On Wed, 2021-07-14 at 20:16 +0800, Shengjing Zhu wrote:

> That feels over-engineering/energy-wasting.

Another option would be to search the source code, and these findings would need to be confirmed using grep, but looking at codesearch:

https://codesearch.debian.net/search?q=%5C.generateClientKeyExchange&literal=0

golang-github-marten-seemann-qtls
golang-github-marten-seemann-qtls-go1-15
golang-github-cloudflare-cfssl
golang-refraction-networking-utls
heartbleeder

As well as anything that transitively build-depends on any of these.

That said, I don't think rebuilding those packages will fix the issue, since they have embedded code copies of key_agreement.go and possibly use those copies instead of the code from the std library.

There are also a number of other copies of key_agreement.go as well as copies of handshake_client.go, which calls the vulnerable code.

$ apt-file search -I dsc key_agreement.go
android-platform-external-boringssl: /src/ssl/test/runner/key_agreement.go
chromium: /third_party/boringssl/src/ssl/test/runner/key_agreement.go
gcc-avr: /gcc/libgo/go/crypto/tls/key_agreement.go
gcc-riscv64-unknown-elf: /libgo/go/crypto/tls/key_agreement.go
golang-1.15: /src/crypto/tls/key_agreement.go
golang-1.16: /src/crypto/tls/key_agreement.go
golang-github-cloudflare-cfssl: /scan/vendor/crypto/tls/key_agreement.go
golang-github-marten-seemann-qtls: /key_agreement.go
golang-github-marten-seemann-qtls-go1-15: /key_agreement.go
golang-refraction-networking-utls: /key_agreement.go
heartbleeder: /tls/key_agreement.go
llvm-toolchain-9: /llgo/third_party/gofrontend/libgo/go/crypto/tls/key_agreement.go
mono: /external/boringssl/ssl/test/runner/key_agreement.go

$ apt-file search -I dsc handshake_client.go
android-platform-external-boringssl: /src/ssl/test/runner/handshake_client.go
chromium: /third_party/boringssl/src/ssl/test/runner/handshake_client.go
gcc-avr: /gcc/libgo/go/crypto/tls/handshake_client.go
gcc-riscv64-unknown-elf: /libgo/go/crypto/tls/handshake_client.go
golang-1.15: /src/crypto/tls/handshake_client.go
golang-1.16: /src/crypto/tls/handshake_client.go
golang-github-cloudflare-cfssl: /scan/vendor/crypto/tls/handshake_client.go
golang-github-marten-seemann-qtls: /handshake_client.go
golang-github-marten-seemann-qtls-go1-15: /handshake_client.go
golang-refraction-networking-utls: /handshake_client.go
heartbleeder: /tls/handshake_client.go
llvm-toolchain-9: /llgo/third_party/gofrontend/libgo/go/crypto/tls/handshake_client.go
mono: /external/boringssl/ssl/test/runner/handshake_client.go

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
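The grep confirmation step mentioned in the message above, sketched as an added example that is not part of the original message or of any Debian tooling: it walks an unpacked source tree, finds copies of the two file names, and reports whether each copy defines or calls generateClientKeyExchange. The function names, the origin labels and the sample tree are assumptions made for illustration.

```shell
# Added example: report copies of key_agreement.go / handshake_client.go in a tree.
# SYMBOL and the two file names come from the message; all other names are assumed.
SYMBOL='generateClientKeyExchange'

# classify_copy FILE -> "defines" (method definition), "calls" or "none".
classify_copy() {
    if grep -Eq "^func \([^)]*\) ${SYMBOL}\(" "$1"; then
        echo defines
    elif grep -Fq ".${SYMBOL}(" "$1"; then
        echo calls
    else
        echo none
    fi
}

# origin_of PATH -> "vendored" for a vendor/ directory, "toolchain" for the
# crypto/tls directory of a Go toolchain source tree, otherwise "embedded".
origin_of() {
    case "$1" in
        */vendor/*) echo vendored ;;
        */src/crypto/tls/*|*/libgo/go/crypto/tls/*) echo toolchain ;;
        *) echo embedded ;;
    esac
}

# scan_tree DIR -> one "origin role relative-path" line per copy, sorted by path.
scan_tree() {
    ( cd "$1" || exit 1
      find . -type f \( -name key_agreement.go -o -name handshake_client.go \) |
      sort | while IFS= read -r f; do
          printf '%s %s %s\n' "$(origin_of "$f")" "$(classify_copy "$f")" "${f#./}"
      done )
}

# make_sample_tree DIR: constructed stand-in files, not real package contents.
make_sample_tree() {
    mkdir -p "$1/golang/src/crypto/tls" "$1/cfssl/scan/vendor/crypto/tls" "$1/utls"
    printf 'package tls\nfunc (ka rsaKeyAgreement) %s(c *Config) {}\n' "$SYMBOL" \
        > "$1/golang/src/crypto/tls/key_agreement.go"
    printf 'package tls\nfunc f() { keyAgreement.%s(c) }\n' "$SYMBOL" \
        > "$1/cfssl/scan/vendor/crypto/tls/handshake_client.go"
    printf 'package tls\n// no reference here\n' > "$1/utls/key_agreement.go"
}

# Usage: pass the directory holding the unpacked sources as the first argument.
if [ "$#" -gt 0 ]; then scan_tree "$1"; fi
```

A copy reported as "vendored" or "embedded" with role "defines" is one that a rebuild against a fixed standard library would not change.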