[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: golang-go.crypto / CVE-2019-11841

Hi Brian

Yes it is not that good that we mark the issue as fixed. The question is how we convince upstream that this is actually a problem.

Do we have an idea on how a good patch would look like?

If we are close to fixing the issue we can just wait and then issue a new DLA-xxx-2 where we update the information telling that the previous fix was not complete.

Best regards

// Ola

On Wed, 9 Sep 2020 at 00:26, Brian May <bam@debian.org> wrote:
Ola Lundqvist <ola@inguza.com> writes:

> I agree with you about the hash part (the main part of it) of this CVE. In
> fact this CVE is about two different things. If gnupg do hash validation I
> think go should do the same.

It concerns me that we have marked CVE-2019-11841 as resolved in
bullseye and sid, and we have no good procedures for "undoing" a DLA/DSA
that marks a CVE as resolved. This is something that has got in the past

I think it might be possible to update data/DLA/list or data/DSA/list
and remove the CVE from the DLA/DSA. Maybe then we would need to update
data/CVE/list also (unless this happens automatically). But then we have
still have the problem that the last email sent said that the issue was

> I was referring to the second part of the vulnerability described in
> "Moreover, since...". Now when I read about it, it is clear that it is only
> referring to the PHP header part and not the rest of the text. I wonder if
> that should be seen as a separate vulnerability, that people think the
> whole text is signed, while it is just a part of it... But that should
> probably be on the application layer on top of this library.

Yes, it probably should have been two separate CVEs. Having two distinct
issues in one CVE gets confusing when only one issue gets resolved.

If I understand this correctly, I believe this part was resolved.
Brian May <bam@debian.org>

 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |

Reply to: