golang: CVE-2015-8618: Carry propagation in Int.Exp Montgomery code in math/big library

Related Vulnerabilities: CVE-2015-8618  

Debian Bug report logs - #809168

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 27 Dec 2015 19:18:01 UTC

Severity: important

Tags: patch, security, upstream

Found in version golang/2:1.5.1-4

Fixed in version golang/2:1.5.3-1

Done: Tianon Gravi <tianon@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Go Compiler Team <pkg-golang-devel@lists.alioth.debian.org>:
Bug#809168; Package src:golang. (Sun, 27 Dec 2015 19:18:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Go Compiler Team <pkg-golang-devel@lists.alioth.debian.org>. (Sun, 27 Dec 2015 19:18:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: golang: CVE-2015-8618: Carry propagation in Int.Exp Montgomery code in math/big library
Date: Sun, 27 Dec 2015 20:15:20 +0100
Source: golang
Version: 2:1.5.1-4
Severity: important
Tags: security upstream patch

Hi,

the following vulnerability was published for golang.

CVE-2015-8618[0]:
math/big: fix carry propagation in Int.Exp Montgomery code

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-8618
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1293448
[2] https://go-review.googlesource.com/#/c/17672/

Regards,
Salvatore
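
A differential self-test for the function named in this report, as an added example that is not part of the bug log or of the Go project's own code: it compares `big.Int.Exp` with a plain square-and-multiply reference on random odd moduli, the case where Montgomery reduction applies. The names `refExp`, `randOdd` and `CheckExp`, the seed and the bit sizes are assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"math/big"
	"math/rand"
)

// refExp computes x^y mod m by binary square-and-multiply using only
// Mul and Mod, so it never enters the Int.Exp code path under test.
func refExp(x, y, m *big.Int) *big.Int {
	r := big.NewInt(1)
	r.Mod(r, m)
	b := new(big.Int).Mod(x, m)
	for i := y.BitLen() - 1; i >= 0; i-- {
		r.Mul(r, r).Mod(r, m)
		if y.Bit(i) == 1 {
			r.Mul(r, b).Mod(r, m)
		}
	}
	return r
}

// randOdd returns a random odd integer of exactly `bits` bits.
func randOdd(rng *rand.Rand, bits int) *big.Int {
	limit := new(big.Int).Lsh(big.NewInt(1), uint(bits))
	n := new(big.Int).Rand(rng, limit)
	n.SetBit(n, bits-1, 1)
	return n.SetBit(n, 0, 1)
}

// CheckExp runs `rounds` differential trials (constructed random inputs)
// and returns how many times Int.Exp disagrees with the reference.
func CheckExp(seed int64, rounds, bits int) int {
	rng := rand.New(rand.NewSource(seed))
	bad := 0
	for i := 0; i < rounds; i++ {
		m := randOdd(rng, bits)
		x := new(big.Int).Rand(rng, m)
		y := randOdd(rng, bits)
		if new(big.Int).Exp(x, y, m).Cmp(refExp(x, y, m)) != 0 {
			bad++
		}
	}
	return bad
}

func main() {
	fmt.Println("mismatches:", CheckExp(1, 200, 1024))
}
```

A non-zero count means the toolchain that built the binary returns wrong modular exponentiation results; a zero count only shows that no wrong result appeared in these trials, so the package version remains the authoritative check.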



Reply sent to Tianon Gravi <tianon@debian.org>:
You have taken responsibility. (Thu, 14 Jan 2016 16:27:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 14 Jan 2016 16:27:08 GMT)


Message #10 received at 809168-close@bugs.debian.org:

From: Tianon Gravi <tianon@debian.org>
To: 809168-close@bugs.debian.org
Subject: Bug#809168: fixed in golang 2:1.5.3-1
Date: Thu, 14 Jan 2016 16:23:11 +0000
Source: golang
Source-Version: 2:1.5.3-1

We believe that the bug you reported is fixed in the latest version of
golang, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 809168@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tianon Gravi <tianon@debian.org> (supplier of updated golang package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 14 Jan 2016 07:41:44 -0800
Source: golang
Binary: golang-go golang-src golang-doc golang
Architecture: source
Version: 2:1.5.3-1
Distribution: unstable
Urgency: high
Maintainer: Go Compiler Team <pkg-golang-devel@lists.alioth.debian.org>
Changed-By: Tianon Gravi <tianon@debian.org>
Description:
 golang     - Go programming language compiler - metapackage
 golang-doc - Go programming language - documentation
 golang-go  - Go programming language compiler, linker, compiled stdlib
 golang-src - Go programming language - source files
Closes: 809168 810595
Changes:
 golang (2:1.5.3-1) unstable; urgency=high
 .
   * Update to 1.5.3 upstream release
     - Fix CVE-2015-8618: Carry propagation in Int.Exp Montgomery code in
       math/big library (Closes: #809168)
   * Add "Breaks" to properly complement our "Replaces" (Closes: #810595)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 14 Feb 2016 07:34:03 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:58:26 2019; Machine Name: buxtehude
