[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: golang-go.crypto / CVE-2019-11841

On 08/10/2020 10:08, Brian May wrote:
Emilio Pozuelo Monfort <pochu@debian.org> writes:

Have you checked if any rdeps need to be rebuilt?

No. I imagine there might be some. How do I check? I can't remember
right now how to check reverse build depends.

root@andromeda:/# grep-dctrl -FBuild-Depends 'golang-golang-x-crypto-dev' -sPackage /var/lib/apt/lists/deb.debian.org_debian_dists_stretch_main_source_Sources | sort -u
Package: acmetool
Package: chasquid
Package: coyim
Package: go-wire
Package: gocryptfs
Package: golang-github-azure-azure-sdk-for-go
Package: golang-github-azure-go-autorest
Package: golang-github-azure-go-ntlmssp
Package: golang-github-bowery-prompt
Package: golang-github-coreos-ioprogress
Package: golang-github-coreos-pkg
Package: golang-github-elithrar-simple-scrypt
Package: golang-github-endophage-gotuf
Package: golang-github-howeyc-gopass
Package: golang-github-kisom-goutils
Package: golang-github-pkg-sftp
Package: golang-github-rackspace-gophercloud
Package: golang-github-weaveworks-mesh
Package: golang-github-xenolf-lego
Package: golang-github-xordataexchange-crypt
Package: golang-golang-x-net-dev
Package: golang-gopkg-dancannon-gorethink.v2
Package: golang-gopkg-macaroon.v1
Package: govendor
Package: influxdb
Package: mongo-tools
Package: packer
Package: rclone
Package: restic
Package: snapd
Package: syncthing
Package: tendermint-ed25519
Package: tendermint-go-merkle
root@andromeda:/# grep-dctrl -FBuild-Depends 'golang-go.crypto-dev' -sPackage /var/lib/apt/lists/deb.debian.org_debian_dists_stretch_main_source_Sources | sort -u
Package: golang-ed25519-dev
Package: golang-github-bradfitz-http2
Package: golang-github-endophage-gotuf
Package: golang-pault-go-debian
Package: influxdb
Package: obfs4proxy
Package: pluginhook

(That's only checking on stretch main, but that should probably be sufficient).

Note that many of those are golang modules which only ship go code on the -dev package, and thus don't need a rebuild. OTOH, compiled binaries may need a rebuild if they use the affected code (directly or indirectly).


Reply to: