Debian Bug report logs -
#911795
CVE-2018-17846 / CVE-2018-17847 / CVE-2018-17848
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Wed, 24 Oct 2018 21:21:01 UTC
Severity: grave
Tags: security
Fixed in version golang-golang-x-net-dev/1:0.0+git20181201.351d144+dfsg-3
Done: Drew Parsons <dparsons@debian.org>
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Go packaging team <pkg-go-maintainers@lists.alioth.debian.org>:
Bug#911795; Package src:golang-golang-x-net-dev.
(Wed, 24 Oct 2018 21:21:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Go packaging team <pkg-go-maintainers@lists.alioth.debian.org>.
(Wed, 24 Oct 2018 21:21:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: golang-golang-x-net-dev
Severity: important
Tags: security
Please see
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17846
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17847
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17848
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Go packaging team <pkg-go-maintainers@lists.alioth.debian.org>:
Bug#911795; Package src:golang-golang-x-net-dev.
(Wed, 24 Oct 2018 21:27:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Martín Ferrari <tincho@tincho.org>:
Extra info received and forwarded to list. Copy sent to Debian Go packaging team <pkg-go-maintainers@lists.alioth.debian.org>.
(Wed, 24 Oct 2018 21:27:02 GMT) (full text, mbox, link).
Message #10 received at submit@bugs.debian.org (full text, mbox, reply):
On 24/10/18 22:17, Moritz Muehlenhoff wrote:
> Source: golang-golang-x-net-dev
> Severity: important
> Tags: security
>
> Please see
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17846
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17847
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17848
>
Thanks for the heads up!
Sadly, it seems it has not yet been fixed upstream.
--
Martín Ferrari (Tincho)
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Go packaging team <pkg-go-maintainers@lists.alioth.debian.org>:
Bug#911795; Package src:golang-golang-x-net-dev.
(Wed, 24 Oct 2018 21:27:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Martín Ferrari <tincho@tincho.org>:
Extra info received and forwarded to list. Copy sent to Debian Go packaging team <pkg-go-maintainers@lists.alioth.debian.org>.
(Wed, 24 Oct 2018 21:27:04 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Go Packaging Team <team+pkg-go@tracker.debian.org>:
Bug#911795; Package src:golang-golang-x-net-dev.
(Sun, 17 Mar 2019 19:30:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Go Packaging Team <team+pkg-go@tracker.debian.org>.
(Sun, 17 Mar 2019 19:30:02 GMT) (full text, mbox, link).
Message #20 received at 911795@bugs.debian.org (full text, mbox, reply):
On Wed, Oct 24, 2018 at 10:26:10PM +0100, Martín Ferrari wrote:
> On 24/10/18 22:17, Moritz Muehlenhoff wrote:
> > Source: golang-golang-x-net-dev
> > Severity: important
> > Tags: security
> >
> > Please see
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17846
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17847
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17848
> >
>
> Thanks for the heads up!
>
> Sadly, it seems it has not yet been fixed upstream.
This is now fixed upstream, see the respective links in the
Security Tracker at
https://security-tracker.debian.org/tracker/source-package/golang-golang-x-net-dev
Please upload a targeted fix and ask for an unblock with the release
team.
Cheers,
Moritz
Severity set to 'grave' from 'important'
Request was from Moritz Muehlenhoff <jmm@debian.org>
to control@bugs.debian.org.
(Sat, 20 Apr 2019 22:36:08 GMT) (full text, mbox, link).
Message sent on
to Moritz Muehlenhoff <jmm@debian.org>:
Bug#911795.
(Tue, 30 Apr 2019 08:39:06 GMT) (full text, mbox, link).
Message #25 received at 911795-submitter@bugs.debian.org (full text, mbox, reply):
Control: tag -1 pending
Hello,
Bug #911795 in golang-go.net reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/go-team/packages/golang-go.net/commit/10d331640e9961385dca362998344a0f520decc5
------------------------------------------------------------------------
Apply security patches (upstream commits)
CVE-2018-17846: commit d26f9f9a57f3fab6a695bec0d84433c2c50f8bbf
https://github.com/golang/go/issues/27842
CVE-2018-17847, CVE-2018-17848:
commit 4b62a64f59f73840b9ab79204c94fee61cd1ba2c
https://github.com/golang/go/issues/27846
Closes: #911795.
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/911795
Added tag(s) pending.
Request was from Drew Parsons <noreply@salsa.debian.org>
to 911795-submitter@bugs.debian.org.
(Tue, 30 Apr 2019 08:39:06 GMT) (full text, mbox, link).
Message sent on
to Moritz Muehlenhoff <jmm@debian.org>:
Bug#911795.
(Tue, 30 Apr 2019 08:54:02 GMT) (full text, mbox, link).
Message #30 received at 911795-submitter@bugs.debian.org (full text, mbox, reply):
Control: tag -1 pending
Hello,
Bug #911795 in golang-go.net reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/go-team/packages/golang-go.net/commit/10d331640e9961385dca362998344a0f520decc5
------------------------------------------------------------------------
Apply security patches (upstream commits)
CVE-2018-17846: commit d26f9f9a57f3fab6a695bec0d84433c2c50f8bbf
https://github.com/golang/go/issues/27842
CVE-2018-17847, CVE-2018-17848:
commit 4b62a64f59f73840b9ab79204c94fee61cd1ba2c
https://github.com/golang/go/issues/27846
Closes: #911795.
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/911795
Message sent on
to Moritz Muehlenhoff <jmm@debian.org>:
Bug#911795.
(Tue, 30 Apr 2019 09:00:03 GMT) (full text, mbox, link).
Message #33 received at 911795-submitter@bugs.debian.org (full text, mbox, reply):
Control: tag -1 pending
Hello,
Bug #911795 in golang-go.net reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/go-team/packages/golang-go.net/commit/10d331640e9961385dca362998344a0f520decc5
------------------------------------------------------------------------
Apply security patches (upstream commits)
CVE-2018-17846: commit d26f9f9a57f3fab6a695bec0d84433c2c50f8bbf
https://github.com/golang/go/issues/27842
CVE-2018-17847, CVE-2018-17848:
commit 4b62a64f59f73840b9ab79204c94fee61cd1ba2c
https://github.com/golang/go/issues/27846
Closes: #911795.
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/911795
Reply sent
to Drew Parsons <dparsons@debian.org>:
You have taken responsibility.
(Tue, 30 Apr 2019 09:06:04 GMT) (full text, mbox, link).
Notification sent
to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer.
(Tue, 30 Apr 2019 09:06:04 GMT) (full text, mbox, link).
Message #38 received at 911795-close@bugs.debian.org (full text, mbox, reply):
Source: golang-golang-x-net-dev
Source-Version: 1:0.0+git20181201.351d144+dfsg-3
We believe that the bug you reported is fixed in the latest version of
golang-golang-x-net-dev, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 911795@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Drew Parsons <dparsons@debian.org> (supplier of updated golang-golang-x-net-dev package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 30 Apr 2019 16:42:08 +0800
Source: golang-golang-x-net-dev
Architecture: source
Version: 1:0.0+git20181201.351d144+dfsg-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
Changed-By: Drew Parsons <dparsons@debian.org>
Closes: 911795
Changes:
golang-golang-x-net-dev (1:0.0+git20181201.351d144+dfsg-3) unstable; urgency=medium
.
* Team upload.
* Apply security patches (upstream commits). Closes: #911795.
- CVE-2018-17846: commit d26f9f9a57f3fab6a695bec0d84433c2c50f8bbf
- CVE-2018-17847, CVE-2018-17848:
commit 4b62a64f59f73840b9ab79204c94fee61cd1ba2c
Checksums-Sha1:
dcc114db8c03f47b658e4b1bd405970c968ac5f7 2505 golang-golang-x-net-dev_0.0+git20181201.351d144+dfsg-3.dsc
a0093085ed58507bd5de5e4bfdf217a3d7fb4257 14820 golang-golang-x-net-dev_0.0+git20181201.351d144+dfsg-3.debian.tar.xz
Checksums-Sha256:
f3201d93e1a3b984ea4b7b8f0c62d31510c571b3e3f4183ea3f4cef11049ea72 2505 golang-golang-x-net-dev_0.0+git20181201.351d144+dfsg-3.dsc
9c059bdffd3275671cc7b18cb5ebd33168a917366d8100d873fa9ecdd67e61a8 14820 golang-golang-x-net-dev_0.0+git20181201.351d144+dfsg-3.debian.tar.xz
Files:
398d48adb3c7507ce42abe2afde8f050 2505 devel optional golang-golang-x-net-dev_0.0+git20181201.351d144+dfsg-3.dsc
f8b71e06c308d88815f8c5407016fc5a 14820 devel optional golang-golang-x-net-dev_0.0+git20181201.351d144+dfsg-3.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEI8mpPlhYGekSbQo2Vz7x5L1aAfoFAlzIC4EACgkQVz7x5L1a
AfoTShAAsAIuSEBgq7I96GgpTVs+2Xr3dTuIXBqAf3y0d5a7bYO2ZyI7dHOvtxOV
lOBMrqjYLDPqqcCk/GjwAvCmI4QO8OB0H+jNZpK9nnOGmy8wlz9Cw1v6N/5RgvYK
lc9bIUQEVZ0EjPnIcm/nFcsf1sn/D+fW5BcBl2KYaoPLPmJ1IgXux1BAWYTkigZ3
scMiAlSFZkLeMnJAMgmtcmXeZr++SoysTP11tO2u5+cD5cjeTJX+3ELWftVo5SpV
81QhFuKKUDkvAEf8PgzjIpISM2srpggCyBLNbU8FRbbxF67B1cxYiR2DBS8Uu25Y
eWk2WiFi+s0rUZpNaL1dN6Uc0KiTRIeywbE25rU1BZe1sF8xR9DgoYV2faeaz8wB
jq0989WWY9P5JyW4IMv91Fll5ddrW0suFTfrl9fiFPOO0qV2NfIuA7I8U1sjHrPc
aywiX4Z1wpO7JnLmDCqPdAKieoaUx07hVloEjs236uT36cYGkoBiknWWdxWhTW5+
i25gZwsfwAMi68hwl4ZSTqOpvE6qa1RtcNlu+lBt6/xoOrXRma8CCXBJfdWWEisJ
My4TJfEibrjkp9JdVYL/wb0VeRSsoqX63mEsVn8j5zLYtkiSSG/NMh4diXDERwYv
egfK9S7y3ZDxDYEe4Q2vyfSvvI+1bliN5ef6LJD+9/YWW/AQ1dI=
=B2UG
-----END PGP SIGNATURE-----
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:48:27 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon