golang-github-hashicorp-go-getter - Debian Package Tracker

general

source: golang-github-hashicorp-go-getter (main)
version: 1.4.1-1
maintainer: Debian Go Packaging Team (archive) (DMD)
uploaders: Dmitry Smirnov [DMD]
arch: all
std-ver: 4.4.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 0.0~git20160316.0.575ec4e-1
oldstable: 1.4.1-1
stable: 1.4.1-1
testing: 1.4.1-1
unstable: 1.4.1-1

versioned links

0.0~git20160316.0.575ec4e-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.4.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

golang-github-hashicorp-go-getter-dev

action needed

Problems while searching for a new upstream version high

uscan had problems while searching for a new upstream version:

In debian/watch no matching files for watch line
  https://github.com/hashicorp/go-getter/releases .*/archive/v?(\d[\d\.]+)\.tar\.gz

Created: 2021-03-23 Last update: 2023-12-10 23:38

5 security issues in sid high

There are 5 open security issues in sid.

5 important issues:

CVE-2023-0475: HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.
CVE-2022-26945: go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0.
CVE-2022-30321: go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection flaws. Fixed in 1.6.1 and 2.1.0.
CVE-2022-30322: go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustion when go-getter processed malicious HTTP responses. Fixed in 1.6.1 and 2.1.0.
CVE-2022-30323: go-getter up to 1.5.11 and 2.0.2 panicked when processing password-protected ZIP files. Fixed in 1.6.1 and 2.1.0.

Created: 2022-07-04 Last update: 2023-06-11 06:30

5 security issues in trixie high

There are 5 open security issues in trixie.

5 important issues:

CVE-2023-0475: HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.
CVE-2022-26945: go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0.
CVE-2022-30321: go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection flaws. Fixed in 1.6.1 and 2.1.0.
CVE-2022-30322: go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustion when go-getter processed malicious HTTP responses. Fixed in 1.6.1 and 2.1.0.
CVE-2022-30323: go-getter up to 1.5.11 and 2.0.2 panicked when processing password-protected ZIP files. Fixed in 1.6.1 and 2.1.0.

Created: 2023-06-11 Last update: 2023-06-11 06:30

5 new commits since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit e7d874db15fce99185275b907ce9bde3db05c971
Author: Damian Szuberski <szuberskidamian@gmail.com>
Date:   Sat Apr 29 15:34:46 2023 +1000

    Correct debian/watch
    
    Gbp-Dch: Ignore

commit 89f35cf43d6d8d2d47736e139849b7c7203ab9db
Author: Thorsten Alteholz <debian@alteholz.de>
Date:   Sun Jun 19 13:19:15 2022 +0200

    update watch file

commit f357fc002ba4ac5eb7dcdcaa823e23f02d37b7b1
Author: Aloïs Micard <creekorful@debian.org>
Date:   Wed Dec 1 11:53:28 2021 +0000

    [skip ci] update debian/gitlab-ci.yml (using pkg-go-tools/ci-config)
    
    See: https://salsa.debian.org/go-team/infra/pkg-go-tools
    Gbp-Dch: Ignore

commit d414c610f3fc3f7c4876b4c5a41b38d418c66763
Merge: c74e687 93c4f02
Author: Jelmer Vernooĳ <jelmer@debian.org>
Date:   Thu Jul 9 23:25:04 2020 +0000

    Merge branch 'lintian-fixes' into 'master'
    
    Set upstream metadata fields: Bug-Database, Bug-Submit, Repository, Repository-Browse
    
    See merge request go-team/packages/golang-github-hashicorp-go-getter!1

commit 93c4f02d50560a29480ded23da408db6fd2ad066
Author: Debian Janitor <janitor@jelmer.uk>
Date:   Tue Jul 7 20:51:39 2020 +0000

    Set upstream metadata fields: Bug-Database, Bug-Submit, Repository, Repository-Browse.
    
    Changes-By: lintian-brush
    Fixes: lintian: upstream-metadata-file-is-missing
    See-also: https://lintian.debian.org/tags/upstream-metadata-file-is-missing.html
    Fixes: lintian: upstream-metadata-missing-bug-tracking
    See-also: https://lintian.debian.org/tags/upstream-metadata-missing-bug-tracking.html
    Fixes: lintian: upstream-metadata-missing-repository
    See-also: https://lintian.debian.org/tags/upstream-metadata-missing-repository.html

Created: 2020-07-10 Last update: 2023-12-10 13:42

lintian reports 2 warnings normal

Lintian reports 2 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2020-07-29 Last update: 2023-02-02 01:03

5 low-priority security issues in bullseye low

There are 5 open security issues in bullseye.

5 issues left for the package maintainer to handle:

CVE-2023-0475: (needs triaging) HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.
CVE-2022-26945: (needs triaging) go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0.
CVE-2022-30321: (needs triaging) go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection flaws. Fixed in 1.6.1 and 2.1.0.
CVE-2022-30322: (needs triaging) go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustion when go-getter processed malicious HTTP responses. Fixed in 1.6.1 and 2.1.0.
CVE-2022-30323: (needs triaging) go-getter up to 1.5.11 and 2.0.2 panicked when processing password-protected ZIP files. Fixed in 1.6.1 and 2.1.0.

You can find information about how to handle these issues in the security team's documentation.

Created: 2022-07-04 Last update: 2023-06-11 06:30

5 low-priority security issues in bookworm low

There are 5 open security issues in bookworm.

5 issues left for the package maintainer to handle:

CVE-2023-0475: (needs triaging) HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.
CVE-2022-26945: (needs triaging) go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0.
CVE-2022-30321: (needs triaging) go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection flaws. Fixed in 1.6.1 and 2.1.0.
CVE-2022-30322: (needs triaging) go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustion when go-getter processed malicious HTTP responses. Fixed in 1.6.1 and 2.1.0.
CVE-2022-30323: (needs triaging) go-getter up to 1.5.11 and 2.0.2 panicked when processing password-protected ZIP files. Fixed in 1.6.1 and 2.1.0.

You can find information about how to handle these issues in the security team's documentation.

Created: 2023-06-10 Last update: 2023-06-11 06:30

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.2 instead of 4.4.1).

Created: 2020-01-21 Last update: 2022-12-17 19:18

news

[rss feed]

[2020-01-12] golang-github-hashicorp-go-getter 1.4.1-1 MIGRATED to testing (Debian testing watch)
[2020-01-10] Accepted golang-github-hashicorp-go-getter 1.4.1-1 (source) into unstable (Dmitry Smirnov)
[2019-09-28] golang-github-hashicorp-go-getter 1.4.0-1 MIGRATED to testing (Debian testing watch)
[2019-09-26] Accepted golang-github-hashicorp-go-getter 1.4.0-1 (source) into unstable (Dmitry Smirnov)
[2016-10-14] golang-github-hashicorp-go-getter 0.0~git20160316.0.575ec4e-1 MIGRATED to testing (Debian testing watch)
[2016-10-12] golang-github-hashicorp-go-getter REMOVED from testing (Debian testing watch)
[2016-03-25] golang-github-hashicorp-go-getter 0.0~git20160316.0.575ec4e-1 MIGRATED to testing (Debian testing watch)
[2016-03-19] Accepted golang-github-hashicorp-go-getter 0.0~git20160316.0.575ec4e-1 (source all) into unstable, unstable (Dmitry Smirnov)

bugs [bug history graph]

all: 2
RC: 0
I&N: 2
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (0, 2)
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.4.1-1