Your message dated Wed, 26 Apr 2017 09:04:51 +0000
with message-id <e1d3isv-000dsd...@fasolo.debian.org>
and subject line Bug#859655: fixed in golang-go.crypto
1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1
has caused the Debian Bug report #859655,
regarding golang-go.crypto: CVE-2017-3204
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
859655: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859655
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: golang-go.crypto
Version: 1:0.0~git20161012.0.5f31782-1
Severity: grave
Tags: upstream patch security
Forwarded: https://github.com/golang/go/issues/19767
Hi,
the following vulnerability was published for golang-go.crypto.
CVE-2017-3204[0]:
| The Go SSH library (x/crypto/ssh) by default does not verify host
| keys, facilitating man-in-the-middle attacks. Default behavior changed
| in commit e4e2799 to require explicitly registering a hostkey
| verification mechanism.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-3204
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3204
[1] https://github.com/golang/go/issues/19767
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: golang-go.crypto
Source-Version: 1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1
We believe that the bug you reported is fixed in the latest version of
golang-go.crypto, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 859...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Lustfield <mich...@lustfield.net> (supplier of updated golang-go.crypto
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 26 Apr 2017 02:42:23 -0500
Source: golang-go.crypto
Binary: golang-golang-x-crypto-dev golang-go.crypto-dev
Architecture: source
Version: 1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team
<pkg-go-maintain...@lists.alioth.debian.org>
Changed-By: Michael Lustfield <mich...@lustfield.net>
Description:
golang-go.crypto-dev - Transitional package for golang-golang-x-crypto-dev
golang-golang-x-crypto-dev - Supplementary Go cryptography libraries
Closes: 859655
Changes:
 golang-go.crypto (1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1) unstable; urgency=medium
 .
   * Reverts previous upload to permit freeze exception.
   * patches/0001-ssh-require-host-key-checking_CVE-2017-3204.patch:
     + CVE-2017-3204: Default behavior changed to require explicitly
       registering a hostkey verification mechanism. (Closes: #859655)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---