Re: golang-go.crypto / CVE-2019-11841
Brian May <bam@debian.org> writes:
> Brian May <bam@debian.org> writes:
>
>> All of the distributions fail (as in the last two tests pass when they
>> should now), but bullseye at least fixes one of the failures. So it
>> looks like this was incorrectly marked as fixed (note bulleye and sid
>> have the same version of this package).
>
> I filled an upstream bug report:
> https://github.com/golang/go/issues/41200
Upstream responded with "That's intentional and documented in the
package and in the commit message you link to. The hash header value has
no security purposes."
I am not convinced this is the case. I have responded.
--
Brian May <bam@debian.org>
Reply to: