On Sun, 2025-03-16 at 17:05 +0100, Simon Josefsson wrote:
> Hi.
>
> We have version 0.25.0 in unstable now. I noticed that there are
> vulnerabilities in <= 0.35.0:
>
> https://pkg.go.dev/vuln/GO-2025-3487

The Security Team has triaged the two CVEs as ignored/postponed[1], which I agree with.

> This affects packages like go-git which fix this in their 5.14.0 release
> and needs the x-crypto >= 0.35.0 bump.
>
> What is the status of this migration? I know it is late, but low-level
> crypto vulnerabilities seem serious, and maybe we can get an exception
> to upload 0.36.0 if we make sure all reverse dependencies build and
> work?! I did not look into whether it is possible to back-port any small fix
> for this, and I suspect there are many other security-related fixes that
> happened in Go x-crypto between 0.25 and 0.36.

`build-rdeps golang-golang-x-crypto-dev` reports 959 reverse build-depends in main, so definitely not a small number of potentially affected packages. I would want to discuss with the Security and/or Release Teams to get their thoughts on proceeding with an update to this package at this point in time.

> Santiago, you uploaded 0.33 to experimental a month ago, did you perform
> any reverse builds of all packages in Debian using it? How about
> uploading 0.36 to experimental now and test using latest release? I can
> do that, it seems safe regardless of what will happen in unstable.

The pseudo-excuses look OK[2], which is encouraging but we'd probably want to upload 0.36 to experimental for good measure.

Mathias

[1] -- https://security-tracker.debian.org/tracker/source-package/golang-go.crypto
[2] -- https://qa.debian.org/excuses.php?experimental=1&package=golang-go.crypto