Sync golang-1.19 1.19.6-1 (main) from Debian unstable (main)
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| golang-1.19 (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Bug Description
Please sync golang-1.19 1.19.5-1 (main) from Debian unstable (main)
Explanation of the Ubuntu delta and why it can be dropped:
- 0001-cmd-
disable internal linking when dynamically linking and CGO_CFLAGS
contains flags that might make host object files that the internal
linkers ELF reader does not support. This fixes lots of package builds
when LTO is enabled by default via dpkg-buildflags.
This is fixed in dpkg and dh-golang. See LP#2002076 and LP#2002201.
So it's obsoleted in Ubuntu.
- d/rules: Add NO_PNG_PKG_MANGLE to prevent a test file from being
compressed.
This is applied in 1.19.5-1 in Debian.
Changelog entries since current lunar version 1.19.4-1ubuntu1:
golang-1.19 (1.19.5-1) unstable; urgency=medium
* Team upload
* Add NO_PNG_PKG_MANGLE to prevent mangling testdata.
This is Ubuntu specific behaviour so they can sync the package without
vendor patch.
* New upstream version 1.19.5
-- Shengjing Zhu <email address hidden> Wed, 11 Jan 2023 15:35:00 +0800
CVE References
| Shengjing Zhu (zhsj) wrote | #1 |
| summary: |
- Sync golang-1.19 1.19.5-1 (main) from Debian unstable (main) + Sync golang-1.19 1.19.6-1 (main) from Debian unstable (main) |
| Changed in golang-1.19 (Ubuntu): | |
| status: | New → Fix Released |
golang-1.19 (1.19.6-1) experimental; urgency=medium
* Team upload
* New upstream version 1.19.6
+ CVE-2022-41722: path/filepath: path traversal in filepath.Clean on
Windows
+ CVE-2022-41725: net/http, mime/multipart: denial of service from
excessive resource consumption
+ CVE-2022-41724: crypto/tls: large handshake records may cause panics
+ CVE-2022-41723: net/http: avoid quadratic complexity in HPACK decoding
-- Shengjing Zhu <email address hidden> Wed, 15 Feb 2023 10:09:02 +0800
Please sync 1.19.6