golang-1.12: CVE-2019-6486


Debian Bug report logs - #920548


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 26 Jan 2019 20:09:05 UTC

Severity: grave

Tags: security, upstream

Found in version golang-1.12/1.12~beta2-1

Fixed in version golang-1.12/1.12~beta2-2

Done: toddy@debian.org (Dr. Tobias Quathamer)

Bug is archived. No further changes may be made.

Forwarded to https://github.com/golang/go/issues/29903



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Go Compiler Team <team+go-compiler@tracker.debian.org>:
Bug#920548; Package src:golang-1.12. (Sat, 26 Jan 2019 20:09:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Go Compiler Team <team+go-compiler@tracker.debian.org>. (Sat, 26 Jan 2019 20:09:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: golang-1.12: CVE-2019-6486
Date: Sat, 26 Jan 2019 21:05:27 +0100
Source: golang-1.12
Version: 1.12~beta2-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/golang/go/issues/29903

Hi,

The following vulnerability was published for golang-1.12, which was
already fixed for the released versions 1.11.5 and 1.10.8 upstream.

CVE-2019-6486[0]:
| Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384
| elliptic curves, which allows attackers to cause a denial of service
| (CPU consumption) or possibly conduct ECDH private key recovery
| attacks.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-6486
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6486
[1] https://github.com/golang/go/issues/29903

Regards,
Salvatore
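The quoted CVE text mentions two consequences of the P-384/P-521 mishandling: CPU exhaustion and possible ECDH private-key recovery. The fix is the patched toolchain (1.12~beta2-2 here, 1.11.5 / 1.10.8 upstream); the defensive complement on the application side is to never feed an unvalidated peer point into a scalar multiplication. The following is an added example written for this page, not code from Go, Debian, or the bug reporters. It validates a SEC1 uncompressed ECDH share (coordinates reduced modulo the field prime, point on the curve) before computing a shared secret with the standard crypto/elliptic API; the helper names SharedSecret, validatePeerPoint and UncompressedPoint are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// ErrInvalidPeerPoint is returned when a peer's ECDH share fails validation.
var ErrInvalidPeerPoint = errors.New("ecdh: peer public point is not a valid point on the curve")

// validatePeerPoint rejects anything that is not a properly reduced affine
// point on the given curve. Unmarshal may already return nil for off-curve
// input on current Go versions; the explicit checks make the policy visible
// and independent of the toolchain's behaviour.
func validatePeerPoint(curve elliptic.Curve, x, y *big.Int) error {
	if x == nil || y == nil {
		return ErrInvalidPeerPoint
	}
	p := curve.Params().P
	// Coordinates must lie in [0, p): out-of-range encodings are malformed.
	if x.Sign() < 0 || y.Sign() < 0 || x.Cmp(p) >= 0 || y.Cmp(p) >= 0 {
		return ErrInvalidPeerPoint
	}
	if !curve.IsOnCurve(x, y) {
		return ErrInvalidPeerPoint
	}
	return nil
}

// SharedSecret performs ECDH with a SEC1 uncompressed peer point, validating
// the point first. The result is the fixed-width x-coordinate of priv * peer.
func SharedSecret(curve elliptic.Curve, priv []byte, peer []byte) ([]byte, error) {
	x, y := elliptic.Unmarshal(curve, peer)
	if err := validatePeerPoint(curve, x, y); err != nil {
		return nil, err
	}
	sx, _ := curve.ScalarMult(x, y, priv)
	byteLen := (curve.Params().BitSize + 7) / 8
	out := make([]byte, byteLen)
	sx.FillBytes(out)
	return out, nil
}

// UncompressedPoint builds the 0x04 || X || Y encoding without going through
// elliptic.Marshal, so that deliberately invalid test points can be encoded.
func UncompressedPoint(curve elliptic.Curve, x, y *big.Int) []byte {
	byteLen := (curve.Params().BitSize + 7) / 8
	buf := make([]byte, 1+2*byteLen)
	buf[0] = 0x04
	x.FillBytes(buf[1 : 1+byteLen])
	y.FillBytes(buf[1+byteLen:])
	return buf
}

func main() {
	curve := elliptic.P384()
	alice, _ := ecdsa.GenerateKey(curve, rand.Reader)
	bob, _ := ecdsa.GenerateKey(curve, rand.Reader)

	// Honest exchange: both sides derive the same secret.
	sa, _ := SharedSecret(curve, alice.D.Bytes(), UncompressedPoint(curve, bob.X, bob.Y))
	sb, _ := SharedSecret(curve, bob.D.Bytes(), UncompressedPoint(curve, alice.X, alice.Y))
	fmt.Printf("secrets agree: %t\n", string(sa) == string(sb))

	// Constructed malformed share: (1, 1) is not on P-384, so it is rejected
	// before any scalar multiplication runs.
	bad := UncompressedPoint(curve, big.NewInt(1), big.NewInt(1))
	if _, err := SharedSecret(curve, alice.D.Bytes(), bad); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

Rejecting the point up front also avoids the panic that current crypto/elliptic raises when ScalarMult is handed an invalid point, so the check doubles as a robustness measure for servers parsing untrusted shares.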



Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#920548. (Sun, 27 Jan 2019 19:33:05 GMT)


Message #8 received at 920548-submitter@bugs.debian.org:

From: Tobias Quathamer <toddy@debian.org>
To: 920548-submitter@bugs.debian.org
Subject: Bug #920548 in golang marked as pending
Date: Sun, 27 Jan 2019 19:28:43 +0000
Control: tag -1 pending

Hello,

Bug #920548 in golang reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/go-team/compiler/golang/commit/24d42f6edede7b7cced1d1ced96b8e11b977e380

------------------------------------------------------------------------
Add patch to fix CVE-2019-6486.

Closes: #920548
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/920548



Added tag(s) pending. Request was from Tobias Quathamer <toddy@debian.org> to 920548-submitter@bugs.debian.org. (Sun, 27 Jan 2019 19:33:05 GMT)


Reply sent to toddy@debian.org (Dr. Tobias Quathamer):
You have taken responsibility. (Sun, 27 Jan 2019 19:51:10 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 27 Jan 2019 19:51:10 GMT)


Message #15 received at 920548-close@bugs.debian.org:

From: toddy@debian.org (Dr. Tobias Quathamer)
To: 920548-close@bugs.debian.org
Subject: Bug#920548: fixed in golang-1.12 1.12~beta2-2
Date: Sun, 27 Jan 2019 19:50:07 +0000
Source: golang-1.12
Source-Version: 1.12~beta2-2

We believe that the bug you reported is fixed in the latest version of
golang-1.12, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 920548@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dr. Tobias Quathamer <toddy@debian.org> (supplier of updated golang-1.12 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 27 Jan 2019 20:05:59 +0100
Source: golang-1.12
Architecture: source
Version: 1.12~beta2-2
Distribution: unstable
Urgency: medium
Maintainer: Go Compiler Team <team+go-compiler@tracker.debian.org>
Changed-By: Dr. Tobias Quathamer <toddy@debian.org>
Closes: 920548
Changes:
 golang-1.12 (1.12~beta2-2) unstable; urgency=medium
 .
   * Refresh patch Reproducible BUILD_PATH_PREFIX_MAP.
     Thanks to Michael Stapelberg!
   * Add patch to fix CVE-2019-6486. (Closes: #920548)
Checksums-Sha1:
 f7ee221e2c5ec216f82d516952d957e35d39fab5 2611 golang-1.12_1.12~beta2-2.dsc
 a08edb3d89002aee229007948d44d0e6328393bc 29832 golang-1.12_1.12~beta2-2.debian.tar.xz
 9c570ec90b9b0338264a3a8dbc59640fd63f3afa 6494 golang-1.12_1.12~beta2-2_amd64.buildinfo
Checksums-Sha256:
 ac07dfcf8611b0380c2d3b9f5428cfc57bd02f872415de9cd9935ce021d09315 2611 golang-1.12_1.12~beta2-2.dsc
 c8ff699bb540de782998690fe794d1d7ea2134b863030e8ff53634286ba70144 29832 golang-1.12_1.12~beta2-2.debian.tar.xz
 233e7c738452f6ae5f935c4e8cb10eba83a50b63877f93236ed513601467518a 6494 golang-1.12_1.12~beta2-2_amd64.buildinfo
Files:
 f2cf4915830e4b3db407a07fb88efeb4 2611 devel optional golang-1.12_1.12~beta2-2.dsc
 07efc8e8120b611aa4eeb01b73b2ec6c 29832 devel optional golang-1.12_1.12~beta2-2.debian.tar.xz
 2a696920cec8a351f096d043781dfa26 6494 devel optional golang-1.12_1.12~beta2-2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Feb 2019 07:28:51 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:54:55 2019; Machine Name: beach
