Re: golang-go.crypto / CVE-2019-11841

[Utkarsh Gupta <utkarsh@debian.org>]

Hi Brian,

On Mon, Oct 5, 2020 at 3:35 AM Brian May <bam@debian.org> wrote:
> I wasn't sure it was going to be worth it?

Maybe not for an independent DLA but we could always piggyback them
along with the ones that do.
(at least that's my opinion!)

> $ patch --dry-run -p1  < ../CVE-2020-9283.patch
> checking file ssh/keys.go
> Hunk #1 succeeded at 494 with fuzz 1 (offset -68 lines).
> Hunk #2 FAILED at 584.
> Hunk #3 FAILED at 840.
> Hunk #4 succeeded at 807 with fuzz 2 (offset -57 lines).
> Hunk #5 FAILED at 903.
> Hunk #6 FAILED at 1056.
> Hunk #7 FAILED at 1309.
> 5 out of 7 hunks FAILED
>
> Looking at this again, it looks like it should be trivial to apply #2,
> #5, and #6 manually. Not sure why these didn't apply automatically.
> Which just leaves #3 - may not be required - and #7 - which only patches
> a comment.

Ah, great. It'd nice to include this then! :)


- u