Control: tags -1 + confirmed On Sat, 2022-02-12 at 00:52 +0800, Shengjing Zhu wrote: > [ Reason ] > Backport patches for CVE-2022-23806 CVE-2022-23772 CVE-2022-23773 > > [ Impact ] > > + CVE-2022-23806: crypto/elliptic: fix IsOnCurve for big.Int values > that are not valid coordinates > + CVE-2022-23772: math/big: prevent large memory consumption in > Rat.SetString > + CVE-2022-23773: cmd/go: prevent branches from materializing into > versions > > All are minor security issues, so I'd like to go with stable-pu. [...] > CVE-2022-23806 and CVE-2022-23772 are for Go std library, which is > statically > linked in all Go programs. But these issues look like too minor to > rebuild all > Go programs.
Please go ahead. Regards, Adam