[pkg-golang-devel] Wheezy update of golang?

Antoine Beaupré anarcat at orangeseeds.org
Fri Oct 27 15:15:21 UTC 2017


On 2017-10-24 15:44:18, Antoine Beaupré wrote:
> Hi,
>
> After further analysis for the issues affecting golang in Wheezy, I have
> concluded that it is not necessary to perform updates.
>
> CVE-2017-15041 concerns only the "go get" command, and only malicious
> Subversion repositories which can *then* chain into malicious git
> repositories. But then "go get" also builds an actual binary which is
> normally executed by the user.

After reviewing the patchset for this security issue, I have changed my
mind: the patch is small and doesn't require a full rebuild of all
golang packages, so we should ship it.

I also feel we should ship it for other suites. The patch is fairly easy
to backport as well.

So I'll push a DLA later today.

A.

-- 
A lot of people never use their initiative because no-one told them to.
                        - Bansky


