Your message dated Sun, 27 Apr 2025 17:21:08 +0000
with message-id <e1u95gi-00gwdo...@fasolo.debian.org>
and subject line Bug#1075973: fixed in golang-github-gorilla-schema 1.4.1-1
has caused the Debian Bug report #1075973,
regarding golang-github-gorilla-schema: CVE-2024-37298
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1075973: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1075973
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: golang-github-gorilla-schema
Version: 1.2.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for golang-github-gorilla-schema.
CVE-2024-37298[0]:
| gorilla/schema converts structs to and from form values. Prior to
| version 1.4.1, running `schema.Decoder.Decode()` on a struct that has
| a field of type `[]struct{...}` opens it up to malicious attacks
| regarding memory allocations, taking advantage of the sparse slice
| functionality. Any use of `schema.Decoder.Decode()` on a struct with
| arrays of other structs could be vulnerable to this memory
| exhaustion vulnerability. Version 1.4.1 contains a patch for the
| issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-37298
https://www.cve.org/CVERecord?id=CVE-2024-37298
[1] https://github.com/gorilla/schema/security/advisories/GHSA-3669-72x9-r9p3
[2] https://github.com/gorilla/schema/commit/cd59f2f12cbdfa9c06aa63e425d1fe4a806967ff
Regards,
Salvatore
--- End Message ---
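The CVE description quoted in the bug report above explains the hazard: a form key naming a slice index makes the decoder grow a `[]struct{...}` to that index, so the client controls the allocation size. The following stand-alone Go program is an added illustration (not gorilla/schema's code, and not the upstream patch) of a sparse-slice decoder for the hypothetical path `items.<index>.name` that validates every index against a bound before allocating anything; the bound of 16000 is a constructed value.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strconv"
)

// Item stands in for the element type of a []struct{...} field that a
// form is decoded into (hypothetical; the key path is fixed here).
type Item struct {
	Name string
}

var itemKey = regexp.MustCompile(`^items\.(\d+)\.name$`)

// ErrIndexTooLarge is returned before any slice is grown.
var ErrIndexTooLarge = errors.New("slice index exceeds configured maximum")

// decodeItems fills a sparse slice from keys such as "items.3.name". The
// slice must be as long as the largest index named by the client, so the
// index is checked against maxIndex before the allocation is sized.
func decodeItems(form url.Values, maxIndex int) ([]Item, error) {
	byIndex := make(map[int]string, len(form))
	largest := -1
	for key, vals := range form {
		m := itemKey.FindStringSubmatch(key)
		if m == nil || len(vals) == 0 {
			continue
		}
		idx, err := strconv.Atoi(m[1])
		if err != nil {
			return nil, fmt.Errorf("bad index in %q: %w", key, err)
		}
		if idx > maxIndex {
			return nil, fmt.Errorf("%w: %d in %q", ErrIndexTooLarge, idx, key)
		}
		byIndex[idx] = vals[0]
		if idx > largest {
			largest = idx
		}
	}
	// Single allocation, sized only from indices that passed the bound.
	items := make([]Item, largest+1)
	for idx, name := range byIndex {
		items[idx].Name = name
	}
	return items, nil
}

func main() {
	form, _ := url.ParseQuery("items.0.name=a&items.2.name=c") // constructed body
	items, err := decodeItems(form, 16000)
	fmt.Println(len(items), items[2].Name, err)
	huge, _ := url.ParseQuery("items.2000000000.name=x") // constructed body
	_, err = decodeItems(huge, 16000)
	fmt.Println(err)
}
```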
--- Begin Message ---
Source: golang-github-gorilla-schema
Source-Version: 1.4.1-1
Done: Reinhard Tartler <siret...@tauware.de>
We believe that the bug you reported is fixed in the latest version of
golang-github-gorilla-schema, which is due to be installed in the Debian FTP
archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1075...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Reinhard Tartler <siret...@tauware.de> (supplier of updated
golang-github-gorilla-schema package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Sun, 27 Apr 2025 11:58:26 -0400
Source: golang-github-gorilla-schema
Architecture: source
Version: 1.4.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg...@tracker.debian.org>
Changed-By: Reinhard Tartler <siret...@tauware.de>
Closes: 1075973
Changes:
golang-github-gorilla-schema (1.4.1-1) unstable; urgency=medium
.
* New upstream release
* Fixes: CVE-2024-37298, Closes: #1075973
--- End Message ---