Hello,

On Tue, Mar 9, 2021 at 11:15 PM Sylvain Beucler <b...@beuc.net> wrote:
>
> You can find the patch here:
>
> http://apt.inguza.net/stretch-lts/golang-gogoprotobuf/CVE-2021-3121-1.patch

Ola, can you move that patch to somewhere else? Because I guess your site
is still down. :(

> It should be noted that golang* packages are supported in stretch but
> come with limited support, not due to code generation but due to Go
> static linking in the first place:
> https://salsa.debian.org/debian/debian-security-support/-/blob/stretch/security-support-limited
>
> If you do decide to support this package, I recently documented how to
> find direct reverse build dependencies at:
> https://wiki.debian.org/LTS/TestSuites/golang
>
> $ dose-ceve --deb-native-arch=amd64 -r golang-github-gogo-protobuf-dev
> -T debsrc
> debsrc:///var/lib/apt/lists/ftp.fr.debian.org_debian_dists_stretch_main_source_Sources
> deb:///var/lib/apt/lists/ftp.fr.debian.org_debian_dists_stretch_main_binary-amd64_Packages
> | grep-dctrl -n -s Package '' | sort -u
> gobgp
> golang-github-appc-goaci
> golang-github-appc-spec
> golang-github-mesos-mesos-go
> influxdb
> syncthing
> (Note: this is not recursive.)
>
> In addition, apt-file does provide a list of generated .pb.go files,
> though it also includes those from "plain" protobuf (of which
> gogoprotobuf is a fork) so not all are affected (the affected ones
> should contain "skippy" somewhere):
> # apt-file search .pb.go | cut -d: -f1 | sort -u
> golang-github-appc-spec-dev
> golang-github-gogo-protobuf-dev
> golang-github-golang-groupcache-dev
> golang-github-influxdb-influxdb-dev
> golang-github-mesos-mesos-go-dev
> golang-github-opencontainers-runc-dev
> golang-github-osrg-gobgp-dev
> golang-github-prometheus-alertmanager-dev
> golang-github-prometheus-client-model-dev
> golang-github-syncthing-syncthing-dev
> golang-gomega-dev
> golang-google-appengine-dev
> golang-google-genproto-dev
> golang-google-grpc-dev
> golang-gopkg-dancannon-gorethink.v1-dev
> golang-gopkg-dancannon-gorethink.v2-dev
> golang-goprotobuf-dev

I'll be happy to do the work (that is, push the fix of golang-gogoprotobuf
and then rebuild all these packages) but honestly, is it worth doing that?
I don't think releasing this many DLAs makes sense unless there's a fair
trade-off, which I don't see yet.

What do y'all think?

- u
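The dose-ceve pipeline quoted above needs the local apt lists. As an added example (not from this thread, dose or Debian), the shell function below does the same direct reverse-build-dependency lookup offline, parsing the Build-Depends field of an embedded, constructed Sources excerpt with awk; the stanzas and their dependency lists are made up for the demo, and like `dose-ceve -r` the lookup is not recursive.

```shell
#!/bin/sh
# Constructed Sources excerpt (not real apt index data): three source stanzas.
SOURCES_SAMPLE='Package: gobgp
Binary: gobgp, golang-github-osrg-gobgp-dev
Build-Depends: debhelper (>= 10), dh-golang, golang-any, golang-github-gogo-protobuf-dev, golang-github-golang-protobuf-dev

Package: syncthing
Build-Depends: debhelper (>= 10),
 dh-golang,
 golang-github-gogo-protobuf-dev (>= 0.3),
 golang-github-golang-groupcache-dev

Package: unrelated
Build-Depends: debhelper (>= 10), golang-goprotobuf-dev | golang-github-golang-protobuf-dev
'

# rbdeps PACKAGE: print source packages whose Build-Depends or
# Build-Depends-Indep names PACKAGE directly (also inside "a | b"
# alternatives). Version, architecture and build-profile qualifiers are
# stripped. Not recursive: rebuilds of these may expose further rdeps.
rbdeps() {
  printf '%s\n' "$SOURCES_SAMPLE" | awk -v want="$1" '
    # Control files are blank-line separated stanzas; continuation
    # lines of a field start with whitespace.
    function flush() { if (pkg != "" && hit) print pkg; pkg = ""; hit = 0 }
    /^$/ { flush(); next }
    /^Package:/ { pkg = $2; field = ""; next }
    /^[^ \t]/ { field = $1 }
    (field == "Build-Depends:" || field == "Build-Depends-Indep:") {
      line = $0
      sub(/^Build-Depends(-Indep)?:/, "", line)
      n = split(line, deps, ",")
      for (i = 1; i <= n; i++) {
        m = split(deps[i], alts, "|")
        for (j = 1; j <= m; j++) {
          d = alts[j]
          gsub(/\(.*\)|\[.*\]|<.*>/, "", d)   # drop (version) [arch] <profile>
          gsub(/^[ \t]+|[ \t]+$/, "", d)
          if (d == want) hit = 1
        }
      }
    }
    END { flush() }
  ' | sort -u
}
```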