
Re: Wheezy update of golang?



Hi,

After further analysis for the issues affecting golang in Wheezy, I have
concluded that it is not necessary to perform updates.

CVE-2017-15041 concerns only the "go get" command, and only malicious
Subversion repositories which can *then* chain into malicious git
repositories. But then "go get" also builds an actual binary which is
normally executed by the user.

CVE-2017-15042 is about the `smtp` module which may unexpectedly send
cleartext when authenticating to a remote SMTP server. Fixing this would
require the upload of an unknown number of modules, and was introduced
after the wheezy release (although I did not verify that).

Considering those two issues were marked as "ignore" in stretch, I do
not consider it relevant to fix those issues in wheezy, and have also
marked them as ignore there.

Please let me know if any of you believe this should actually be fixed
in wheezy and I'm sure the LTS team will be happy to take a second look.

Cheers,

A.

-- 
That's the kind of society I want to build. I want a guarantee - with
physics and mathematics, not with laws - that we can give ourselves
real privacy of personal communications.
                         - John Gilmore
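
As an added example (not part of the original message, and not code from Go or Debian): where a Go release stays unpatched for CVE-2017-15042, a caller can wrap whatever `smtp.Auth` it uses so that no authentication exchange starts unless the connection is TLS-protected. The names `tlsOnlyAuth`, `TLSOnly`, `ErrNoTLS`, `startAgainst` and the example.org values are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/smtp"
)

// ErrNoTLS is returned instead of starting authentication over cleartext.
var ErrNoTLS = errors.New("smtp auth refused: connection is not TLS-protected")

// tlsOnlyAuth is a hypothetical wrapper, not part of net/smtp.
type tlsOnlyAuth struct{ inner smtp.Auth }

// TLSOnly wraps any smtp.Auth so that the inner mechanism never produces
// credentials unless net/smtp reports the connection as TLS-protected.
func TLSOnly(a smtp.Auth) smtp.Auth { return &tlsOnlyAuth{inner: a} }

func (t *tlsOnlyAuth) Start(server *smtp.ServerInfo) (string, []byte, error) {
	// Decide on the transport state only, before the inner mechanism runs.
	if !server.TLS {
		return "", nil, ErrNoTLS
	}
	return t.inner.Start(server)
}

func (t *tlsOnlyAuth) Next(fromServer []byte, more bool) ([]byte, error) {
	return t.inner.Next(fromServer, more)
}

// startAgainst simulates the first AUTH step against a constructed server
// description and returns the bytes that would be sent to it.
func startAgainst(tls bool) ([]byte, error) {
	auth := TLSOnly(smtp.PlainAuth("", "user@example.org", "constructed-password", "mail.example.org"))
	info := &smtp.ServerInfo{Name: "mail.example.org", TLS: tls, Auth: []string{"PLAIN"}}
	_, toServer, err := auth.Start(info)
	return toServer, err
}

func main() {
	for _, tls := range []bool{false, true} {
		out, err := startAgainst(tls)
		fmt.Printf("TLS=%v sent=%q err=%v\n", tls, out, err)
	}
}
```

The wrapped value is passed to `smtp.SendMail` or `(*smtp.Client).Auth` in place of the bare auth, so the refusal happens in the caller's own code regardless of the standard-library version in use.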