[pkg-go] Bug#921156: etcd: CVE-2018-1098 CVE-2018-1099

Arnaud Rebillout arnaud.rebillout at collabora.com
Tue Feb 12 02:32:48 GMT 2019


I looked into this a bit yesterday.

As mentioned in the issue upstream at
https://github.com/etcd-io/etcd/issues/9353, the fix was merged into
the master branch of etcd in March 2018, almost a year ago. The
conversation also mentions that this will be part of the next release
v3.4. However, v3.4 has not been released yet.

And I don't think we want to package a random commit from the master
branch of etcd. So if we want to solve this bug simply by updating the
package, we'll have to wait for v3.4 to be released.

The other alternative is to cherry-pick the patch.

If I'm not mistaken, the fix can be found in this MR:
https://github.com/etcd-io/etcd/pull/9372/files. It's not a trivial
patch. It's unlikely that we can apply it without modification on the
etcd currently packaged in Debian.

I personally can't do that, as I know nothing about etcd anyway. I don't
know if someone feels up to the task, or has a better idea about how to
solve that.

Cheers,

  Arnaud


