Looking at: https://security-tracker.debian.org/tracker/CVE-2019-9512 https://security-tracker.debian.org/tracker/CVE-2019-9514 Under "golang-1.7" release stretch it says "vulnerable". But in the notes, there is: [stretch] - golang-1.7 <ignored> (Minor issue) Why? Anyway, as this was marked as minor for golang-1.7 in Stretch, probably also should be marked as minor for golang-golang-x-net-dev also... -- Brian May <bam@debian.org>