Please update golang version to >=1.22 or at least >=1.19.13 in the stable Bookworm release, due to CVEs

["Prusty, Badrikesh" <badrikesh.prusty@siemens.com>]

Package: golang-go

Version: 2:1.19~1

Severity: important

 

Hello Debian Team,

 

As golang-1.19-go version 1.19.8-2 is affected by various critical and high CVEs. List:

 

CVE List:

• https://security-tracker.debian.org/tracker/CVE-2023-29405: 9.8
• https://security-tracker.debian.org/tracker/CVE-2023-24540: 9.8
• https://security-tracker.debian.org/tracker/CVE-2023-29402: 9.8
• https://security-tracker.debian.org/tracker/CVE-2023-29404: 9.8
• https://security-tracker.debian.org/tracker/CVE-2023-29403: 7.8

The above listed CVEs got fixed in version 1.19.10 and above.

 

 

• https://security-tracker.debian.org/tracker/CVE-2023-39323: 8.1
• https://security-tracker.debian.org/tracker/CVE-2024-24784: 7.5
• https://security-tracker.debian.org/tracker/CVE-2024-24785: 7.5
• https://security-tracker.debian.org/tracker/CVE-2023-45289: 7.5
• https://security-tracker.debian.org/tracker/CVE-2023-45290: 7.5
• https://security-tracker.debian.org/tracker/CVE-2024-24783: 7.5

The above listed CVEs got fixed in version 1.21 and 1.22.1 and above.

 

Found that the updated version of package available in bookworm-backports.

golang-1.19-go  v1.19.13: https://packages.debian.org/bookworm-backports/golang-1.19-go

golang-1.22-go v1.22.1: https://packages.debian.org/bookworm-backports/golang-1.22-go

 

golang-go points 1.19.8 in Bookworm: https://packages.debian.org/bookworm/golang-go,

while 1.22.1 in Bookworm backports: https://packages.debian.org/bookworm-backports/golang-go

 

Kindly update golang version to >=1.22 or atleast >=1.19.13 in the stable Bookworm release for fixing the above listed vulnerabilities.

 

Let us know if any help is needed from my side for migrating the package from backports to stable Bookworm release.

 

 

Thanks & Regards,

Badrikesh