Hi Mathias,

On Fri, Mar 20, 2026 at 04:27:03PM +0000, Mathias Gibbens wrote:
> It is unclear looking at the upstream issue and pull requests if this
> affects gobgp < v4.2.0 or not. If only v4.2.0 is affected, then this
> CVE doesn't affect any version of gobgp in Debian.
>
> The fix consists of two PRs:
> * https://github.com/osrg/gobgp/pull/3319 (included in v4.3.0)
> * https://github.com/osrg/gobgp/pull/3326 (not yet in a release)

Yes agreed, the available information is not fully clear, so we should err on the safe side. At least the pending merge for the vulndb indicates older versions as well: https://github.com/golang/vulndb/issues/4736

Regards,
Salvatore