Your message dated Sat, 05 Jun 2021 11:33:34 +0000
with message-id <e1lpuyy-000gox...@fasolo.debian.org>
and subject line Bug#989492: fixed in golang-1.16 1.16.5-1
has caused the Debian Bug report #989492,
regarding golang-1.16: CVE-2021-33196: archive/zip: malformed archive may cause panic or memory exhaustion
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
989492: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989492
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: golang-1.16
Version: 1.16.4-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/golang/go/issues/46397
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for golang-1.16.
CVE-2021-33196[0]:
| archive/zip: malformed archive may cause panic or memory exhaustion
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-33196
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33196
[1] https://github.com/golang/go/issues/46397
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: golang-1.16
Source-Version: 1.16.5-1
Done: Shengjing Zhu <z...@debian.org>
We believe that the bug you reported is fixed in the latest version of
golang-1.16, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 989...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Shengjing Zhu <z...@debian.org> (supplier of updated golang-1.16 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 05 Jun 2021 19:03:59 +0800
Source: golang-1.16
Architecture: source
Version: 1.16.5-1
Distribution: unstable
Urgency: medium
Maintainer: Go Compiler Team <team+go-compi...@tracker.debian.org>
Changed-By: Shengjing Zhu <z...@debian.org>
Closes: 989492
Changes:
golang-1.16 (1.16.5-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version 1.16.5
     + CVE-2021-33195: net: Lookup functions may return invalid host names
     + CVE-2021-33196: archive/zip: malformed archive may cause panic or memory
       exhaustion (Closes: #989492)
     + CVE-2021-33197: net/http/httputil: ReverseProxy forwards Connection
       headers if first one is empty
     + CVE-2021-33198: math/big: (*Rat).SetString with "1.770p02041010010011001001"
       crashes with "makeslice: len out of range"
Checksums-Sha1:
5d335ce05b7c1f4def0c5d04558fec8c2b1bbec3 1992 golang-1.16_1.16.5-1.dsc
b3d00525ea5af180149fafca8da730c6f988f29f 20921372 golang-1.16_1.16.5.orig.tar.gz
306ac2691d7bc3aefd40939fdca7f9820837baee 39792 golang-1.16_1.16.5-1.debian.tar.xz
a94208702801b2e7baddebf6555b777ac84e5bdf 6059 golang-1.16_1.16.5-1_amd64.buildinfo
Checksums-Sha256:
cd9ca8bd10a64f338cd950f39661fec6b7a6e98e6859f1ed1cf43b6cb7b13c91 1992 golang-1.16_1.16.5-1.dsc
7bfa7e5908c7cc9e75da5ddf3066d7cbcf3fd9fa51945851325eebc17f50ba80 20921372 golang-1.16_1.16.5.orig.tar.gz
ef7521fec00ee4a9fae6fe4ff55bb4964d3e5c6f66c11c433aed22cd2d742dea 39792 golang-1.16_1.16.5-1.debian.tar.xz
82744196c29bee7586f40c2c3ed761d62a385c025dc0874626ab6d16d4661020 6059 golang-1.16_1.16.5-1_amd64.buildinfo
Files:
6300a4b0e3f8a0d644dfdb244a5709e0 1992 golang optional golang-1.16_1.16.5-1.dsc
f3c06704e536dcca1814b16dbcdc4a36 20921372 golang optional golang-1.16_1.16.5.orig.tar.gz
5cda9bd119b714ad50039d850c416120 39792 golang optional golang-1.16_1.16.5-1.debian.tar.xz
67b728457614ddb1c4188e0c2363afec 6059 golang optional golang-1.16_1.16.5-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iIYEARYIAC4WIQSRhdT1d2eu7mxV1B5/RPol6lUUywUCYLte3BAcemhzakBkZWJp
YW4ub3JnAAoJEH9E+iXqVRTLFF0BAJ+m42aiD60ahtLzi0Z2Ec+ACNeARlHlCDfH
YIcADs5yAQC7mUyMXd41VzeJ0Nj9E2cBXlAZ+21UCCuQNkuVKtBNDw==
=6rsV
-----END PGP SIGNATURE-----
--- End Message ---