On Tue, Dec 31, 2024 at 01:37:44PM +0100, Thorsten Alteholz wrote:
>
> On 31.12.24 12:17, Loren M. Lang wrote:
> > As I am relatively new to the Go Team, I chose to keep it to a smaller,
> > easier to review, change which resolved the CVE with the highest score.
> > That was the only CVE that led to a Debian bug of severity grave and
> > threatened to remove it from testing in a few weeks from now. It has a
> > CVE base score of 8.0. The others have a score of 6.5 or less and their
> > corresponding Debian bugs are only of severity important.
>
> Sure, but in case other releases, like Bookworm, shall get an update as
> well, it would help other teams to bundle patches.
> Anyway, important bugs are not release critical but should be fixed in any
> case.

We can hold off on the Bookworm update for a little bit if that would
help. As this is my first attempt at getting a package into
stable-updates, I am learning a bit myself. Another developer pointed me
at the appropriate part of the developer reference for this so I realize
that I was using the wrong version suffix when publishing a package for
p-u to stable. Another reason why I was keeping it simple as I learn
this.

> >
> > Now that my feet are wet, I do plan to dig into the other CVEs and find
> > the appropriate minimally-viable patch to fix them, however, I probably
> > won't have enough time until this next week-end.
>
> Yes, the fix for CVE-2024-54132 doesn't look that easy to backport and the
> fix for CVE-2024-53858 is somewhere hidden in the commits between v2.26.0
> and v2.63.0. Good luck :-).

Yep, I'll figure it out this week-end, but I want to make sure I fully
understand the issue and can ensure I apply the appropriate patch.

>
> Do you intend to work on a patch for Bullseye as well?

Yes, I can backport it there as well. It looks like gh was only made
available to bullseye as a backport so that should be similar to other
backports which I have done before.

>
> Thorsten
>

--
Loren M. Lang
lorenl@north-winds.org
http://www.north-winds.org/

Public Key: http://www.north-winds.org/lorenl_pubkey.asc
Fingerprint: 7896 E099 9FC7 9F6C E0ED E103 222D F356 A57A 98FA