Register | Log in

golang-1.8

Choose email to subscribe with

general

source: golang-1.8 (updates)
version: 1.8.1-1+deb9u3
maintainer: Go Compiler Team (archive) (DMD)
uploaders: Michael Stapelberg [DMD] – Michael Hudson-Doyle [DMD] – Tianon Gravi [DMD] – Paul Tagliamonte [DMD]
arch: all amd64 arm64 armel armhf i386 ppc64 ppc64el s390x
std-ver: 3.9.8
VCS: Git (Browse)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.8.1-1+deb9u1
o-o-sec: 1.8.1-1+deb9u3

versioned links

1.8.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.8.1-1+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.8.1-1+deb9u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

golang-1.8
golang-1.8-doc
golang-1.8-go
golang-1.8-src

package is gone

This package is not in any development repository. This probably means that the package has been removed (or has been renamed). Thus the information here is of little interest ... the package is going to disappear unless someone takes it over and reintroduces it.

action needed

20 security issues in stretch high

There are 20 open security issues in stretch.

3 important issues:

CVE-2021-29923: Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.
CVE-2021-36221: Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort.
CVE-2021-39293:

7 issues postponed or untriaged:

CVE-2020-24553: (needs triaging) Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.
CVE-2021-27918: (postponed; to be fixed through a stable update) encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.
CVE-2021-31525: (postponed; to be fixed through a stable update) net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.
CVE-2021-33195: (postponed; to be fixed through a stable update) Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format.
CVE-2021-33196: (postponed; to be fixed through a stable update) In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's header) can cause a NewReader or OpenReader panic.
CVE-2021-33197: (postponed; to be fixed through a stable update) In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
CVE-2021-34558: (postponed; to be fixed through a stable update) The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic.

10 ignored issues:

CVE-2017-15042: An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do so. In 2013, upstream issue #5184, this was changed so that the server may decide whether PLAIN is acceptable. The result is that if you set up a man-in-the-middle SMTP server that doesn't advertise STARTTLS and does advertise that PLAIN auth is OK, the smtp.PlainAuth implementation sends the username and password.
CVE-2017-8932: A bug in the standard library ScalarMult implementation of curve P-256 for amd64 architectures in Go before 1.7.6 and 1.8.x before 1.8.2 causes incorrect results to be generated for specific input points. An adaptive attack can be mounted to progressively extract the scalar input to ScalarMult by submitting crafted points and observing failures to the derive correct output. This leads to a full key recovery attack against static ECDH, as used in popular JWT libraries.
CVE-2018-16875: The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.
CVE-2019-14809: net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com.
CVE-2019-9512: Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
CVE-2019-9514: Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.
CVE-2020-28366: Go before 1.14.12 and 1.15.x before 1.15.5 allows Code Injection.
CVE-2020-29510: The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
CVE-2020-29511: The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
CVE-2021-3115: Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).

Created: 2021-08-05 Last update: 2021-09-11 10:06

news

[2021-03-13] Accepted golang-1.8 1.8.1-1+deb9u3 (source) into oldstable (Sylvain Beucler)
[2020-11-21] Accepted golang-1.8 1.8.1-1+deb9u2 (source all amd64) into oldstable (Thorsten Alteholz)
[2020-07-09] Accepted golang-1.8 1.8.1-1+deb9u1 (source all amd64) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Dr. Tobias Quathamer)
[2019-02-01] Accepted golang-1.8 1.8.1-1+deb9u1 (source all amd64) into stable->embargoed, stable (Dr. Tobias Quathamer)
[2018-12-04] Removed 1.8.5-1 from unstable (Debian FTP Masters)
[2018-12-04] Removed 1.8.4-1 from unstable (Debian FTP Masters)
[2018-12-04] Removed 1.8.3-1 from unstable (Debian FTP Masters)
[2017-12-06] golang-1.8 REMOVED from testing (Debian testing watch)
[2017-10-26] Accepted golang-1.8 1.8.5-1 (source) into unstable (Michael Hudson-Doyle)
[2017-10-06] Accepted golang-1.8 1.8.4-1 (source) into unstable (Michael Hudson-Doyle)
[2017-07-24] Accepted golang-1.8 1.8.3-2 (source) into unstable (Michael Stapelberg)
[2017-06-26] golang-1.8 1.8.3-1 MIGRATED to testing (Debian testing watch)
[2017-06-01] Accepted golang-1.8 1.8.3-1 (source) into unstable (Michael Hudson-Doyle)
[2017-05-25] golang-1.8 1.8.1-1 MIGRATED to testing (Debian testing watch)
[2017-04-10] Accepted golang-1.8 1.8.1-1 (source) into unstable (Michael Hudson-Doyle)
[2017-03-01] Accepted golang-1.8 1.8-1 (source) into unstable (Michael Hudson-Doyle)
[2017-02-06] golang-1.8 1.8~rc3-1 MIGRATED to testing (Debian testing watch)
[2017-01-26] Accepted golang-1.8 1.8~rc3-1 (source) into unstable (Michael Hudson-Doyle)
[2017-01-19] Accepted golang-1.8 1.8~rc2-1 (source) into unstable (Michael Hudson-Doyle)
[2017-01-16] Accepted golang-1.8 1.8~rc1-1 (source) into unstable (Michael Hudson-Doyle)
[2017-01-01] golang-1.8 1.8~beta2-1 MIGRATED to testing (Debian testing watch)
[2016-12-21] Accepted golang-1.8 1.8~beta2-1 (source) into unstable (Michael Hudson-Doyle)
[2016-12-12] Accepted golang-1.8 1.8~beta1-1 (source all amd64) into unstable, unstable (Michael Hudson-Doyle) (signed by: Tianon Gravi)

bugs [bug history graph]

all: 1
RC: 1
I&N: 0
M&W: 0
F&P: 0
patch: 0

links

homepage
buildd: logs, clang, cross
popcon
edit tags
security tracker
screenshots

Debian Package Tracker — Copyright 2013-2018 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing