Your message dated Sun, 17 Mar 2019 21:34:53 +0000
with message-id <[email protected]>
and subject line Bug#924630: fixed in golang-1.11 1.11.6-1
has caused the Debian Bug report #924630,
regarding golang-1.11: CVE-2019-9741: CRLF injection in net/http
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
924630: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924630
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: golang-1.11
Version: 1.11.5-1
Severity: grave
Tags: security upstream

Hi,

The following vulnerability was published for golang-1.11.

CVE-2019-9741[0]:
| An issue was discovered in net/http in Go 1.11.5. CRLF injection is
| possible if the attacker controls a url parameter, as demonstrated by
| the second argument to http.NewRequest with \r\n followed by an HTTP
| header or a Redis command.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-9741
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9741
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1688230

Regards,
Salvatore

--- End Message ---
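
As an added example (not part of the bug report, and not code from the Go or Debian sources), a caller-side guard for the condition the CVE text describes: it rejects raw control bytes in a URL string before http.NewRequest sees it, and percent-encodes untrusted query values instead of concatenating them. SafeNewRequest, WithQuery, hasCTL, ErrControlChar and the sample URL are hypothetical names and constructed values.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// ErrControlChar is a hypothetical sentinel error for this example.
var ErrControlChar = errors.New("URL contains ASCII control character")

// hasCTL reports whether s holds an ASCII control byte (< 0x20 or 0x7f), CR and LF included.
func hasCTL(s string) bool {
	for i := 0; i < len(s); i++ {
		if b := s[i]; b < 0x20 || b == 0x7f {
			return true
		}
	}
	return false
}

// SafeNewRequest refuses raw control bytes before the string reaches net/http.
func SafeNewRequest(method, rawURL string) (*http.Request, error) {
	if hasCTL(rawURL) {
		return nil, ErrControlChar
	}
	return http.NewRequest(method, rawURL, nil)
}

// WithQuery appends an untrusted value as a query parameter, percent-encoding it.
func WithQuery(base, key, value string) (string, error) {
	u, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set(key, value)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() {
	untrusted := "1 HTTP/1.1\r\nX-Injected: yes" // constructed sample input
	_, err := SafeNewRequest("GET", "http://127.0.0.1:8080/?q="+untrusted)
	fmt.Println("concatenated:", err)
	safe, _ := WithQuery("http://127.0.0.1:8080/", "q", untrusted)
	fmt.Println("encoded:", safe)
}
```

The guard works on the raw string, so it does not depend on which Go release the program is built with.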
--- Begin Message ---
Source: golang-1.11
Source-Version: 1.11.6-1

We believe that the bug you reported is fixed in the latest version of
golang-1.11, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Hudson-Doyle <[email protected]> (supplier of updated golang-1.11 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 18 Mar 2019 09:37:17 +1300
Source: golang-1.11
Binary: golang-1.11-go golang-1.11-src golang-1.11-doc golang-1.11
Architecture: source
Version: 1.11.6-1
Distribution: unstable
Urgency: medium
Maintainer: Go Compiler Team <[email protected]>
Changed-By: Michael Hudson-Doyle <[email protected]>
Description:
 golang-1.11 - Go programming language compiler - metapackage
 golang-1.11-doc - Go programming language - documentation
 golang-1.11-go - Go programming language compiler, linker, compiled stdlib
 golang-1.11-src - Go programming language - source files
Closes: 924630
Changes:
 golang-1.11 (1.11.6-1) unstable; urgency=medium
 .
   * New upstream version 1.11.6, fixing CVE-2019-9741. (Closes: #924630)
   * Delete d/patches/0005-fix-MIPS-SGTconst-with-shift-rules.patch, applied
     upstream.
   * Refreshed other patches.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
