[pkg-go] Bug#859655: golang-go.crypto: CVE-2017-3204
anarcat
anarcat at debian.org
Fri Apr 14 19:07:02 UTC 2017
Control: user -1 debian-release at lists.debian.org
Control: usertags -1 bsp-2017-04-ca-montreal
Control: tags -1 +patch
I looked into this during the Montreal BSP, and it's unclear what we
should do here, considering there has been multiple new uploads since
the stretch freeze.
The patch is pretty long:
https://github.com/golang/crypto/commit/e4e2799dd7aab89f583e1d898300d96367750991
... and there's no way to just backport it into stretch at this point
(IIRC).
So I'm wondering if the next step here would not just be to ask for an
exception to unblock this for stretch, or just tell the release team to
just ignore this and drop the package from stretch.
Let me know,
A.
--
Celui qui ne connaît pas l'histoire est condamné à la revivre.
- Karl Marx
More information about the Pkg-go-maintainers
mailing list