golang-golang-x-text: CVE-2020-28852

Debian Bug report logs - #980002

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 12 Jan 2021 18:15:06 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version golang-golang-x-text/0.3.4-1

Fixed in version golang-golang-x-text/0.3.5-1

Done: Shengjing Zhu <zhsj@debian.org>

Forwarded to https://github.com/golang/go/issues/42536



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Go Packaging Team <team+pkg-go@tracker.debian.org>:
Bug#980002; Package src:golang-golang-x-text. (Tue, 12 Jan 2021 18:15:08 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Go Packaging Team <team+pkg-go@tracker.debian.org>. (Tue, 12 Jan 2021 18:15:08 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: golang-golang-x-text: CVE-2020-28852
Date: Tue, 12 Jan 2021 19:14:00 +0100
Source: golang-golang-x-text
Version: 0.3.4-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/golang/go/issues/42536
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for golang-golang-x-text.

CVE-2020-28852[0]:
| In x/text in Go 1.15.4, a "slice bounds out of range" panic occurs in
| language.ParseAcceptLanguage while processing a BCP 47 tag.
| (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-28852
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28852
[1] https://github.com/golang/go/issues/42536

Regards,
Salvatore
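The report above pins the affected Debian package at 0.3.4-1 and the changelog further down names upstream v0.3.5 as the release carrying the fix. The following is an added example, not code from the Debian bug, the x/text project or the Go issue: a small stdlib-only Go program that scans a go.mod for the golang.org/x/text requirement and flags anything below v0.3.5 as still exposed to CVE-2020-28852. The go.mod content, the module path example.com/webapp and the function names are constructed for this example; the only page-derived value is the fixed version string.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample go.mod (not taken from the page) pinning the affected release.
const sampleGoMod = `module example.com/webapp

go 1.15

require (
	golang.org/x/text v0.3.4
	golang.org/x/net v0.0.0-20201021035429-f5854403a974 // indirect
)
`

// The Debian changelog names upstream v0.3.5 as the release fixing CVE-2020-28852.
const fixedXTextVersion = "v0.3.5"

// semver holds the numeric core of a Go module version plus whether it carries
// a pre-release suffix. Pseudo-versions such as v0.3.5-0.20210101000000-abcdef
// sort before the bare v0.3.5 and therefore may predate the fix, so they are
// treated conservatively as not yet fixed.
type semver struct {
	nums [3]int
	pre  bool
}

func parseSemver(v string) (semver, error) {
	var sv semver
	s := strings.TrimPrefix(v, "v")
	if i := strings.Index(s, "+"); i >= 0 { // build metadata never affects ordering
		s = s[:i]
	}
	if i := strings.Index(s, "-"); i >= 0 {
		sv.pre = true
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return sv, fmt.Errorf("not a vMAJOR.MINOR.PATCH version: %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return sv, fmt.Errorf("bad component %q in %q", p, v)
		}
		sv.nums[i] = n
	}
	return sv, nil
}

// compareSemver returns -1, 0 or 1 as a is lower than, equal to or higher than b.
func compareSemver(a, b semver) int {
	for i := range a.nums {
		if a.nums[i] != b.nums[i] {
			if a.nums[i] < b.nums[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case a.pre && !b.pre:
		return -1
	case !a.pre && b.pre:
		return 1
	}
	return 0
}

// requiredVersion finds the version a go.mod requires for modPath, handling both
// the single-line "require path vX" form and the parenthesised block form.
func requiredVersion(gomod, modPath string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimPrefix(strings.TrimSpace(sc.Text()), "require ")
		fields := strings.Fields(line)
		if len(fields) >= 2 && fields[0] == modPath {
			return fields[1], true
		}
	}
	return "", false
}

// VulnerableToCVE202028852 reports whether gomod pins golang.org/x/text below
// v0.3.5. A go.mod that does not require the module at all yields (false, nil).
func VulnerableToCVE202028852(gomod string) (bool, error) {
	v, ok := requiredVersion(gomod, "golang.org/x/text")
	if !ok {
		return false, nil
	}
	have, err := parseSemver(v)
	if err != nil {
		return false, err
	}
	fixed, err := parseSemver(fixedXTextVersion)
	if err != nil {
		return false, err
	}
	return compareSemver(have, fixed) < 0, nil
}

func main() {
	vuln, err := VulnerableToCVE202028852(sampleGoMod)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("golang.org/x/text below %s (CVE-2020-28852): %v\n", fixedXTextVersion, vuln)
}
```

A go.mod requirement is a lower bound, not the version the build actually selects: another dependency may raise it, and a replace directive may point elsewhere. For the authoritative answer run `go list -m golang.org/x/text` in the module, or `go list -m all` for the whole graph, and compare that output with the same check.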



Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Mon, 18 Jan 2021 17:48:05 GMT)


Reply sent to Shengjing Zhu <zhsj@debian.org>:
You have taken responsibility. (Mon, 18 Jan 2021 18:36:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 18 Jan 2021 18:36:03 GMT)


Message #12 received at 980002-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 980002-close@bugs.debian.org
Subject: Bug#980002: fixed in golang-golang-x-text 0.3.5-1
Date: Mon, 18 Jan 2021 18:33:23 +0000
Source: golang-golang-x-text
Source-Version: 0.3.5-1
Done: Shengjing Zhu <zhsj@debian.org>

We believe that the bug you reported is fixed in the latest version of
golang-golang-x-text, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 980002@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Shengjing Zhu <zhsj@debian.org> (supplier of updated golang-golang-x-text package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 19 Jan 2021 02:11:19 +0800
Source: golang-golang-x-text
Architecture: source
Version: 0.3.5-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
Changed-By: Shengjing Zhu <zhsj@debian.org>
Closes: 980002
Changes:
 golang-golang-x-text (0.3.5-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release v0.3.5 (Closes: #980002, CVE-2020-28852)
   * Update Section to golang
   * Update Standards-Version to 4.5.1 (no changes)
Checksums-Sha1:
 11d02a45d806ad9aa9ac35b9fb2e84114006b5ee 1618 golang-golang-x-text_0.3.5-1.dsc
 29f2fccd74066c995a59d329a66591bfdec7b70c 8348127 golang-golang-x-text_0.3.5.orig.tar.gz
 bba0ef0cc010f3d06497cd52b0f3ad672a9b0270 5860 golang-golang-x-text_0.3.5-1.debian.tar.xz
 6b710dd81cf21e0562ef5be25a747f6483140f7c 5303 golang-golang-x-text_0.3.5-1_amd64.buildinfo
Checksums-Sha256:
 1cb8f1bd38c4ae9ef7a19836fe0d5622d7a46bbcc2eeabc3b648cf8d81dc7c52 1618 golang-golang-x-text_0.3.5-1.dsc
 f85d1185ba116cd40ef8cf702fe1d960ed41d039c08fd314dbeb5866f3166f27 8348127 golang-golang-x-text_0.3.5.orig.tar.gz
 b76918b84588009a6d1ce5cec543351ac066dee0dd06a612e01e0968fd4fd484 5860 golang-golang-x-text_0.3.5-1.debian.tar.xz
 e03b00d0ae86041133ceec49373ce33854850dd2c3e042ccd4a28f48ea2c24f9 5303 golang-golang-x-text_0.3.5-1_amd64.buildinfo
Files:
 ff4540b1c48f9c0f4ac51b612903c9dc 1618 golang optional golang-golang-x-text_0.3.5-1.dsc
 70cb6783d969e9a92b39d40c4309930d 8348127 golang optional golang-golang-x-text_0.3.5.orig.tar.gz
 b5e783572fbc00cad145a633b52e9f51 5860 golang optional golang-golang-x-text_0.3.5-1.debian.tar.xz
 f46b82711cf5270c3ec5c1da7199c37f 5303 golang optional golang-golang-x-text_0.3.5-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iIYEARYIAC4WIQTiXc95jUQrjt9HgU3EhUo4GOCwFgUCYAXRNxAcemhzakBkZWJp
YW4ub3JnAAoJEMSFSjgY4LAWxE4BAKQBoidZmZUdqSMV77gqPk8RvtSu/Blanoom
OUkjCMwSAP9H3bc51dWaUi1pJ/dIZB6b7AQJZ9uMTxuMipbHv32GCA==
=Ut+y
-----END PGP SIGNATURE-----



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Jan 25 07:32:39 2021; Machine Name: buxtehude