On 31.12.24 12:17, Loren M. Lang wrote:
As I am relatively new to the Go Team, I chose to keep it to a smaller,
easier to review, change which resolved the CVE with the highest score.
That was the only CVE that led to a Debian bug of severity grave and
threatened to remove it from testing a few weeks from now. It has a
CVE base score of 8.0. The others have a score of 6.5 or less and their
corresponding Debian bugs are only of severity important.

Sure, but in case other releases, like Bookworm, shall get an update as well, it would help other teams to bundle patches. Anyway, important bugs are not release critical but should be fixed in any case.


Now that my feet are wet, I do plan to dig into the other CVEs and find
the appropriate minimally viable patch to fix them; however, I probably
won't have enough time until next weekend.

Yes, the fix for CVE-2024-54132 doesn't look that easy to backport and the fix for CVE-2024-53858 is somewhere hidden in the commits between v2.26.0 and v2.63.0. Good luck :-).

Do you intend to work on a patch for Bullseye as well?

  Thorsten
