Hello, there are 6 CVEs on the golang-go package which are not on https://security-tracker.debian.org/tracker/status/release/stable
I couldn't find them there either: https://bugs.debian.org/cgi-bin/pkgreport.cgi?dist=unstable;package=golang-go
The list is:
- CVE-2023-29409 https://pkg.go.dev/vuln/GO-2023-1987
- CVE-2023-29403 https://pkg.go.dev/vuln/GO-2023-1840
- CVE-2023-29402 https://pkg.go.dev/vuln/GO-2023-1839
- CVE-2023-39325 https://pkg.go.dev/vuln/GO-2023-2102
- CVE-2023-39323 https://pkg.go.dev/vuln/GO-2023-2095
- CVE-2023-39326 https://pkg.go.dev/vuln/GO-2023-2382
This has been grabbed from the public golang vulnerability database
searching for anything affecting 1.19.8 (what bookworm ships).
I also checked that no patches have been backported by diffing the std
from golang-go and the upstream 1.19.8 sources.
Most of them could be fixed by updating to 1.19.12; however, the 1.19
branch is no longer supported. https://endoflife.date/go
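
The lookup described in the message above (advisories in the Go vulnerability database that affect 1.19.8) comes down to evaluating OSV-format version ranges. The following is an added example, not part of the original message: the record is constructed (placeholder ID, made-up ranges) and `key` and `Affected` are hypothetical helper names.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed OSV-style record: placeholder ID and made-up ranges, not real advisory data.
const sampleOSV = `{"id":"GO-0000-0000","affected":[{"package":{"name":"stdlib"},"ranges":[{"type":"SEMVER",
 "events":[{"introduced":"0"},{"fixed":"1.19.12"},{"introduced":"1.20.0-0"},{"fixed":"1.20.7"}]}]}]}`

type osvEntry struct {
	Affected []struct {
		Ranges []struct {
			Events []struct{ Introduced, Fixed string }
		}
	}
}

// key maps "1.19.8" or "1.20.0-0" to a sortable integer; a pre-release suffix is ignored (simplification).
func key(v string) int {
	var major, minor, patch int
	fmt.Sscanf(v, "%d.%d.%d", &major, &minor, &patch) // missing parts stay 0
	return major*1_000_000 + minor*1_000 + patch
}

// Affected replays each range's events in order: "introduced" opens a window, "fixed" closes it.
func Affected(raw, version string) (bool, error) {
	var e osvEntry
	if err := json.Unmarshal([]byte(raw), &e); err != nil {
		return false, err
	}
	hit := false
	for _, a := range e.Affected {
		for _, r := range a.Ranges {
			in := false
			for _, ev := range r.Events {
				if ev.Introduced != "" && key(version) >= key(ev.Introduced) {
					in = true
				} else if ev.Fixed != "" && key(version) >= key(ev.Fixed) {
					in = false
				}
			}
			hit = hit || in
		}
	}
	return hit, nil
}

func main() { fmt.Println(Affected(sampleOSV, "1.19.8")) }
```

A distribution backport can fix an issue without changing the upstream version number, so a version-range match like this still needs the source diff the message describes.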