2024-12-04 11:51:26 https://www.zerodayinitiative.com/advisories/ZDI-24-1642/
2024-12-04 11:54:21 oh, probably not an issue for us then...
2024-12-04 11:58:00 since we have long past upgraded from the vulnerable linux versions
2024-12-06 17:25:57 https://www.cve.org/CVERecord?id=CVE-2024-12254 (python 3.12.x asyncio unbounded memory buffering)
2024-12-10 00:07:58 #16721
2024-12-11 18:57:57 go x/crypto/ssh: misuse of ServerConfig.PublicKeyCallback may cause authorization bypass https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q
2024-12-12 09:29:13 Rewrite it in rust, they said. It's more secure, they said: https://github.com/advisories/GHSA-3qx3-6hxr-j2ch
2024-12-12 09:50:32 ikke: to be fair, seems to be because they vendor libgit2, which is C
2024-12-12 14:10:11 yeah, they link to https://github.com/libgit2/libgit2/security/advisories/GHSA-j2v7-4f6v-gpg8
2024-12-12 14:23:31 I also believe this advisory applies to non-distro binaries mostly, Alpine/Arch/Debian/ use dynamic linking for libgit2.so
2024-12-12 14:23:45 NixOS doesn't, but well
2024-12-14 10:42:07 https://pkg.go.dev/vuln/GO-2024-3321
2024-12-14 10:42:28 (would have loved some text formatting of that)
2024-12-14 10:45:24 maybe the old #15593 could be useful for helping to find the first aports to bump golang.org/x/crypto/ssh in
2024-12-14 12:11:15 omni: perhaps also govulncheck, which checks if code is actually used
2024-12-14 13:15:21 even better
2024-12-14 13:18:44 Not sure if it works with stripped binaries, though
2024-12-14 13:22:36 not something we have packaged, is it?
2024-12-14 13:34:29 Probably not
2024-12-14 14:27:56 volatile google source tarballs
2024-12-14 14:28:54 git clone https://go.googlesource.com/vuln; cd vuln; go build -v -o govulncheck ./cmd/govulncheck
2024-12-17 07:09:22 https://xenbits.xen.org/xsa/
2024-12-17 07:09:38 XSA-465 & XSA-466
2024-12-19 05:04:40 https://xenbits.xen.org/xsa/advisory-465.html
2024-12-19 05:04:42 https://xenbits.xen.org/xsa/advisory-466.html
2024-12-19 05:05:11 both need to be addressed in linux