Re: golang-1.7 / CVE-2019-9514 / CVE-2019-9512
On 09/09/2020 00:55, Brian May wrote:
> Looking at:
> Under "golang-1.7" release stretch it says "vulnerable".
> But in the notes, there is:
> [stretch] - golang-1.7 <ignored> (Minor issue)
Why... is there a discrepancy?
-> because ignored vulnerabilities keep the package vulnerable
Why... was it marked as ignored?
-> non-LTS triaging, security team often doesn't justify; check
for the original commit and who you may ask for details (this was 1 year
> Anyway, as this was marked as minor for golang-1.7 in Stretch, probably
> also should be marked as minor for golang-golang-x-net-dev also...
I think you can re-evaluate these 2 issues and decide whether an LTS fix
should be done for the impacted packages.