Bug#916642: golang CVE-2019-6486 (DoS in crypto/elliptic)

[James McCoy <jamessan@debian.org>]

On Thu, Jan 24, 2019 at 03:00:22PM +0100, Dr. Tobias Quathamer wrote:
> Am 24.01.2019 um 09:12 schrieb Emilio Pozuelo Monfort:
> > On 24/01/2019 08:58, Michael Stapelberg wrote:
> >> Last time, pochu@ (cc'ed) helpfully scheduled binNMUs. pochu, would you be
> >> able to help this time, too?
> > 
> > Sure. Can you give me a list of source packages to binNMU in unstable? If this
> > is public already, can you do that through a binNMU bug against release.debian.org?
> > 
> > Emilio
> 
> Hi all,
> 
> there is already an outdated binNMU list as bug report available, so
> I'm reusing that report. Please ignore the previously attached
> binNMU list of that bug report.
> 
> This should be a complete and current list of needed binNMUs:
> 
> 
> [‥]
>   nmu serf_0.8.1+git20180508.80ab4877~ds-1 . ANY . -m 'Rebuild with current golang-1.11 (CVE-2019-6486)'

This is a (common) mistake.  src:serf does not use golang.
src:golang-github-hashicorp-serf is the golang package, which producees
bin:serf, however I just saw that src:serf was binNMUed.

Cheers,
-- 
James
GPG Key: 4096R/91BF BF4D 6956 BD5D F7B7  2D23 DFE6 91AE 331B A3DB