
Re: golang-go.crypto / CVE-2019-11841



Ola Lundqvist <ola@inguza.com> writes:

> I agree with you about the hash part (the main part of it) of this CVE. In
> fact this CVE is about two different things. If gnupg does hash validation I
> think go should do the same.

It concerns me that we have marked CVE-2019-11841 as resolved in
bullseye and sid, and we have no good procedures for "undoing" a DLA/DSA
that marks a CVE as resolved. This is something that has happened in the
past also.

I think it might be possible to update data/DLA/list or data/DSA/list
and remove the CVE from the DLA/DSA. Maybe then we would need to update
data/CVE/list also (unless this happens automatically). But then we would
still have the problem that the last email sent said that the issue was
fixed.

> I was referring to the second part of the vulnerability described in
> "Moreover, since...". Now when I read about it, it is clear that it is only
> referring to the PHP header part and not the rest of the text. I wonder if
> that should be seen as a separate vulnerability, that people think the
> whole text is signed, while it is just a part of it... But that should
> probably be on the application layer on top of this library.

Yes, it probably should have been two separate CVEs. Having two distinct
issues in one CVE gets confusing when only one issue gets resolved.

If I understand this correctly, I believe this part was resolved.
-- 
Brian May <bam@debian.org>
