Package: release.debian.org
Severity: normal
Tags: trixie
User: [email protected]
Usertags: pu


The attached debdiff for golang-github-gin-contrib-cors fixes
CVE-2019-25211 in Trixie. The CVE is marked as no-dsa by the
security team.

golang-github-gin-contrib-cors is a leaf package with no rdeps within
Debian and the fix was already done by upstream a few years ago.
There should not be much hassle with this fix.

  Thorsten

diff -Nru golang-github-gin-contrib-cors-1.4.0/debian/changelog 
golang-github-gin-contrib-cors-1.4.0/debian/changelog
--- golang-github-gin-contrib-cors-1.4.0/debian/changelog       2022-12-03 
10:49:55.000000000 +0100
+++ golang-github-gin-contrib-cors-1.4.0/debian/changelog       2025-08-25 
14:49:55.000000000 +0200
@@ -1,3 +1,10 @@
+golang-github-gin-contrib-cors (1.4.0-1+deb13u1) trixie; urgency=medium
+
+  * CVE-2019-25211
+    fix handling of wildcards
+
+ -- Thorsten Alteholz <[email protected]>  Mon, 25 Aug 2025 14:49:55 +0200
+
 golang-github-gin-contrib-cors (1.4.0-1) unstable; urgency=medium
 
   * New upstream release.
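Review bot: The new entry under "* CVE-2019-25211" says only "fix handling of wildcards", which does not tell a stable-release reviewer what was wrong or where the fix comes from. Consider naming the added file (debian/patches/CVE-2019-25211.patch) and the upstream commit it is taken from (27b723a473efd80d5a498fa9f5933c80204c850d, "wildcard parse bug (#106)"), and add a Closes: reference if a Debian bug tracks the CVE.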
diff -Nru 
golang-github-gin-contrib-cors-1.4.0/debian/patches/CVE-2019-25211.patch 
golang-github-gin-contrib-cors-1.4.0/debian/patches/CVE-2019-25211.patch
--- golang-github-gin-contrib-cors-1.4.0/debian/patches/CVE-2019-25211.patch    
1970-01-01 01:00:00.000000000 +0100
+++ golang-github-gin-contrib-cors-1.4.0/debian/patches/CVE-2019-25211.patch    
2025-08-25 14:49:55.000000000 +0200
@@ -0,0 +1,22 @@
+From 27b723a473efd80d5a498fa9f5933c80204c850d Mon Sep 17 00:00:00 2001
+From: Benjamin Mitzkus <[email protected]>
+Date: Wed, 6 Mar 2024 06:28:12 +0100
+Subject: [PATCH] fixe(domain): wildcard parse bug (#106)
+
+---
+ cors.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: golang-github-gin-contrib-cors-1.4.0/cors.go
+===================================================================
+--- golang-github-gin-contrib-cors-1.4.0.orig/cors.go  2025-08-25 
16:03:59.883858578 +0200
++++ golang-github-gin-contrib-cors-1.4.0/cors.go       2025-08-25 
16:03:59.883858578 +0200
+@@ -132,7 +132,7 @@
+                       continue
+               }
+               if i == (len(o) - 1) {
+-                      wRules = append(wRules, []string{o[:i-1], "*"})
++                      wRules = append(wRules, []string{o[:i], "*"})
+                       continue
+               }
+ 
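Review bot: The change in the `if i == (len(o) - 1)` branch from `o[:i-1]` to `o[:i]` ships without a regression test (the diffstat lists only cors.go), so nothing in the package guards against the trailing-wildcard prefix being truncated again. With the old slice, the stored rule prefix lost the character immediately before the `*`, which made it one character shorter than the configured origin. Suggest adding a test for an origin ending in `*` that asserts the stored prefix equals everything before the `*`. The patch header would also be easier to audit with DEP-3 fields (Origin: pointing at the upstream commit, and a Bug: reference for #106).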
diff -Nru golang-github-gin-contrib-cors-1.4.0/debian/patches/series 
golang-github-gin-contrib-cors-1.4.0/debian/patches/series
--- golang-github-gin-contrib-cors-1.4.0/debian/patches/series  1970-01-01 
01:00:00.000000000 +0100
+++ golang-github-gin-contrib-cors-1.4.0/debian/patches/series  2025-08-25 
14:49:55.000000000 +0200
@@ -0,0 +1 @@
+CVE-2019-25211.patch
