
Bug#916642: golang CVE-2019-6486 (DoS in crypto/elliptic)



On Fri, Jan 25, 2019 at 08:23:52AM -0500, James McCoy wrote:
> On Thu, Jan 24, 2019 at 03:00:22PM +0100, Dr. Tobias Quathamer wrote:
> > On 24.01.2019 at 09:12, Emilio Pozuelo Monfort wrote:
> > > On 24/01/2019 08:58, Michael Stapelberg wrote:
> > >> Last time, pochu@ (cc'ed) helpfully scheduled binNMUs. pochu, would you be
> > >> able to help this time, too?
> > > 
> > > Sure. Can you give me a list of source packages to binNMU in unstable? If this
> > > is public already, can you do that through a binNMU bug against release.debian.org?
> > > 
> > > Emilio
> > 
> > Hi all,
> > 
> > there is already an outdated binNMU list as bug report available, so
> > I'm reusing that report. Please ignore the previously attached
> > binNMU list of that bug report.
> > 
> > This should be a complete and current list of needed binNMUs:
> > 
> > 
> > [‥]
> >   nmu serf_0.8.1+git20180508.80ab4877~ds-1 . ANY . -m 'Rebuild with current golang-1.11 (CVE-2019-6486)'
> 
> This is a (common) mistake.  src:serf does not use golang.
> src:golang-github-hashicorp-serf is the golang package, which produces
> bin:serf, however I just saw that src:serf was binNMUed.

Ping.

nmu golang-github-hashicorp-serf_0.8.1+git20180508.80ab4877~ds-1 . ANY .  -m 'Rebuild with current golang-1.11 (CVE-2019-6486)'

Tobias, your tool should be updated to ensure it's using the source
package name, not the binary package name.

Cheers,
-- 
James
GPG Key: 4096R/91BF BF4D 6956 BD5D F7B7  2D23 DFE6 91AE 331B A3DB

