Dear Anthony and Go Team,

I am looking for a review and sponsor for my uploads for gh which provide the minimally-viable patch to resolve Debian bug #1087883 and CVE-2024-52308. I noticed that this bug has been sitting open for over a month and is listed with severity grave, so I decided to put in a few cycles and help to get it resolved. As this bug technically affects both versions of gh in stable and unstable, I have prepared two uploads and put them on mentors for review. Both uploads can be seen here:

https://mentors.debian.net/package/gh/

And retrieved with:

dget -x https://mentors.debian.net/debian/pool/main/g/gh/gh_2.46.0-1.1.dsc
dget -x https://mentors.debian.net/debian/pool/main/g/gh/gh_2.23.0+dfsg1-1.1.dsc

The update just applies the two relevant Git commits from upstream that patch the vulnerability and nothing more. The fix for both 2.23.0 and 2.46.0 was identical except for line numbers. I uploaded the branches involved and signed tags to salsa:

https://salsa.debian.org/penguin359/gh/-/tree/debian/sid?ref_type=heads
https://salsa.debian.org/go-team/packages/gh/-/tree/debian/bookworm?ref_type=heads

I had meant to wait to upload the bookworm branch to the main go-team repo until it had undergone review and acceptance, but I had the wrong remote selected for the push. There was a build failure during the bookworm pipeline job, but it seems unrelated to the patch as it's from the bash-completion add-on to Debhelper.

Please advise if I am not following the desired workflow for changes such as this or if there are other improvements I should make.

Thank you,
Loren

--
Loren M. Lang
lor...@north-winds.org
http://www.north-winds.org/
Public Key: http://www.north-winds.org/lorenl_pubkey.asc
Fingerprint: 7896 E099 9FC7 9F6C E0ED E103 222D F356 A57A 98FA