Debian Package Tracker

golang-github-hashicorp-go-getter

download from a URL using a variety of protocols


general
  • source: golang-github-hashicorp-go-getter (main)
  • version: 1.4.1-1
  • maintainer: Debian Go Packaging Team (archive) (DMD)
  • uploaders: Dmitry Smirnov [DMD]
  • arch: all
  • std-ver: 4.4.1
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 0.0~git20160316.0.575ec4e-1
  • oldstable: 1.4.1-1
  • stable: 1.4.1-1
  • unstable: 1.4.1-1
versioned links
  • 0.0~git20160316.0.575ec4e-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.4.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • golang-github-hashicorp-go-getter-dev
action needed
Problems while searching for a new upstream version [high]
uscan had problems while searching for a new upstream version:
In debian/watch no matching files for watch line
  https://github.com/hashicorp/go-getter/releases .*/archive/v?(\d[\d\.]+)\.tar\.gz
Created: 2021-03-23 Last update: 2025-06-02 07:00
7 security issues in sid [high]

There are 7 open security issues in sid.

7 important issues:
  • CVE-2023-0475: HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.
  • CVE-2024-3817: HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. This vulnerability does not affect the go-getter/v2 branch and package.
  • CVE-2024-6257: HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution.
  • CVE-2022-26945: go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0.
  • CVE-2022-30321: go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection flaws. Fixed in 1.6.1 and 2.1.0.
  • CVE-2022-30322: go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustion when go-getter processed malicious HTTP responses. Fixed in 1.6.1 and 2.1.0.
  • CVE-2022-30323: go-getter up to 1.5.11 and 2.0.2 panicked when processing password-protected ZIP files. Fixed in 1.6.1 and 2.1.0.
Created: 2022-07-04 Last update: 2025-02-27 05:02
7 security issues in trixie [high]

There are 7 open security issues in trixie.

7 important issues:
  • CVE-2023-0475: HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.
  • CVE-2024-3817: HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. This vulnerability does not affect the go-getter/v2 branch and package.
  • CVE-2024-6257: HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution.
  • CVE-2022-26945: go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0.
  • CVE-2022-30321: go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection flaws. Fixed in 1.6.1 and 2.1.0.
  • CVE-2022-30322: go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustion when go-getter processed malicious HTTP responses. Fixed in 1.6.1 and 2.1.0.
  • CVE-2022-30323: go-getter up to 1.5.11 and 2.0.2 panicked when processing password-protected ZIP files. Fixed in 1.6.1 and 2.1.0.
Created: 2023-06-11 Last update: 2024-10-03 01:30
6 security issues in buster [high]

There are 6 open security issues in buster.

1 important issue:
  • CVE-2024-6257: HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution.
5 issues postponed or untriaged:
  • CVE-2023-0475: (postponed; to be fixed through a stable update) HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.
  • CVE-2022-26945: (postponed; to be fixed through a stable update) go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0.
  • CVE-2022-30321: (postponed; to be fixed through a stable update) go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection flaws. Fixed in 1.6.1 and 2.1.0.
  • CVE-2022-30322: (postponed; to be fixed through a stable update) go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustion when go-getter processed malicious HTTP responses. Fixed in 1.6.1 and 2.1.0.
  • CVE-2022-30323: (postponed; to be fixed through a stable update) go-getter up to 1.5.11 and 2.0.2 panicked when processing password-protected ZIP files. Fixed in 1.6.1 and 2.1.0.
Created: 2024-06-26 Last update: 2024-06-27 17:57
The package has not entered testing even though the delay is over [normal]
The package has not entered testing even though the 20-day delay is over. Check why.
Created: 2024-11-01 Last update: 2025-06-02 11:02
5 new commits since last upload, is it time to release? [normal]
vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:
commit e7d874db15fce99185275b907ce9bde3db05c971
Author: Damian Szuberski <szuberskidamian@gmail.com>
Date:   Sat Apr 29 15:34:46 2023 +1000

    Correct debian/watch
    
    Gbp-Dch: Ignore

commit 89f35cf43d6d8d2d47736e139849b7c7203ab9db
Author: Thorsten Alteholz <debian@alteholz.de>
Date:   Sun Jun 19 13:19:15 2022 +0200

    update watch file

commit f357fc002ba4ac5eb7dcdcaa823e23f02d37b7b1
Author: Aloïs Micard <creekorful@debian.org>
Date:   Wed Dec 1 11:53:28 2021 +0000

    [skip ci] update debian/gitlab-ci.yml (using pkg-go-tools/ci-config)
    
    See: https://salsa.debian.org/go-team/infra/pkg-go-tools
    Gbp-Dch: Ignore

commit d414c610f3fc3f7c4876b4c5a41b38d418c66763
Merge: c74e687 93c4f02
Author: Jelmer Vernooij <jelmer@debian.org>
Date:   Thu Jul 9 23:25:04 2020 +0000

    Merge branch 'lintian-fixes' into 'master'
    
    Set upstream metadata fields: Bug-Database, Bug-Submit, Repository, Repository-Browse
    
    See merge request go-team/packages/golang-github-hashicorp-go-getter!1

commit 93c4f02d50560a29480ded23da408db6fd2ad066
Author: Debian Janitor <janitor@jelmer.uk>
Date:   Tue Jul 7 20:51:39 2020 +0000

    Set upstream metadata fields: Bug-Database, Bug-Submit, Repository, Repository-Browse.
    
    Changes-By: lintian-brush
    Fixes: lintian: upstream-metadata-file-is-missing
    See-also: https://lintian.debian.org/tags/upstream-metadata-file-is-missing.html
    Fixes: lintian: upstream-metadata-missing-bug-tracking
    See-also: https://lintian.debian.org/tags/upstream-metadata-missing-bug-tracking.html
    Fixes: lintian: upstream-metadata-missing-repository
    See-also: https://lintian.debian.org/tags/upstream-metadata-missing-repository.html
Created: 2020-07-10 Last update: 2025-05-29 04:34
lintian reports 2 warnings [normal]
Lintian reports 2 warnings about this package. You should make the package lintian-clean by getting rid of them.
Created: 2020-07-29 Last update: 2023-02-02 01:03
7 low-priority security issues in bookworm [low]

There are 7 open security issues in bookworm.

7 issues left for the package maintainer to handle:
  • CVE-2023-0475: (needs triaging) HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.
  • CVE-2024-3817: (needs triaging) HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. This vulnerability does not affect the go-getter/v2 branch and package.
  • CVE-2024-6257: (needs triaging) HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution.
  • CVE-2022-26945: (needs triaging) go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0.
  • CVE-2022-30321: (needs triaging) go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection flaws. Fixed in 1.6.1 and 2.1.0.
  • CVE-2022-30322: (needs triaging) go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustion when go-getter processed malicious HTTP responses. Fixed in 1.6.1 and 2.1.0.
  • CVE-2022-30323: (needs triaging) go-getter up to 1.5.11 and 2.0.2 panicked when processing password-protected ZIP files. Fixed in 1.6.1 and 2.1.0.

You can find information about how to handle these issues in the security team's documentation.

Created: 2023-06-10 Last update: 2025-02-27 05:02
Standards version of the package is outdated [wishlist]
The package should be updated to follow the latest version of Debian Policy (Standards-Version 4.7.2 instead of 4.4.1).
Created: 2020-01-21 Last update: 2025-02-27 13:24
testing migrations
  • excuses:
    • Migration status for golang-github-hashicorp-go-getter (- to 1.4.1-1): BLOCKED: Rejected/violates migration policy/introduces a regression
    • Issues preventing migration:
      • Updating golang-github-hashicorp-go-getter would introduce bugs in testing: #1083184
      • blocked by freeze: is not in testing
    • Additional info:
      • Piuparts tested OK - https://piuparts.debian.org/sid/source/g/golang-github-hashicorp-go-getter.html
      • autopkgtest for golang-github-hashicorp-go-getter/1.4.1-1: amd64: Pass, arm64: Pass, armel: Pass, armhf: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Pass
      • Reproducible on amd64 - info ♻
      • Reproducible on arm64 - info ♻
      • Reproducible on armhf - info ♻
      • Reproducible on i386 - info ♻
      • 1970 days old (needed 20 days)
    • Not considered
news
  • [2024-11-02] golang-github-hashicorp-go-getter REMOVED from testing (Debian testing watch)
  • [2020-01-12] golang-github-hashicorp-go-getter 1.4.1-1 MIGRATED to testing (Debian testing watch)
  • [2020-01-10] Accepted golang-github-hashicorp-go-getter 1.4.1-1 (source) into unstable (Dmitry Smirnov)
  • [2019-09-28] golang-github-hashicorp-go-getter 1.4.0-1 MIGRATED to testing (Debian testing watch)
  • [2019-09-26] Accepted golang-github-hashicorp-go-getter 1.4.0-1 (source) into unstable (Dmitry Smirnov)
  • [2016-10-14] golang-github-hashicorp-go-getter 0.0~git20160316.0.575ec4e-1 MIGRATED to testing (Debian testing watch)
  • [2016-10-12] golang-github-hashicorp-go-getter REMOVED from testing (Debian testing watch)
  • [2016-03-25] golang-github-hashicorp-go-getter 0.0~git20160316.0.575ec4e-1 MIGRATED to testing (Debian testing watch)
  • [2016-03-19] Accepted golang-github-hashicorp-go-getter 0.0~git20160316.0.575ec4e-1 (source all) into unstable, unstable (Dmitry Smirnov)
bugs [bug history graph]
  • all: 4
  • RC: 1
  • I&N: 3
  • M&W: 0
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian (0, 2)
  • buildd: logs
  • popcon
  • browse source code
  • other distros
  • security tracker
  • debci
ubuntu [Information about Ubuntu for Debian Developers]
  • version: 1.4.1-1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.