Your message dated Fri, 25 Apr 2025 21:49:38 +0000
with message-id <e1u8qvs-006gwz...@fasolo.debian.org>
and subject line Bug#1057226: fixed in golang-github-go-resty-resty 2.10.0-2
has caused the Debian Bug report #1057226,
regarding golang-github-go-resty-resty: CVE-2023-45286
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1057226: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057226
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: golang-github-go-resty-resty
Version: 2.10.0-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/go-resty/resty/pull/745
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for golang-github-go-resty-resty.
CVE-2023-45286[0]:
| A race condition in go-resty can result in HTTP request body
| disclosure across requests. This condition can be triggered by
| calling sync.Pool.Put with the same *bytes.Buffer more than once,
| when request retries are enabled and a retry occurs. The call to
| sync.Pool.Get will then return a bytes.Buffer that hasn't had
| bytes.Buffer.Reset called on it. This dirty buffer will contain the
| HTTP request body from an unrelated request, and go-resty will
| append the current HTTP request body to it, sending two bodies in
| one request. The sync.Pool in question is defined at package level
| scope, so a completely unrelated server could receive the request
| body.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-45286
https://www.cve.org/CVERecord?id=CVE-2023-45286
[1] https://github.com/go-resty/resty/pull/745
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
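Worked example, added here and not code from go-resty or from the Debian package, showing the failure mode the CVE text quoted above describes and the defensive pattern that closes it. It models a package-level buffer pool with sync.Pool's Get/Put shape, a request path that returns the same *bytes.Buffer to the pool twice when a retry occurs and never calls Reset on Get, and a corrected path that Resets on Get and releases the buffer exactly once after its last use. The pool is a deterministic LIFO free list constructed for this example rather than sync.Pool itself (sync.Pool may drop items at GC and caches per P, which would make the trace unstable); the client, the fake transport and the request bodies are constructed as well.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

var errTransient = errors.New("transient transport error")

// bufPool is a constructed stand-in for sync.Pool: same Get/Put shape,
// but a plain LIFO free list so the example is deterministic.
type bufPool struct{ free []*bytes.Buffer }

func (p *bufPool) Get() *bytes.Buffer {
	if n := len(p.free); n > 0 {
		b := p.free[n-1]
		p.free = p.free[:n-1]
		return b
	}
	return new(bytes.Buffer)
}

func (p *bufPool) Put(b *bytes.Buffer) { p.free = append(p.free, b) }

// doublePut reports whether the pool holds the same buffer more than once,
// which is exactly the condition the CVE description names.
func (p *bufPool) doublePut() bool {
	seen := map[*bytes.Buffer]bool{}
	for _, b := range p.free {
		if seen[b] {
			return true
		}
		seen[b] = true
	}
	return false
}

// client owns the shared pool and records what the fake transport sends.
type client struct {
	pool *bufPool
	sent []string // bodies observed on the "wire" (constructed transport)
}

// transmit fails on demand to simulate a retryable transport error.
func (c *client) transmit(buf *bytes.Buffer, fail bool) error {
	if fail {
		return errTransient
	}
	c.sent = append(c.sent, buf.String())
	return nil
}

// buggyRequest mirrors the vulnerable shape: no Reset on Get, and the
// retry path releases the buffer but keeps using it, so the normal
// release at the end is a second Put of the same pointer.
func (c *client) buggyRequest(body string, failFirst bool) {
	buf := c.pool.Get() // trusts that whoever Put it left it clean
	buf.WriteString(body)
	if err := c.transmit(buf, failFirst); err != nil {
		c.pool.Put(buf)        // released early on the retry path (bug)...
		_ = c.transmit(buf, false) // ...yet still reused for the retry
	}
	c.pool.Put(buf) // second Put of the same *bytes.Buffer
}

// fixedRequest applies the two invariants that prevent cross-request
// leakage: never trust a pooled buffer's contents, and Put exactly once,
// after the last use, regardless of how many attempts were made.
func (c *client) fixedRequest(body string, failFirst bool) {
	buf := c.pool.Get()
	buf.Reset() // defensive: do not rely on the previous user having Reset
	defer func() {
		buf.Reset()
		c.pool.Put(buf) // the only release for this Get
	}()
	buf.WriteString(body)
	if err := c.transmit(buf, failFirst); err != nil {
		_ = c.transmit(buf, false) // retry reuses the buffer, no release here
	}
}

// runScenario sends a retried request A followed by an unrelated request B
// through one shared pool and returns the bodies seen on the wire plus
// whether the pool ended up holding a duplicate buffer.
func runScenario(fixed bool) ([]string, bool) {
	c := &client{pool: &bufPool{}}
	send := c.buggyRequest
	if fixed {
		send = c.fixedRequest
	}
	send("body-of-request-A", true)  // first attempt fails, retried once
	send("body-of-request-B", false) // unrelated request, same pool
	return c.sent, c.pool.doublePut()
}

func main() {
	for _, fixed := range []bool{false, true} {
		sent, dup := runScenario(fixed)
		fmt.Printf("fixed=%v doublePut=%v bodies=%q\n", fixed, dup, sent)
	}
}
```

On the buggy path the second, unrelated request B goes out carrying request A's body prepended to its own, because Get handed it the aliased buffer that still held A's bytes; on the fixed path each request carries only its own body and the pool never contains the same pointer twice. The aliasing is a logic error rather than a concurrent memory access, so in this single-goroutine form the race detector does not flag it; the structural check that does catch it is the one the fixed path enforces, Reset on Get and one Put per Get.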
--- Begin Message ---
Source: golang-github-go-resty-resty
Source-Version: 2.10.0-2
Done: Santiago Ruano Rincón <santi...@debian.org>
We believe that the bug you reported is fixed in the latest version of
golang-github-go-resty-resty, which is due to be installed in the Debian FTP
archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1057...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Santiago Ruano Rincón <santi...@debian.org> (supplier of updated
golang-github-go-resty-resty package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 25 Apr 2025 16:51:11 -0300
Source: golang-github-go-resty-resty
Architecture: source
Version: 2.10.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg...@tracker.debian.org>
Changed-By: Santiago Ruano Rincón <santi...@debian.org>
Closes: 1057226
Changes:
golang-github-go-resty-resty (2.10.0-2) unstable; urgency=medium
.
* Team upload.
* CVE-2023-45286: A race condition in go-resty can result in HTTP request
body disclosure across requests (Closes: #1057226)
Checksums-Sha1:
a72816f79fd7bb917d4bbe5a68223fdbd85ed653 1742 golang-github-go-resty-resty_2.10.0-2.dsc
46af070903582c3a0c76ebca602bd8e55124fb69 3444 golang-github-go-resty-resty_2.10.0-2.debian.tar.xz
eebc6f6be0d919d56aae5d1d6855f02421a70cba 5337 golang-github-go-resty-resty_2.10.0-2_source.buildinfo
Checksums-Sha256:
d5388375167692dde31be4284276b906dddec95a4334f3e9bd1e82b48b379916 1742 golang-github-go-resty-resty_2.10.0-2.dsc
e22cc57c3f3c7f12f53a630f5fee73019e733ce080e8aba356d75d411e41412b 3444 golang-github-go-resty-resty_2.10.0-2.debian.tar.xz
a82b1806631b9e31b97dedf11b9088cb93ac7f38d5f11ba32f78725e8691fbf7 5337 golang-github-go-resty-resty_2.10.0-2_source.buildinfo
Files:
7b77a13b5c5e931f545be75824beae35 1742 golang optional golang-github-go-resty-resty_2.10.0-2.dsc
015128bec4bf2701353704ec671781f3 3444 golang optional golang-github-go-resty-resty_2.10.0-2.debian.tar.xz
36bf388761e7254d5d3cbf930509579b 5337 golang optional golang-github-go-resty-resty_2.10.0-2_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iIoEARYKADIWIQR+lHTq7mkJOyB6t2Un3j1FEEiG7wUCaAv6ZRQcc2FudGlhZ29A
ZGViaWFuLm9yZwAKCRAn3j1FEEiG72xdAP9Uu1V4HjpcIhSiXT59JllMD3/jlUnV
/w4bLF73CzI1qgEAtYo74dtAgZosmQUgrudSsf0LZAeeM26qdPD48tt+3g8=
=MJ68
-----END PGP SIGNATURE-----
--- End Message ---