The only thing I can find about it is that it is a minor timing-related
security issue happening on ppc64le.
https://github.com/golang/go/issues/71383
via:
https://github.com/golang/go/issues?q=milestone%3AGo1.23.6+label%3ACherryPickApproved
-> https://github.com/golang/go/issues/71423.
So, IMHO, nobody running a supported version of FreeBSD will be affected.
NB: The go123 update is already in progress:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284681.
Regards,
Ronald.
From: "Fernando Apesteguía" <fernando.apesteg...@gmail.com>
Date: Sunday, 9 February 2025 15:08
To: Piotr Smyrak <ps.po...@smyrak.com>
CC: ports FreeBSD <ports@freebsd.org>, Stefan Bethke <s...@lassitu.de>
Subject: Re: Port has a security update to compile with golang 1.23.6, but we
only have 1.23.3
On Sun, 9 Feb 2025, 12:43, Piotr Smyrak <ps.po...@smyrak.com> wrote:
On Sun, 9 Feb 2025 09:47:52 +0100
Moin Rahman <b...@freebsd.org> wrote:
> > On Feb 9, 2025, at 09:43, Stefan Bethke <s...@lassitu.de> wrote:
> >
> > Gitea has released their version 1.23.3, which includes this in the
> > release notes
> > (https://github.com/go-gitea/gitea/releases/tag/v1.23.3)
> >
> > * Build Gitea with Golang v1.23.6 to fix security bugs
> >
> > As far as I can tell, the newest Golang package is:
> > go123-1.23.3 Go programming language
> > and the port has 1.23.5.
> >
> > As a port maintainer, how should I go about updating Gitea? Simply
> > bumping the version likely will not incorporate the fixes that have
> > been included in Go 1.23.6? Should I monitor the go123 port and
> > send in the update patch for Gitea once the Go port has been
> > updated? Or send the patch now, and bump port revision once go is
> > at (at least) 1.23.6?
> >
>
> As a non-committer you will eventually submit a PR or Review. So
> notify in the PR/Review that the gitea update should take place after
> Go has been updated to 1.23.6.
Well, an entry in security/vuxml database is needed. To let people
running the software they shall take their decision whether to stop
running it publicly, to extra protect it, etc.
Can you provide such an entry?
If not, where is the specific security bug information to be found?
--
Piotr Smyrak