742eda3565
Fixes the following security vulnerability: - CVE-2019-17596: Invalid DSA public keys can cause a panic in dsa.Verify. In particular, using crypto/x509.Verify on a crafted X.509 certificate chain can lead to a panic, even if the certificates don’t chain to a trusted root. The chain can be delivered via a crypto/tls connection to a client, or to a server that accepts and verifies client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected. Upstream has not provided a go 1.11.x release with a fix for this, so instead include the Debian backport of the upstream security fix from: https://sources.debian.org/src/golang-1.11/1.11.6-1+deb10u3/debian/patches/0008-Fix-CVE-2019-17596.patch/ Signed-off-by: Peter Korsgaard <peter@korsgaard.com> |
||
|---|---|---|
| .. | ||
| 0001-build.go-explicit-option-for-crosscompilation.patch | ||
| 0002-Fix-CVE-2019-16276.patch | ||
| 0003-Fix-CVE-2019-17596.patch | ||
| Config.in.host | ||
| go.hash | ||
| go.mk | ||