Re: golang-go.crypto / CVE-2019-11841
On 08/10/2020 10:30, Brian May wrote:
Emilio Pozuelo Monfort <email@example.com> writes:
Note that many of those are golang modules which only ship go code on the -dev
package, and thus don't need a rebuild. OTOH, compiled binaries may need a
rebuild if they use the affected code (directly or indirectly).
How do I tell which ones need rebuilding? Maybe just the ones without
the 'golang-` prefix?
That go be a simplification. However there's a chance one of those golang-
packages also has a bin package with a real binary, and then that may need to be
rebuilt as well.
Also, not all packages with compiled binaries necessarily need a rebuild. E.g.
they may not use the affected code at all, just other parts of golang-go.crypto.
How do I rebuild? Do I need to upload a new version?
Unless they already are in stretch-security, then yes, sourceful uploads will be