On Mon, Mar 17, 2025 at 12:07 AM Simon Josefsson <[email protected]> wrote:
>
> Hi.
>
> We have version 0.25.0 in unstable now. I noticed that there are
> vulnerabilities in <= 0.35.0:
>
> https://pkg.go.dev/vuln/GO-2025-3487
>
> This affects packages like go-git which fix this in their 5.14.0 release
> and need the x-crypto >= 0.35.0 bump.
>
> What is the status of this migration? I know it is late, but low-level
> crypto vulnerabilities seem serious, and maybe we can get an exception
> to upload 0.36.0 if we make sure all reverse dependencies build and
> work?! I did not look into if it is possible to back-port any small fix
> for this, and I suspect there are many other security-related fixes that
> happened in Go x-crypto between 0.25 and 0.36.
>
> Santiago, you uploaded 0.33 to experimental a month ago, did you perform
> any reverse builds of all packages in Debian using it? How about
> uploading 0.36 to experimental now and test using latest release? I can
> do that, it seems safe regardless of what will happen in unstable.
>
Just note that all golang.org/x/* are _usually_ safe to update as upstream says they don't break ABI for these packages. But I can't find where such a promise is documented currently...

--
Shengjing Zhu
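A module-level version check for the advisory discussed in this thread, as an added example that is not code from the thread or from any Debian package: it parses a go.mod, finds the golang.org/x/crypto requirement and compares it against v0.35.0, the version the message above gives as the fix for GO-2025-3487. The two go.mod files are constructed samples (the example.com module names are assumptions), and the semver comparison is a deliberately small one that covers release versions and treats any pre-release or pseudo-version as older than the release with the same numbers.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Advisory data as stated in the thread: GO-2025-3487 affects
// golang.org/x/crypto and is fixed in v0.35.0.
const (
	affectedModule = "golang.org/x/crypto"
	fixedVersion   = "v0.35.0"
)

// Constructed go.mod samples for the example (not from any real package).
const vulnerableGoMod = `module example.com/vulnapp

go 1.22

require (
	github.com/go-git/go-git/v5 v5.13.2
	golang.org/x/crypto v0.25.0
)
`

const fixedGoMod = `module example.com/fixedapp

go 1.22

require (
	github.com/go-git/go-git/v5 v5.14.0 // indirect
	golang.org/x/crypto v0.36.0
)
`

// parseSemver splits "vMAJOR.MINOR.PATCH[-pre][+build]" into its numeric
// parts and reports whether a pre-release/pseudo-version suffix was present.
func parseSemver(v string) (nums [3]int, prerelease bool, err error) {
	if !strings.HasPrefix(v, "v") {
		return nums, false, fmt.Errorf("not a module version: %q", v)
	}
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '+'); i >= 0 {
		v = v[:i] // build metadata never affects ordering
	}
	if i := strings.IndexByte(v, '-'); i >= 0 {
		prerelease = true // covers pseudo-versions like v0.35.0-0.20250101...-abcdef
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return nums, false, fmt.Errorf("malformed version: %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return nums, false, fmt.Errorf("malformed version component %q in %q", p, v)
		}
		nums[i] = n
	}
	return nums, prerelease, nil
}

// compareSemver returns -1, 0 or 1. Two pre-releases with equal numbers
// compare equal here; full pre-release ordering is not needed for this check.
func compareSemver(a, b string) (int, error) {
	an, apre, err := parseSemver(a)
	if err != nil {
		return 0, err
	}
	bn, bpre, err := parseSemver(b)
	if err != nil {
		return 0, err
	}
	for i := 0; i < 3; i++ {
		if an[i] < bn[i] {
			return -1, nil
		}
		if an[i] > bn[i] {
			return 1, nil
		}
	}
	switch {
	case apre && !bpre:
		return -1, nil
	case !apre && bpre:
		return 1, nil
	}
	return 0, nil
}

// RequiredVersion returns the version go.mod requires for module path,
// handling both "require x v1" and "require ( ... )" forms. Comments such
// as "// indirect" are stripped; replace/exclude directives are ignored.
func RequiredVersion(goMod, path string) (string, bool) {
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "":
			continue
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		}
		fields := strings.Fields(line)
		if !inBlock {
			if len(fields) != 3 || fields[0] != "require" {
				continue
			}
			fields = fields[1:]
		}
		if len(fields) == 2 && fields[0] == path {
			return fields[1], true
		}
	}
	return "", false
}

// IsVulnerable reports whether go.mod pins affectedModule below fixedVersion.
// A go.mod that does not require the module at all yields (false, "", nil).
func IsVulnerable(goMod string) (bool, string, error) {
	req, ok := RequiredVersion(goMod, affectedModule)
	if !ok {
		return false, "", nil
	}
	c, err := compareSemver(req, fixedVersion)
	if err != nil {
		return false, req, err
	}
	return c < 0, req, nil
}

func main() {
	samples := []struct{ name, mod string }{{"vulnerable", vulnerableGoMod}, {"fixed", fixedGoMod}}
	for _, s := range samples {
		vuln, req, err := IsVulnerable(s.mod)
		if err != nil {
			fmt.Println(s.name, "error:", err)
			continue
		}
		fmt.Printf("%s: %s %s (fix %s) vulnerable=%v\n", s.name, affectedModule, req, fixedVersion, vuln)
	}
}
```

This is only the module-graph half of what govulncheck does; it does not check whether the affected symbols are reachable, so a "vulnerable" result is an upper bound. It also reads nothing but the go.mod requirement, so for a Debian build, which compiles against the packaged copy of x/crypto rather than the version pinned in an upstream go.mod, the version that matters is the one in the Debian package.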
