Hi!

On 18/03/25 at 01:52, Mathias Gibbens wrote:
> On Sun, 2025-03-16 at 17:05 +0100, Simon Josefsson wrote:
> > Hi.
> >
> > We have version 0.25.0 in unstable now. I noticed that there are
> > vulnerabilities in <= 0.35.0:
> >
> > https://pkg.go.dev/vuln/GO-2025-3487
>
> The Security Team has triaged the two CVEs as ignored/postponed[1],
> which I agree with.

For completeness, the security team is currently in charge of bookworm, for which CVE-2025-22869 has been triaged as no-dsa. The LTS team is currently responsible for bullseye, for which the issues have been marked as <ignored>.

As a side note, the LTS team has an open issue to help on improving the situation about security support for statically-linked ecosystems, such as Go: https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/60. If you have any thoughts, those are very welcome!

> > This affects packages like go-git which fix this in their 5.14.0 release
> > and needs the x-crypto >= 0.35.0 bump.
> >
> > What is the status of this migration? I know it is late, but low-level
> > crypto vulnerabilities seem serious, and maybe we can get an exception
> > to upload 0.36.0 if we make sure all reverse dependencies build and
> > work?! I did not look into if it is possible to back-port any small fix
> > for this, and I suspect there are many other security-related fixes that
> > happened in Go x-crypto between 0.25 and 0.36.
>
> `build-rdeps golang-golang-x-crypto-dev` reports 959 reverse build-depends
> in main, so definitely not a small number of potentially affected
> packages. I would want to discuss with the Security and/or Release Teams
> to get their thoughts on proceeding with an update to this package at
> this point in time.

Since the target is unstable (and then testing), the release team input is important right now.

> > Santiago, you uploaded 0.33 to experimental a month ago, did you perform
> > any reverse builds of all packages in Debian using it?

Yes, I tested building aptly. But only that.

> > How about uploading 0.36 to experimental now and test using latest
> > release? I can do that, it seems safe regardless of what will happen in
> > unstable.

I have started preparing the experimental upload and I'll upload it in some minutes. Help is welcome to test the reverse build-deps, etc. Sorry for being late here. #life.

> The pseudo-excuses look OK[2], which is encouraging but we'd probably
> want to upload 0.36 to experimental for good measure.
>
> Mathias
>
> [1] -- https://security-tracker.debian.org/tracker/source-package/golang-go.crypto
> [2] -- https://qa.debian.org/excuses.php?experimental=1&package=golang-go.crypto

Lazy question: does the golang-team have any automated script/method to test how reverse build-deps build?

Cheers!

-- 
Santiago
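The thread's underlying problem is that a Go module fix only reaches users once every statically linked reverse dependency is rebuilt, so a distribution needs a way to find binaries that still embed the old module. The script below is an added example, not a tool from the Debian golang team or from anyone in this thread. It parses the tab-separated records printed by `go version -m <binary>` and reports binaries whose embedded `golang.org/x/crypto` is older than the first fixed release, which it assumes to be 0.35.0 as the go-git note above implies. The sample output and the `/usr/bin/...` paths in it are constructed for the example and are not real Debian packages.

```python
"""Find Go binaries that still embed a pre-fix golang.org/x/crypto.

Added example: parses `go version -m` output, which lists every module
compiled into a statically linked Go binary.  Feed it real output on
stdin, or run it without input to exercise the constructed sample.
"""

import sys

# Assumption: 0.35.0 is the first fixed release (the thread says go-git
# needed the ">= 0.35.0" bump); adjust for the advisory you are tracking.
FIXED_VERSION = "v0.35.0"
MODULE = "golang.org/x/crypto"

# Constructed sample of `go version -m` output for three binaries.  Binary
# names and module paths are made up; the h1: hashes are placeholders.
SAMPLE_OUTPUT = """\
/usr/bin/sampletool: go1.22.6
\tpath\tgithub.com/example/sampletool
\tmod\tgithub.com/example/sampletool\t(devel)
\tdep\tgolang.org/x/crypto\tv0.25.0\th1:PLACEHOLDER
\tdep\tgolang.org/x/sys\tv0.22.0\th1:PLACEHOLDER
/usr/bin/fixedtool: go1.23.1
\tpath\tgithub.com/example/fixedtool
\tdep\tgolang.org/x/crypto\tv0.36.0\th1:PLACEHOLDER
/usr/bin/nocrypto: go1.22.6
\tpath\tgithub.com/example/nocrypto
\tdep\tgolang.org/x/sys\tv0.22.0\th1:PLACEHOLDER
"""


def parse_go_version_m(text):
    """Return {binary: {module_path: version}} from `go version -m` output.

    Header lines start at column 0 as '<binary>: go<toolchain>'; module
    records ('mod', 'dep', and '=>' replacement lines) are tab-indented.
    """
    result = {}
    current = None
    last_module = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith("\t"):
            current = line.split(":", 1)[0]
            result[current] = {}
            last_module = None
            continue
        fields = line.strip().split("\t")
        if current is None or len(fields) < 3:
            continue
        if fields[0] in ("mod", "dep"):
            last_module = fields[1]
            result[current][last_module] = fields[2]
        elif fields[0] == "=>" and last_module is not None:
            # A replace directive: the binary contains the replacement's
            # version, so record that under the original module path.
            result[current][last_module] = fields[2]
    return result


def version_key(version):
    """Comparable key for a module version such as v0.25.0.

    Pseudo-versions (v0.0.0-20240101000000-abcdef123456) and build metadata
    are reduced to their numeric core; non-numeric parts compare as 0.
    """
    core = version.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) if p.isdigit() else 0 for p in core.split("."))


def find_affected(text, module=MODULE, fixed=FIXED_VERSION):
    """Return sorted (binary, version) pairs embedding `module` older than `fixed`."""
    affected = []
    for binary, modules in parse_go_version_m(text).items():
        version = modules.get(module)
        if version is not None and version_key(version) < version_key(fixed):
            affected.append((binary, version))
    return sorted(affected)


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for binary, version in find_affected(data):
        print(f"{binary}: {MODULE} {version} < {FIXED_VERSION}")
```

On a real system, `go version -m /usr/bin/* 2>/dev/null | python3 check_xcrypto.py` (the script name is arbitrary) lists the binaries still carrying the old module; only binaries built by the Go toolchain produce records, so non-Go files are silently skipped. Note that this checks the version string only: a distribution that backports a fix without bumping the module version would still be flagged, which is exactly the gap the LTS team's issue about statically linked ecosystems is about.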