Package: release.debian.org
Severity: normal
Tags: bookworm
User: [email protected]
Usertags: pu
The attached debdiff for golang-github-gin-contrib-cors fixes CVE-2019-25211 in Bookworm. The CVE is marked as no-dsa by the security team.
golang-github-gin-contrib-cors is a leaf package with no rdeps within Debian and the fix was already done by upstream a few years ago.
There should not be much hassle with this fix.

Thorsten
diff -Nru golang-github-gin-contrib-cors-1.4.0/debian/changelog golang-github-gin-contrib-cors-1.4.0/debian/changelog --- golang-github-gin-contrib-cors-1.4.0/debian/changelog 2022-12-03 10:49:55.000000000 +0100 +++ golang-github-gin-contrib-cors-1.4.0/debian/changelog 2025-08-25 14:49:55.000000000 +0200 @@ -1,3 +1,10 @@ +golang-github-gin-contrib-cors (1.4.0-1+deb12u1) bookworm; urgency=medium + + * CVE-2019-25211 + fix handling of wildcards + + -- Thorsten Alteholz <[email protected]> Mon, 25 Aug 2025 14:49:55 +0200 + golang-github-gin-contrib-cors (1.4.0-1) unstable; urgency=medium * New upstream release. diff -Nru golang-github-gin-contrib-cors-1.4.0/debian/patches/CVE-2019-25211.patch golang-github-gin-contrib-cors-1.4.0/debian/patches/CVE-2019-25211.patch --- golang-github-gin-contrib-cors-1.4.0/debian/patches/CVE-2019-25211.patch 1970-01-01 01:00:00.000000000 +0100 +++ golang-github-gin-contrib-cors-1.4.0/debian/patches/CVE-2019-25211.patch 2025-08-25 14:49:55.000000000 +0200 
@@ -0,0 +1,22 @@ +From 27b723a473efd80d5a498fa9f5933c80204c850d Mon Sep 17 00:00:00 2001 +From: Benjamin Mitzkus <[email protected]> +Date: Wed, 6 Mar 2024 06:28:12 +0100 +Subject: [PATCH] fixe(domain): wildcard parse bug (#106) + +--- + cors.go | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: golang-github-gin-contrib-cors-1.4.0/cors.go +=================================================================== +--- golang-github-gin-contrib-cors-1.4.0.orig/cors.go 2025-08-25 16:03:59.883858578 +0200 ++++ golang-github-gin-contrib-cors-1.4.0/cors.go 2025-08-25 16:03:59.883858578 +0200 +@@ -132,7 +132,7 @@ + continue + } + if i == (len(o) - 1) { +- wRules = append(wRules, []string{o[:i-1], "*"}) ++ wRules = append(wRules, []string{o[:i], "*"}) + continue + } + diff -Nru golang-github-gin-contrib-cors-1.4.0/debian/patches/series golang-github-gin-contrib-cors-1.4.0/debian/patches/series --- golang-github-gin-contrib-cors-1.4.0/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ golang-github-gin-contrib-cors-1.4.0/debian/patches/series 2025-08-25 14:49:55.000000000 +0200 @@ -0,0 +1 @@ +CVE-2019-25211.patch
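Review bot: The cors.go change in debian/patches/CVE-2019-25211.patch (`o[:i-1]` to `o[:i]` in the `i == (len(o) - 1)` branch) comes without a regression test; the diffstat in the patch header lists only cors.go. The old slice stopped one character short of the trailing `*`, so the stored prefix was shorter than the configured origin, which makes the rule looser than what was written. Consider carrying a test for an allowed origin ending in `*` that checks the character just before the wildcard is still part of the prefix. The patch header would also benefit from an Origin: field naming the upstream commit 27b723a473efd80d5a498fa9f5933c80204c850d, so the backport can be traced without reading the From line.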
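Review bot: The new debian/changelog entry for 1.4.0-1+deb12u1 says only "fix handling of wildcards" and does not say which case is affected or where the fix comes from. Since the patch touches only the branch where `*` is the last character of the origin, consider wording the entry to say so and mentioning that it is a backport of the upstream commit named in the patch header, so release team reviewers can judge the scope from the changelog alone.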

