[pkg-golang-devel] golang CVE-2019-6486 (DoS in crypto/elliptic)
Michael Stapelberg
stapelberg at debian.org
Thu Jan 24 07:58:44 GMT 2019
Hey,
https://security-tracker.debian.org/tracker/CVE-2019-6486 was announced a
few hours ago.
I have uploaded golang-1.11 1.11.5 to unstable with a fix, so unstable and
testing should have the fixed compiler soon.
There are still a few tasks left to do, though:
1. The versions in stretch (stable) and jessie (oldstable) are also
affected. I can never remember the correct process, or which versions we
support, and our git packaging repository is way out of sync with what’s on
the mirrors (*sigh*).
If someone (from security-team?) could help upload a fixed version for
stable (and oldstable?), that’d be much appreciated!
The patch at https://github.com/golang/go/commit/42b42f71 applies to
stretch, and applies to jessie when fixing the file path (src/crypto →
src/pkg/crypto).
2. We’ll need to schedule binNMUs for all reverse dependencies of
golang-x.y (e.g. golang-1.11 in unstable/testing) which result in
arch-specific packages (arch:all packages just ship code, but arch:any
packages might ship compiled copies of crypto/elliptic).
Last time, pochu@ (cc'ed) helpfully scheduled binNMUs. pochu, would you be
able to help this time, too?
Thanks,
--
Best regards,
Michael
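Task 2 above follows from the fact that Go links crypto/elliptic statically: every arch:any reverse dependency ships its own copy of the vulnerable code, so a fixed compiler alone changes nothing until those packages are rebuilt. The following small Go program is an added example, not part of this mail or of any Debian tooling; it reads the toolchain version string that the Go runtime embeds in every binary and reports whether that toolchain contains the CVE-2019-6486 fix. It assumes the first fixed releases are Go 1.10.8 and Go 1.11.5 (published 2019-01-23) and that every later release line carries the fix; the sample binary bytes are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// First patch level of each supported Go release line that contains the
// CVE-2019-6486 fix: Go 1.10.8 and Go 1.11.5 (assumption: both released
// 2019-01-23). Release lines older than 1.10 never received the fix.
var firstFixedPatch = map[int]int{
	10: 8,
	11: 5,
}

// goVersionRe matches a runtime.Version()-style string: "go1.<minor>",
// optionally ".<patch>", optionally a pre-release suffix ("beta1", "rc2").
var goVersionRe = regexp.MustCompile(`go1\.(\d+)(?:\.(\d+))?([A-Za-z]\w*)?`)

// ParseGoVersion splits "go1.11.4" into minor=11, patch=4, pre="".
// ok is false when the string carries no go1.x version at all.
func ParseGoVersion(v string) (minor, patch int, pre string, ok bool) {
	m := goVersionRe.FindStringSubmatch(v)
	if m == nil {
		return 0, 0, "", false
	}
	minor, _ = strconv.Atoi(m[1]) // \d+ guarantees Atoi succeeds
	if m[2] != "" {
		patch, _ = strconv.Atoi(m[2])
	}
	return minor, patch, m[3], true
}

// IsFixed reports whether a Go toolchain version contains the fix.
// Pre-release toolchains and unparsable strings are conservatively
// reported as not fixed, so they get rebuilt rather than silently skipped.
func IsFixed(v string) bool {
	minor, patch, pre, ok := ParseGoVersion(v)
	if !ok || pre != "" {
		return false
	}
	if first, known := firstFixedPatch[minor]; known {
		return patch >= first
	}
	return minor > 11 // assumption: Go 1.12 and later shipped with the fix
}

// EmbeddedGoVersion scans the raw bytes of a Go binary for the toolchain
// version string the runtime embeds (runtime.buildVersion) and returns the
// first match. It is the same string strings(1) would show; on Go 1.13 and
// later, "go version <binary>" is the authoritative way to read it.
func EmbeddedGoVersion(blob []byte) (string, bool) {
	m := goVersionRe.Find(blob)
	if m == nil {
		return "", false
	}
	return string(m), true
}

// SampleBinary is a constructed stand-in for the bytes of a stripped
// arch:any binary built with golang-1.11 before the fix; it is not a
// real executable.
var SampleBinary = []byte("\x7fELF\x02\x01\x01\x00...rodata...go1.11.4\x00crypto/elliptic\x00")

func main() {
	v, ok := EmbeddedGoVersion(SampleBinary)
	if !ok {
		fmt.Println("no Go version string found (not a Go binary?)")
		return
	}
	fmt.Printf("built with %s, fixed for CVE-2019-6486: %v\n", v, IsFixed(v))
}
```

To audit an installed system after the binNMUs land, replace SampleBinary with the contents of each file under /usr/bin (ioutil.ReadFile on Go 1.11) and list every binary for which IsFixed returns false; a binary with no version string at all is not a Go binary and can be ignored.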