Normally the correct move would be to go upstream first. Since I control things on the Ubuntu side for cloud-images, I'll move the ticket around there. I'll also make it public as it's not a new security vulnerability (private security bugs are for new disclosures, not for tracking already announced vulnerabilities).
Public Ubuntu tracking of the golang vulnerability:
https://ubuntu.com/security/CVE-2024-24790
Note, since this is reported against Noble, I _believe_ this is an incorrect match. I'm working on double checking, but in noble, the golangs have been patched (both 1.21 and 1.22). It's likely a bad version string match, but I've listed this against `gosu` for someone to double check my assertions. `gosu` in noble is building against `golang-go=1.22`:
http://archive.ubuntu.com/ubuntu/pool/universe/g/gosu/gosu_1.17-1.dsc
`gosu` is a universe package in Ubuntu, and from what I can see was inherited from `sid` at version 1.17.1:
https://packages.debian.org/sid/gosu
I see no open bugs against `gosu` (https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=gosu), and it needs to be confirmed that it's built against golang 1.17 in `debian`. Not my expertise.