Bug#916642: golang CVE-2019-6486 (DoS in crypto/elliptic)
- To: James McCoy <jamessan@debian.org>, 916642@bugs.debian.org, "Dr. Tobias Quathamer" <toddy@debian.org>, Michael Stapelberg <stapelberg@debian.org>, security@debian.org, Michael Hudson-Doyle <mwhudson@debian.org>, Tianon Gravi <tianon@debian.org>, Paul Tagliamonte <paultag@debian.org>, Martín Ferrari <tincho@debian.org>, pkg-golang-devel@alioth-lists.debian.net
- Subject: Bug#916642: golang CVE-2019-6486 (DoS in crypto/elliptic)
- From: Niels Thykier <niels@thykier.net>
- Date: Sat, 02 Feb 2019 06:40:00 +0000
- Message-id: <[🔎] c00a05e5-f3ff-99f2-97f3-076c1f0eb89b@thykier.net>
- Reply-to: Niels Thykier <niels@thykier.net>, 916642@bugs.debian.org
- In-reply-to: <[🔎] 20190202012534.4ch2kqsl47m7lukw@odin.jamessan.com>
- References: <CANnVG6m=w=j0NNmMtJmRvFVZUhcXSC_xSG9-SsETpsLaN7771w@mail.gmail.com> <084921f6-a280-b411-ee67-c7ff4b44ff69@debian.org> <26640389-7e72-572a-e4a8-076d678eb01f@debian.org> <6298848d-71ae-814d-44c1-ab7ab812c07d@debian.org> <20190125132352.xja2d6fr56po4bhy@odin.jamessan.com> <26640389-7e72-572a-e4a8-076d678eb01f@debian.org> <[🔎] 20190202012534.4ch2kqsl47m7lukw@odin.jamessan.com> <26640389-7e72-572a-e4a8-076d678eb01f@debian.org>
James McCoy:
> On Fri, Jan 25, 2019 at 08:23:52AM -0500, James McCoy wrote:
>> On Thu, Jan 24, 2019 at 03:00:22PM +0100, Dr. Tobias Quathamer wrote:
>>> Am 24.01.2019 um 09:12 schrieb Emilio Pozuelo Monfort:
>>>> On 24/01/2019 08:58, Michael Stapelberg wrote:
>>>>> Last time, pochu@ (cc'ed) helpfully scheduled binNMUs. pochu, would you be
>>>>> able to help this time, too?
>>>>
>>>> Sure. Can you give me a list of source packages to binNMU in unstable? If this
>>>> is public already, can you do that through a binNMU bug against release.debian.org?
>>>>
>>>> Emilio
>>>
>>> Hi all,
>>>
>>> there is already an outdated binNMU list as bug report available, so
>>> I'm reusing that report. Please ignore the previously attached
>>> binNMU list of that bug report.
>>>
>>> This should be a complete and current list of needed binNMUs:
>>>
>>>
>>> [‥]
>>> nmu serf_0.8.1+git20180508.80ab4877~ds-1 . ANY . -m 'Rebuild with current golang-1.11 (CVE-2019-6486)'
>>
>> This is a (common) mistake. src:serf does not use golang.
>> src:golang-github-hashicorp-serf is the golang package, which producees
>> bin:serf, however I just saw that src:serf was binNMUed.
>
> Ping.
>
> nmu golang-github-hashicorp-serf_0.8.1+git20180508.80ab4877~ds-1 . ANY . -m 'Rebuild with current golang-1.11 (CVE-2019-6486)'
>
> Tobias, your tool should be updated to ensure it's using the source
> pacakge name, not the binary package name.
>
> Cheers,
>
Scheduled golang-github-hashicorp-serf_0.8.1+git20180508.80ab4877~ds-1.
Thanks,
~Niels
Reply to: