Import Debian changes 1.18.10-1~bpo11+1
golang-1.18 (1.18.10-1~bpo11+1) bullseye-backports; urgency=medium

  * Rebuild for bullseye-backports.

golang-1.18 (1.18.10-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 1.18.10
  * Add NO_PNG_PKG_MANGLE to prevent mangling testdata.
    This is Ubuntu specific behaviour so they can sync the package without
    vendor patch.

golang-1.18 (1.18.9-1) unstable; urgency=medium

  * New upstream version 1.18.9
    + CVE-2022-41720: os, net/http: avoid escapes from os.DirFS and http.Dir
      on Windows
    + CVE-2022-41717: net/http: limit canonical header cache by bytes, not
      entries

golang-1.18 (1.18.8-1~bpo11+1) bullseye-backports; urgency=medium

  * Rebuild for bullseye-backports.

golang-1.18 (1.18.8-1) unstable; urgency=medium

  * New upstream version 1.18.8
    + CVE-2022-41716: syscall, os/exec: unsanitized NUL in environment
      variables
      On Windows, syscall.StartProcess and os/exec.Cmd did not properly
      check for invalid environment variable values. A malicious
      environment variable value could exploit this behavior to set a
      value for a different environment variable.

golang-1.18 (1.18.7-1) unstable; urgency=medium

  * New upstream version 1.18.7
    + CVE-2022-2879: archive/tar: unbounded memory consumption when reading
      headers
    + CVE-2022-2880: net/http/httputil: ReverseProxy should not forward
      unparseable query parameters
    + CVE-2022-41715: regexp/syntax: limit memory used by parsing regexps

golang-1.18 (1.18.6-1~bpo11+1) bullseye-backports; urgency=medium

  * Rebuild for bullseye-backports.

golang-1.18 (1.18.6-1) unstable; urgency=medium

  * New upstream version 1.18.6
    + CVE-2022-27664: net/http: handle server errors after sending GOAWAY
    + CVE-2022-32190: net/url: JoinPath does not strip relative path
      components in all circumstances

golang-1.18 (1.18.5-1~bpo11+1) bullseye-backports; urgency=medium

  * Rebuild for bullseye-backports.

golang-1.18 (1.18.5-1) unstable; urgency=medium

  * New upstream version 1.18.5
    + CVE-2022-32189: math/big: index out of range in Float.GobDecode
    + cmd/go: Build information embedded by Go 1.18 impairs build
      reproducibility with cgo flags (Closes: #1008114)
  * Remove 0005-cmd-compile-revert-fix-missing-dict-pass-for-type-as.patch
    which has been applied upstream in v1.18.5
  * Bump Standards-Version to 4.6.1 (no change)

golang-1.18 (1.18.4-2) unstable; urgency=medium

  * Team upload.
  * cmd/compile: revert "fix missing dict pass for type assertions"
    Backport patch from https://go.dev/cl/417615 (Closes: #1015088)

golang-1.18 (1.18.4-1~bpo11+1) bullseye-backports; urgency=medium

  * Rebuild for bullseye-backports.

golang-1.18 (1.18.4-1) unstable; urgency=medium

  * New upstream version 1.18.4
    + CVE-2022-1705: net/http: improper sanitization of Transfer-Encoding
      header
    + CVE-2022-32148: When httputil.ReverseProxy.ServeHTTP was called with a
      Request.Header map containing a nil value for the X-Forwarded-For
      header, ReverseProxy would set the client IP as the value of the
      X-Forwarded-For header, contrary to its documentation. In the more
      usual case where a Director function set the X-Forwarded-For header
      value to nil, ReverseProxy would leave the header unmodified as
      expected.
    + CVE-2022-30631: compress/gzip: stack exhaustion in Reader.Read
    + CVE-2022-30633: encoding/xml: stack exhaustion in Unmarshal
    + CVE-2022-28131: encoding/xml: stack exhaustion in Decoder.Skip
    + CVE-2022-30635: encoding/gob: stack exhaustion in Decoder.Decode
    + CVE-2022-30632: path/filepath: stack exhaustion in Glob
    + CVE-2022-30630: io/fs: stack exhaustion in Glob
    + CVE-2022-1962: go/parser: stack exhaustion in all Parse* functions
Branches debian/bullseye-backports