Debian Package Tracker

golang-github-dvsekhvalnov-jose2go

Go implementation of JavaScript Object Signing and Encryption


general
  • source: golang-github-dvsekhvalnov-jose2go (main)
  • version: 1.5-1
  • maintainer: Debian Go Packaging Team (DMD)
  • uploaders: Tianon Gravi [DMD]
  • arch: all
  • std-ver: 4.5.1
  • VCS: Git (Browse, QA)
versions
  • o-o-stable: 1.5-1
  • oldstable: 1.5-1
  • stable: 1.5-1
  • testing: 1.5-1
  • unstable: 1.5-1
versioned links
  • 1.5-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • golang-github-dvsekhvalnov-jose2go-dev
action needed
A new upstream version is available: 1.8.0 high
A new upstream version 1.8.0 is available, you should consider packaging it.
Created: 2025-11-27 Last update: 2025-11-27 00:03
2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:
  • CVE-2023-50658: The jose2go component before 1.6.0 for Go allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.
  • CVE-2025-63811: An issue was discovered in dvsekhvalnov jose2go 1.5.0 thru 1.7.0 allowing an attacker to cause a Denial-of-Service (DoS) via crafted JSON Web Encryption (JWE) token with an exceptionally high compression ratio.
Created: 2023-12-27 Last update: 2025-11-16 21:31
2 security issues in forky high

There are 2 open security issues in forky.

2 important issues:
  • CVE-2023-50658: The jose2go component before 1.6.0 for Go allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.
  • CVE-2025-63811: An issue was discovered in dvsekhvalnov jose2go 1.5.0 thru 1.7.0 allowing an attacker to cause a Denial-of-Service (DoS) via crafted JSON Web Encryption (JWE) token with an exceptionally high compression ratio.
Created: 2025-08-09 Last update: 2025-11-16 21:31
version in VCS is newer than in repository, is it time to upload? normal
vcswatch reports that this package seems to have a new changelog entry (version 1.5-2, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:
commit d412246988aad0b492486cc7df744e60812aa6db
Author: Tianon Gravi <tianon@debian.org>
Date:   Wed Feb 23 12:26:44 2022 -0800

    Remove self from Uploaders

commit a13317e273fda6fb0fcafa1c5d5159165f8285f5
Merge: 770ac61 3a5be93
Author: Jelmer Vernooij <jelmer@debian.org>
Date:   Thu Feb 17 18:58:57 2022 +0000

    Merge branch 'lintian-fixes' into 'master'
    
    Fix some issues reported by lintian
    
    See merge request go-team/packages/golang-github-dvsekhvalnov-jose2go!3

commit 3a5be93f97c5befebf207ac2455b03888d54644f
Author: Debian Janitor <janitor@jelmer.uk>
Date:   Wed Feb 2 16:57:04 2022 +0000

    Update standards version to 4.6.0, no changes needed.
    
    Changes-By: lintian-brush
    Fixes: lintian: out-of-date-standards-version
    See-also: https://lintian.debian.org/tags/out-of-date-standards-version.html

commit 9ec7fdb27c26ae4a9d8d5cf77849b01cf08e0d86
Author: Debian Janitor <janitor@jelmer.uk>
Date:   Wed Feb 2 16:57:04 2022 +0000

    Set upstream metadata fields: Bug-Database, Bug-Submit.
    
    Changes-By: lintian-brush
    Fixes: lintian: upstream-metadata-missing-bug-tracking
    See-also: https://lintian.debian.org/tags/upstream-metadata-missing-bug-tracking.html

commit 770ac61aa0f47b2cfb2c5beb9d40eb6e68d06030
Author: Aloïs Micard <creekorful@debian.org>
Date:   Wed Dec 1 11:58:45 2021 +0000

    [skip ci] update debian/gitlab-ci.yml (using pkg-go-tools/ci-config)
    
    See: https://salsa.debian.org/go-team/infra/pkg-go-tools
    Gbp-Dch: Ignore

commit 4db69bf735e4e25c16cafae1cf6e32767ac86ba8
Merge: a4e417a b009304
Author: Jelmer Vernooij <jelmer@debian.org>
Date:   Thu Sep 30 00:11:15 2021 +0000

    Merge branch 'lintian-fixes' into 'master'
    
    Set upstream metadata fields: Repository, Repository-Browse
    
    See merge request go-team/packages/golang-github-dvsekhvalnov-jose2go!2

commit b0093042ce6d09ecc1ea32fba23bda75a1d015a9
Author: Jenkins <jenkins@jenkins.debian.net>
Date:   Fri Sep 24 04:40:43 2021 +0000

    Set upstream metadata fields: Repository, Repository-Browse.
    
    Changes-By: lintian-brush
    Fixes: lintian: upstream-metadata-file-is-missing
    See-also: https://lintian.debian.org/tags/upstream-metadata-file-is-missing.html
    Fixes: lintian: upstream-metadata-missing-repository
    See-also: https://lintian.debian.org/tags/upstream-metadata-missing-repository.html
Created: 2021-09-30 Last update: 2025-11-24 21:17
2 low-priority security issues in trixie low

There are 2 open security issues in trixie.

2 issues left for the package maintainer to handle:
  • CVE-2023-50658: (needs triaging) The jose2go component before 1.6.0 for Go allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.
  • CVE-2025-63811: (needs triaging) An issue was discovered in dvsekhvalnov jose2go 1.5.0 thru 1.7.0 allowing an attacker to cause a Denial-of-Service (DoS) via crafted JSON Web Encryption (JWE) token with an exceptionally high compression ratio.

You can find information about how to handle these issues in the security team's documentation.

Created: 2023-12-27 Last update: 2025-11-16 21:31
2 low-priority security issues in bookworm low

There are 2 open security issues in bookworm.

2 issues left for the package maintainer to handle:
  • CVE-2023-50658: (needs triaging) The jose2go component before 1.6.0 for Go allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.
  • CVE-2025-63811: (needs triaging) An issue was discovered in dvsekhvalnov jose2go 1.5.0 thru 1.7.0 allowing an attacker to cause a Denial-of-Service (DoS) via crafted JSON Web Encryption (JWE) token with an exceptionally high compression ratio.

You can find information about how to handle these issues in the security team's documentation.

Created: 2023-12-27 Last update: 2025-11-16 21:31
Standards version of the package is outdated. wishlist
The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.5.1).
Created: 2021-08-18 Last update: 2025-02-27 13:24
news
  • [2021-01-31] golang-github-dvsekhvalnov-jose2go 1.5-1 MIGRATED to testing (Debian testing watch)
  • [2021-01-28] Accepted golang-github-dvsekhvalnov-jose2go 1.5-1 (source) into unstable (Shengjing Zhu)
  • [2018-04-28] golang-github-dvsekhvalnov-jose2go 1.3-1 MIGRATED to testing (Debian testing watch)
  • [2018-04-22] Accepted golang-github-dvsekhvalnov-jose2go 1.3-1 (source) into unstable (Alexandre Viau)
  • [2015-10-25] golang-github-dvsekhvalnov-jose2go 1.2-1 MIGRATED to testing (Britney)
  • [2015-10-19] Accepted golang-github-dvsekhvalnov-jose2go 1.2-1 (source) into unstable (Tianon Gravi) (signed by: Andrew Page)
  • [2015-10-17] golang-github-dvsekhvalnov-jose2go 1.1-1 MIGRATED to testing (Britney)
  • [2015-10-11] Accepted golang-github-dvsekhvalnov-jose2go 1.1-1 (source all) into unstable, unstable (Tianon Gravi) (signed by: Andrew Page)
bugs
  • all: 3
  • RC: 0
  • I&N: 3
  • M&W: 0
  • F&P: 0
  • patch: 0
ubuntu
  • version: 1.5-1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.