golang-github-buger-jsonparser: CVE-2020-35381


Debian Bug report logs - #978445


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 27 Dec 2020 16:06:02 UTC

Severity: important

Tags: security, upstream

Found in versions golang-github-buger-jsonparser/0.0~git20170705.0.9addec9-2, golang-github-buger-jsonparser/1.0.0-1

Fixed in version golang-github-buger-jsonparser/1.1.1-1

Done: Sascha Steinbiss <satta@debian.org>

Forwarded to https://github.com/buger/jsonparser/issues/219



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>:
Bug#978445; Package src:golang-github-buger-jsonparser. (Sun, 27 Dec 2020 16:06:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>. (Sun, 27 Dec 2020 16:06:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: golang-github-buger-jsonparser: CVE-2020-35381
Date: Sun, 27 Dec 2020 17:03:45 +0100
Source: golang-github-buger-jsonparser
Version: 1.0.0-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/buger/jsonparser/issues/219
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for golang-github-buger-jsonparser.

CVE-2020-35381[0]:
| jsonparser 1.0.0 allows attackers to cause a denial of service (panic:
| runtime error: slice bounds out of range) via a GET call.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-35381
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35381
[1] https://github.com/buger/jsonparser/issues/219

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions golang-github-buger-jsonparser/0.0~git20170705.0.9addec9-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 27 Dec 2020 16:09:04 GMT)


Reply sent to Sascha Steinbiss <satta@debian.org>:
You have taken responsibility. (Fri, 08 Jan 2021 10:51:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 08 Jan 2021 10:51:04 GMT)


Message #12 received at 978445-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 978445-close@bugs.debian.org
Subject: Bug#978445: fixed in golang-github-buger-jsonparser 1.1.1-1
Date: Fri, 08 Jan 2021 10:49:00 +0000
Source: golang-github-buger-jsonparser
Source-Version: 1.1.1-1
Done: Sascha Steinbiss <satta@debian.org>

We believe that the bug you reported is fixed in the latest version of
golang-github-buger-jsonparser, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 978445@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sascha Steinbiss <satta@debian.org> (supplier of updated golang-github-buger-jsonparser package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 08 Jan 2021 11:24:52 +0100
Source: golang-github-buger-jsonparser
Architecture: source
Version: 1.1.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>
Changed-By: Sascha Steinbiss <satta@debian.org>
Closes: 978445
Changes:
 golang-github-buger-jsonparser (1.1.1-1) unstable; urgency=medium
 .
   * New upstream release.
   * Includes upstream fix for CVE-2020-35381.
     Closes: #978445
Checksums-Sha1:
 db130c318c8432e0e27be3e518769963233c8c64 2243 golang-github-buger-jsonparser_1.1.1-1.dsc
 533577f26c0af3d833f05dd70e9b4b168314fa64 55200 golang-github-buger-jsonparser_1.1.1.orig.tar.gz
 2a3e29ae49497ab891f4acd75427c5c10b7bfc56 23624 golang-github-buger-jsonparser_1.1.1-1.debian.tar.xz
 1af7f3ea370a3ec2f945d9b17b3f91d0193f3b83 6181 golang-github-buger-jsonparser_1.1.1-1_amd64.buildinfo
Checksums-Sha256:
 c4665cb22ebb6c5a09c649386aca85f3b14e65ef0fa27e178e191df2b5df5232 2243 golang-github-buger-jsonparser_1.1.1-1.dsc
 cf208ab8af3ca20759d65f39e0a07891b13a8afeac2a2ee05216bef89e85d8e6 55200 golang-github-buger-jsonparser_1.1.1.orig.tar.gz
 7fdd67dbfd2ecc2fc1f66144a13723db8721a816add857ff47125522c6dbf9ec 23624 golang-github-buger-jsonparser_1.1.1-1.debian.tar.xz
 c9c8d66d118d19ffca82098801d6c8a67389c341a1680478e9b765e974c36802 6181 golang-github-buger-jsonparser_1.1.1-1_amd64.buildinfo
Files:
 627e68fe437043260d7a18604b7fa149 2243 devel optional golang-github-buger-jsonparser_1.1.1-1.dsc
 a09dee9398c3144e101a43ec45f60f40 55200 devel optional golang-github-buger-jsonparser_1.1.1.orig.tar.gz
 fc44223b2c4102c713732a3112565224 23624 devel optional golang-github-buger-jsonparser_1.1.1-1.debian.tar.xz
 bd02491a585c6cb347ec5d6c86784f79 6181 devel optional golang-github-buger-jsonparser_1.1.1-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEWzS6WqtVB+kDQm6F6NN64vCfSHIFAl/4NKUACgkQ6NN64vCf
SHKX/A//fxEIYgzLkGRdQqKnx3Sx0bTW/jIiu2QCYI3eRy88QEa1lscNAEVlA5LN
qnB6Yj8vuSAO4LmBR5n2LWjXb1MFosyqdv7MAeLWZxli1CeEMIrX6XQkT1btB2LH
+D/vK3Mpn/flFtysk1t6KFA0mU2KSDV12dsiNou3GHwbv3YWc7FZtaUBwcXjg5ah
PP726KG4tjKmO2FkgDfpmI5ydMboMIKSQLK2iO+h9C7JIAqg0NAw4hJjlH9ymtvt
dTT5xVbW4z6s6bL0YNYWUgydDwFRQdIhi2rWEDatObHaX20rLeIR5YJxOZnaLkgE
mLvNdzSQNGw+7HYcRuQOiEI7DsswH51vqlInL4xLJ0nSZ1xlF+P0PzsPZZ/HZnpu
jT31AWBKOkSJ3oCbmF20VZ+hdtmAKHDKKg8Xot+DWOUg2q3Sph9WRxZXT5kkxyNP
XvZ70HJi03Osn4UhznqaWSf2xYjf7/l+3FoEGTKuu9kxG/U6L1DAtLLM7XxCfNik
x/rZZwjc3OybpiFkrXTOn1vWEw21Wjx3LYDksJqA3nHJvpwtqMD8BOTS5Rc0LY6q
LTFMHkVZnd2isJhdbp9DPOxg1COIRKXspjlyz0SZj+ezyuGBbVCubiulIK+eiBLm
RiWJ0YGUOydgxilXPbVAgJP+fVpDINPeZc037M06xSjK0ygfkvc=
=AzPx
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jan 9 11:50:25 2021; Machine Name: bembo
