Description: "On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic. The malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected. Thanks to Project Wycheproof for providing the test cases that led to the discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837. This is also fixed in version v0.0.0-20200124225646-8b5121be2f68 of golang.org/x/crypto/cryptobyte." (Note that 1.13.{6,7} was removed from tree on 9th March: https://gitweb.gentoo.org/repo/gentoo.git/commit/dev-lang/go?id=4369b8cb64751a5ce205276e944f8e663f23b14b)
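As an added defender-side example (not code from the Go project or from this bug), the same panic-to-error recovery that the description credits for net/http servers, applied to standalone certificate parsing, plus a small helper for gating on the Go version a deployment runs; the function and helper names are assumptions, and the version thresholds used here are the ones this bug stabilizes.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"runtime"
	"strconv"
	"strings"
)

// ParseCertificateSafely turns a panic inside x509.ParseCertificate (the
// CVE-2020-7919 failure mode on 32-bit builds) into an error, mirroring the
// recovery net/http servers apply around client certificates.
func ParseCertificateSafely(der []byte) (cert *x509.Certificate, err error) {
	defer func() {
		if r := recover(); r != nil {
			cert, err = nil, fmt.Errorf("x509 parser panicked on malformed input: %v", r)
		}
	}()
	return x509.ParseCertificate(der)
}

// GoVersionAtLeast reports whether a runtime.Version() string such as "go1.13.8"
// is at least major.minor.patch; unparsable strings (devel, rc) fail closed.
func GoVersionAtLeast(v string, major, minor, patch int) bool {
	v = strings.TrimPrefix(v, "go")
	if i := strings.IndexAny(v, " -"); i >= 0 {
		v = v[:i] // drop build metadata such as "devel +hash"
	}
	var have [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		n, err := strconv.Atoi(p)
		if err != nil {
			return false
		}
		have[i] = n
	}
	for i, w := range [3]int{major, minor, patch} {
		if have[i] != w {
			return have[i] > w
		}
	}
	return true
}

func main() {
	// Constructed garbage, not a real certificate: exercises the error path.
	_, err := ParseCertificateSafely([]byte{0x30, 0x03, 0x02, 0x01})
	fmt.Println("parse:", err, "| go1.13.8+:", GoVersionAtLeast(runtime.Version(), 1, 13, 8))
}
```

On a patched toolchain the garbage input simply returns an error; the deferred recover only matters on builds where the parser still panics.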
Bug: https://github.com/golang/go/issues/36837 Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
We still need to check status in 1.14.x.
(In reply to Thomas Deutschmann from comment #2)
> We still need to check status in 1.14.x.
> The upcoming Go 1.14rc1 release will also include the fixes above.

Go 1.14 has since been released, so we're good there!
1.13.8 is waiting for #711552. I will stabilize 1.12.17 myself.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f8515427b17f2c8d3190fcf5e774717df4447b98

commit f8515427b17f2c8d3190fcf5e774717df4447b98
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2020-03-17 15:30:51 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2020-03-17 15:33:01 +0000

    dev-lang/go: stabilize 1.12.17

    Bug: https://bugs.gentoo.org/712924
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/go-1.12.17.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b800340816ed04663391c292786f1a5a3ccd1f29

commit b800340816ed04663391c292786f1a5a3ccd1f29
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2020-03-17 15:50:51 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2020-03-17 15:51:19 +0000

    dev-lang/go: remove vulnerable 1.12 versions

    Bug: https://bugs.gentoo.org/712924
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest          |   2 -
 dev-lang/go/go-1.12.13.ebuild | 246 ------------------------------------------
 dev-lang/go/go-1.12.15.ebuild | 246 ------------------------------------------
 3 files changed, 494 deletions(-)
(updating whiteboard to reflect waiting for stable).
@maintainer(s), please cleanup!
Tree is clean.
Unable to check for sanity:

> no match for package: dev-lang/go-1.13.8
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Ping,

the tree is clean, so what's the next step?

Thanks,

William
(In reply to William Hubbs from comment #12)
> Ping,
>
> the tree is clean, so what's the next step?
>
> Thanks,
>
> William

Hi William,

Nothing more for you to do - we may GLSA it but that's just on our side. Ignore nattka.. it's still having teething problems with the sec bugs.

Thanks!
GLSA Vote: No

Arches and Maintainer(s), Thank you for your work.