Re: golang-1.7 / CVE-2019-9514 / CVE-2019-9512
Hi Brian,
On 09/09/2020 00:55, Brian May wrote:
> Looking at:
>
> https://security-tracker.debian.org/tracker/CVE-2019-9512
> https://security-tracker.debian.org/tracker/CVE-2019-9514
>
> Under "golang-1.7" release stretch it says "vulnerable".
>
> But in the notes, there is:
>
> [stretch] - golang-1.7 <ignored> (Minor issue)
>
> Why?
Why... is there a discrepancy?
-> because ignored vulnerabilities keep the package vulnerable
Why... was it marked as ignored?
-> non-LTS triaging; the security team often doesn't justify it. Check
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/de6118ef838589de05f9f606c90e66ef47d91ede
for the original commit and who you may ask for details (this was 1 year
ago though).
> Anyway, as this was marked as minor for golang-1.7 in Stretch, probably
> also should be marked as minor for golang-golang-x-net-dev also...
I think you can re-evaluate these 2 issues and decide whether an LTS fix
should be done for the impacted packages.
Cheers!
Sylvain