-
golang-1.20 (1.20.10-1) unstable; urgency=medium
* Team upload.
* New upstream version 1.20.10
+ CVE-2023-44487/CVE-2023-39325: net/http: rapid stream resets can cause
excessive work
-- Shengjing Zhu <email address hidden> Wed, 11 Oct 2023 14:49:01 +0800
-
golang-1.20 (1.20.9-1) unstable; urgency=medium
* Team upload.
* New upstream version 1.20.9
+ CVE-2023-39323: cmd/go: line directives allow arbitrary execution during
build
-- Shengjing Zhu <email address hidden> Fri, 06 Oct 2023 19:40:40 +0800
-
golang-1.20 (1.20.8-1) unstable; urgency=medium
* Team upload.
* New upstream version 1.20.8
+ CVE-2023-39318: html/template: improper handling of HTML-like comments
within script contexts
+ CVE-2023-39319: html/template: improper handling of special tags within
script contexts
-- Shengjing Zhu <email address hidden> Thu, 07 Sep 2023 11:58:16 +0800
-
golang-1.20 (1.20.7-1) unstable; urgency=medium
* Team upload
* New upstream version 1.20.7
+ CVE-2023-29409: crypto/tls: restrict RSA keys in certificates
to <= 8192 bits
-- Shengjing Zhu <email address hidden> Wed, 02 Aug 2023 11:30:27 +0800
-
golang-1.20 (1.20.6-1) unstable; urgency=medium
* Team upload
* New upstream version 1.20.6
+ CVE-2023-29406: net/http: insufficient sanitization of Host header
* Add autopkgtest
-- Shengjing Zhu <email address hidden> Wed, 12 Jul 2023 13:34:53 +0800
-
golang-1.20 (1.20.5-1) unstable; urgency=medium
* Team upload
* New upstream version 1.20.5
+ CVE-2023-29402: cmd/go: cgo code injection
+ CVE-2023-29403: runtime: unexpected behavior of setuid/setgid binaries
+ CVE-2023-29404/CVE-2023-29405: cmd/go: improper sanitization of LDFLAGS
-- Shengjing Zhu <email address hidden> Wed, 07 Jun 2023 12:05:11 +0800
-
golang-1.20 (1.20.4-1) unstable; urgency=medium
* Team upload
* New upstream version 1.20.4
+ CVE-2023-24539: html/template: improper sanitization of CSS values
+ CVE-2023-24540: html/template: improper handling of JavaScript whitespace
+ CVE-2023-29400: html/template: improper handling of empty HTML attributes
-- Shengjing Zhu <email address hidden> Wed, 03 May 2023 14:56:49 +0800
-
golang-1.20 (1.20.3-1) unstable; urgency=medium
* Team upload
* New upstream version 1.20.3
+ CVE-2023-24537: go/parser: infinite loop in parsing
+ CVE-2023-24538: html/template: backticks not treated as string delimiters
+ CVE-2023-24534: net/http, net/textproto: denial of service from excessive
memory allocation
+ CVE-2023-24536: net/http, net/textproto, mime/multipart: denial of
service from excessive resource consumption
-- Shengjing Zhu <email address hidden> Wed, 05 Apr 2023 02:04:08 +0800
-
golang-1.20 (1.20.2-1) unstable; urgency=medium
* Team upload
* New upstream version 1.20.2
+ CVE-2023-24532: crypto/elliptic: incorrect P-256 ScalarMult and
ScalarBaseMult results
-- Shengjing Zhu <email address hidden> Wed, 08 Mar 2023 13:57:35 +0800
-
golang-1.20 (1.20.1-1) unstable; urgency=medium
* Team upload
* New upstream version 1.20.1
+ CVE-2022-41722: path/filepath: path traversal in filepath.Clean on
Windows
+ CVE-2022-41725: net/http, mime/multipart: denial of service from
excessive resource consumption
+ CVE-2022-41724: crypto/tls: large handshake records may cause panics
+ CVE-2022-41723: net/http: avoid quadratic complexity in HPACK decoding
-- Shengjing Zhu <email address hidden> Wed, 15 Feb 2023 09:53:55 +0800
-
golang-1.20 (1.20-1) unstable; urgency=medium
* Team upload
* New upstream release 1.20
* Remove patches applied upstream:
- d/patches/0005-Revert-internal-fsys-follow-root-symlink-in-fsys.Wal.patch
- d/patches/0006-time-revert-strict-parsing-of-RFC-3339.patch
-- Michael Hudson-Doyle <email address hidden> Thu, 02 Feb 2023 13:54:15 +1300
-
golang-1.20 (1.20~rc3-2) unstable; urgency=medium
* Team upload
* Revert strict parsing of RFC 3339.
See https://github.com/golang/go/issues/54580
-- Shengjing Zhu <email address hidden> Thu, 19 Jan 2023 16:45:22 +0800
-
golang-1.20 (1.20~rc3-1) unstable; urgency=medium
[ William 'jawn-smith' Wilson ]
* New upstream version 1.20 rc3
[ Shengjing Zhu ]
* Drop 0005-syscall-skip-TestUseCgroupFD-if-cgroupfs-not-mounted.patch,
merged in new version.
-- Shengjing Zhu <email address hidden> Fri, 13 Jan 2023 09:51:55 +0800
-
golang-1.20 (1.20~rc2-2) unstable; urgency=medium
* Team upload
* Add NO_PNG_PKG_MANGLE to prevent mangling testdata.
This is Ubuntu-specific behaviour, so they can sync the package without
a vendor patch.
* Revert "internal/fsys: follow root symlink in fsys.Walk"
Fix https://github.com/golang/go/issues/57754
-- Shengjing Zhu <email address hidden> Thu, 12 Jan 2023 22:27:08 +0800
-
golang-1.20 (1.20~rc2-1) unstable; urgency=medium
* Team upload
* New upstream version 1.20~rc2
* Bump bootstrap Go to 1.17.
See https://github.com/golang/go/issues/44505
* Drop i386 bootstrap workaround with Go < 1.16
* Add patch to skip TestUseCgroupFD for schroot
* Update Standards-Version to 4.6.2 (no changes)
* $GOROOT/pkg no longer stores pre-compiled package archives for the standard library
* Make all scripts in src directory executable, to silence lintian.
* Refresh lintian overrides
-- Shengjing Zhu <email address hidden> Thu, 05 Jan 2023 16:01:28 +0800