Your message dated Wed, 23 Apr 2025 03:20:02 +0000
with message-id <e1u7qey-00azp6...@fasolo.debian.org>
and subject line Bug#1037530: fixed in golang-github-gin-gonic-gin 1.8.1-3
has caused the Debian Bug report #1037530,
regarding golang-github-gin-gonic-gin: CVE-2023-29401
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1037530: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037530
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: golang-github-gin-gonic-gin
Version: 1.8.1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/gin-gonic/gin/issues/3555
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for golang-github-gin-gonic-gin.
CVE-2023-29401[0]:
| The filename parameter of the Context.FileAttachment function is not
| properly sanitized. A maliciously crafted filename can cause the
| Content-Disposition header to be sent with an unexpected filename
| value or otherwise modify the Content-Disposition header. For
| example, a filename of "setup.bat";x=.txt" will be sent as a
| file named "setup.bat". If the FileAttachment function is called
| with names provided by an untrusted source, this may permit an
| attacker to cause a file to be served with a name different than
| provided. A maliciously crafted attachment file name can modify the
| Content-Disposition header.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-29401
https://www.cve.org/CVERecord?id=CVE-2023-29401
[1] https://github.com/gin-gonic/gin/issues/3555
[2] https://github.com/gin-gonic/gin/commit/2d4bbec941551479b1fdf1e54ece03e6e82a7e72
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
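The header-building flaw the CVE text describes, shown beside a hardened version, as an added example in Go (not gin's code and not the upstream fix): `naiveDisposition` is an assumed model of the unfixed concatenation, `safeDisposition` uses the standard library's `mime.FormatMediaType`, and the sample names are constructed.

```go
package main

import (
	"fmt"
	"mime"
)

// naiveDisposition mirrors the unsafe pattern the CVE describes (an
// assumption about the shape of the pre-fix code, not gin's source): the
// caller-supplied name is concatenated straight into a quoted-string, so a
// '"' in the name closes the string and the remainder becomes header syntax.
func naiveDisposition(name string) string {
	return `attachment; filename="` + name + `"`
}

// safeDisposition builds the value with mime.FormatMediaType, which quotes
// and backslash-escapes '"' and '\', and switches to the RFC 2231
// filename*=utf-8'' form for non-ASCII or control characters, so a name can
// never terminate the quoted-string, add parameters or inject CR/LF.
func safeDisposition(name string) string {
	return mime.FormatMediaType("attachment", map[string]string{"filename": name})
}

// parsedFilename is the receiving side: it parses a Content-Disposition
// value with mime.ParseMediaType and returns the filename it carries
// (RFC 2231 filename* values are decoded into the "filename" key).
func parsedFilename(header string) (string, error) {
	_, params, err := mime.ParseMediaType(header)
	if err != nil {
		return "", err
	}
	return params["filename"], nil
}

func main() {
	// Constructed sample names: the one quoted in the CVE text, a name
	// carrying a CRLF, and a non-ASCII name.
	for _, name := range []string{`setup.bat";x=.txt`, "a\r\nX-Injected: 1.txt", "résumé.pdf"} {
		fmt.Printf("naive: %q\n", naiveDisposition(name))
		safe := safeDisposition(name)
		fmt.Printf("safe:  %q\n", safe)
		got, err := parsedFilename(safe)
		fmt.Printf("parsed back: %q err=%v round-trips=%v\n\n", got, err, err == nil && got == name)
	}
}
```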
--- Begin Message ---
Source: golang-github-gin-gonic-gin
Source-Version: 1.8.1-3
Done: Martin Dosch <mar...@mdosch.de>
We believe that the bug you reported is fixed in the latest version of
golang-github-gin-gonic-gin, which is due to be installed in the Debian FTP
archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1037...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Martin Dosch <mar...@mdosch.de> (supplier of updated
golang-github-gin-gonic-gin package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Wed, 23 Apr 2025 02:58:11 +0000
Source: golang-github-gin-gonic-gin
Architecture: source
Version: 1.8.1-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg...@tracker.debian.org>
Changed-By: Martin Dosch <mar...@mdosch.de>
Closes: 1035498 1037530
Changes:
golang-github-gin-gonic-gin (1.8.1-3) unstable; urgency=medium
.
* Team Upload.
* d/patches: Add fix for CVE-2023-29401. (Closes: #1037530)
* d/patches: Add fix for CVE-2023-26125. (Closes: #1035498)
--- End Message ---