Re: golang-1.7 / CVE-2019-9514 / CVE-2019-9512

To: debian-lts@lists.debian.org
Subject: Re: golang-1.7 / CVE-2019-9514 / CVE-2019-9512
From: Brian May <bam@debian.org>
Date: Tue, 08 Dec 2020 09:24:14 +1100
Message-id: <[🔎] 87wnxtl0fl.fsf@canidae.wired.pri>
In-reply-to: <[🔎] 87a6uqmw0v.fsf@canidae.wired.pri>
References: <87y2ljop3b.fsf@canidae.wired.pri> <[🔎] 87mtyvn8ue.fsf@canidae.wired.pri> <[🔎] 87h7p2mwyb.fsf@canidae.wired.pri> <[🔎] 87a6uqmw0v.fsf@canidae.wired.pri>

Brian May <bam@debian.org> writes:

> I have a patch to fix this. As attached.

I believe that there are exactly two additional packages that would need
to be rebuilt in stretch (i.e. that include the http2 server code):

- dnss
- gobgpd

Not 100% sure if these support creating a http2 server, but might be
worth rebuilding just in case.

Is it OK for me to add these to dla-needed.txt?
-- 
Brian May <bam@debian.org>

Reply to:

References:
- Re: golang-1.7 / CVE-2019-9514 / CVE-2019-9512
  - From: Brian May <bam@debian.org>
- Re: golang-1.7 / CVE-2019-9514 / CVE-2019-9512
  - From: Brian May <bam@debian.org>
- Re: golang-1.7 / CVE-2019-9514 / CVE-2019-9512
  - From: Brian May <bam@debian.org>

Prev by Date: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)
Next by Date: Incomplete fix for CVE-2019-20218/sqlite3
Previous by thread: Re: golang-1.7 / CVE-2019-9514 / CVE-2019-9512
Next by thread: Certbot security update (Bug #969126)
Index(es):
- Date
- Thread