
Re: golang-1.7 / CVE-2019-9514 / CVE-2019-9512

Hi Brian,

On 09/09/2020 00:55, Brian May wrote:
> Looking at:
> https://security-tracker.debian.org/tracker/CVE-2019-9512
> https://security-tracker.debian.org/tracker/CVE-2019-9514
> Under "golang-1.7" release stretch it says "vulnerable".
> But in the notes, there is:
> [stretch] - golang-1.7 <ignored> (Minor issue)
> Why?

Why... is there a discrepancy?
-> because ignored vulnerabilities keep the package vulnerable

Why... was it marked as ignored?
-> non-LTS triaging, security team often doesn't justify; check
for the original commit and who you may ask for details (this was 1 year
ago though).

> Anyway, as this was marked as minor for golang-1.7 in Stretch, probably
> also should be marked as minor for golang-golang-x-net-dev also...

I think you can re-evaluate these 2 issues and decide whether an LTS fix
should be done for the impacted packages.

