Re: golang-go.crypto 0.36.0 for trixie?
On Mon, Mar 17, 2025 at 12:07 AM Simon Josefsson <simon@josefsson.org> wrote:
>
> Hi.
>
> We have version 0.25.0 in unstable now. I noticed that there are
> vulnerabilities in <= 0.35.0:
>
> https://pkg.go.dev/vuln/GO-2025-3487
>
> This affects packages like go-git which fix this in their 5.14.0 release
> and needs the x-crypto >= 0.35.0 bump.
>
> What is the status of this migration? I know it is late, but low-level
> crypto vulnerabilities seem serious, and maybe we can get an exception
> to upload 0.36.0 if we make sure all reverse dependencies build and
> work?! I did not look into whether it is possible to back-port any small fix
> for this, and I suspect there are many other security-related fixes that
> happened in Go x-crypto between 0.25 and 0.36.
>
> Santiago, you uploaded 0.33 to experimental a month ago, did you perform
> any reverse builds of all packages in Debian using it? How about
> uploading 0.36 to experimental now and testing using the latest release? I can
> do that, it seems safe regardless of what will happen in unstable.
>
Just note that all golang.org/x/* are _usually_ safe to update as
upstream says they don't break ABI for these packages. But I can't
find where such a promise is documented currently...
--
Shengjing Zhu
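The thread turns on one question a maintainer has to answer for every reverse dependency: does this package's go.mod still require a golang.org/x/crypto older than the version that carries the fix? The program below is an added example for this page, not code from the Debian Go team or from any package in the thread. It parses the `require` directives of a go.mod (both the block form and the single-line form), compares the requested golang.org/x/crypto version against a fixed version passed as a parameter, and reports the stale requirement. The go.mod text and the module versions in it are constructed for the example; the fixed version used in `main` is 0.36.0 because that is the release the thread proposes uploading, and the threshold is deliberately an argument so the same check can be run against whatever version the advisory names.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// sampleGoMod is a constructed go.mod for the example; it is not the
// go.mod of any real Debian package.
const sampleGoMod = `module example.com/constructed/app

go 1.22

require (
	github.com/go-git/go-git/v5 v5.13.0
	golang.org/x/crypto v0.25.0 // indirect
	golang.org/x/sys v0.30.0
)

require golang.org/x/net v0.35.0
`

// requirement is one module path/version pair from a require directive.
type requirement struct {
	Path    string
	Version string
}

// parseRequirements extracts every requirement from the require
// directives of goMod, handling "require (...)" blocks and one-line
// "require path version" forms and ignoring trailing // comments.
func parseRequirements(goMod string) []requirement {
	var reqs []requirement
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i]) // drop "// indirect" etc.
		}
		switch {
		case line == "require (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case inBlock:
			if f := strings.Fields(line); len(f) == 2 {
				reqs = append(reqs, requirement{Path: f[0], Version: f[1]})
			}
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) == 3 {
				reqs = append(reqs, requirement{Path: f[1], Version: f[2]})
			}
		}
	}
	return reqs
}

// parseSemver turns "v0.35.0" into [0 35 0]; a pre-release or build
// suffix ("-rc1", "+incompatible") is ignored for the comparison.
func parseSemver(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("malformed version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("malformed version %q: %w", v, err)
		}
		out[i] = n
	}
	return out, nil
}

// lessThan reports whether version a sorts before version b.
func lessThan(a, b [3]int) bool {
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// belowFixed returns the version of modPath that goMod requires when it
// is older than fixed, or "" when modPath is absent or already at/above
// the fixed version.
func belowFixed(goMod, modPath, fixed string) (string, error) {
	fixedV, err := parseSemver(fixed)
	if err != nil {
		return "", err
	}
	for _, r := range parseRequirements(goMod) {
		if r.Path != modPath {
			continue
		}
		have, err := parseSemver(r.Version)
		if err != nil {
			return "", err
		}
		if lessThan(have, fixedV) {
			return r.Version, nil
		}
		return "", nil
	}
	return "", nil
}

func main() {
	stale, err := belowFixed(sampleGoMod, "golang.org/x/crypto", "v0.36.0")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if stale != "" {
		fmt.Printf("golang.org/x/crypto %s is below v0.36.0; rebuild needed\n", stale)
	} else {
		fmt.Println("golang.org/x/crypto requirement is at or above v0.36.0")
	}
}
```

A go.mod scan like this is only a first triage of the reverse dependencies: it tells the maintainer which packages declare an old requirement, not whether the vulnerable code path is reachable. For the second question, govulncheck from golang.org/x/vuln consults the same vulnerability database the thread links to (pkg.go.dev/vuln) and reports which advisories apply to the symbols a binary actually uses.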