golang-golang-x-net - Debian Package Tracker

general

source: golang-golang-x-net (main)
version: 1:0.27.0-2
maintainer: Debian Go Packaging Team (DMD)
uploaders: Anthony Fok [DMD] – Tim Potter [DMD] – Martín Ferrari [DMD] – Michael Stapelberg [DMD]
arch: all
std-ver: 4.7.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 1:0.0+git20210119.5f4716e+dfsg-4
old-bpo: 1:0.0+git20221012.0b7e1fb+dfsg-1~bpo11+1
stable: 1:0.7.0+dfsg-1
testing: 1:0.27.0-2
unstable: 1:0.27.0-2

versioned links

1:0.0+git20210119.5f4716e+dfsg-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:0.0+git20221012.0b7e1fb+dfsg-1~bpo11+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:0.7.0+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:0.27.0-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

golang-golang-x-net-dev (1 bugs: 0, 1, 0, 0)

action needed

Debci reports failed tests high

unstable: pass (log)
The tests ran in 0:01:46
Last run: 2025-07-04T13:44:16.000Z
Previous status: unknown

testing: pass (log)
The tests ran in 0:01:28
Last run: 2025-06-25T12:31:21.000Z
Previous status: unknown

stable: fail (log)
The tests ran in 0:11:08
Last run: 2025-06-28T10:39:49.000Z
Previous status: unknown

Created: 2025-06-28 Last update: 2025-07-06 19:03

A new upstream version is available: 0.41.0 high

A new upstream version 0.41.0 is available, you should consider packaging it.

Created: 2024-06-06 Last update: 2025-07-06 14:33

8 security issues in bullseye high

There are 8 open security issues in bullseye.

1 important issue:

CVE-2025-22872: The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. <math>, <svg>, etc contexts).

7 issues postponed or untriaged:

CVE-2023-3978: (needs triaging) Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.
CVE-2021-44716: (needs triaging) net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.
CVE-2022-27664: (needs triaging) In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
CVE-2022-41717: (needs triaging) An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
CVE-2022-41723: (needs triaging) A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
CVE-2023-45288: (needs triaging) An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
CVE-2024-45338: (postponed; to be fixed through a stable update) An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

Created: 2025-04-17 Last update: 2025-05-29 15:00

Does not build reproducibly during testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2023-06-25 Last update: 2025-07-06 19:31

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 1:0.33.0-1, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit c919ce136a21db988d28e569f27f0e015971516e
Author: Ananthu C V <weepingclown@debian.org>
Date:   Sat May 3 16:48:12 2025 +0530

    Update changelog

commit 081a8b286c2a1b2697d3cd146946a35411b92f7c
Author: Ananthu C V <weepingclown@debian.org>
Date:   Sat May 3 15:20:47 2025 +0530

    Upload to unstable

commit a369c5756c2e3cd53b013d73eebf4ce9980e1347
Author: Ananthu C V <weepingclown@debian.org>
Date:   Sat May 3 15:18:20 2025 +0530

    Skip more publicsuffix tests (Closes: #1089192)

commit 82677257a8eeac9e4c1d6ea0320d5d43b510cf3e
Author: Maytham Alsudany <maytha8thedev@gmail.com>
Date:   Mon Jan 6 16:33:24 2025 +0800

    Update changelog

commit e24c95c04f45e7db568e1a18e13c84e8b94fd43c
Author: Maytham Alsudany <maytha8thedev@gmail.com>
Date:   Mon Jan 6 16:30:36 2025 +0800

    Skip publicsuffix tests TestPublicSuffix, TestSlowPublicSuffix, and TestNumICANNRules
    
    These tests are hardcoded by upstream to check against parts of the test data,
    but break when the test data is regenerated from the latest publicsuffix data,
    which is constantly changing.
    
    This patch skips TestPublicSuffix, TestSlowPublicSuffix, and
    TestNumICANNRules, which are all affected by this problem and resulted in test
    failures.
    
    Closes: #1089192

commit 6ab3ef3bcdb38811556409fe388fb798f9746e51
Author: Maytham Alsudany <maytha8thedev@gmail.com>
Date:   Mon Jan 6 16:17:56 2025 +0800

    Refresh patches
    
    Gbp-Dch: ignore

commit 776c4533e226083b04a6cba9194fde3d9ddfd148
Merge: 29fa448 c799c32
Author: Maytham Alsudany <maytha8thedev@gmail.com>
Date:   Mon Jan 6 15:50:54 2025 +0800

    Update upstream source from tag 'upstream/0.33.0'
    
    Update to upstream version '0.33.0'
    with Debian dir bdad16f95163796012e76b8b8aa29bb15dbf180f

commit 29fa44814a122cd87eafa914ed8275600b96b26b
Author: Anthony Fok <foka@debian.org>
Date:   Sun Sep 1 08:41:37 2024 -0600

    Update changelog for 1:0.27.0-1 release

commit 528627e0b426197cd63598ff35457036d9ee1fdd
Author: Anthony Fok <foka@debian.org>
Date:   Sun Sep 1 08:41:16 2024 -0600

    Bump versioned dependencies as per go.mod

commit f65ffbbc76d05f858fbcd85b1073100b99648025
Merge: 376fa07 5eb5618
Author: Anthony Fok <foka@debian.org>
Date:   Sun Sep 1 08:29:46 2024 -0600

    Update upstream source from tag 'upstream/0.27.0'
    
    Update to upstream version '0.27.0'
    with Debian dir ba5b4a049ae925b457ef184cb7f18261306274a5

commit 376fa0737584abfbc4c64decccb764a13bc1da8d
Author: Anthony Fok <foka@debian.org>
Date:   Sat Aug 10 03:02:44 2024 -0600

    Update changelog for 1:0.26.0+dfsg-2 release

commit c605ad6fd236ac382495921dc0f59c7e406dea9a
Author: Anthony Fok <foka@debian.org>
Date:   Sat Aug 10 03:02:25 2024 -0600

    Bump to golang-golang-x-text-dev (>= 0.16.0) as per go.mod

commit 8fdd99e494fe3e107e515a14957a00eed99ecdf6
Author: Anthony Fok <foka@debian.org>
Date:   Wed Jul 31 11:28:42 2024 -0600

    Update changelog for 1:0.26.0+dfsg-1 release

commit df24525238863841c0307ebbc575f151101ea3c4
Author: Anthony Fok <foka@debian.org>
Date:   Wed Jul 31 11:27:56 2024 -0600

    Bump versioned dependencies as per go.mod
    
    except for golang-golang-x-text-dev (>= 0.16.0)
    which still needs to be packaged

commit 9deda08c4ae8504007eb08a3af2c8336c9cedd9c
Merge: f5b0204 fce6bad
Author: Anthony Fok <foka@debian.org>
Date:   Wed Jul 31 09:15:13 2024 -0600

    Update upstream source from tag 'upstream/0.26.0+dfsg'
    
    Update to upstream version '0.26.0+dfsg'
    with Debian dir 350849fe8a4dd3224276c830078bf499edd0aa59

commit f5b0204ca295ea4a2f6ba2b384e141fe5b4bc78a
Author: Anthony Fok <foka@debian.org>
Date:   Mon May 20 18:51:13 2024 -0600

    Update changelog for 1:0.25.0+dfsg-1 release

commit 9c3c72e980af09bfb1520c876d8b868580e8e7b5
Author: Anthony Fok <foka@debian.org>
Date:   Mon May 20 18:50:46 2024 -0600

    Bump versioned dependencies as per go.mod

commit 9c1b575ac12aa8d58b2a7d8d3cda35c5df65c704
Merge: 8c9a1f2 07d9f38
Author: Anthony Fok <foka@debian.org>
Date:   Mon May 20 18:49:09 2024 -0600

    Update upstream source from tag 'upstream/0.25.0+dfsg'
    
    Update to upstream version '0.25.0+dfsg'
    with Debian dir 2e6461846d0a15cad618625bc61a658b0a342550

commit 8c9a1f2a532677c9ffdb0cca2ccb4c641805788a
Author: Anthony Fok <foka@debian.org>
Date:   Fri Apr 26 03:23:29 2024 -0600

    Update changelog for 1:0.24.0+dfsg-1 release

commit bb4f002c691649dab74b6da5c37feb7061658d2e
Author: Anthony Fok <foka@debian.org>
Date:   Fri Apr 26 03:23:05 2024 -0600

    Bump Standards-Version to 4.7.0 (no change)

commit e2b617bef1e248347cc6bff46aa81f1eb3cddd96
Author: Anthony Fok <foka@debian.org>
Date:   Fri Apr 26 03:22:48 2024 -0600

    Bump versioned dependencies as per go.mod

commit ae7443c634c29d5e3856ea4eb38d2372a7f260f8
Merge: af7e9ca 9b9f6bc
Author: Anthony Fok <foka@debian.org>
Date:   Fri Apr 26 03:19:09 2024 -0600

    Update upstream source from tag 'upstream/0.24.0+dfsg'
    
    Update to upstream version '0.24.0+dfsg'
    with Debian dir 4a1f1b576f0c6af610d16ac18655bbe68f45efc1

commit af7e9caf17b6ff978e418e0c75b3078dd60a1cd1
Author: Shengjing Zhu <zhsj@debian.org>
Date:   Thu Apr 4 04:39:52 2024 +0800

    Update changelog for 1:0.23.0+dfsg-1 release

commit c7863418fd83fc2d5baeedd0b98d12a2fc88789e
Merge: 6b20012 675e292
Author: Shengjing Zhu <zhsj@debian.org>
Date:   Thu Apr 4 04:36:16 2024 +0800

    Update upstream source from tag 'upstream/0.23.0+dfsg'
    
    Update to upstream version '0.23.0+dfsg'
    with Debian dir 1cbed2a87190fe9d5dbe5a6fab6aceec0ead23b2

commit 6b20012b902ca14fdf22ebcfb8be1a5f568acfb8
Author: Anthony Fok <foka@debian.org>
Date:   Sun Mar 24 18:00:12 2024 -0600

    Update changelog for 1:0.22.0+dfsg-1 release

commit 8c5d7cbc06ca7295822602b5108e3cd8195bad75
Author: Anthony Fok <foka@debian.org>
Date:   Sun Mar 24 18:00:01 2024 -0600

    Bump versioned dependencies as per go.mod

commit edd00f0aabee2c5b06d80d87b99aacd63d672abd
Merge: 7b2906d 3d73f91
Author: Anthony Fok <foka@debian.org>
Date:   Sun Mar 24 17:46:47 2024 -0600

    Update upstream source from tag 'upstream/0.22.0+dfsg'
    
    Update to upstream version '0.22.0+dfsg'
    with Debian dir 61b1fbf203a3a2179d1bd4eb3d69855b4474b147

commit 7b2906daedee6d2ba820a7d726affa1f4473bf74
Author: Anthony Fok <foka@debian.org>
Date:   Fri Feb 23 19:31:16 2024 -0700

    Update changelog for 1:0.21.0+dfsg-1 release

commit 25bf70f38ec7966b725e64dfd1eb10ffba162316
Author: Anthony Fok <foka@debian.org>
Date:   Fri Feb 23 19:31:02 2024 -0700

    Bump versioned dependencies as per go.mod

commit 44b56419230ae991c035c233f59d8a0171439411
Merge: b0a2929 e3ec65b
Author: Anthony Fok <foka@debian.org>
Date:   Fri Feb 23 19:18:07 2024 -0700

    Update upstream source from tag 'upstream/0.21.0+dfsg'
    
    Update to upstream version '0.21.0+dfsg'
    with Debian dir 34be6e4851e72f37ba6d3647e08027fa80d40059

commit b0a292910b70ed65ff1f0a0ffbd6b4c409468f6b
Author: Anthony Fok <foka@debian.org>
Date:   Mon Jan 29 14:52:49 2024 -0700

    Update changelog for 1:0.20.0+dfsg-1 release

commit 76586f33911d98769d310abc171a995c951b67a9
Author: Anthony Fok <foka@debian.org>
Date:   Mon Jan 29 14:52:32 2024 -0700

    Bump versioned dependencies as per go.mod

commit e3296d7d4d92d75ad895d6257f9d38d1de1f0c46
Merge: 65195eb 517af42
Author: Anthony Fok <foka@debian.org>
Date:   Mon Jan 29 14:50:51 2024 -0700

    Update upstream source from tag 'upstream/0.20.0+dfsg'
    
    Update to upstream version '0.20.0+dfsg'
    with Debian dir b724df09dac2fcf3edd1c916721b97490aaea6e3

commit 65195eb8d474f9ee615229e6fafec802a348ccb8
Author: Anthony Fok <foka@debian.org>
Date:   Fri Dec 8 15:16:08 2023 -0700

    Update changelog for 1:0.19.0+dfsg-1 release

commit 4b643f62933ee9efe2c6820fd7dbee140749d124
Author: Anthony Fok <foka@debian.org>
Date:   Fri Dec 8 15:13:13 2023 -0700

    Append internal/quic/cmd to DH_GOLANG_EXCLUDES
    
    to avoid building the new QUIC interop test runner

commit c40803329f6a9611c3d882c3f6820e4f2b66a4ec
Author: Anthony Fok <foka@debian.org>
Date:   Fri Dec 8 14:40:34 2023 -0700

    Bump versioned dependencies as per go.mod

commit 6bb5afbc5d101ac279d3aa0a4d462783d80bd692
Merge: 2900752 c89574b
Author: Anthony Fok <foka@debian.org>
Date:   Fri Dec 8 14:29:09 2023 -0700

    Update upstream source from tag 'upstream/0.19.0+dfsg'
    
    Update to upstream version '0.19.0+dfsg'
    with Debian dir 7625d8c0cc41f6f54d71ba9830679b495cf95c1d

commit 290075209172b3bf4c570f54618f80474e49817a
Author: Anthony Fok <foka@debian.org>
Date:   Wed Nov 1 02:22:40 2023 -0600

    Update changelog for 1:0.17.0+dfsg-1 release

commit c175a450effdba5469a043ba5289858f1f335b29
Author: Anthony Fok <foka@debian.org>
Date:   Wed Nov 1 02:21:15 2023 -0600

    Bump versioned dependencies as per go.mod

commit 32296451daf4a1567c84cbece30b2a7de5685a61
Merge: 43abc4f cd8f753
Author: Anthony Fok <foka@debian.org>
Date:   Wed Nov 1 02:18:36 2023 -0600

    Update upstream source from tag 'upstream/0.17.0+dfsg'
    
    Update to upstream version '0.17.0+dfsg'
    with Debian dir a3b61d17d986ec47b82c6eb50e1095b920bb89eb

commit 43abc4f3e69498dff3d5be47c419b91d8ed58ee7
Author: Anthony Fok <foka@debian.org>
Date:   Thu Oct 12 12:55:49 2023 -0600

    Update changelog for 1:0.15.0-2 release

commit c8428bccc3cf94124fd8decef2d1fcb4d56a2798
Author: Anthony Fok <foka@debian.org>
Date:   Thu Oct 12 12:29:30 2023 -0600

    Bump build-dependency publicsuffix (>= 20230804.1533)
    
    as golang.org/x/net v0.15.0 updated its copy of publicsuffix, especially
    "New policy for .museum, without all the SLD (Second-Level Domains)"

commit f264f35ac1f17bb75d3b3f0dad7f0ec3ffd4555a
Author: Anthony Fok <foka@debian.org>
Date:   Thu Oct 12 01:36:39 2023 -0600

    Update changelog for 1:0.15.0-1 release

commit 44a32b6cafbac16841f19b4088e4ffb23edba6ca
Author: Anthony Fok <foka@debian.org>
Date:   Thu Oct 12 01:35:18 2023 -0600

    Remove 0001-quic-fix-testConn.uncheckedHandshake.patch
    
    which was backported from this version
    
    Revert "Backport "quic: fix testConn.uncheckedHandshake" from v0.15.0"
    
    This reverts commit 534333d48852f2b71a8ac6f2e0079d06a585a9bb.

commit 1f314dcdea07dae6ecea5a1dce931d883464e0c0
Author: Anthony Fok <foka@debian.org>
Date:   Thu Oct 12 01:32:29 2023 -0600

    Bump versioned dependencies as per go.mod

commit 38d7ece7c2ede19dac49cb92994415ad34a7eaa3
Merge: 09d0adf 5c99de0
Author: Anthony Fok <foka@debian.org>
Date:   Thu Oct 12 01:15:48 2023 -0600

    Update upstream source from tag 'upstream/0.15.0'
    
    Update to upstream version '0.15.0'
    with Debian dir c26a274683512306cf364b8f35bf590c4712e605

commit 09d0adf90ec1214d1ac917d3004a6b12875a8c7b
Author: Anthony Fok <foka@debian.org>
Date:   Tue Oct 10 05:59:44 2023 -0600

    Update changelog for 1:0.14.0-1 release

commit 534333d48852f2b71a8ac6f2e0079d06a585a9bb
Author: Anthony Fok <foka@debian.org>
Date:   Tue Oct 10 05:58:15 2023 -0600

    Backport "quic: fix testConn.uncheckedHandshake" from v0.15.0

commit e8374075b18a1bf8e2c19859f2ceb23a1e718905
Author: Anthony Fok <foka@debian.org>
Date:   Mon Oct 9 18:57:53 2023 -0600

    Update changelog for 1:0.14.0-1 release

commit 219a4794b52cab64c94712c7d83b3ec574aad8cf
Author: Anthony Fok <foka@debian.org>
Date:   Mon Oct 9 18:57:32 2023 -0600

    Bump versioned dependencies as per go.mod

commit 26f07b897797e89b91521737e1f97d92f2c55d06
Merge: 54562d2 48201bd
Author: Anthony Fok <foka@debian.org>
Date:   Mon Oct 9 17:21:44 2023 -0600

    Update upstream source from tag 'upstream/0.14.0'
    
    Update to upstream version '0.14.0'
    with Debian dir 3db39fdd7ac815b9b8595a82ad03a47214f0ec45

commit 54562d24869cc88ab3e6e3f41bd63f081588bb09
Author: Anthony Fok <foka@debian.org>
Date:   Thu Sep 21 05:09:43 2023 -0600

    Update changelog for 1:0.11.0-1 release

commit f7d675c056960d2bc3d8d61f0ee080b62c483119
Author: Anthony Fok <foka@debian.org>
Date:   Thu Sep 21 05:07:06 2023 -0600

    Bump versioned dependencies as per go.mod
    
    with new dependency on golang-golang-x-crypto-dev (>= 0.10.0),
    which no longer depends on golang-golang-x-net-dev, hence no circular
    dependency.

commit 02b4194bb49985d67d23df45c69498e6cb6f0f6c
Merge: 316ec0f e5f0953
Author: Anthony Fok <foka@debian.org>
Date:   Thu Sep 21 02:55:52 2023 -0600

    Update upstream source from tag 'upstream/0.11.0'
    
    Update to upstream version '0.11.0'
    with Debian dir 77934299dafe2abbba8f2b3c588a6535d879842c

commit 316ec0f2d2b70a0185a64aac41542e88fa0a760a
Author: Anthony Fok <foka@debian.org>
Date:   Thu Jun 15 15:45:22 2023 -0600

    Update changelog for 1:0.10.0-1 release

commit 906220ddac1a64a35b51c3296f74374c7bea935f
Author: Anthony Fok <foka@debian.org>
Date:   Thu Jun 15 15:44:37 2023 -0600

    Update versioned dependencies as per go.mod

commit 36f70f84e9bf08f398b9e6695a83f4fcc15c21e1
Merge: 310d563 717cab7
Author: Anthony Fok <foka@debian.org>
Date:   Wed Jun 14 18:06:27 2023 -0600

    Update upstream source from tag 'upstream/0.10.0'
    
    Update to upstream version '0.10.0'
    with Debian dir bc58e05d6049ca4052b5d82bbbe997512f08aa3f

commit 310d5639943e2bfc433cee974387ff81fc803b55
Author: Shengjing Zhu <zhsj@debian.org>
Date:   Wed Feb 15 15:33:57 2023 +0800

    Update changelog for 1:0.7.0+dfsg-1 release

commit 694a5132d1c174e4d056d7539520d423fd4bf5fd
Merge: 09d4730 f75fecf
Author: Shengjing Zhu <zhsj@debian.org>
Date:   Wed Feb 15 15:29:31 2023 +0800

    Update upstream source from tag 'upstream/0.7.0+dfsg'
    
    Update to upstream version '0.7.0+dfsg'
    with Debian dir d2af5429a60cb0fd897465ac9f8a5d2545e23d43

commit 09d4730fd591c6efee88b852e08a28c1ee168c68
Author: Shengjing Zhu <zhsj@debian.org>
Date:   Mon Jan 2 23:14:34 2023 +0800

    Update changelog for 1:0.4.0+dfsg-1 release

commit e405ed5654d107173c776b408f28416226f879ae
Author: Shengjing Zhu <zhsj@debian.org>
Date:   Tue Jan 3 00:03:21 2023 +0800

    Enable most http2 tests and fix generating publicsuffix data

commit 7c70260c39755362283270a41c6266075c61c854
Author: Shengjing Zhu <zhsj@debian.org>
Date:   Mon Jan 2 23:13:06 2023 +0800

    Update Standards-Version to 4.6.2 (no changes)

commit 905dedf46362519ae996960a2ab03dc63a55bbfd
Merge: 3b6c975 e494eb5
Author: Shengjing Zhu <zhsj@debian.org>
Date:   Mon Jan 2 23:12:09 2023 +0800

    Update upstream source from tag 'upstream/0.4.0+dfsg'
    
    Update to upstream version '0.4.0+dfsg'
    with Debian dir 1d9b3317dde3eb30768fe430570494c775eaa98c

commit 3b6c975991c24962f1084fb967f689cb3392e9e6
Author: Shengjing Zhu <zhsj@debian.org>
Date:   Wed Oct 26 16:51:29 2022 +0800

    Update changelog for 1:0.1.0+dfsg-1 release

commit dc705ec2d91802a49f22bea246471fb1272a95f3
Merge: c88b5f8 3ff5341
Author: Shengjing Zhu <zhsj@debian.org>
Date:   Wed Oct 26 16:50:13 2022 +0800

    Update upstream source from tag 'upstream/0.1.0+dfsg'
    
    Update to upstream version '0.1.0+dfsg'
    with Debian dir ad87471413b1c3a759f9d7ab7db594a35ac54508

commit c88b5f81861a42d0b0b6e213164d708dc95263f3
Author: Shengjing Zhu <zhsj@debian.org>
Date:   Wed Oct 26 16:49:36 2022 +0800

    Switch to upstream tag version in uscan

commit 4075c5896f276a235e2148623228950510ab229a
Author: Anthony Fok <foka@debian.org>
Date:   Wed Oct 12 11:26:03 2022 -0600

    Update changelog for 1:0.0+git20221012.0b7e1fb+dfsg-1 release

commit 26ad5bce7ba21fea4b299cb37195ab8fdb17b554
Author: Anthony Fok <foka@debian.org>
Date:   Wed Oct 12 11:24:14 2022 -0600

    Drop unneeded dependency on ${shlibs:Depends}

commit 23b777b7b7126c34194434e788e7c51aa858089c
Author: Anthony Fok <foka@debian.org>
Date:   Wed Oct 12 11:20:32 2022 -0600

    Add debian/source/lintian-overrides
    
    to override false-positive source-is-missing errors probably due to
    long lines in html/charset/testdata/*.html test files.

commit ff63fdd29004130e0b1394612540c5908d34953b
Merge: bbd326d 8279d51
Author: Anthony Fok <foka@debian.org>
Date:   Wed Oct 12 10:54:56 2022 -0600

    Update upstream source from tag 'upstream/0.0+git20221012.0b7e1fb+dfsg'
    
    Update to upstream version '0.0+git20221012.0b7e1fb+dfsg'
    with Debian dir ea27aee710e33df6906a0a047c8bb63d16b598ce

commit bbd326d758ee90f64e2134281796c721b087b604
Author: Anthony Fok <foka@debian.org>
Date:   Thu Sep 29 11:18:13 2022 -0600

    Build-depend explicitly on golang-any (>= 2:1.17~) as per go.mod

commit 76e59732bd1477346566146431f714a7d6af4ec6
Author: Shengjing Zhu <zhsj@debian.org>
Date:   Thu Aug 4 10:50:50 2022 +0800

    Update changelog for 1:0.0+git20220728.c7608f3+dfsg-2 release

commit 2aed06bd951474b9f5979fcba175969f04b2c25a
Author: Shengjing Zhu <zhsj@debian.org>
Date:   Thu Aug 4 10:50:29 2022 +0800

    Fix autopkgtest

commit 297904e0c8b0afc8b508242b111baa067d2053b9
Author: Shengjing Zhu <zhsj@debian.org>
Date:   Wed Aug 3 04:06:59 2022 +0800

    Update changelog for 1:0.0+git20220728.c7608f3+dfsg-1 release

commit c553744bdfb6a702c551c9745c5d4209df569160
Author: Shengjing Zhu <zhsj@debian.org>
Date:   Wed Aug 3 04:05:51 2022 +0800

    Remove obsoleted code.google.com from package description

commit a4086754f1e535f873c8915553e1708ca7eb6ce2
Author: Shengjing Zhu <zhsj@debian.org>
Date:   Wed Aug 3 02:41:41 2022 +0800

    Bump golang-golang-x-sys to 0.0~git20220731.a90be44

commit c78d930f8b67e0c082892c594e7d8c49340a3eb5
Author: Shengjing Zhu <zhsj@debian.org>
Date:   Wed Aug 3 02:27:28 2022 +0800

    Clean up d/rules
    
    Gbp-Dch: Ignore

commit 4921007eea4d48b5dd2e7baaf69780a4f5256597
Author: Shengjing Zhu <zhsj@debian.org>
Date:   Wed Aug 3 02:26:16 2022 +0800

    Update Homepage to golang.org

commit 07da282dbb01421214c922ce3b42cb075ffc2efd
Merge: bafaaa3 bd93668
Author: Shengjing Zhu <zhsj@debian.org>
Date:   Wed Aug 3 02:21:19 2022 +0800

    Update upstream source from tag 'upstream/0.0+git20220728.c7608f3+dfsg'
    
    Update to upstream version '0.0+git20220728.c7608f3+dfsg'
    with Debian dir fd4b1a56825f910faf4771cb2a9782651259ff18

commit bafaaa35e10c308696459f19d0326da3e5e4c141
Author: Anthony Fok <foka@debian.org>
Date:   Tue Jun 28 06:50:56 2022 -0600

    Update changelog for 1:0.0+git20220624.1bab6f3+dfsg-1 release

commit 69db4d19968446681962fe0687ce86fd7d6cc38d
Merge: 8f5bb66 1d5d127
Author: Anthony Fok <foka@debian.org>
Date:   Tue Jun 28 06:50:11 2022 -0600

    Update upstream source from tag 'upstream/0.0+git20220624.1bab6f3+dfsg'
    
    Update to upstream version '0.0+git20220624.1bab6f3+dfsg'
    with Debian dir 428c4d672ebbc539164adb395fe3e97574004fda

commit 8f5bb66a3d7caeb2a902e2cc3fc0a4c1dd4d8f68
Author: Anthony Fok <foka@debian.org>
Date:   Sun Jun 5 06:04:05 2022 -0600

    Update changelog for 1:0.0+git20220531.c960675+dfsg-1 release

commit f8cea79b96360868204588efcb1d79f74f2dd4de
Author: Anthony Fok <foka@debian.org>
Date:   Sun Jun 5 06:03:45 2022 -0600

    Bump Standards-Version to 4.6.1 (no change)

commit 2e7a578a47ca3dd5ceeb9f87b376af86ef4ad38d
Author: Anthony Fok <foka@debian.org>
Date:   Sun Jun 5 06:03:26 2022 -0600

    Bump versioned dependencies as per go.mod

commit 30228582d2a8db82aad03b0eade0658a8bba9ad4
Merge: 1f1e750 f89174d
Author: Anthony Fok <foka@debian.org>
Date:   Sun Jun 5 05:31:40 2022 -0600

    Update upstream source from tag 'upstream/0.0+git20220531.c960675+dfsg'
    
    Update to upstream version '0.0+git20220531.c960675+dfsg'
    with Debian dir 6a2fc25846554d70a033470fbf11ee8a41ca38bf

commit 1f1e750bf0f19494f62ea47c33b703a72eae6bee
Author: Anthony Fok <foka@debian.org>
Date:   Sat Mar 19 21:08:31 2022 -0600

    Update changelog for 1:0.0+git20220225.27dd868+dfsg-1 release

commit 754f22522f70eefa475a1d8e819d3dc42c98c3c2
Author: Anthony Fok <foka@debian.org>
Date:   Sat Mar 19 21:02:29 2022 -0600

    Refresh debian/golang-golang-x-net-dev.lintian-overrides
    
    to match latest Lintian output

commit 84ca09ca8276883fe3391a23698f7890e82970f0
Author: Anthony Fok <foka@debian.org>
Date:   Sat Mar 19 20:55:52 2022 -0600

    Reorder fields in debian/control and debian/copyright
    
    as would be generated in the next dh-make-golang release after 0.6.0-1

commit 1883061bf12d28e78e9cb88acff49cd0872fdbe7
Author: Anthony Fok <foka@debian.org>
Date:   Sat Mar 19 20:53:50 2022 -0600

    Use dh-sequence-golang instead of dh-golang and --with=golang

commit 64c8e501e6ac254bc2cca47393b69182e1e9a9b0
Merge: bc6cf27 dff63b5
Author: Anthony Fok <foka@debian.org>
Date:   Sat Mar 19 20:51:52 2022 -0600

    Update upstream source from tag 'upstream/0.0+git20220225.27dd868+dfsg'
    
    Update to upstream version '0.0+git20220225.27dd868+dfsg'
    with Debian dir 0d1453c1afe75f6dfbe48ff4804247ee6c92cd47

commit bc6cf276470e0b17752620daa8f509f207b68de6
Author: Shengjing Zhu <zhsj@debian.org>
Date:   Thu Dec 9 23:41:43 2021 +0800

    Update changelog for 1:0.0+git20211209.491a49a+dfsg-1 release

commit 842c37d2971b257335ba71c9b0559b38eb6e32ca
Author: Shengjing Zhu <zhsj@debian.org>
Date:   Thu Dec 9 23:38:48 2021 +0800

    Update Standards-Version to 4.6.0 (no changes)

commit 2cfee1988791404ad72576cfcc633c66d0f70bc2
Merge: 314ef9e e822df7
Author: Shengjing Zhu <zhsj@debian.org>
Date:   Thu Dec 9 23:37:55 2021 +0800

    Update upstream source from tag 'upstream/0.0+git20211209.491a49a+dfsg'
    
    Update to upstream version '0.0+git20211209.491a49a+dfsg'
    with Debian dir 6fe4652f6e6573d4b6e0e5275c33dea0df9545f1

commit 314ef9e0bd852bdb9429c89dd17ce00d55133e1b
Author: Aloïs Micard <creekorful@debian.org>
Date:   Wed Dec 1 11:35:04 2021 +0000

    [skip ci] update debian/gitlab-ci.yml (using pkg-go-tools/ci-config)
    
    See: https://salsa.debian.org/go-team/infra/pkg-go-tools
    Gbp-Dch: Ignore

commit 23d78009e9b15a20cc5d800c52c06a3c60156f1f
Author: Anthony Fok <foka@debian.org>
Date:   Sun Aug 8 05:01:44 2021 -0600

    Update changelog for 1:0.0+git20210805.aaa1db6+dfsg-1 release

commit b8ad387a400f8301aa6a7d166673f29335c54592
Author: Anthony Fok <foka@debian.org>
Date:   Sun Aug 8 05:00:12 2021 -0600

    Update versioned dependencies as per go.mod

commit bcb88877e66c0556df92f309c4a1052746f7020f
Author: Anthony Fok <foka@debian.org>
Date:   Sun Aug 8 04:58:38 2021 -0600

    Remove CVE-2021-31525.patch and CVE-2021-33194.patch
    
    which have been applied prior to this upstream version

commit 2fd799ec3ed1e50269195cb8ce7b3c5b16254422
Merge: 50f0a87 23b1d9e
Author: Anthony Fok <foka@debian.org>
Date:   Sun Aug 8 04:54:45 2021 -0600

    Update upstream source from tag 'upstream/0.0+git20210805.aaa1db6+dfsg'
    
    Update to upstream version '0.0+git20210805.aaa1db6+dfsg'
    with Debian dir 8a18159df3713113aa88454c14440e632980784e

commit 50f0a87effe255a0d721bdd70e58ed7fa2e23f29
Author: Shengjing Zhu <zhsj@debian.org>
Date:   Sat May 22 22:01:20 2021 +0800

    Update changelog for 1:0.0+git20210119.5f4716e+dfsg-4 release

commit dfa8b297d312e64d8a5f9b674b470de99a0545bc
Author: Shengjing Zhu <zhsj@debian.org>
Date:   Sat May 22 22:00:22 2021 +0800

    Backport patch for CVE-2021-33194

Created: 2025-01-05 Last update: 2025-07-04 22:01

4 low-priority security issues in bookworm low

There are 4 open security issues in bookworm.

4 issues left for the package maintainer to handle:

CVE-2023-3978: (needs triaging) Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.
CVE-2023-45288: (needs triaging) An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
CVE-2024-45338: (needs triaging) An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
CVE-2025-22872: (needs triaging) The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. <math>, <svg>, etc contexts).

You can find information about how to handle these issues in the security team's documentation.

Created: 2023-08-03 Last update: 2025-05-29 15:00

debian/patches: 2 patches to forward upstream low

Among the 4 debian patches available in version 1:0.27.0-2 of the package, we noticed the following issues:

2 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2025-05-21 Last update: 2025-05-21 20:32

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.7.0).

Created: 2025-02-21 Last update: 2025-05-21 17:04

news

[rss feed]

[2025-05-25] golang-golang-x-net 1:0.27.0-2 MIGRATED to testing (Debian testing watch)
[2025-05-21] Accepted golang-golang-x-net 1:0.27.0-2 (source) into unstable (Jochen Sprickerhof)
[2024-09-04] golang-golang-x-net 1:0.27.0-1 MIGRATED to testing (Debian testing watch)
[2024-09-01] Accepted golang-golang-x-net 1:0.27.0-1 (source) into unstable (Anthony Fok)
[2024-08-13] golang-golang-x-net 1:0.26.0+dfsg-2 MIGRATED to testing (Debian testing watch)
[2024-08-10] Accepted golang-golang-x-net 1:0.26.0+dfsg-2 (source) into unstable (Anthony Fok)
[2024-08-04] golang-golang-x-net 1:0.26.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2024-07-31] Accepted golang-golang-x-net 1:0.26.0+dfsg-1 (source) into unstable (Anthony Fok)
[2024-05-27] golang-golang-x-net 1:0.25.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2024-05-21] Accepted golang-golang-x-net 1:0.25.0+dfsg-1 (source) into unstable (Anthony Fok)
[2024-05-03] golang-golang-x-net 1:0.24.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2024-04-26] Accepted golang-golang-x-net 1:0.24.0+dfsg-1 (source) into unstable (Anthony Fok)
[2024-04-07] golang-golang-x-net 1:0.23.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2024-04-07] golang-golang-x-net 1:0.23.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2024-04-03] Accepted golang-golang-x-net 1:0.23.0+dfsg-1 (source) into unstable (Shengjing Zhu)
[2024-03-29] golang-golang-x-net 1:0.22.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2024-03-25] Accepted golang-golang-x-net 1:0.22.0+dfsg-1 (source) into unstable (Anthony Fok)
[2024-02-27] golang-golang-x-net 1:0.21.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2024-02-24] Accepted golang-golang-x-net 1:0.21.0+dfsg-1 (source) into unstable (Anthony Fok)
[2024-02-08] golang-golang-x-net 1:0.20.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2024-02-08] golang-golang-x-net 1:0.20.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2024-01-29] Accepted golang-golang-x-net 1:0.20.0+dfsg-1 (source) into unstable (Anthony Fok)
[2023-12-14] golang-golang-x-net 1:0.19.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2023-12-08] Accepted golang-golang-x-net 1:0.19.0+dfsg-1 (source) into unstable (Anthony Fok)
[2023-11-05] golang-golang-x-net 1:0.17.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2023-11-05] golang-golang-x-net 1:0.17.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2023-11-01] Accepted golang-golang-x-net 1:0.17.0+dfsg-1 (source) into unstable (Anthony Fok)
[2023-10-15] golang-golang-x-net 1:0.15.0-2 MIGRATED to testing (Debian testing watch)
[2023-10-12] Accepted golang-golang-x-net 1:0.15.0-2 (source) into unstable (Anthony Fok)
[2023-10-12] Accepted golang-golang-x-net 1:0.15.0-1 (source) into unstable (Anthony Fok)

bugs [bug history graph]

all: 2
RC: 0
I&N: 1
M&W: 1
F&P: 0
patch: 0

links

homepage
lintian
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1:0.27.0-2