golang-github-hashicorp-go-getter - Debian Package Tracker

general

source: golang-github-hashicorp-go-getter (main)
version: 1.4.1-1
maintainer: Debian Go Packaging Team (archive) (DMD)
uploaders: Dmitry Smirnov [DMD]
arch: all
std-ver: 4.4.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 0.0~git20160316.0.575ec4e-1
oldstable: 1.4.1-1
stable: 1.4.1-1
unstable: 1.4.1-1

versioned links

0.0~git20160316.0.575ec4e-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.4.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

golang-github-hashicorp-go-getter-dev

action needed

Problems while searching for a new upstream version high

uscan had problems while searching for a new upstream version:

In debian/watch no matching files for watch line
  https://github.com/hashicorp/go-getter/releases .*/archive/v?(\d[\d\.]+)\.tar\.gz

Created: 2021-03-23 Last update: 2025-06-02 07:00

7 security issues in sid high

There are 7 open security issues in sid.

7 important issues:

CVE-2023-0475: HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.
CVE-2024-3817: HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. This vulnerability does not affect the go-getter/v2 branch and package.
CVE-2024-6257: HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution.
CVE-2022-26945: go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0.
CVE-2022-30321: go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection flaws. Fixed in 1.6.1 and 2.1.0.
CVE-2022-30322: go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustion when go-getter processed malicious HTTP responses. Fixed in 1.6.1 and 2.1.0.
CVE-2022-30323: go-getter up to 1.5.11 and 2.0.2 panicked when processing password-protected ZIP files. Fixed in 1.6.1 and 2.1.0.

Created: 2022-07-04 Last update: 2025-02-27 05:02

7 security issues in trixie high

There are 7 open security issues in trixie.

7 important issues:

CVE-2023-0475: HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.
CVE-2024-3817: HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. This vulnerability does not affect the go-getter/v2 branch and package.
CVE-2024-6257: HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution.
CVE-2022-26945: go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0.
CVE-2022-30321: go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection flaws. Fixed in 1.6.1 and 2.1.0.
CVE-2022-30322: go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustion when go-getter processed malicious HTTP responses. Fixed in 1.6.1 and 2.1.0.
CVE-2022-30323: go-getter up to 1.5.11 and 2.0.2 panicked when processing password-protected ZIP files. Fixed in 1.6.1 and 2.1.0.

Created: 2023-06-11 Last update: 2024-10-03 01:30

6 security issues in buster high

There are 6 open security issues in buster.

1 important issue:

CVE-2024-6257: HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution.

5 issues postponed or untriaged:

CVE-2023-0475: (postponed; to be fixed through a stable update) HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.
CVE-2022-26945: (postponed; to be fixed through a stable update) go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0.
CVE-2022-30321: (postponed; to be fixed through a stable update) go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection flaws. Fixed in 1.6.1 and 2.1.0.
CVE-2022-30322: (postponed; to be fixed through a stable update) go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustion when go-getter processed malicious HTTP responses. Fixed in 1.6.1 and 2.1.0.
CVE-2022-30323: (postponed; to be fixed through a stable update) go-getter up to 1.5.11 and 2.0.2 panicked when processing password-protected ZIP files. Fixed in 1.6.1 and 2.1.0.

Created: 2024-06-26 Last update: 2024-06-27 17:57

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 20-day delay is over. Check why.

Created: 2024-11-01 Last update: 2025-06-02 11:02

5 new commits since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit e7d874db15fce99185275b907ce9bde3db05c971
Author: Damian Szuberski <szuberskidamian@gmail.com>
Date:   Sat Apr 29 15:34:46 2023 +1000

    Correct debian/watch
    
    Gbp-Dch: Ignore

commit 89f35cf43d6d8d2d47736e139849b7c7203ab9db
Author: Thorsten Alteholz <debian@alteholz.de>
Date:   Sun Jun 19 13:19:15 2022 +0200

    update watch file

commit f357fc002ba4ac5eb7dcdcaa823e23f02d37b7b1
Author: Aloïs Micard <creekorful@debian.org>
Date:   Wed Dec 1 11:53:28 2021 +0000

    [skip ci] update debian/gitlab-ci.yml (using pkg-go-tools/ci-config)
    
    See: https://salsa.debian.org/go-team/infra/pkg-go-tools
    Gbp-Dch: Ignore

commit d414c610f3fc3f7c4876b4c5a41b38d418c66763
Merge: c74e687 93c4f02
Author: Jelmer Vernooĳ <jelmer@debian.org>
Date:   Thu Jul 9 23:25:04 2020 +0000

    Merge branch 'lintian-fixes' into 'master'
    
    Set upstream metadata fields: Bug-Database, Bug-Submit, Repository, Repository-Browse
    
    See merge request go-team/packages/golang-github-hashicorp-go-getter!1

commit 93c4f02d50560a29480ded23da408db6fd2ad066
Author: Debian Janitor <janitor@jelmer.uk>
Date:   Tue Jul 7 20:51:39 2020 +0000

    Set upstream metadata fields: Bug-Database, Bug-Submit, Repository, Repository-Browse.
    
    Changes-By: lintian-brush
    Fixes: lintian: upstream-metadata-file-is-missing
    See-also: https://lintian.debian.org/tags/upstream-metadata-file-is-missing.html
    Fixes: lintian: upstream-metadata-missing-bug-tracking
    See-also: https://lintian.debian.org/tags/upstream-metadata-missing-bug-tracking.html
    Fixes: lintian: upstream-metadata-missing-repository
    See-also: https://lintian.debian.org/tags/upstream-metadata-missing-repository.html

Created: 2020-07-10 Last update: 2025-05-29 04:34

lintian reports 2 warnings normal

Lintian reports 2 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2020-07-29 Last update: 2023-02-02 01:03

7 low-priority security issues in bookworm low

There are 7 open security issues in bookworm.

7 issues left for the package maintainer to handle:

CVE-2023-0475: (needs triaging) HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.
CVE-2024-3817: (needs triaging) HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. This vulnerability does not affect the go-getter/v2 branch and package.
CVE-2024-6257: (needs triaging) HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution.
CVE-2022-26945: (needs triaging) go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0.
CVE-2022-30321: (needs triaging) go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection flaws. Fixed in 1.6.1 and 2.1.0.
CVE-2022-30322: (needs triaging) go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustion when go-getter processed malicious HTTP responses. Fixed in 1.6.1 and 2.1.0.
CVE-2022-30323: (needs triaging) go-getter up to 1.5.11 and 2.0.2 panicked when processing password-protected ZIP files. Fixed in 1.6.1 and 2.1.0.

You can find information about how to handle these issues in the security team's documentation.

Created: 2023-06-10 Last update: 2025-02-27 05:02

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.4.1).

Created: 2020-01-21 Last update: 2025-02-27 13:24

testing migrations

excuses:
- Migration status for golang-github-hashicorp-go-getter (- to 1.4.1-1): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ Updating golang-github-hashicorp-go-getter would introduce bugs in testing: #1083184
- ∙ ∙ blocked by freeze: is not in testing
- Additional info:
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/g/golang-github-hashicorp-go-getter.html
- ∙ ∙ autopkgtest for golang-github-hashicorp-go-getter/1.4.1-1: amd64: Pass, arm64: Pass, armel: Pass, armhf: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Pass
- ∙ ∙ Reproducible on amd64 - info ♻
- ∙ ∙ Reproducible on arm64 - info ♻
- ∙ ∙ Reproducible on armhf - info ♻
- ∙ ∙ Reproducible on i386 - info ♻
- ∙ ∙ 1970 days old (needed 20 days)
- Not considered

news

[rss feed]

[2024-11-02] golang-github-hashicorp-go-getter REMOVED from testing (Debian testing watch)
[2020-01-12] golang-github-hashicorp-go-getter 1.4.1-1 MIGRATED to testing (Debian testing watch)
[2020-01-10] Accepted golang-github-hashicorp-go-getter 1.4.1-1 (source) into unstable (Dmitry Smirnov)
[2019-09-28] golang-github-hashicorp-go-getter 1.4.0-1 MIGRATED to testing (Debian testing watch)
[2019-09-26] Accepted golang-github-hashicorp-go-getter 1.4.0-1 (source) into unstable (Dmitry Smirnov)
[2016-10-14] golang-github-hashicorp-go-getter 0.0~git20160316.0.575ec4e-1 MIGRATED to testing (Debian testing watch)
[2016-10-12] golang-github-hashicorp-go-getter REMOVED from testing (Debian testing watch)
[2016-03-25] golang-github-hashicorp-go-getter 0.0~git20160316.0.575ec4e-1 MIGRATED to testing (Debian testing watch)
[2016-03-19] Accepted golang-github-hashicorp-go-getter 0.0~git20160316.0.575ec4e-1 (source all) into unstable, unstable (Dmitry Smirnov)

bugs [bug history graph]

all: 4
RC: 1
I&N: 3
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (0, 2)
buildd: logs
popcon
browse source code
edit tags
other distros
security tracker
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.4.1-1