Your message dated Sun, 16 May 2021 09:18:29 +0000
with message-id <e1licur-000alq...@fasolo.debian.org>
and subject line Bug#988243: fixed in golang-github-ulikunitz-xz 0.5.6-2
has caused the Debian Bug report #988243,
regarding golang-github-ulikunitz-xz: CVE-2021-29482
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
988243: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988243
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: golang-github-ulikunitz-xz
Version: 0.5.6-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for golang-github-ulikunitz-xz.
CVE-2021-29482[0]:
| xz is a compression and decompression library focusing on the xz
| format completely written in Go. The function readUvarint used to read
| the xz container format may not terminate a loop when provided malicious
| input. The problem has been fixed in release v0.5.8. As a workaround
| users can limit the size of the compressed file input to a reasonable
| size for their use case. The standard library recently had the same
| issue and had CVE-2020-16845 allocated.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-29482
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29482
[1] https://github.com/ulikunitz/xz/security/advisories/GHSA-25xm-hr59-7c27
[2] https://github.com/ulikunitz/xz/commit/69c6093c7b2397b923acf82cb378f55ab2652b9b
Regards,
Salvatore
--- End Message ---
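The bug class behind CVE-2021-29482 (and the earlier Go standard-library CVE-2020-16845) is a LEB128 varint reader whose loop has no upper bound on the number of continuation bytes it will accept. The following is an added illustration, not the xz package's own code from the upstream fix commit: readUvarintUnbounded mirrors the vulnerable shape, where overflow is only checked once a terminating byte arrives, so a stream of bytes with the continuation bit set keeps the loop running for as long as the input lasts; readUvarintBounded caps the loop at the 10 bytes a uint64 can ever need. Function names and the constructed malicious input are my own.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
)

// Illustrative code for the readUvarint bug class; not the ulikunitz/xz
// implementation.

var errOverflowU64 = errors.New("xz: uvarint overflows 64-bit integer")

// maxUvarintLen is the longest LEB128 encoding a uint64 can need:
// nine bytes carrying 7 payload bits each (63 bits) plus one final byte
// carrying bit 63.
const maxUvarintLen = 10

// readUvarintUnbounded mirrors the vulnerable shape: overflow is only
// examined when a terminating byte (top bit clear) shows up. A stream made
// entirely of continuation bytes (0x80) is consumed until the reader is
// exhausted, however long it is, so the attacker decides how much work
// the decoder does before it can fail.
func readUvarintUnbounded(r io.ByteReader) (x uint64, n int, err error) {
	var s uint
	for {
		b, err := r.ReadByte()
		if err != nil {
			return x, n, err
		}
		n++
		if b < 0x80 {
			if n > maxUvarintLen || n == maxUvarintLen && b > 1 {
				return x, n, errOverflowU64
			}
			return x | uint64(b)<<s, n, nil
		}
		x |= uint64(b&0x7f) << s
		s += 7 // in Go a shift >= 64 yields 0, so this silently drops bits
	}
}

// readUvarintBounded refuses to read more than maxUvarintLen bytes for a
// single varint, so malicious input costs at most 10 ReadByte calls.
func readUvarintBounded(r io.ByteReader) (x uint64, n int, err error) {
	var s uint
	for n < maxUvarintLen {
		b, err := r.ReadByte()
		if err != nil {
			return x, n, err
		}
		n++
		if b < 0x80 {
			// The tenth byte may only contribute bit 63.
			if n == maxUvarintLen && b > 1 {
				return x, n, errOverflowU64
			}
			return x | uint64(b)<<s, n, nil
		}
		x |= uint64(b&0x7f) << s
		s += 7
	}
	return x, n, errOverflowU64
}

// continuationStream is a constructed malicious input: count bytes with the
// continuation bit set and no terminator.
func continuationStream(count int) []byte {
	return bytes.Repeat([]byte{0x80}, count)
}

func main() {
	// A valid encoding of 300 (0xAC 0x02) decodes identically in both.
	x, n, err := readUvarintBounded(bytes.NewReader([]byte{0xAC, 0x02}))
	fmt.Println("valid:", x, n, err)

	evil := continuationStream(1 << 20)
	_, n, err = readUvarintUnbounded(bytes.NewReader(evil))
	fmt.Println("unbounded consumed", n, "bytes, err:", err)
	_, n, err = readUvarintBounded(bytes.NewReader(evil))
	fmt.Println("bounded consumed", n, "bytes, err:", err)
}
```

The unbounded variant only stops because bytes.Reader eventually returns io.EOF; fed from a network socket or a pipe it would spin for as long as the peer keeps sending 0x80. This is also why the advisory's workaround of capping the compressed input size is effective: the loop's cost is proportional to the input length, and a bound on the input bounds the loop.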
--- Begin Message ---
Source: golang-github-ulikunitz-xz
Source-Version: 0.5.6-2
Done: Shengjing Zhu <z...@debian.org>
We believe that the bug you reported is fixed in the latest version of
golang-github-ulikunitz-xz, which is due to be installed in the Debian FTP
archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 988...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Shengjing Zhu <z...@debian.org> (supplier of updated golang-github-ulikunitz-xz
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 16 May 2021 17:10:45 +0800
Source: golang-github-ulikunitz-xz
Architecture: source
Version: 0.5.6-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg...@tracker.debian.org>
Changed-By: Shengjing Zhu <z...@debian.org>
Closes: 988243
Changes:
golang-github-ulikunitz-xz (0.5.6-2) unstable; urgency=medium
.
* Team upload.
.
[ Debian Janitor ]
* Set upstream metadata fields: Bug-Database, Bug-Submit, Repository,
Repository-Browse.
* Update standards version to 4.5.0, no changes needed.
* Apply multi-arch hints.
+ golang-github-ulikunitz-xz-dev: Add Multi-Arch: foreign.
.
[ Shengjing Zhu ]
* Backport patch for CVE-2021-29482.
Fixes readUvarint denial of service (Closes: #988243)
Checksums-Sha1:
43d993c17bad3dc45da832940d64bddfca46f7b7 1662
golang-github-ulikunitz-xz_0.5.6-2.dsc
76969e0e8e81f9241b8eda72bf4b10fd1a6f78c7 3368
golang-github-ulikunitz-xz_0.5.6-2.debian.tar.xz
fc69099ab356b7eff168a33b05a652153ce7c809 5369
golang-github-ulikunitz-xz_0.5.6-2_amd64.buildinfo
Checksums-Sha256:
e42990cef92b472a42f7d7f907fbdd05552e0c5889d793f7839bf08cae46ef9e 1662
golang-github-ulikunitz-xz_0.5.6-2.dsc
86f7205ef6393a30109425c1aea296b921f3420d7635aad47f7e9ebdcf845a4a 3368
golang-github-ulikunitz-xz_0.5.6-2.debian.tar.xz
b4d8962b86b27f4038fad21a7ce3a563be9f9b0a7da8dcba16b9cb45442c28a6 5369
golang-github-ulikunitz-xz_0.5.6-2_amd64.buildinfo
Files:
92a3b855e8d4953a82a7fe6a813f16b5 1662 devel optional
golang-github-ulikunitz-xz_0.5.6-2.dsc
c907b92e09ee3edc9935003a1b740ea1 3368 devel optional
golang-github-ulikunitz-xz_0.5.6-2.debian.tar.xz
2eaf25c2120d0b852e85fbb38f92073e 5369 devel optional
golang-github-ulikunitz-xz_0.5.6-2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iIYEARYIAC4WIQSRhdT1d2eu7mxV1B5/RPol6lUUywUCYKDh7xAcemhzakBkZWJp
YW4ub3JnAAoJEH9E+iXqVRTLOx0A/2n2Sq1QfvsSBsqZsm2uV2i9DyOvYZ15Ryfx
iSxZ7OTYAP9rEe4D28cIKwJg1SW5EuiHQfnRRTK53wVWkeocHsxYAg==
=Uy8P
-----END PGP SIGNATURE-----
--- End Message ---