
Where to report CVEs missing from the security tracker?



Hello, there are 6 CVEs on the golang-go package which are not on
https://security-tracker.debian.org/tracker/status/release/stable

I couldn't find them there either:
https://bugs.debian.org/cgi-bin/pkgreport.cgi?dist=unstable;package=golang-go

The list is:
- CVE-2023-29409 https://pkg.go.dev/vuln/GO-2023-1987
- CVE-2023-29403 https://pkg.go.dev/vuln/GO-2023-1840
- CVE-2023-29402 https://pkg.go.dev/vuln/GO-2023-1839
- CVE-2023-39325 https://pkg.go.dev/vuln/GO-2023-2102
- CVE-2023-39323 https://pkg.go.dev/vuln/GO-2023-2095
- CVE-2023-39326 https://pkg.go.dev/vuln/GO-2023-2382

This has been grabbed from the public golang vulnerability database
searching for anything affecting 1.19.8 (what bookworm ships).
I also checked that no patches have been backported by diffing the std
from golang-go and the upstream 1.19.8 sources.

Most of them could be fixed by updating to 1.19.12; however, the 1.19
branch is no longer supported. https://endoflife.date/go
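
The check this message describes (find vulnerability database entries whose ranges cover 1.19.8, then list the ones absent from the tracker), as an added example that is not part of the original post. The records, the CVE placeholders and the `tracked` set are constructed, the function names are hypothetical, and events are assumed to be in ascending order as in the OSV layout.

```python
import json

# Constructed records in the OSV layout used by the Go vulnerability database;
# IDs, aliases and ranges are placeholders, not real advisories.
SAMPLE = json.loads("""[
 {"id": "GO-EXAMPLE-0001", "aliases": ["CVE-0000-0001"], "affected": [{"ranges": [
   {"events": [{"introduced": "0"}, {"fixed": "1.19.12"},
               {"introduced": "1.20.0-0"}, {"fixed": "1.20.7"}]}]}]},
 {"id": "GO-EXAMPLE-0002", "aliases": ["CVE-0000-0002"], "affected": [{"ranges": [
   {"events": [{"introduced": "1.20.0-0"}, {"fixed": "1.20.3"}]}]}]},
 {"id": "GO-EXAMPLE-0003", "aliases": ["CVE-0000-0003"], "affected": [{"ranges": [
   {"events": [{"introduced": "0"}, {"fixed": "1.20.9"}]}]}]}
]""")


def key(version):
    """Map '1.19.8' to (1, 19, 8). A pre-release suffix ('-0', '-rc.4') is
    dropped, which is exact as long as the version under test is a release."""
    parts = [int(p) for p in version.split("-", 1)[0].split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def in_range(events, version):
    """Replay OSV events in order: 'introduced' opens a range, 'fixed' closes it."""
    v, hit = key(version), False
    for ev in events:
        if "introduced" in ev and v >= key(ev["introduced"]):
            hit = True
        elif "fixed" in ev and v >= key(ev["fixed"]):
            hit = False
    return hit


def missing_from_tracker(entries, version, tracked):
    """Return CVE aliases that affect `version` but are not in `tracked`."""
    missing = []
    for entry in entries:
        ranges = [r for a in entry.get("affected", []) for r in a.get("ranges", [])]
        if any(in_range(r["events"], version) for r in ranges):
            missing += [c for c in entry.get("aliases", []) if c not in tracked]
    return missing


if __name__ == "__main__":
    # Constructed tracker state: only the third placeholder is already listed.
    print(missing_from_tracker(SAMPLE, "1.19.8", tracked={"CVE-0000-0003"}))
```

The third constructed record has no fix on the 1.19 branch, so it still matches at 1.19.12, which is the situation an end-of-life branch produces.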

