Re: Wheezy update of golang?
On 2017-10-24 15:44:18, Antoine Beaupré wrote:
> After further analysis for the issues affecting golang in Wheezy, I have
> concluded that it is not necessary to perform updates.
>
> CVE-2017-15041 concerns only the "go get" command, and only malicious
> Subversion repositories which can *then* chain into malicious git
> repositories. But then "go get" also builds an actual binary which is
> normally executed by the user.

After reviewing the patchset for this security issue, I have changed my
mind: the patch is small and doesn't require a full rebuild of all
golang packages, so we should ship it.

I also feel we should ship it for other suites. The patch is fairly easy
to backport as well.

So I'll push a DLA later today.

A lot of people never use their initiative because no-one told them to.