Hello, there are 6 CVEs on the golang-go package which are not on https://security-tracker.debian.org/tracker/status/release/stable
I couldn't find them either there https://bugs.debian.org/cgi-bin/pkgreport.cgi?dist=unstable;package=golang-go The list is: - CVE-2023-29409 https://pkg.go.dev/vuln/GO-2023-1987 - CVE-2023-29403 https://pkg.go.dev/vuln/GO-2023-1840 - CVE-2023-29402 https://pkg.go.dev/vuln/GO-2023-1839 - CVE-2023-39325 https://pkg.go.dev/vuln/GO-2023-2102 - CVE-2023-39323 https://pkg.go.dev/vuln/GO-2023-2095 - CVE-2023-39326 https://pkg.go.dev/vuln/GO-2023-2382 This has been grabbed from the public golang vulnerability database searching for anything affecting 1.19.8 (what bookworm ships). I also checked that no patches have been backported by diffing the std from golang-go and the upstream 1.19.8 sources. Most of them could be fixed by updating to 1.19.12 however the 1.19 branch is no longer supported. https://endoflife.date/go
