Hi

Now the patch is available again in case you want to do the update.

/ Ola

On Fri, 19 Mar 2021 at 17:40, Ola Lundqvist <[email protected]> wrote:
> Hi
>
> I do not really think it is worth it. But that is more related to the fact
> that I have not understood what the security problem is.
>
> Yes, my site is down. It is concluded to be just ash right now. I have a
> backup so I should be able to upload the patch to somewhere else.
>
> // Ola
>
> On Thu, 18 Mar 2021 at 22:27, Utkarsh Gupta <[email protected]> wrote:
>
>> Hello,
>>
>> On Tue, Mar 9, 2021 at 11:15 PM Sylvain Beucler <[email protected]> wrote:
>> > > You can find the patch here:
>> > > http://apt.inguza.net/stretch-lts/golang-gogoprotobuf/CVE-2021-3121-1.patch
>>
>> Ola, can you move that patch to somewhere else? Because I guess your
>> site is still down. :(
>>
>> > It should be noted that golang* packages are supported in stretch but
>> > come with limited support, not due to code generation but due to Go
>> > static linking in the first place:
>> > https://salsa.debian.org/debian/debian-security-support/-/blob/stretch/security-support-limited
>> >
>> > If you do decide to support this package, I recently documented how to
>> > find direct reverse build dependencies at:
>> > https://wiki.debian.org/LTS/TestSuites/golang
>> >
>> > $ dose-ceve --deb-native-arch=amd64 -r golang-github-gogo-protobuf-dev
>> > -T debsrc
>> > debsrc:///var/lib/apt/lists/ftp.fr.debian.org_debian_dists_stretch_main_source_Sources
>> > deb:///var/lib/apt/lists/ftp.fr.debian.org_debian_dists_stretch_main_binary-amd64_Packages
>> > | grep-dctrl -n -s Package '' | sort -u
>> > gobgp
>> > golang-github-appc-goaci
>> > golang-github-appc-spec
>> > golang-github-mesos-mesos-go
>> > influxdb
>> > syncthing
>> > (Note: this is not recursive.)
>> >
>> > In addition, apt-file does provide a list of generated .pb.go files,
>> > though it also includes those from "plain" protobuf (of which
>> > gogoprotobuf is a fork) so not all are affected (the affected ones
>> > should contain "skippy" somewhere):
>> > # apt-file search .pb.go | cut -d: -f1 | sort -u
>> > golang-github-appc-spec-dev
>> > golang-github-gogo-protobuf-dev
>> > golang-github-golang-groupcache-dev
>> > golang-github-influxdb-influxdb-dev
>> > golang-github-mesos-mesos-go-dev
>> > golang-github-opencontainers-runc-dev
>> > golang-github-osrg-gobgp-dev
>> > golang-github-prometheus-alertmanager-dev
>> > golang-github-prometheus-client-model-dev
>> > golang-github-syncthing-syncthing-dev
>> > golang-gomega-dev
>> > golang-google-appengine-dev
>> > golang-google-genproto-dev
>> > golang-google-grpc-dev
>> > golang-gopkg-dancannon-gorethink.v1-dev
>> > golang-gopkg-dancannon-gorethink.v2-dev
>> > golang-goprotobuf-dev
>>
>> I'll be happy to do the work (that is, push the fix of
>> golang-gogoprotobuf and then rebuild all these packages) but honestly,
>> is it worth doing that? I don't think releasing this many DLAs makes
>> sense unless there's a fair trade-off, which I don't see yet.
>>
>> What do y'all think?
>>
>> - u
>
> --
> --- Inguza Technology AB --- MSc in Information Technology ----
> | [email protected] [email protected] |
> | http://inguza.com/ Mobile: +46 (0)70-332 1551 |
> ---------------------------------------------------------------
