[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: golang-go.crypto / CVE-2019-11841

On 08/10/2020 10:30, Brian May wrote:
Emilio Pozuelo Monfort <pochu@debian.org> writes:

Note that many of those are golang modules which only ship go code on the -dev
package, and thus don't need a rebuild. OTOH, compiled binaries may need a
rebuild if they use the affected code (directly or indirectly).

How do I tell which ones need rebuilding? Maybe just the ones without
the 'golang-` prefix?

That go be a simplification. However there's a chance one of those golang- packages also has a bin package with a real binary, and then that may need to be rebuilt as well.

Also, not all packages with compiled binaries necessarily need a rebuild. E.g. they may not use the affected code at all, just other parts of golang-go.crypto.

How do I rebuild? Do I need to upload a new version?

Unless they already are in stretch-security, then yes, sourceful uploads will be needed.


Reply to: