[pkg-go] Bug#859655: golang-go.crypto: CVE-2017-3204

2017-04-14 Thread anarcat
Control: user -1 debian-rele...@lists.debian.org
Control: usertags -1 bsp-2017-04-ca-montreal
Control: tags -1 +patch

I looked into this during the Montreal BSP, and it's unclear what we
should do here, considering there have been multiple new uploads since
the stretch freeze.

The patch is pretty long:

https://github.com/golang/crypto/commit/e4e2799dd7aab89f583e1d898300d96367750991

... and there's no way to just backport it into stretch at this point
(IIRC).

So I'm wondering if the next step here would not just be to ask for an
exception to unblock this for stretch, or just tell the release team to
just ignore this and drop the package from stretch.

Let me know,

A.

-- 
He who does not know history is condemned to relive it.
- Karl Marx

___
Pkg-go-maintainers mailing list
Pkg-go-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-go-maintainers


[pkg-go] Bug#859655: golang-go.crypto: CVE-2017-3204

2017-04-05 Thread Salvatore Bonaccorso
Source: golang-go.crypto
Version: 1:0.0~git20161012.0.5f31782-1
Severity: grave
Tags: upstream patch security
Forwarded: https://github.com/golang/go/issues/19767

Hi,

the following vulnerability was published for golang-go.crypto.

CVE-2017-3204[0]:
| The Go SSH library (x/crypto/ssh) by default does not verify host
| keys, facilitating man-in-the-middle attacks. Default behavior changed
| in commit e4e2799 to require explicitly registering a hostkey
| verification mechanism.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-3204
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3204
[1] https://github.com/golang/go/issues/19767

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

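The CVE text above describes the behavioural change that commit e4e2799 made in x/crypto/ssh: a client config with no host key verification is rejected instead of silently accepting any server key. The following Go program is an added example written for this thread; it is not code from the bug report, from Debian, or from the x/crypto project. To run with the standard library alone, it models the `ssh.HostKeyCallback` signature (`func(hostname string, remote net.Addr, key ssh.PublicKey) error`) with a local `PublicKey` interface and an ed25519 host key; the `ClientConfig`, `Validate`, `FixedHostKey`, `PinnedFingerprints` and `InsecureIgnoreHostKey` names are assumptions standing in for the library's `ssh.ClientConfig` check, `ssh.FixedHostKey`, the `knownhosts` package and `ssh.InsecureIgnoreHostKey` respectively.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// PublicKey is a minimal stand-in for ssh.PublicKey (assumption for this example).
type PublicKey interface {
	Type() string
	Marshal() []byte
}

// HostKeyCallback mirrors the callback type that ssh.ClientConfig requires after the fix.
type HostKeyCallback func(hostname string, remote net.Addr, key PublicKey) error

// ed25519HostKey is a constructed host key type so the example needs no external module.
type ed25519HostKey struct{ pub ed25519.PublicKey }

func (k ed25519HostKey) Type() string { return "ssh-ed25519" }

// Marshal produces the SSH wire encoding of the key: string(type) || string(keybytes).
func (k ed25519HostKey) Marshal() []byte {
	var buf bytes.Buffer
	writeString(&buf, []byte(k.Type()))
	writeString(&buf, k.pub)
	return buf.Bytes()
}

// writeString writes an SSH "string": 4-byte big-endian length followed by the bytes.
func writeString(buf *bytes.Buffer, s []byte) {
	var l [4]byte
	binary.BigEndian.PutUint32(l[:], uint32(len(s)))
	buf.Write(l[:])
	buf.Write(s)
}

// Fingerprint returns the OpenSSH-style "SHA256:<unpadded base64>" digest of the wire key,
// the form that appears in ssh-keygen -l output and that operators pin in known_hosts tooling.
func Fingerprint(key PublicKey) string {
	sum := sha256.Sum256(key.Marshal())
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// ClientConfig models the one field of ssh.ClientConfig that matters for CVE-2017-3204.
type ClientConfig struct {
	HostKeyCallback HostKeyCallback
}

// Validate reproduces the post-fix rule: a missing callback is a hard error, never "accept anything".
func (c *ClientConfig) Validate() error {
	if c.HostKeyCallback == nil {
		return errors.New("ssh: must specify HostKeyCallback")
	}
	return nil
}

// FixedHostKey pins exactly one expected key by comparing wire encodings (as ssh.FixedHostKey does).
func FixedHostKey(expected PublicKey) HostKeyCallback {
	want := expected.Marshal()
	return func(hostname string, remote net.Addr, key PublicKey) error {
		if !bytes.Equal(want, key.Marshal()) {
			return fmt.Errorf("host key mismatch for %s (%s): got %s", hostname, remote, Fingerprint(key))
		}
		return nil
	}
}

// PinnedFingerprints checks the presented key against a per-host fingerprint table;
// an unknown host is refused rather than trusted on first use.
func PinnedFingerprints(pins map[string]string) HostKeyCallback {
	return func(hostname string, remote net.Addr, key PublicKey) error {
		want, ok := pins[hostname]
		if !ok {
			return fmt.Errorf("no pinned host key for %s (%s)", hostname, remote)
		}
		if got := Fingerprint(key); got != want {
			return fmt.Errorf("host key for %s is %s, expected %s", hostname, got, want)
		}
		return nil
	}
}

// InsecureIgnoreHostKey is what the pre-fix default amounted to; shown only for contrast.
func InsecureIgnoreHostKey() HostKeyCallback {
	return func(string, net.Addr, PublicKey) error { return nil }
}

// newHostKey generates a throwaway ed25519 host key (constructed test input).
func newHostKey() ed25519HostKey {
	pub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return ed25519HostKey{pub: pub}
}

func main() {
	server, impostor := newHostKey(), newHostKey()
	addr := &net.TCPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 22}
	fmt.Println("empty config:", (&ClientConfig{}).Validate())
	pinned := PinnedFingerprints(map[string]string{"example.test": Fingerprint(server)})
	fmt.Println("genuine key:", pinned("example.test", addr, server))
	fmt.Println("impostor key:", pinned("example.test", addr, impostor))
	fmt.Println("old default with impostor:", InsecureIgnoreHostKey()("example.test", addr, impostor))
}
```

The contrast to keep in mind when reviewing a backport: before the fix, a `ClientConfig` with no callback behaved like `InsecureIgnoreHostKey` above, so every caller that never set one was silently exposed; after the fix those callers fail at connect time, which is why the upstream change touches so many files and is hard to cherry-pick without also updating reverse dependencies.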