
Bug#1005340: bullseye-pu: package golang-1.15/1.15.15-1~deb11u3



Control: tags -1 + confirmed

On Sat, 2022-02-12 at 00:52 +0800, Shengjing Zhu wrote:
> [ Reason ]
> Backport patches for CVE-2022-23806 CVE-2022-23772 CVE-2022-23773
> 
> [ Impact ]
> 
> + CVE-2022-23806: crypto/elliptic: fix IsOnCurve for big.Int values
>   that are not valid coordinates
> + CVE-2022-23772: math/big: prevent large memory consumption in
>   Rat.SetString
> + CVE-2022-23773: cmd/go: prevent branches from materializing into
>   versions
> 
> All are minor security issues, so I'd like to go with stable-pu.
[...]
> CVE-2022-23806 and CVE-2022-23772 are for Go std library, which is
> statically linked in all Go programs. But these issues look like too
> minor to rebuild all Go programs.

Please go ahead.

Regards,

Adam

