2016-12-12] Accepted golang-1.8 1.8~beta1-1 (source all amd64) into unstable, unstable (Michael Hudson-Doyle) (signed by: Tianon Gravi)

bugs [bug history graph]

all: 1
RC: 1
I&N: 0
M&W: 0
F&P: 0
patch: 0

links

homepage
buildd: logs, clang, cross
popcon
browse source code
edit tags
security tracker
screenshots