Re: golang-go.crypto / CVE-2019-11841

Brian May <bam@debian.org> writes:

> Brian May <bam@debian.org> writes:
>> All of the distributions fail (as in the last two tests pass when they
>> should now), but bullseye at least fixes one of the failures. So it
>> looks like this was incorrectly marked as fixed (note bullseye and sid
>> have the same version of this package).
> I filed an upstream bug report:
> https://github.com/golang/go/issues/41200

Upstream responded with "That's intentional and documented in the
package and in the commit message you link to. The hash header value has
no security purposes."

I am not convinced this is the case. I have responded.
Brian May <bam@debian.org>

