Hi Brian,

On 09/09/2020 00:55, Brian May wrote:
> Looking at:
>
> https://security-tracker.debian.org/tracker/CVE-2019-9512
> https://security-tracker.debian.org/tracker/CVE-2019-9514
>
> Under "golang-1.7" release stretch it says "vulnerable".
>
> But in the notes, there is:
>
> [stretch] - golang-1.7 <ignored> (Minor issue)
>
> Why?

Why... is there a discrepancy?
-> because ignored vulnerabilities keep the package vulnerable

Why... was it marked as ignored?
-> non-LTS triaging, security team often doesn't justify; check
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/de6118ef838589de05f9f606c90e66ef47d91ede
for the original commit and who you may ask for details (this was 1 year ago though).

> Anyway, as this was marked as minor for golang-1.7 in Stretch, probably
> also should be marked as minor for golang-golang-x-net-dev also...

I think you can re-evaluate these 2 issues and decide whether an LTS fix should be done for the impacted packages.

Cheers!
Sylvain