[golang-1.12] Security patch for HTTP smuggling

Related Vulnerabilities: CVE-2019-16276  

Debian Bug report logs - #941173

Reported by: Tim Sattarov <stimur@gmail.com>

Date: Wed, 25 Sep 2019 22:33:02 UTC

Severity: normal

Tags: security

Found in version golang-1.12/1.12.9-2

Fixed in version golang-1.12/1.12.10-1

Done: toddy@debian.org (Dr. Tobias Quathamer)



Report forwarded to debian-bugs-dist@lists.debian.org, secure-testing-team@lists.alioth.debian.org, Go Compiler Team <team+go-compiler@tracker.debian.org>:
Bug#941173; Package golang-1.12. (Wed, 25 Sep 2019 22:33:07 GMT)


Acknowledgement sent to Tim Sattarov <stimur@gmail.com>:
New Bug report received and forwarded. Copy sent to secure-testing-team@lists.alioth.debian.org, Go Compiler Team <team+go-compiler@tracker.debian.org>. (Wed, 25 Sep 2019 22:33:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Tim Sattarov <stimur@gmail.com>
To: submit@bugs.debian.org
Subject: [golang-1.12] Security patch for HTTP smuggling
Date: Wed, 25 Sep 2019 18:29:08 -0400
Package: golang-1.12
Version: 1.12.9-2
Severity: normal
Tags: security
X-Debbugs-CC: secure-testing-team@lists.alioth.debian.org

--- Please enter the report below this line. ---

Hello,

The Golang team recently released a new version of the Go language fixing an HTTP smuggling issue.
Details are at the link: https://github.com/golang/go/issues/34541

Thank you

--- System information. ---
Architecture:
Kernel: Linux 5.2.0-2-amd64

Debian Release: bullseye/sid
800 testing mirror.csclub.uwaterloo.ca
800 testing cloudfront.debian.net
500 stretch download.docker.com
500 stable repository.spotify.com
500 stable repo.skype.com
500 stable packages.microsoft.com
500 stable dl.google.com
500 stable artifacts.elastic.co
500 stable apt.agilebits.com
500 kubernetes-xenial apt.kubernetes.io
500 jessie packagecloud.io
500 cosmic brave-browser-apt-release.s3.brave.com
500 cloud-sdk-buster packages.cloud.google.com
500 buster linux.dropbox.com
500 bionic packages.gitlab.com
500 binary pkg.jenkins.io
100 unstable cloudfront.debian.net
100 experimental cloudfront.debian.net

--- Package information. ---
Depends         (Version)     | Installed
=============================-+-==============
golang-1.12-doc (>= 1.12.9-2) | 1.12.9-2
golang-1.12-go  (>= 1.12.9-2) | 1.12.9-2
golang-1.12-src (>= 1.12.9-2) | 1.12.9-2


Package's Recommends field is empty.

Package's Suggests field is empty.



Information forwarded to debian-bugs-dist@lists.debian.org, Go Compiler Team <team+go-compiler@tracker.debian.org>:
Bug#941173; Package golang-1.12. (Thu, 26 Sep 2019 09:33:03 GMT)


Acknowledgement sent to "Dr. Tobias Quathamer" <toddy@debian.org>:
Extra info received and forwarded to list. Copy sent to Go Compiler Team <team+go-compiler@tracker.debian.org>. (Thu, 26 Sep 2019 09:33:03 GMT)


Message #10 received at 941173@bugs.debian.org:

From: "Dr. Tobias Quathamer" <toddy@debian.org>
To: Tim Sattarov <stimur@gmail.com>, 941173@bugs.debian.org
Cc: secure-testing-team@lists.alioth.debian.org
Subject: Re: Bug#941173: [golang-1.12] Security patch for HTTP smuggling
Date: Thu, 26 Sep 2019 11:29:49 +0200
On 26.09.19 at 00:29, Tim Sattarov wrote:
> Hello,
> 
> The Golang team recently released a new version of the Go language fixing an HTTP smuggling issue.
> Details are at the link: https://github.com/golang/go/issues/34541

Hi Tim,

thanks for the information, the new package is uploaded.

Regards,
Tobias


Reply sent to toddy@debian.org (Dr. Tobias Quathamer):
You have taken responsibility. (Thu, 26 Sep 2019 09:51:15 GMT)


Notification sent to Tim Sattarov <stimur@gmail.com>:
Bug acknowledged by developer. (Thu, 26 Sep 2019 09:51:15 GMT)


Message #15 received at 941173-close@bugs.debian.org:

From: toddy@debian.org (Dr. Tobias Quathamer)
To: 941173-close@bugs.debian.org
Subject: Bug#941173: fixed in golang-1.12 1.12.10-1
Date: Thu, 26 Sep 2019 09:49:51 +0000
Source: golang-1.12
Source-Version: 1.12.10-1

We believe that the bug you reported is fixed in the latest version of
golang-1.12, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 941173@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dr. Tobias Quathamer <toddy@debian.org> (supplier of updated golang-1.12 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 26 Sep 2019 11:18:04 +0200
Source: golang-1.12
Architecture: source
Version: 1.12.10-1
Distribution: unstable
Urgency: medium
Maintainer: Go Compiler Team <team+go-compiler@tracker.debian.org>
Changed-By: Dr. Tobias Quathamer <toddy@debian.org>
Closes: 941173
Changes:
 golang-1.12 (1.12.10-1) unstable; urgency=medium
 .
   * New upstream version 1.12.10
     - net/textproto: don't normalize headers with spaces before the colon.
       Fixes CVE-2019-16276. See https://github.com/golang/go/issues/34541
       Closes: #941173
   * Apply changes from cme fix dpkg
   * Set Rules-Requires-Root: no
   * Regenerate d/control
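
The changelog entry above says net/textproto no longer normalizes headers with spaces before the colon. The following Go program is an added example, not part of this bug log and not Debian or Go project code: it checks whether the toolchain a binary was built with still performs that normalization, and flags such header lines in a raw header block. The `X-Probe` field, the `example.test` host and both function names are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"net/textproto"
	"runtime"
	"strings"
)

// probe is a constructed header block; the first field name has a space
// before the colon, which RFC 7230 section 3.2.4 does not allow.
const probe = "X-Probe : 1\r\nHost: example.test\r\n\r\n"

// NormalizesSpaceBeforeColon reports whether this toolchain's net/textproto
// still maps "X-Probe " to "X-Probe" (the behaviour the changelog removes).
func NormalizesSpaceBeforeColon() bool {
	r := textproto.NewReader(bufio.NewReader(strings.NewReader(probe)))
	h, err := r.ReadMIMEHeader()
	if err != nil {
		return false // parser rejected the block outright: nothing was normalized
	}
	return h.Get("X-Probe") == "1"
}

// SpaceBeforeColon returns the header lines of raw whose field name is
// followed by a space or tab before the colon.
func SpaceBeforeColon(raw string) []string {
	var bad []string
	for _, line := range strings.Split(raw, "\n") {
		line = strings.TrimRight(line, "\r")
		if line == "" {
			break // end of the header block
		}
		if line[0] == ' ' || line[0] == '\t' {
			continue // obsolete line folding: continuation of the previous value
		}
		i := strings.IndexByte(line, ':')
		if i > 0 && (line[i-1] == ' ' || line[i-1] == '\t') {
			bad = append(bad, line)
		}
	}
	return bad
}

func main() {
	fmt.Println(runtime.Version(), "normalizes:", NormalizesSpaceBeforeColon())
	fmt.Println("flagged:", SpaceBeforeColon(probe))
}
```

A result of `normalizes: true` means the binary was built with a toolchain that predates the fix and should be rebuilt with the updated package.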






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Sep 26 16:46:20 2019; Machine Name: buxtehude
