Re: Bug#991961: golang-1.15: CVE-2021-36221

To: Salvatore Bonaccorso <carnil@debian.org>, 991961@bugs.debian.org
Cc: Debian release team <debian-release@lists.debian.org>
Subject: Re: Bug#991961: golang-1.15: CVE-2021-36221
From: Shengjing Zhu <zhsj@debian.org>
Date: Sat, 7 Aug 2021 04:01:49 +0800
Message-id: <[🔎] CAFyCLW8Jr3+MH3Lr3h8o9MvLcu7M88o0ANTxxTXT-GrCP1NGBA@mail.gmail.com>
In-reply-to: <162827217381.466423.14823664676802193352.reportbug@eldamar.lan>
References: <162827217381.466423.14823664676802193352.reportbug@eldamar.lan>

Hi,

On Sat, Aug 7, 2021 at 1:51 AM Salvatore Bonaccorso <carnil@debian.org> wrote:
>
> Source: golang-1.15
> Version: 1.15.9-6
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/golang/go/issues/46866
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
>
> Hi,
>
> The following vulnerability was published for golang-1.15.
>
> CVE-2021-36221[0]:
> | net/http: panic due to racy read of persistConn after handler panic
>

The issue looks minor(upstream disclose it without pre-announce).
Should we fix it before the bullseye release?
Fixing issues in the compiler's std library needs to rebuild the whole
world, see #990825

Or we just postpone later, or just fix the compiler package along?

-- 
Shengjing Zhu

Reply to:

Follow-Ups:
- Re: Bug#991961: golang-1.15: CVE-2021-36221
  - From: Paul Gevers <elbrus@debian.org>

Prev by Date: Bug#991915: marked as done (unblock: otrs2/6.0.32-6)
Next by Date: Re: Bug#991961: golang-1.15: CVE-2021-36221
Previous by thread: Bug#991940: marked as done (unblock: munge/0.5.14-6)
Next by thread: Re: Bug#991961: golang-1.15: CVE-2021-36221
Index(es):
- Date
- Thread