Debian Bug report logs - #942628
golang-1.13: CVE-2019-17596: invalid public key causes panic in dsa.Verify
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Go Compiler Team <team+go-compiler@tracker.debian.org>: Bug#942628; Package src:golang-1.13. (Sat, 19 Oct 2019 06:27:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Go Compiler Team <team+go-compiler@tracker.debian.org>. (Sat, 19 Oct 2019 06:27:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: golang-1.13
Version: 1.13.1-1
Severity: grave
Tags: security upstream
Control: clone -1 -2
Control: reassign -2 src:golang-1.12 1.12.10-1
Control: retitle -2 golang-1.13: CVE-2019-17596: invalid public key causes panic in dsa.Verify
Control: forwarded -1 https://github.com/golang/go/issues/34962
Control: forwarded -2 https://github.com/golang/go/issues/34961
Hi,
The following vulnerability was published for golang-1.13.
CVE-2019-17596[0]:
crypto/dsa: invalid public key causes panic in dsa.Verify
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-17596
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17596
[1] https://github.com/golang/go/issues/34962
[2] https://github.com/golang/go/issues/34961
[3] https://github.com/golang/go/issues/34960
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Bug 942628 cloned as bug 942629. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sat, 19 Oct 2019 06:27:04 GMT)
Reply sent to toddy@debian.org (Dr. Tobias Quathamer): You have taken responsibility. (Sat, 19 Oct 2019 12:09:03 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sat, 19 Oct 2019 12:09:03 GMT)
Message #14 received at 942628-close@bugs.debian.org:
Source: golang-1.13
Source-Version: 1.13.3-1
We believe that the bug you reported is fixed in the latest version of
golang-1.13, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 942628@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dr. Tobias Quathamer <toddy@debian.org> (supplier of updated golang-1.13 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 19 Oct 2019 13:30:36 +0200
Source: golang-1.13
Architecture: source
Version: 1.13.3-1
Distribution: unstable
Urgency: medium
Maintainer: Go Compiler Team <team+go-compiler@tracker.debian.org>
Changed-By: Dr. Tobias Quathamer <toddy@debian.org>
Closes: 942628
Changes:
golang-1.13 (1.13.3-1) unstable; urgency=medium
.
* New upstream version 1.13.3
- Refresh patch
- crypto/dsa: invalid public key causes panic in dsa.Verify.
Fixes CVE-2019-17596. Closes: #942628
* Update Standards-Version to 4.4.1, no changes needed
Last modified: Sat Oct 19 16:47:40 2019