[pkg-golang-devel] golang CVE-2019-6486 (DoS in crypto/elliptic)

Emilio Pozuelo Monfort pochu at debian.org
Thu Jan 24 08:12:01 GMT 2019


On 24/01/2019 08:58, Michael Stapelberg wrote:
> Hey,
> 
> https://security-tracker.debian.org/tracker/CVE-2019-6486 was announced a
> few hours ago.
> 
> I have uploaded golang-1.11 1.11.5 to unstable with a fix, so unstable and
> testing should have the fixed compiler soon.
> 
> There are still a few tasks left to do, though:
> 
> 1. The versions in stretch (stable) and jessie (oldstable) are also
> affected. I can never remember the correct process, or which versions we
> support, and our git packaging repository is way out of sync with what’s on
> the mirrors (*sigh*).
> 
> If someone (from security-team?) could help upload a fixed version for
> stable (and oldstable?), that’d be much appreciated!
> 
> The patch at https://github.com/golang/go/commit/42b42f71 applies to
> stretch, and applies to jessie when fixing the file path (src/crypto →
> src/pkg/crypto).
> 
> 2. We’ll need to schedule binNMUs for all reverse dependencies of
> golang-x.y (e.g. golang-1.11 in unstable/testing) which result in
> arch-specific packages (arch:all packages just ship code, but arch:any
> packages might ship compiled copies of crypto/elliptic).
> 
> Last time, pochu@ (cc'ed) helpfully scheduled binNMUs. pochu, would you be
> able to help this time, too?

Sure. Can you give me a list of source packages to binNMU in unstable? If this
is public already, can you do that through a binNMU bug against release.debian.org?

Emilio
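Item 2 of the quoted message says which reverse dependencies need a binNMU: sources that build with the Go toolchain and produce arch:any binaries, since only those can carry a compiled copy of crypto/elliptic. The script below is an added illustration of that filter, not code from this thread or from the Debian Go team. It parses a small constructed Sources index (deb822 stanzas, not real archive data) and assumes the toolchain package names golang-go, golang-any, golang-1.11-go and golang-1.11; adjust that set for the release being handled.

```python
"""List source packages that need a binNMU after a Go compiler fix.

Reads a Debian-style Sources index (deb822 stanzas), finds the sources whose
Build-Depends pull in the Go toolchain, and keeps only those that build
arch:any binaries (arch:all packages ship only source and need no rebuild).
"""
import re

# Constructed sample of a Sources index; not real archive data.
SAMPLE_SOURCES = """\
Package: golang-github-example-foo
Binary: golang-github-example-foo-dev
Architecture: all
Build-Depends: debhelper (>= 11), dh-golang, golang-any

Package: example-tool
Binary: example-tool
Architecture: any
Build-Depends: debhelper (>= 11), dh-golang, golang-go (>= 2:1.10~)

Package: example-mixed
Binary: example-mixed, golang-example-mixed-dev
Architecture: any all
Build-Depends: debhelper (>= 11),
 dh-golang,
 golang-1.11-go | golang-go

Package: unrelated-c-tool
Binary: unrelated-c-tool
Architecture: any
Build-Depends: debhelper (>= 11), libssl-dev
"""

# Toolchain package names assumed to pull in the fixed compiler (assumption).
GO_TOOLCHAIN = {"golang-go", "golang-any", "golang-1.11-go", "golang-1.11"}


def parse_sources(text):
    """Parse deb822 stanzas into a list of dicts (continuation lines joined)."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        key = None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:
                fields[key] += " " + line.strip()  # continuation line
            else:
                key, _, value = line.partition(":")
                key = key.strip()
                fields[key] = value.strip()
        stanzas.append(fields)
    return stanzas


def build_dep_names(field):
    """Return the bare package names in a Build-Depends field.

    Version constraints, architecture qualifiers and build profiles are
    dropped; every alternative in "a | b" is kept, because any of them
    could have satisfied the dependency at build time.
    """
    names = set()
    for dep in field.split(","):
        for alt in dep.split("|"):
            name = re.split(r"[\s(\[<]", alt.strip(), maxsplit=1)[0]
            if name:
                names.add(name)
    return names


def needs_binnmu(stanza, toolchain=GO_TOOLCHAIN):
    """True if the source uses the Go toolchain and builds arch:any binaries."""
    deps = build_dep_names(stanza.get("Build-Depends", ""))
    if not deps & toolchain:
        return False
    # The Architecture field of a source stanza lists the architectures of
    # its binaries; anything other than "all" means compiled output exists.
    archs = set(stanza.get("Architecture", "").split())
    return bool(archs - {"all"})


def binnmu_list(text, toolchain=GO_TOOLCHAIN):
    """Sorted source package names to hand to a binNMU request."""
    return sorted(s["Package"] for s in parse_sources(text)
                  if needs_binnmu(s, toolchain))


if __name__ == "__main__":
    for pkg in binnmu_list(SAMPLE_SOURCES):
        print(pkg)
```

On the constructed input only example-tool and example-mixed are listed: the pure arch:all -dev package is skipped, and so is the package that does not build-depend on Go at all. Against a real archive you would feed it the uncompressed Sources index of the suite in question; the filter deliberately keeps every alternative in a `|` dependency so that a source which might have been built with the affected compiler is not missed.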
