Re: golang-go.crypto / CVE-2019-11841

To: debian-lts@lists.debian.org
Subject: Re: golang-go.crypto / CVE-2019-11841
From: Brian May <bam@debian.org>
Date: Fri, 04 Sep 2020 08:22:13 +1000
Message-id: <[🔎] 877dtatsa2.fsf@canidae.wired.pri>
In-reply-to: <[🔎] 87eenju6qa.fsf@canidae.wired.pri>
References: <87k0xes8kr.fsf@canidae.wired.pri> <[🔎] 87pn75t6vb.fsf@canidae.wired.pri> <[🔎] 87eenju6qa.fsf@canidae.wired.pri>

Brian May <bam@debian.org> writes:

> Brian May <bam@debian.org> writes:
>
>> All of the distributions fail (as in the last two tests pass when they
>> should now), but bullseye at least fixes one of the failures. So it
>> looks like this was incorrectly marked as fixed (note bulleye and sid
>> have the same version of this package).
>
> I filled an upstream bug report:
> https://github.com/golang/go/issues/41200

Upstream responded with "That's intentional and documented in the
package and in the commit message you link to. The hash header value has
no security purposes."

I am not convinced this is the case. I have responded.
-- 
Brian May <bam@debian.org>

Reply to:

Follow-Ups:
- Re: golang-go.crypto / CVE-2019-11841
  - From: Brian May <bam@debian.org>

References:
- Re: golang-go.crypto / CVE-2019-11841
  - From: Brian May <bam@debian.org>
- Re: golang-go.crypto / CVE-2019-11841
  - From: Brian May <bam@debian.org>

Prev by Date: (E)LTS report for August 2020
Next by Date: Re: Backports needed for Firefox/Thunderbird ESR 78 in Buster/Stretch
Previous by thread: Re: golang-go.crypto / CVE-2019-11841
Next by thread: Re: golang-go.crypto / CVE-2019-11841
Index(es):
- Date
- Thread