golang-1.15: CVE-2021-36221

Related Vulnerabilities: CVE-2021-36221  

Debian Bug report logs - #991961
golang-1.15: CVE-2021-36221

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 6 Aug 2021 17:51:04 UTC

Severity: important

Tags: security, upstream

Found in version golang-1.15/1.15.9-6

Forwarded to https://github.com/golang/go/issues/46866


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Go Compiler Team <team+go-compiler@tracker.debian.org>:
Bug#991961; Package src:golang-1.15. (Fri, 06 Aug 2021 17:51:06 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Go Compiler Team <team+go-compiler@tracker.debian.org>. (Fri, 06 Aug 2021 17:51:06 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: golang-1.15: CVE-2021-36221
Date: Fri, 06 Aug 2021 19:49:33 +0200
Source: golang-1.15
Version: 1.15.9-6
Severity: important
Tags: security upstream
Forwarded: https://github.com/golang/go/issues/46866
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for golang-1.15.

CVE-2021-36221[0]:
| net/http: panic due to racy read of persistConn after handler panic

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-36221
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36221
[1] https://github.com/golang/go/issues/46866

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Go Compiler Team <team+go-compiler@tracker.debian.org>:
Bug#991961; Package src:golang-1.15. (Fri, 06 Aug 2021 20:06:02 GMT).


Acknowledgement sent to Shengjing Zhu <zhsj@debian.org>:
Extra info received and forwarded to list. Copy sent to Go Compiler Team <team+go-compiler@tracker.debian.org>. (Fri, 06 Aug 2021 20:06:02 GMT).


Message #10 received at 991961@bugs.debian.org:

From: Shengjing Zhu <zhsj@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 991961@bugs.debian.org
Cc: Debian release team <debian-release@lists.debian.org>
Subject: Re: Bug#991961: golang-1.15: CVE-2021-36221
Date: Sat, 7 Aug 2021 04:01:49 +0800

Hi,

On Sat, Aug 7, 2021 at 1:51 AM Salvatore Bonaccorso <carnil@debian.org> wrote:
>
> Source: golang-1.15
> Version: 1.15.9-6
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/golang/go/issues/46866
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
>
> Hi,
>
> The following vulnerability was published for golang-1.15.
>
> CVE-2021-36221[0]:
> | net/http: panic due to racy read of persistConn after handler panic
>

The issue looks minor (upstream disclosed it without pre-announce).
Should we fix it before the bullseye release?
Fixing issues in the compiler's std library needs to rebuild the whole
world, see #990825

Or do we just postpone it until later, or just fix the compiler package alone?

-- 
Shengjing Zhu



Information forwarded to debian-bugs-dist@lists.debian.org, Go Compiler Team <team+go-compiler@tracker.debian.org>:
Bug#991961; Package src:golang-1.15. (Fri, 06 Aug 2021 20:30:03 GMT).


Acknowledgement sent to Paul Gevers <elbrus@debian.org>:
Extra info received and forwarded to list. Copy sent to Go Compiler Team <team+go-compiler@tracker.debian.org>. (Fri, 06 Aug 2021 20:30:03 GMT).


Message #15 received at 991961@bugs.debian.org:

From: Paul Gevers <elbrus@debian.org>
To: Shengjing Zhu <zhsj@debian.org>, Salvatore Bonaccorso <carnil@debian.org>, 991961@bugs.debian.org
Cc: Debian release team <debian-release@lists.debian.org>
Subject: Re: Bug#991961: golang-1.15: CVE-2021-36221
Date: Fri, 6 Aug 2021 22:28:27 +0200

Hi Shengjing,

On 06-08-2021 22:01, Shengjing Zhu wrote:
> Should we fix it before the bullseye release?

No, at least not in 11.0.

Paul


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Aug 7 16:17:47 2021; Machine Name: buxtehude