Bug#1005340: bullseye-pu: package golang-1.15/1.15.15-1~deb11u3
Control: tags -1 + confirmed
On Sat, 2022-02-12 at 00:52 +0800, Shengjing Zhu wrote:
> [ Reason ]
> Backport patches for CVE-2022-23806 CVE-2022-23772 CVE-2022-23773
>
> [ Impact ]
>
> + CVE-2022-23806: crypto/elliptic: fix IsOnCurve for big.Int values
> that are not valid coordinates
> + CVE-2022-23772: math/big: prevent large memory consumption in
> Rat.SetString
> + CVE-2022-23773: cmd/go: prevent branches from materializing into
> versions
>
> All are minor security issues, so I'd like to go with stable-pu.
[...]
> CVE-2022-23806 and CVE-2022-23772 are for Go std library, which is
> statically linked in all Go programs. But these issues look too minor
> to rebuild all Go programs.
Please go ahead.
Regards,
Adam