Re: Where to report CVEs missing from the security tracker?
On 2024-01-09 16:57 +0100, Jorropo wrote:
> Hello, there are 6 CVEs on the golang-go package which are not on
> https://security-tracker.debian.org/tracker/status/release/stable
They are there, just not shown by default. Toggle the "include issues
tagged no-dsa" checkbox to see them.
> I couldn't find them either there
> https://bugs.debian.org/cgi-bin/pkgreport.cgi?dist=unstable;package=golang-go
Not every CVE has a bug report in the Debian BTS, and there are multiple
golang versions packaged.
> The list is:
> - CVE-2023-29409 https://pkg.go.dev/vuln/GO-2023-1987
> - CVE-2023-29403 https://pkg.go.dev/vuln/GO-2023-1840
> - CVE-2023-29402 https://pkg.go.dev/vuln/GO-2023-1839
> - CVE-2023-39325 https://pkg.go.dev/vuln/GO-2023-2102
> - CVE-2023-39323 https://pkg.go.dev/vuln/GO-2023-2095
> - CVE-2023-39326 https://pkg.go.dev/vuln/GO-2023-2382
>
> This has been grabbed from the public golang vulnerability database
> searching for anything affecting 1.19.8 (what bookworm ships).
> I also checked that no patches have been backported by diffing the std
> from golang-go and the upstream 1.19.8 sources.
The CVEs are all in the security tracker for the golang-1.19 package:
https://security-tracker.debian.org/tracker/source-package/golang-1.19.
> Most of them could be fixed by updating to 1.19.12 however the 1.19
> branch is no longer supported. https://endoflife.date/go
It is up to the package maintainers to provide updates for stable or
not, and upgrading to a newer version might be risky. Version 1.19.13
is in bookworm-backports, however.
Cheers,
Sven
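The check Jorropo describes above (searching the public Go vulnerability database for anything affecting 1.19.8) can be reproduced offline against downloaded OSV records. The Go program below is an added example written for this page; it is not code from the thread, from the Go project or from Debian. It evaluates OSV "SEMVER" ranges (the introduced/fixed event lists that vuln.go.dev entries use to describe affected versions) against a Go release string, handling the "0" sentinel and the "1.20.0-0" pre-release form that marks the start of a release line. The two records embedded in sampleDocs are constructed for illustration with placeholder IDs and describe no real vulnerability; real entries are served one per ID, for example https://vuln.go.dev/ID/GO-2023-1987.json, and vulndb names the standard library package "stdlib".

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// osvEntry is the subset of the OSV schema this check needs; the field names
// follow the JSON served at https://vuln.go.dev/ID/<id>.json.
type osvEntry struct {
	ID       string `json:"id"`
	Affected []struct {
		Package struct {
			Name string `json:"name"`
		} `json:"package"`
		Ranges []struct {
			Events []osvEvent `json:"events"`
		} `json:"ranges"`
	} `json:"affected"`
}

// osvEvent carries exactly one of the two fields.
type osvEvent struct {
	Introduced string `json:"introduced"`
	Fixed      string `json:"fixed"`
}

// semver holds a Go version such as "1.19.8"; "1.20.0-0" is the pre-release
// form vulndb uses for "from the very start of the 1.20 line".
type semver struct {
	nums [3]int
	pre  string
}

func parseSemver(s string) (semver, error) {
	var v semver
	if i := strings.IndexByte(s, '-'); i >= 0 {
		v.pre, s = s[i+1:], s[:i]
	}
	for i, p := range strings.Split(s, ".") {
		n, err := strconv.Atoi(p)
		if i > 2 || err != nil || n < 0 {
			return v, fmt.Errorf("bad version %q", s)
		}
		v.nums[i] = n
	}
	return v, nil
}

// compare orders versions numerically; a pre-release sorts before its release.
func compare(a, b semver) int {
	for i := range a.nums {
		if a.nums[i] != b.nums[i] {
			if a.nums[i] < b.nums[i] {
				return -1
			}
			return 1
		}
	}
	if a.pre == "" || b.pre == "" {
		return strings.Compare(b.pre, a.pre) // "" (a release) beats any pre-release
	}
	return strings.Compare(a.pre, b.pre)
}

// rangeAffected sorts the events by version and lets the last event at or
// below v decide; "introduced":"0" therefore means "from the first release".
func rangeAffected(events []osvEvent, v semver) (bool, error) {
	type ev struct {
		ver        semver
		introduced bool
	}
	var evs []ev
	for _, e := range events {
		raw, intro := e.Fixed, false
		if e.Introduced != "" {
			raw, intro = e.Introduced, true
		}
		sv, err := parseSemver(raw)
		if err != nil {
			return false, err
		}
		evs = append(evs, ev{sv, intro})
	}
	sort.SliceStable(evs, func(i, j int) bool { return compare(evs[i].ver, evs[j].ver) < 0 })
	affected := false
	for _, e := range evs {
		if compare(e.ver, v) <= 0 {
			affected = e.introduced
		}
	}
	return affected, nil
}

// Affected returns the IDs of the OSV documents in docs whose ranges for
// package pkg ("stdlib" for the standard library) cover Go release version.
func Affected(docs []string, pkg, version string) ([]string, error) {
	v, err := parseSemver(version)
	if err != nil {
		return nil, err
	}
	var ids []string
	for _, doc := range docs {
		var e osvEntry
		if err := json.Unmarshal([]byte(doc), &e); err != nil {
			return nil, err
		}
		for _, a := range e.Affected {
			for _, r := range a.Ranges {
				hit, err := rangeAffected(r.Events, v)
				if err != nil {
					return nil, fmt.Errorf("%s: %w", e.ID, err)
				}
				if hit && a.Package.Name == pkg && (len(ids) == 0 || ids[len(ids)-1] != e.ID) {
					ids = append(ids, e.ID)
				}
			}
		}
	}
	return ids, nil
}

// sampleDocs are constructed records with placeholder IDs (not real vulndb
// entries), laid out like vuln.go.dev stdlib entries: the first is fixed in
// 1.19.12 and 1.20.7, the second only ever affected the 1.20 and 1.21 lines.
var sampleDocs = []string{
	`{"id":"GO-0000-0001","affected":[{"package":{"name":"stdlib"},"ranges":[{"type":"SEMVER",
	  "events":[{"introduced":"0"},{"fixed":"1.19.12"},{"introduced":"1.20.0-0"},{"fixed":"1.20.7"}]}]}]}`,
	`{"id":"GO-0000-0002","affected":[{"package":{"name":"stdlib"},"ranges":[{"type":"SEMVER",
	  "events":[{"introduced":"1.20.0-0"},{"fixed":"1.20.10"},{"introduced":"1.21.0-0"},{"fixed":"1.21.3"}]}]}]}`,
}

func main() {
	for _, ver := range []string{"1.19.8", "1.19.12", "1.20.3"} {
		ids, err := Affected(sampleDocs, "stdlib", ver)
		if err != nil {
			panic(err)
		}
		fmt.Printf("Go %s: affected by %v\n", ver, ids)
	}
}
```

Against the constructed records, 1.19.8 matches the first entry, 1.19.12 matches neither and 1.20.3 matches both, which is the kind of result the list in the thread was built from. The caveat is the one Sven's reply makes: this matches upstream version numbers only, so it cannot see a fix that a distribution backported without bumping the version; for what bookworm's golang-1.19 actually contains, the Debian security tracker entry for the source package is the authority, and the no-dsa toggle is needed to see the issues that were triaged as not warranting a DSA.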