
Re: Wheezy update of golang?

On 2017-10-24 15:44:18, Antoine Beaupré wrote:
> Hi,
> After further analysis for the issues affecting golang in Wheezy, I have
> concluded that it is not necessary to perform updates.
> CVE-2017-15041 concerns only the "go get" command, and only malicious
> Subversion repositories which can *then* chain into malicious git
> repositories. But then "go get" also builds an actual binary which is
> normally executed by the user.

After reviewing the patchset for this security issue, I have changed my
mind: the patch is small and doesn't require a full rebuild of all
golang packages, so we should ship it.

I also feel we should ship it for other suites. The patch is fairly easy
to backport as well.

So I'll push a DLA later today.


A lot of people never use their initiative because no-one told them to.
                        - Bansky
