On 2024-01-09 16:57 +0100, Jorropo wrote:
> Hello, there are 6 CVEs on the golang-go package which are not on
> https://security-tracker.debian.org/tracker/status/release/stable

They are there, just not shown by default. Toggle the "include issues
tagged no-dsa" checkbox to see them.

> I couldn't find them either there
> https://bugs.debian.org/cgi-bin/pkgreport.cgi?dist=unstable;package=golang-go

Not every CVE has a bug report in the Debian BTS, and there are
multiple golang versions packaged.

> The list is:
> - CVE-2023-29409 https://pkg.go.dev/vuln/GO-2023-1987
> - CVE-2023-29403 https://pkg.go.dev/vuln/GO-2023-1840
> - CVE-2023-29402 https://pkg.go.dev/vuln/GO-2023-1839
> - CVE-2023-39325 https://pkg.go.dev/vuln/GO-2023-2102
> - CVE-2023-39323 https://pkg.go.dev/vuln/GO-2023-2095
> - CVE-2023-39326 https://pkg.go.dev/vuln/GO-2023-2382
>
> This has been grabbed from the public golang vulnerability database
> searching for anything affecting 1.19.8 (what bookworm ships).
> I also checked that no patches have been backported by diffing the std
> from golang-go and the upstream 1.19.8 sources.

The CVEs are all in the security tracker for the golang-1.19 package:
https://security-tracker.debian.org/tracker/source-package/golang-1.19.

> Most of them could be fixed by updating to 1.19.12 however the 1.19
> branch is no longer supported. https://endoflife.date/go

It is up to the package maintainers to provide updates for stable or
not, and upgrading to a newer version might be risky. Version 1.19.13
is in bookworm-backports, however.

Cheers,
Sven