
Re: golang-1.7 / CVE-2019-9514 / CVE-2019-9512
Hi Brian,

On 09/09/2020 00:55, Brian May wrote:
> Looking at:
> 
> https://security-tracker.debian.org/tracker/CVE-2019-9512
> https://security-tracker.debian.org/tracker/CVE-2019-9514
> 
> Under "golang-1.7" release stretch it says "vulnerable".
> 
> But in the notes, there is:
> 
> [stretch] - golang-1.7 <ignored> (Minor issue)
> 
> Why?

Why... is there a discrepancy?
-> because ignored vulnerabilities keep the package vulnerable

Why... was it marked as ignored?
-> non-LTS triaging, security team often doesn't justify; check
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/de6118ef838589de05f9f606c90e66ef47d91ede
for the original commit and who you may ask for details (this was 1 year
ago though).

> Anyway, as this was marked as minor for golang-1.7 in Stretch, probably
> also should be marked as minor for golang-golang-x-net-dev also...

I think you can re-evaluate these 2 issues and decide whether an LTS fix
should be done for the impacted packages.

Cheers!
Sylvain