On 10/09/2017 04:36 AM, Jakub Cajka wrote:
For the record, these vulnerabilities got assigned CVE-2017-15041 and CVE-2017-15042. Any packages using the affected component "net/smtp" need to be rebuilt with the fixed version of Go, in order to pick up the fix.
Oof. Do we have any tools right now for working out whether direct or transitive dependencies of packages we maintain are affected, so we know if we need to push a rebuild? (Speaking only for myself, I have 31 packages that don't directly import net/smtp, but I can't speak to any of the packages they pull in.)
It seems like a standard library CVE almost demands a mass golang rebuild, if we want to be safe (in the absence of automated tooling to make targeted rebuilds possible). The reality is, maintainers are going to miss this message and not rebuild, or not do the necessary legwork to know if they need to rebuild. :(
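One low-tech way to do the "legwork" the reply asks about is a static scan of the unpacked source tree (including vendor/) for any .go file that imports the affected package; because Go bundles transitive dependencies into the build tree, a vendored library that imports net/smtp shows up here even when the top-level package does not import it directly. The script below is an added example written for this discussion, not a Fedora tool and not code from the thread; the sample tree it scans (including the import path github.com/example/mailer) is constructed and hypothetical. When a Go toolchain is available, `go list -f '{{join .Deps "\n"}}' ./...` run from the package root is the authoritative check for the dependency graph, but the scan needs no toolchain and works on a plain source extract.

```python
"""Scan an unpacked Go source tree for files that import a given package.

Added example for the net/smtp rebuild question; not from the mailing-list
thread and not a Fedora packaging tool. Scans vendored code too, so transitive
importers bundled into the tree are found as well.
"""
import os
import re
import tempfile
import textwrap

# A parenthesised import block:  import ( "fmt" \n s "net/smtp" )
IMPORT_BLOCK = re.compile(r'^\s*import\s*\((.*?)\)', re.S | re.M)
# A one-line import, optionally aliased:  import s "net/smtp"
IMPORT_SINGLE = re.compile(r'^\s*import\s+(?:[\w.]+\s+)?"([^"]+)"', re.M)
IMPORT_PATH = re.compile(r'"([^"]+)"')


def imports_of(src):
    """Return the set of import paths declared in one Go source file."""
    # Drop comments first so a commented-out import is not counted.
    src = re.sub(r'/\*.*?\*/', '', src, flags=re.S)
    src = re.sub(r'//[^\n]*', '', src)
    paths = set()
    for block in IMPORT_BLOCK.findall(src):
        paths.update(IMPORT_PATH.findall(block))
    paths.update(IMPORT_SINGLE.findall(src))
    return paths


def find_importers(root, target='net/smtp'):
    """Relative paths of every .go file under root that imports target."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith('.go'):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding='utf-8', errors='replace') as fh:
                if target in imports_of(fh.read()):
                    hits.append(os.path.relpath(path, root))
    return sorted(hits)


def affected_packages(root, target='net/smtp'):
    """Directories (Go packages) containing at least one importing file."""
    return sorted({os.path.dirname(p) or '.' for p in find_importers(root, target)})


# Constructed sample tree (hypothetical import paths, not real projects).
# The top-level main.go never names net/smtp; only a vendored dependency does.
SAMPLE_TREE = {
    'main.go': textwrap.dedent('''\
        package main

        import (
        \t"fmt"
        \tmailer "github.com/example/mailer" // hypothetical vendored library
        )

        func main() { fmt.Println(mailer.Send()) }
        '''),
    'vendor/github.com/example/mailer/mailer.go': textwrap.dedent('''\
        package mailer

        import (
        \t"net/smtp"
        \t"strings"
        )

        func Send() string { _ = smtp.SendMail; return strings.ToUpper("sent") }
        '''),
    'util/x.go': 'package util\n\nimport "net/http"\n\nvar _ = http.StatusOK\n',
    'util/y.go': 'package util\n\n// import "net/smtp"  (commented out, must not count)\n',
}


def demo():
    """Write the sample tree to a temp dir and scan it for net/smtp importers."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_TREE.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, 'w', encoding='utf-8') as fh:
                fh.write(content)
        return find_importers(root), affected_packages(root)


if __name__ == '__main__':
    files, pkgs = demo()
    print('files importing net/smtp:', files)
    print('affected packages:', pkgs)
```

Run it against a real extract with `find_importers('/path/to/unpacked/source')`; a non-empty result means the package (or something it bundles) links net/smtp and needs the rebuild. A package built against separately packaged golang-*-devel dependencies in GOPATH still needs those dependency trees scanned too, which is exactly the case the reply worries about.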