Your message dated Wed, 18 Feb 2026 23:02:54 -0800
with message-id 
<cahnknk1xo_c0t1yyhdz9eox+xds2kzybjgiwhz2z1efuod_...@mail.gmail.com>
and subject line Re: Bug#1078139: version 1.23 "available"
has caused the Debian Bug report #1078139,
regarding Please update golang version to >=1.22 or at least >=1.19.13 in the 
stable Bookworm release, due to CVEs
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1078139: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078139
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: golang-go
Version: 2:1.19~1
Severity: important

Hello Debian Team,

golang-1.19-go version 1.19.8-2 is affected by various critical and high CVEs.

CVE List:

  *   https://security-tracker.debian.org/tracker/CVE-2023-29405: 9.8
  *   https://security-tracker.debian.org/tracker/CVE-2023-24540: 9.8
  *   https://security-tracker.debian.org/tracker/CVE-2023-29402: 9.8
  *   https://security-tracker.debian.org/tracker/CVE-2023-29404: 9.8
  *   https://security-tracker.debian.org/tracker/CVE-2023-29403: 7.8
The above listed CVEs got fixed in version 1.19.10 and above.

  *   https://security-tracker.debian.org/tracker/CVE-2023-39323: 8.1
  *   https://security-tracker.debian.org/tracker/CVE-2024-24784: 7.5
  *   https://security-tracker.debian.org/tracker/CVE-2024-24785: 7.5
  *   https://security-tracker.debian.org/tracker/CVE-2023-45289: 7.5
  *   https://security-tracker.debian.org/tracker/CVE-2023-45290: 7.5
  *   https://security-tracker.debian.org/tracker/CVE-2024-24783: 7.5
The above listed CVEs got fixed in version 1.21 and 1.22.1 and above.

Found that updated versions of the package are available in bookworm-backports.
golang-1.19-go  v1.19.13: 
https://packages.debian.org/bookworm-backports/golang-1.19-go
golang-1.22-go v1.22.1: 
https://packages.debian.org/bookworm-backports/golang-1.22-go

golang-go points to 1.19.8 in Bookworm: 
https://packages.debian.org/bookworm/golang-go,
while 1.22.1 in Bookworm backports: 
https://packages.debian.org/bookworm-backports/golang-go

Kindly update golang version to >=1.22 or at least >=1.19.13 in the stable 
Bookworm release for fixing the above listed vulnerabilities.

Let us know if any help is needed from my side for migrating the package from 
backports to stable Bookworm release.


Thanks & Regards,
Badrikesh

--- End Message ---
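As an added example (not part of the bug report or of any Debian tooling), the following Go program checks the output of `go version` against the fixed releases named in the report above and lists which of the reported CVEs that toolchain still lacks fixes for; it takes 1.22.1 as the threshold for the second CVE group, and the sample version string is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// versionKey maps "go1.19.8" (or full `go version` output) to an ordering integer.
func versionKey(s string) (int, error) {
	m := regexp.MustCompile(`\bgo(\d+)\.(\d+)(?:\.(\d+))?`).FindStringSubmatch(s)
	if m == nil {
		return 0, fmt.Errorf("no Go version found in %q", s)
	}
	key := 0
	for _, part := range m[1:] {
		n, _ := strconv.Atoi(part) // absent patch level: "" parses as 0
		key = key*1000 + n
	}
	return key, nil
}
// advisories pairs each CVE group from the report with its fixing release (second group: 1.22.1 as the threshold).
var advisories = []struct {
	fixedIn string
	cves    []string
}{
	{"go1.19.10", []string{"CVE-2023-29405", "CVE-2023-24540", "CVE-2023-29402", "CVE-2023-29404", "CVE-2023-29403"}},
	{"go1.22.1", []string{"CVE-2023-39323", "CVE-2024-24784", "CVE-2024-24785", "CVE-2023-45289", "CVE-2023-45290", "CVE-2024-24783"}},
}
// unfixedCVEs lists the report's CVEs still unpatched in the given toolchain.
func unfixedCVEs(versionOutput string) ([]string, error) {
	have, err := versionKey(versionOutput)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, a := range advisories {
		fixed, _ := versionKey(a.fixedIn) // table entries are well-formed constants
		if have < fixed {
			out = append(out, a.cves...)
		}
	}
	return out, nil
}

func main() {
	// Constructed `go version` output for the Bookworm toolchain named in the report.
	cves, err := unfixedCVEs("go version go1.19.8 linux/amd64")
	fmt.Println(len(cves), "unfixed:", cves, err)
}
```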
--- Begin Message ---
On Sun, 28 Sept 2025 at 20:37, Tianon Gravi <[email protected]> wrote:
> On Sun, 28 Sept 2025 at 12:55, Geert Stappers <[email protected]> wrote:
> > Somewhere in August 2024:
> > > Kindly update golang version to >=1.22 or at least >=1.19.13 in the
> > > stable Bookworm release for fixing the above listed vulnerabilities.
> > >
> > > Let us know if any help is needed from my side for migrating the
> > > package from backports to stable Bookworm release.
> >
> >
> > Meanwhile Bookworm became oldstable and Trixie stable.
> >
> > As I read https://tracker.debian.org/pkg/golang-defaults
> > today, 2025-09-28:
> >
> > - For stable, 2:1.24~2 is available
> > - For old-bpo, 2:1.23~2~bpo12+1 is available
> > - oldstable is still at 2:1.19~1
> >
> >
> > What would be good for Debian regarding this bugreport?
> >
> > Upload a 1.23 to oldstable?
> > Advise Bookworm users to activate backports?
>
> We should definitely not update src:golang-defaults to a new minor
> version in a prior release directly, as its primary purpose is to
> control the "default" version of Go used to compile most packages in
> the archive (and that might cause buildability issues in a place where
> we want to be even more careful about them than usual).
>
> At most, backports are probably reasonable, but I'm not exactly sure
> what the implication of that would be (it's probably mostly without
> issue, since backports builds don't necessarily choose backports
> packages unless their version constraints require it).

Closing https://bugs.debian.org/1078139 accordingly (there's not
really anything reasonable we can or should do here for bookworm *or*
trixie).

See https://bugs.debian.org/1116589 for where the general upgrade to
src:golang-defaults in unstable is being tracked.

♥,
- Tianon

--- End Message ---