golang-github-go-resty-resty - Debian Package Tracker

general

versioned links

2.4.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.6.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.10.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

action needed

A new upstream version is available: 2.16.0 high

A new upstream version 2.16.0 is available, you should consider packaging it.

Created: 2023-12-31 Last update: 2024-11-21 07:30

1 security issue in trixie high

1 important issue:

CVE-2023-45286: A race condition in go-resty can result in HTTP request body disclosure across requests. This condition can be triggered by calling sync.Pool.Put with the same *bytes.Buffer more than once, when request retries are enabled and a retry occurs. The call to sync.Pool.Get will then return a bytes.Buffer that hasn't had bytes.Buffer.Reset called on it. This dirty buffer will contain the HTTP request body from an unrelated request, and go-resty will append the current HTTP request body to it, sending two bodies in one request. The sync.Pool in question is defined at package level scope, so a completely unrelated server could receive the request body.

Created: 2023-11-29 Last update: 2024-08-15 08:30

1 security issue in sid high

1 important issue:

CVE-2023-45286: A race condition in go-resty can result in HTTP request body disclosure across requests. This condition can be triggered by calling sync.Pool.Put with the same *bytes.Buffer more than once, when request retries are enabled and a retry occurs. The call to sync.Pool.Get will then return a bytes.Buffer that hasn't had bytes.Buffer.Reset called on it. This dirty buffer will contain the HTTP request body from an unrelated request, and go-resty will append the current HTTP request body to it, sending two bodies in one request. The sync.Pool in question is defined at package level scope, so a completely unrelated server could receive the request body.

Created: 2023-11-29 Last update: 2024-08-15 08:30

lintian reports 1 warning normal

Lintian reports 1 warning about this package. You should make the package lintian clean getting rid of them.

Created: 2021-05-27 Last update: 2023-01-31 21:32

1 low-priority security issue in bookworm low

There is 1 open security issue in bookworm.

1 issue left for the package maintainer to handle:

CVE-2023-45286: (needs triaging) A race condition in go-resty can result in HTTP request body disclosure across requests. This condition can be triggered by calling sync.Pool.Put with the same *bytes.Buffer more than once, when request retries are enabled and a retry occurs. The call to sync.Pool.Get will then return a bytes.Buffer that hasn't had bytes.Buffer.Reset called on it. This dirty buffer will contain the HTTP request body from an unrelated request, and go-resty will append the current HTTP request body to it, sending two bodies in one request. The sync.Pool in question is defined at package level scope, so a completely unrelated server could receive the request body.

You can find information about how to handle this issue in the security team's documentation.

Created: 2023-11-29 Last update: 2024-08-15 08:30

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.0 instead of 4.6.2).

Created: 2024-04-07 Last update: 2024-04-07 13:15

[2023-11-12] golang-github-go-resty-resty 2.10.0-1 MIGRATED to testing (Debian testing watch)
[2023-11-09] Accepted golang-github-go-resty-resty 2.10.0-1 (source) into unstable (Shengjing Zhu)
[2021-08-25] golang-github-go-resty-resty 2.6.0-1 MIGRATED to testing (Debian testing watch)
[2021-08-23] Accepted golang-github-go-resty-resty 2.6.0-1 (source) into unstable (Aloïs Micard)
[2021-01-16] golang-github-go-resty-resty 2.4.0-1 MIGRATED to testing (Debian testing watch)
[2021-01-14] Accepted golang-github-go-resty-resty 2.4.0-1 (source) into unstable (Aloïs Micard)
[2020-12-02] golang-github-go-resty-resty 2.3.0-3 MIGRATED to testing (Debian testing watch)
[2020-11-29] Accepted golang-github-go-resty-resty 2.3.0-3 (source) into unstable (Aloïs Micard)
[2020-10-27] golang-github-go-resty-resty 2.3.0-2 MIGRATED to testing (Debian testing watch)
[2020-10-25] Accepted golang-github-go-resty-resty 2.3.0-2 (source) into unstable (Aloïs Micard)
[2020-10-24] Accepted golang-github-go-resty-resty 2.3.0-1 (source all) into unstable, unstable (Debian FTP Masters) (signed by: Alexandre Viau)

bugs [bug history graph]

links

ubuntu