[Git][security-tracker-team/security-tracker][master] dla: drop golang-golang-x-net
Sylvain Beucler (@beuc)
gitlab at salsa.debian.org
Fri Aug 1 18:59:32 BST 2025
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
29db0f84 by Sylvain Beucler at 2025-08-01T19:58:26+02:00
dla: drop golang-golang-x-net
As discussed with FD and prior FD on #debian-lts, after ah expressed
difficulties with the update:
The golang ecosystem has limited support. This looks like a core
package, apparently 80 packages need to be (statically) rebuilt.
There are no plans to fix this in bookworm, all CVEs are <no-dsa>, hence
this is low-priority.
There are currently no LTS sponsors, so there is no particular reason to be
proactive here.
Hence dropping the package for now, too much effort for too little gain.
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -32211,6 +32211,7 @@ CVE-2025-27495 (A vulnerability has been identified in TeleControl Server Basic
CVE-2025-22872 (The tokenizer incorrectly interprets tags with unquoted attribute valu ...)
- golang-golang-x-net 1:0.27.0-2 (bug #1103586)
[bookworm] - golang-golang-x-net <no-dsa> (Minor issue)
+ [bullseye] - golang-golang-x-net <postponed> (Limited support, minor issue, follow bookworm DSAs/point-releases)
NOTE: https://github.com/golang/go/issues/73070
NOTE: Fixed by: https://github.com/golang/net/commit/e1fcd82abba34df74614020343be8eb1fe85f0d9 (v0.38.0)
CVE-2025-20236 (A vulnerability in the custom URL parser of Cisco Webex App could allo ...)
@@ -71207,7 +71208,7 @@ CVE-2024-4229 (Incorrect Default Permissions vulnerability in Edgecross Basic So
CVE-2024-45338 (An attacker can craft an input to the Parse functions that would be pr ...)
- golang-golang-x-net 1:0.27.0-2 (bug #1091168)
[bookworm] - golang-golang-x-net <no-dsa> (Minor issue)
- [bullseye] - golang-golang-x-net <postponed> (minor issue; DoS)
+ [bullseye] - golang-golang-x-net <postponed> (Limited support, minor issue, DoS, follow bookworm DSAs/point-releases)
NOTE: https://go-review.googlesource.com/c/net/+/637536
NOTE: https://github.com/golang/go/issues/70906
NOTE: https://pkg.go.dev/vuln/GO-2024-3333
@@ -146414,9 +146415,9 @@ CVE-2023-45288 (An attacker may cause an HTTP/2 endpoint to read arbitrary amoun
[bullseye] - golang-1.15 <no-dsa> (Minor issue)
- golang-1.11 <removed>
[buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
- - golang-golang-x-net 1:0.23.0+dfsg-1
+ - golang-golang-x-net 1:0.23.0+dfsg-
[bookworm] - golang-golang-x-net <no-dsa> (Minor issue)
- [bullseye] - golang-golang-x-net <no-dsa> (Minor issue)
+ [bullseye] - golang-golang-x-net <postponed> (Limited support, minor issue, follow bookworm DSAs/point-releases)
NOTE: https://github.com/golang/go/issues/65051
NOTE: https://github.com/golang/go/commit/e55d7cf8435ba4e58d4a5694e63b391821d4ee9b (go1.22.2)
NOTE: https://github.com/golang/go/commit/ae5913347d15cf7d1f218916c22717e5739a9ea3 (go1.21.9)
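Review bot: The added line `- golang-golang-x-net 1:0.23.0+dfsg-` in the CVE-2023-45288 entry drops the Debian revision from the fixed version `1:0.23.0+dfsg-1`, which looks unintended: the commit message only covers the bullseye triage state and gives no reason to touch the unstable fixed version. A version string ending in `-` has an empty revision, so the entry no longer names the upload that carried the fix, and tooling that compares installed versions against it may misjudge affected status. Suggest restoring `1:0.23.0+dfsg-1` and keeping only the `[bullseye]` change from `<no-dsa>` to `<postponed>` in this hunk.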
@@ -194638,7 +194639,7 @@ CVE-2023-4067 (The Bus Ticket Booking with Seat Reservation plugin for WordPress
CVE-2023-3978 (Text nodes not in the HTML namespace are incorrectly literally rendere ...)
- golang-golang-x-net 1:0.14.0-1 (bug #1043163)
[bookworm] - golang-golang-x-net <no-dsa> (Minor issue)
- [bullseye] - golang-golang-x-net <no-dsa> (Minor issue)
+ [bullseye] - golang-golang-x-net <postponed> (Limited support, minor issue, follow bookworm DSAs/point-releases)
- golang-golang-x-net-dev <removed>
[buster] - golang-golang-x-net-dev <postponed> (Limited support, follow bullseye DSAs/point-releases)
NOTE: https://go.dev/cl/514896
=====================================
data/dla-needed.txt
=====================================
@@ -135,11 +135,6 @@ golang-github-gorilla-csrf
NOTE: 20250621: https://buildd.debian.org/status/package.php?p=golang-github-alecthomas-chroma&suite=bullseye-security
NOTE: 20250621: still stuck at Uploaded phase, probably due to missing sources at security.debian.org (Beuc)
--
-golang-golang-x-net
- NOTE: 20250502: Added by Front-Desk (lamby)
- NOTE: 20250502: NB. golang - will need to check and schedule binNMUs. (lamby)
- NOTE: 20250621: https://salsa.debian.org/go-team/packages/golang-golang-x-net/-/commits/debian/bullseye (ah)
---
goldendict
NOTE: 20250723: Added by Front-Desk (ta)
NOTE: 20250723: there is no upstream fix yet
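Review bot: Removing the golang-golang-x-net block also drops the 20250621 note linking the debian/bullseye branch on salsa (ah), and neither the new `<postponed>` lines in data/CVE/list nor the commit message carries that URL. Suggest recording the branch link somewhere recoverable, for example in the commit message, so the existing packaging work can be found if the package is re-added to dla-needed.txt. The 20250502 reminder from lamby about checking and scheduling binNMUs is lost the same way and is worth preserving alongside it.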
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/29db0f849042f2be62d7062e02cb082b6339b060