
Bug#993318: bullseye-pu: package golang-1.15/1.15.15-1~deb11u1



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: zhsj@debian.org

[ Reason ]
Update golang-1.15 to upstream latest minor release.
The Go upstream has minor releases with only important bugfixes backported.
Upstream policy: https://github.com/golang/go/wiki/MinorReleases
> security issues, serious problems with no workaround, and documentation fixes
> are backported

So I'd like to bring the latest minor version to bullseye.

This 1.15.15 version also includes a non-urgent security fix for CVE-2021-36221.

The full list of issues between 1.15.9 (the version in bullseye) and 1.15.15:

+ Go1.15.10
  https://github.com/golang/go/milestone/204?closed=1
+ Go1.15.11
  https://github.com/golang/go/milestone/208?closed=1
+ Go1.15.12
  https://github.com/golang/go/milestone/209?closed=1
+ Go1.15.13
  https://github.com/golang/go/milestone/215?closed=1
+ Go1.15.14
  https://github.com/golang/go/milestone/217?closed=1
+ Go1.15.15
  https://github.com/golang/go/milestone/220?closed=1

[ Impact ]
Fix many issues which are considered to be important by upstream.

[ Tests ]
Go1.15.15 has been in testing for many days and many packages have been built with
this version.
Meanwhile upstream has extensive tests for their minor release.

[ Risks ]
I don't think there's risk.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The diff is big, so I only paste the diffstat here, and attach a link to the full diff.

 VERSION                                                |    2 
 debian/changelog                                       |   20 
 debian/control                                         |    4 
 debian/control.in                                      |    4 
 debian/patches/0007-CVE-2021-31525.patch               |   45 --
 debian/patches/0008-CVE-2021-33196.patch               |  124 -----
 debian/patches/0009-CVE-2021-33195-1.patch             |  369 -----------------
 debian/patches/0010-CVE-2021-33195-2.patch             |  111 -----
 debian/patches/0011-CVE-2021-33197.patch               |  147 ------
 debian/patches/0012-CVE-2021-33198.patch               |  107 ----
 debian/patches/0013-CVE-2021-34558.patch               |   46 --
 debian/patches/series                                  |    7 
 misc/cgo/testcshared/cshared_test.go                   |   97 ++++
 src/archive/zip/reader.go                              |   10 
 src/archive/zip/reader_test.go                         |   59 ++
 src/cmd/cgo/out.go                                     |    6 
 src/cmd/compile/internal/gc/escape.go                  |    7 
 src/cmd/compile/internal/ssa/gen/ARM.rules             |  128 ++---
 src/cmd/compile/internal/ssa/gen/ARM64Ops.go           |    9 
 src/cmd/compile/internal/ssa/opGen.go                  |    6 
 src/cmd/compile/internal/ssa/rewriteARM.go             |  306 +++++++-------
 src/cmd/compile/internal/ssa/shortcircuit.go           |   18 
 src/cmd/go/go_test.go                                  |   33 +
 src/cmd/go/internal/load/pkg.go                        |    5 
 src/cmd/go/internal/modcmd/tidy.go                     |    2 
 src/cmd/go/internal/modcmd/vendor.go                   |    4 
 src/cmd/go/internal/modfetch/cache.go                  |   17 
 src/cmd/go/internal/modfetch/fetch.go                  |   77 ++-
 src/cmd/go/internal/modload/init.go                    |    6 
 src/cmd/go/internal/modload/load.go                    |   32 +
 src/cmd/go/testdata/script/list_err_cycle.txt          |   15 
 src/cmd/go/testdata/script/mod_get_missing_ziphash.txt |   55 ++
 src/cmd/go/testdata/script/mod_readonly.txt            |    6 
 src/cmd/go/testdata/script/mod_tidy_error.txt          |    4 
 src/cmd/go/testdata/script/mod_tidy_too_new.txt        |   31 +
 src/cmd/go/testdata/script/mod_verify.txt              |    7 
 src/cmd/link/internal/arm/asm.go                       |   16 
 src/cmd/link/internal/ld/data.go                       |   12 
 src/cmd/link/internal/ld/elf.go                        |    2 
 src/cmd/link/internal/ld/lib.go                        |   11 
 src/cmd/link/internal/ld/macho.go                      |    2 
 src/cmd/link/internal/loader/loader.go                 |   12 
 src/cmd/link/internal/ppc64/asm.go                     |   26 -
 src/crypto/tls/key_agreement.go                        |    6 
 src/database/sql/sql.go                                |   14 
 src/database/sql/sql_test.go                           |   28 +
 src/go.mod                                             |    2 
 src/go.sum                                             |    4 
 src/internal/poll/copy_file_range_linux.go             |   10 
 src/internal/poll/sendfile_bsd.go                      |    4 
 src/internal/poll/sendfile_linux.go                    |    3 
 src/internal/poll/sendfile_solaris.go                  |    3 
 src/math/big/arith_s390x.s                             |  192 --------
 src/math/big/arith_test.go                             |   65 ++
 src/math/big/ratconv.go                                |   15 
 src/math/big/ratconv_test.go                           |   25 +
 src/net/dnsclient_unix_test.go                         |  321 ++++++++++++++
 src/net/http/h2_bundle.go                              |    2 
 src/net/http/httputil/reverseproxy.go                  |   31 -
 src/net/http/httputil/reverseproxy_test.go             |  102 ++++
 src/net/http/omithttp2.go                              |    4 
 src/net/http/transport.go                              |   39 +
 src/net/http/transport_test.go                         |   84 +++
 src/net/lookup.go                                      |  159 ++++++-
 src/net/sendfile_test.go                               |   64 ++
 src/os/readfrom_linux_test.go                          |   32 +
 src/run.bash                                           |   10 
 src/run.bat                                            |    4 
 src/run.rc                                             |    9 
 src/runtime/asm_arm64.s                                |   47 +-
 src/runtime/cgo/gcc_windows_386.c                      |    1 
 src/runtime/cgo/gcc_windows_amd64.c                    |    1 
 src/runtime/cgo/libcgo_windows.h                       |   12 
 src/runtime/pprof/pprof_test.go                        |    3 
 src/runtime/signal_unix.go                             |    2 
 src/runtime/symtab.go                                  |    8 
 src/runtime/symtab_test.go                             |   85 +++
 src/runtime/sys_linux_ppc64x.s                         |   86 +++
 src/runtime/time.go                                    |    5 
 src/syscall/exec_linux_test.go                         |    1 
 src/syscall/syscall_windows.go                         |   34 +
 src/syscall/zsyscall_windows.go                        |    6 
 src/time/sleep_test.go                                 |   16 
 src/time/zoneinfo.go                                   |   33 -
 src/time/zoneinfo_read.go                              |   44 +-
 src/time/zoneinfo_test.go                              |   95 +++-
 src/vendor/golang.org/x/net/http/httpguts/httplex.go   |   10 
 src/vendor/modules.txt                                 |    2 
 test/escape5.go                                        |   11 
 test/fixedbugs/issue42876.go                           |   18 
 test/fixedbugs/issue45175.go                           |   29 +
 test/fixedbugs/issue46653.dir/bad/bad.go               |   64 ++
 test/fixedbugs/issue46653.dir/main.go                  |   27 +
 test/fixedbugs/issue46653.go                           |   10 
 94 files changed, 2240 insertions(+), 1649 deletions(-)

Changelog:

diff -Nru golang-1.15-1.15.9/debian/changelog golang-1.15-1.15.15/debian/changelog
--- golang-1.15-1.15.9/debian/changelog	2021-07-13 13:55:42.000000000 +0800
+++ golang-1.15-1.15.15/debian/changelog	2021-08-31 00:37:05.000000000 +0800
@@ -1,3 +1,23 @@
+golang-1.15 (1.15.15-1~deb11u1) bullseye; urgency=medium
+
+  * Team upload.
+  * Rebuild 1.15.15 for bullseye.
+    Fix CVE-2021-36221: net/http: panic due to racy read of persistConn
+    after handler panic (Closes: #991961)
+
+ -- Shengjing Zhu <zhsj@debian.org>  Tue, 31 Aug 2021 00:37:05 +0800
+
+golang-1.15 (1.15.15-1) unstable; urgency=medium
+
+  * Team upload.
+  * New upstream version 1.15.15
+  * Remove security patches which were previously backported
+    for 1.15.9 but are already in 1.15.15
+  * Update Standards-Version to 4.5.1, no changes needed
+  * Change Section from devel to golang
+
+ -- Anthony Fok <foka@debian.org>  Sun, 15 Aug 2021 16:44:15 -0600
+
 golang-1.15 (1.15.9-6) unstable; urgency=medium
 
   * Team upload.
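
Review bot: the 1.15.15-1 entry's line "Remove security patches which were previously backported" does not name the patches being dropped. The diffstat shows debian/patches/0007-CVE-2021-31525.patch through 0013-CVE-2021-34558.patch deleted, so listing those CVE ids in the entry would let a reviewer confirm each fix is still carried by the new upstream version rather than lost with the patch. The same entry also includes "Change Section from devel to golang" and the Standards-Version bump, which are packaging changes not mentioned in the [ Reason ] text of the request and worth calling out there.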

Full: https://people.debian.org/~zhsj/golang-1.15_1.15.15-1~deb11u1.debdiff

[ Other info ]
If my guess is correct, Go1.15 is EOL since Go1.17 is released. So this
is probably the only minor release we want to upload.

