The NetBSD Project

CVS log for pkgsrc/lang/go/version.mk

Default branch: MAIN


Revision 1.204, Tue Mar 5 19:37:52 2024 UTC by bsiegert
Branch: MAIN
CVS Tags: HEAD
Changes since 1.203: +2 -2 lines

go122: update to 1.22.1 (security)

This minor release includes 5 security fixes following the security policy:

- crypto/x509: Verify panics on certificates with an unknown public key
  algorithm

  Verifying a certificate chain which contains a certificate with an unknown
  public key algorithm will cause Certificate.Verify to panic.

  This affects all crypto/tls clients, and servers that set Config.ClientAuth
  to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default
  behavior is for TLS servers to not verify client certificates.

  Thanks to John Howard (Google) for reporting this issue.

  This is CVE-2024-24783 and Go issue https://go.dev/issue/65390.

- net/http: memory exhaustion in Request.ParseMultipartForm

  When parsing a multipart form (either explicitly with
  Request.ParseMultipartForm or implicitly with Request.FormValue,
  Request.PostFormValue, or Request.FormFile), limits on the total size of the
  parsed form were not applied to the memory consumed while reading a single
  form line. This permitted a maliciously crafted input containing very long
  lines to cause allocation of arbitrarily large amounts of memory, potentially
  leading to memory exhaustion.

  ParseMultipartForm now correctly limits the maximum size of form lines.

  Thanks to Bartek Nowotarski for reporting this issue.

  This is CVE-2023-45290 and Go issue https://go.dev/issue/65383.

- net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and
  cookies on HTTP redirect

  When following an HTTP redirect to a domain which is not a subdomain match or
  exact match of the initial domain, an http.Client does not forward sensitive
  headers such as "Authorization" or "Cookie". For example, a redirect from
  foo.com to www.foo.com will forward the Authorization header, but a redirect
  to bar.com will not.

  A maliciously crafted HTTP redirect could cause sensitive headers to be
  unexpectedly forwarded.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-45289 and Go issue https://go.dev/issue/65065.

- html/template: errors returned from MarshalJSON methods may break template
  escaping

  If errors returned from MarshalJSON methods contain user controlled data,
  they may be used to break the contextual auto-escaping behavior of the
  html/template package, allowing for subsequent actions to inject unexpected
  content into templates.

  Thanks to RyotaK (https://ryotak.net) for reporting this issue.

  This is CVE-2024-24785 and Go issue https://go.dev/issue/65697.

- net/mail: comments in display names are incorrectly handled

  The ParseAddressList function incorrectly handles comments (text within
  parentheses) within display names. Since this is a misalignment with
  conforming address parsers, it can result in different trust decisions being
  made by programs using different parsers.

  Thanks to Juho Nurminen of Mattermost and Slonser
  (https://github.com/Slonser) for reporting this issue.

  This is CVE-2024-24784 and Go issue https://go.dev/issue/65083.

Revision 1.203, Tue Mar 5 19:27:58 2024 UTC by bsiegert
Branch: MAIN
Changes since 1.202: +2 -2 lines

go121: update to 1.21.8 (security)

This minor release includes 5 security fixes following the security policy:

- crypto/x509: Verify panics on certificates with an unknown public key
  algorithm

  Verifying a certificate chain which contains a certificate with an unknown
  public key algorithm will cause Certificate.Verify to panic.

  This affects all crypto/tls clients, and servers that set Config.ClientAuth
  to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default
  behavior is for TLS servers to not verify client certificates.

  Thanks to John Howard (Google) for reporting this issue.

  This is CVE-2024-24783 and Go issue https://go.dev/issue/65390.

- net/http: memory exhaustion in Request.ParseMultipartForm

  When parsing a multipart form (either explicitly with
  Request.ParseMultipartForm or implicitly with Request.FormValue,
  Request.PostFormValue, or Request.FormFile), limits on the total size of the
  parsed form were not applied to the memory consumed while reading a single
  form line. This permitted a maliciously crafted input containing very long
  lines to cause allocation of arbitrarily large amounts of memory, potentially
  leading to memory exhaustion.

  ParseMultipartForm now correctly limits the maximum size of form lines.

  Thanks to Bartek Nowotarski for reporting this issue.

  This is CVE-2023-45290 and Go issue https://go.dev/issue/65383.

- net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and
  cookies on HTTP redirect

  When following an HTTP redirect to a domain which is not a subdomain match or
  exact match of the initial domain, an http.Client does not forward sensitive
  headers such as "Authorization" or "Cookie". For example, a redirect from
  foo.com to www.foo.com will forward the Authorization header, but a redirect
  to bar.com will not.

  A maliciously crafted HTTP redirect could cause sensitive headers to be
  unexpectedly forwarded.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-45289 and Go issue https://go.dev/issue/65065.

- html/template: errors returned from MarshalJSON methods may break template
  escaping

  If errors returned from MarshalJSON methods contain user controlled data,
  they may be used to break the contextual auto-escaping behavior of the
  html/template package, allowing for subsequent actions to inject unexpected
  content into templates.

  Thanks to RyotaK (https://ryotak.net) for reporting this issue.

  This is CVE-2024-24785 and Go issue https://go.dev/issue/65697.

- net/mail: comments in display names are incorrectly handled

  The ParseAddressList function incorrectly handles comments (text within
  parentheses) within display names. Since this is a misalignment with
  conforming address parsers, it can result in different trust decisions being
  made by programs using different parsers.

  Thanks to Juho Nurminen of Mattermost and Slonser
  (https://github.com/Slonser) for reporting this issue.

  This is CVE-2024-24784 and Go issue https://go.dev/issue/65083.
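
The redirect rule quoted in the 1.21.8 and 1.22.1 notes above (credentials travel only to the same host or a subdomain of it) written out as an explicit http.Client CheckRedirect policy, so a client does not depend solely on the built-in rule. This is an added example, not pkgsrc or Go project code; sensitiveHeaders, sameOrSubdomain, crossDomainRedirectPolicy, newClient and applyRedirect are names of this example, and the token value is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Headers that carry credentials and must not cross to an unrelated domain.
// The release note names Authorization and Cookie; the list is this example's
// assumption and can be extended.
var sensitiveHeaders = []string{"Authorization", "Cookie"}

// sameOrSubdomain implements the rule stated in the release note: the target
// host must be the initial host itself or a subdomain of it (foo.com ->
// www.foo.com forwards, foo.com -> bar.com does not). Hosts are compared
// case-insensitively and without a trailing dot.
func sameOrSubdomain(initial, target string) bool {
	initial = strings.ToLower(strings.TrimSuffix(initial, "."))
	target = strings.ToLower(strings.TrimSuffix(target, "."))
	if initial == "" || target == "" {
		return false
	}
	return target == initial || strings.HasSuffix(target, "."+initial)
}

// crossDomainRedirectPolicy is an http.Client.CheckRedirect hook. The client
// has already copied the forwardable headers onto req before calling it, so
// the hook can drop credential headers itself whenever the redirect chain
// leaves the domain of the very first request (via[0]). Cookies from a cookie
// jar are added later by the client, scoped by the jar to req.URL, and are
// not affected here.
func crossDomainRedirectPolicy(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 {
		return errors.New("stopped after 10 redirects")
	}
	initial := via[0].URL.Hostname()
	if !sameOrSubdomain(initial, req.URL.Hostname()) {
		for _, h := range sensitiveHeaders {
			req.Header.Del(h)
		}
	}
	return nil
}

// newClient returns a client wired to the policy above.
func newClient() *http.Client {
	return &http.Client{CheckRedirect: crossDomainRedirectPolicy}
}

// applyRedirect simulates one client step from initialURL to targetURL: it
// builds the follow-up request carrying the Authorization header the client
// would have copied, runs the policy, and reports whether the header survived.
// Constructed for illustration; no network access is made.
func applyRedirect(initialURL, targetURL string) (authForwarded bool, err error) {
	first, err := http.NewRequest(http.MethodGet, initialURL, nil)
	if err != nil {
		return false, err
	}
	first.Header.Set("Authorization", "Bearer example-token") // constructed value
	next, err := http.NewRequest(http.MethodGet, targetURL, nil)
	if err != nil {
		return false, err
	}
	next.Header.Set("Authorization", first.Header.Get("Authorization"))
	if err := crossDomainRedirectPolicy(next, []*http.Request{first}); err != nil {
		return false, err
	}
	return next.Header.Get("Authorization") != "", nil
}

func main() {
	for _, target := range []string{"https://www.foo.com/login", "https://bar.com/login"} {
		forwarded, err := applyRedirect("https://foo.com/", target)
		fmt.Printf("foo.com -> %s: Authorization forwarded=%v err=%v\n", target, forwarded, err)
	}
}
```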

Revision 1.202, Fri Feb 9 20:34:10 2024 UTC by bsiegert
Branch: MAIN
Changes since 1.201: +2 -1 lines

Add a new package for go122-1.22.0

The latest Go release, version 1.22, arrives six months after Go 1.21. Most of its changes
are in the implementation of the toolchain, runtime, and libraries. As always, the release
maintains the Go 1 promise of compatibility. We expect almost all Go programs to continue
to compile and run as before.

Release notes: https://go.dev/doc/go1.22

Revision 1.201, Wed Feb 7 14:44:16 2024 UTC by bsiegert
Branch: MAIN
Changes since 1.200: +2 -2 lines

go121: update to 1.21.7

go1.21.7 (released 2024-02-06) includes fixes to the compiler, the go command,
the runtime, and the crypto/x509 package. See the Go 1.21.7 milestone on the Go
issue tracker for details.

Revision 1.200, Wed Feb 7 14:37:50 2024 UTC by bsiegert
Branch: MAIN
Changes since 1.199: +2 -2 lines

go120: update to 1.20.14

go1.20.14 (released 2024-02-06) includes fixes to the crypto/x509 package.
See the Go 1.20.14 milestone on the issue tracker for details.

Revision 1.199, Wed Jan 10 16:49:29 2024 UTC by bsiegert
Branch: MAIN
Changes since 1.198: +2 -2 lines

go121: update to 1.21.6

go1.21.6 (released 2024-01-09) includes fixes to the compiler, the runtime, and
the crypto/tls, maps, and runtime/pprof packages.

It also includes a fix for a slow memory leak on Linux.

Revision 1.198, Wed Jan 10 16:41:22 2024 UTC by bsiegert
Branch: MAIN
Changes since 1.197: +2 -2 lines

go120: update to 1.20.13

go1.20.13 (released 2024-01-09) includes fixes to the runtime and the
crypto/tls package.

Revision 1.189.2.3, Wed Dec 6 12:08:36 2023 UTC by spz
Branch: pkgsrc-2023Q3
Changes since 1.189.2.2: +3 -3 lines

Pullup ticket #6822 - requested by bsiegert
lang/go120: security update
lang/go121: security update
lang/go: metadata update
audio/gospt: revision bump
audio/ymuse: revision bump
chat/coyim: revision bump
chat/gomuks: revision bump
chat/matterircd: revision bump
chat/senpai: revision bump
chat/ssh-chat: revision bump
databases/go-ldap: revision bump
databases/influxdb: revision bump
databases/mongo-tools: revision bump
databases/mysqld_exporter: revision bump
databases/postgres_exporter: revision bump
databases/prometheus: revision bump
databases/promscale: revision bump
databases/sqlc: revision bump
databases/timescaledb-tune: revision bump
devel/asmfmt: revision bump
devel/conftest: revision bump
devel/errcheck: revision bump
devel/fq: revision bump
devel/git-lfs: revision bump
devel/go-ed25519: revision bump
devel/go-gocode: revision bump
devel/go-golang-lru: revision bump
devel/go-gopkgs: revision bump
devel/go-goptlib: revision bump
devel/go-goreturns: revision bump
devel/go-gox: revision bump
devel/go-impl: revision bump
devel/go-logrus: revision bump
devel/go-nbreader: revision bump
devel/go-pty: revision bump
devel/go-review: revision bump
devel/go-siphash: revision bump
devel/go-staticcheck: revision bump
devel/go-swagger: revision bump
devel/go-sys: revision bump
devel/go-tools: revision bump
devel/go-wire: revision bump
devel/go-xerrors: revision bump
devel/golangci-lint: revision bump
devel/golint: revision bump
devel/gomodifytags: revision bump
devel/gopls: revision bump
devel/goredo: revision bump
devel/gotags: revision bump
devel/gotests: revision bump
devel/govulncheck: revision bump
devel/lazygit: revision bump
devel/mob: revision bump
devel/nancy: revision bump
devel/opa: revision bump
devel/packr: revision bump
devel/reftools: revision bump
devel/regal: revision bump
devel/revive: revision bump
devel/shfmt: revision bump
devel/syft: revision bump
editors/micro: revision bump
filesystems/kubo: revision bump
graphics/gif2png: revision bump
lang/joker: revision bump
mail/opensmtpd-filter-rspamd: revision bump
mail/opensmtpd-filter-senderscore: revision bump
mail/postforward: revision bump
misc/exercism: revision bump
net/amazon-ecs-cli: revision bump
net/amfora: revision bump
net/bombadillo: revision bump
net/croc: revision bump
net/czds: revision bump
net/dnscontrol: revision bump
net/dnscrypt-proxy2: revision bump
net/gh: revision bump
net/go-dnstap: revision bump
net/go-net: revision bump
net/go-websocket: revision bump
net/gunison: revision bump
net/gvproxy: revision bump
net/hub: revision bump
net/ipget: revision bump
net/kubectl: revision bump
net/libquic: revision bump
net/mangos: revision bump
net/nats-server: revision bump
net/obfs4proxy: revision bump
net/rclone: revision bump
net/stern: revision bump
net/syncthing: revision bump
net/terraform-provider-archive: revision bump
net/terraform-provider-aws: revision bump
net/terraform-provider-kubernetes: revision bump
net/terraform-provider-local: revision bump
net/terraform-provider-null: revision bump
net/terraform-provider-random: revision bump
net/terraform-provider-template: revision bump
net/terraform-provider-vultr: revision bump
net/terraform: revision bump
net/tut: revision bump
net/vultr-cli: revision bump
pkgtools/pkglint: revision bump
security/2fa: revision bump
security/age: revision bump
security/amass: revision bump
security/authelia: revision bump
security/cfssl: revision bump
security/dnsx: revision bump
security/go-asn1-ber: revision bump
security/go-crypto: revision bump
security/go-getpass: revision bump
security/go-mkcert: revision bump
security/gopass: revision bump
security/httpx: revision bump
security/nuclei: revision bump
security/oauth2c: revision bump
security/osv-scanner: revision bump
security/subfinder: revision bump
security/tlsx: revision bump
security/trufflehog: revision bump
security/vault: revision bump
shells/elvish: revision bump
shells/oh-my-posh: revision bump
sysutils/beats: revision bump
sysutils/consul: revision bump
sysutils/direnv: revision bump
sysutils/fzf: revision bump
sysutils/goreman: revision bump
sysutils/lf: revision bump
sysutils/node_exporter: revision bump
sysutils/packer: revision bump
sysutils/podman: revision bump
sysutils/restic: revision bump
sysutils/vultr: revision bump
textproc/glow: revision bump
textproc/go-kr-text: revision bump
textproc/go-md2man: revision bump
textproc/go-mmark: revision bump
textproc/go-text: revision bump
textproc/miller: revision bump
textproc/sift: revision bump
www/apisprout: revision bump
www/caddy: revision bump
www/gitea: revision bump
www/go-ffuf: revision bump
www/go-minify: revision bump
www/gotosocial: revision bump
www/grafana: revision bump
www/hugo: revision bump
www/jira-cli: revision bump
www/mycorrhiza: revision bump
www/pup: revision bump
www/restish: revision bump
www/shoutrrr: revision bump

Revisions pulled up:
- lang/go/version.mk                                            1.194
- lang/go120/PLIST                                              1.10
- lang/go120/distinfo                                           1.12
- lang/go121/PLIST                                              1.4
- lang/go121/distinfo                                           1.4
- audio/gospt/Makefile                       by patch
- audio/ymuse/Makefile                       by patch
- chat/coyim/Makefile                        by patch
- chat/gomuks/Makefile                       by patch
- chat/matterircd/Makefile                   by patch
- chat/senpai/Makefile                       by patch
- chat/ssh-chat/Makefile                     by patch
- databases/go-ldap/Makefile                 by patch
- databases/influxdb/Makefile                by patch
- databases/mongo-tools/Makefile             by patch
- databases/mysqld_exporter/Makefile         by patch
- databases/postgres_exporter/Makefile       by patch
- databases/prometheus/Makefile              by patch
- databases/promscale/Makefile               by patch
- databases/sqlc/Makefile                    by patch
- databases/timescaledb-tune/Makefile        by patch
- devel/asmfmt/Makefile                      by patch
- devel/conftest/Makefile                    by patch
- devel/errcheck/Makefile                    by patch
- devel/fq/Makefile                          by patch
- devel/git-lfs/Makefile                     by patch
- devel/go-ed25519/Makefile                  by patch
- devel/go-gocode/Makefile                   by patch
- devel/go-golang-lru/Makefile               by patch
- devel/go-gopkgs/Makefile                   by patch
- devel/go-goptlib/Makefile                  by patch
- devel/go-goreturns/Makefile                by patch
- devel/go-gox/Makefile                      by patch
- devel/go-impl/Makefile                     by patch
- devel/go-logrus/Makefile                   by patch
- devel/go-nbreader/Makefile                 by patch
- devel/go-pty/Makefile                      by patch
- devel/go-review/Makefile                   by patch
- devel/go-siphash/Makefile                  by patch
- devel/go-staticcheck/Makefile              by patch
- devel/go-swagger/Makefile                  by patch
- devel/go-sys/Makefile                      by patch
- devel/go-tools/Makefile                    by patch
- devel/go-wire/Makefile                     by patch
- devel/go-xerrors/Makefile                  by patch
- devel/golangci-lint/Makefile               by patch
- devel/golint/Makefile                      by patch
- devel/gomodifytags/Makefile                by patch
- devel/gopls/Makefile                       by patch
- devel/goredo/Makefile                      by patch
- devel/gotags/Makefile                      by patch
- devel/gotests/Makefile                     by patch
- devel/govulncheck/Makefile                 by patch
- devel/lazygit/Makefile                     by patch
- devel/mob/Makefile                         by patch
- devel/nancy/Makefile                       by patch
- devel/opa/Makefile                         by patch
- devel/packr/Makefile                       by patch
- devel/reftools/Makefile                    by patch
- devel/regal/Makefile                       by patch
- devel/revive/Makefile                      by patch
- devel/shfmt/Makefile                       by patch
- devel/syft/Makefile                        by patch
- editors/micro/Makefile                     by patch
- filesystems/kubo/Makefile                  by patch
- graphics/gif2png/Makefile                  by patch
- lang/joker/Makefile                        by patch
- mail/opensmtpd-filter-rspamd/Makefile      by patch
- mail/opensmtpd-filter-senderscore/Makefile by patch
- mail/postforward/Makefile                  by patch
- misc/exercism/Makefile                     by patch
- net/amazon-ecs-cli/Makefile                by patch
- net/amfora/Makefile                        by patch
- net/bombadillo/Makefile                    by patch
- net/croc/Makefile                          by patch
- net/czds/Makefile                          by patch
- net/dnscontrol/Makefile                    by patch
- net/dnscrypt-proxy2/Makefile               by patch
- net/gh/Makefile                            by patch
- net/go-dnstap/Makefile                     by patch
- net/go-net/Makefile                        by patch
- net/go-websocket/Makefile                  by patch
- net/gunison/Makefile                       by patch
- net/gvproxy/Makefile                       by patch
- net/hub/Makefile                           by patch
- net/ipget/Makefile                         by patch
- net/kubectl/Makefile                       by patch
- net/libquic/Makefile                       by patch
- net/mangos/Makefile                        by patch
- net/nats-server/Makefile                   by patch
- net/obfs4proxy/Makefile                    by patch
- net/rclone/Makefile                        by patch
- net/stern/Makefile                         by patch
- net/syncthing/Makefile                     by patch
- net/terraform-provider-archive/Makefile    by patch
- net/terraform-provider-aws/Makefile        by patch
- net/terraform-provider-kubernetes/Makefile by patch
- net/terraform-provider-local/Makefile      by patch
- net/terraform-provider-null/Makefile       by patch
- net/terraform-provider-random/Makefile     by patch
- net/terraform-provider-template/Makefile   by patch
- net/terraform-provider-vultr/Makefile      by patch
- net/terraform/Makefile                     by patch
- net/tut/Makefile                           by patch
- net/vultr-cli/Makefile                     by patch
- pkgtools/pkglint/Makefile                  by patch
- security/2fa/Makefile                      by patch
- security/age/Makefile                      by patch
- security/amass/Makefile                    by patch
- security/authelia/Makefile                 by patch
- security/cfssl/Makefile                    by patch
- security/dnsx/Makefile                     by patch
- security/go-asn1-ber/Makefile              by patch
- security/go-crypto/Makefile                by patch
- security/go-getpass/Makefile               by patch
- security/go-mkcert/Makefile                by patch
- security/gopass/Makefile                   by patch
- security/httpx/Makefile                    by patch
- security/nuclei/Makefile                   by patch
- security/oauth2c/Makefile                  by patch
- security/osv-scanner/Makefile              by patch
- security/subfinder/Makefile                by patch
- security/tlsx/Makefile                     by patch
- security/trufflehog/Makefile               by patch
- security/vault/Makefile                    by patch
- shells/elvish/Makefile                     by patch
- shells/oh-my-posh/Makefile                 by patch
- sysutils/beats/Makefile                    by patch
- sysutils/consul/Makefile                   by patch
- sysutils/direnv/Makefile                   by patch
- sysutils/fzf/Makefile                      by patch
- sysutils/goreman/Makefile                  by patch
- sysutils/lf/Makefile                       by patch
- sysutils/node_exporter/Makefile            by patch
- sysutils/packer/Makefile                   by patch
- sysutils/podman/Makefile                   by patch
- sysutils/restic/Makefile                   by patch
- sysutils/vultr/Makefile                    by patch
- textproc/glow/Makefile                     by patch
- textproc/go-kr-text/Makefile               by patch
- textproc/go-md2man/Makefile                by patch
- textproc/go-mmark/Makefile                 by patch
- textproc/go-text/Makefile                  by patch
- textproc/miller/Makefile                   by patch
- textproc/sift/Makefile                     by patch
- www/apisprout/Makefile                     by patch
- www/caddy/Makefile                         by patch
- www/gitea/Makefile                         by patch
- www/go-ffuf/Makefile                       by patch
- www/go-minify/Makefile                     by patch
- www/gotosocial/Makefile                    by patch
- www/grafana/Makefile                       by patch
- www/hugo/Makefile                          by patch
- www/jira-cli/Makefile                      by patch
- www/mycorrhiza/Makefile                    by patch
- www/pup/Makefile                           by patch
- www/restish/Makefile                       by patch
- www/shoutrrr/Makefile                      by patch

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	bsiegert
   Date:		Fri Nov 10 15:39:34 UTC 2023

   Modified Files:
   	pkgsrc/lang/go: version.mk
   	pkgsrc/lang/go120: PLIST distinfo
   	pkgsrc/lang/go121: PLIST distinfo

   Log Message:
   Update go120 to 1.20.11 and go121 to 1.21.4 (security).

   These minor releases include 2 security fixes following the security policy:

   - path/filepath: recognize \??\ as a Root Local Device path prefix.

    On Windows, a path beginning with \??\ is a Root Local Device path equivalent
    to a path beginning with \\?\. Paths with a \??\ prefix may be used to access
    arbitrary locations on the system. For example, the path \??\c:\x is
    equivalent to the more common path c:\x.

    The filepath package did not recognize paths with a \??\ prefix as special.

    Clean could convert a rooted path such as \a\..\??\b into
    the root local device path \??\b. It will now convert this
    path into .\??\b.

    IsAbs did not report paths beginning with \??\ as absolute.
    It now does so.

    VolumeName now reports the \??\ prefix as a volume name.

    Join(`\`, `??`, `b`) could convert a seemingly innocent
    sequence of path elements into the root local device path
    \??\b. It will now convert this to \.\??\b.

    This is CVE-2023-45283 and https://go.dev/issue/63713.

   - path/filepath: recognize device names with trailing spaces and superscripts

    The IsLocal function did not correctly detect reserved names in some cases:

    - reserved names followed by spaces, such as "COM1 ".
    - "COM" or "LPT" followed by a superscript 1, 2, or 3.

    IsLocal now correctly reports these names as non-local.

    This is CVE-2023-45284 and https://go.dev/issue/63713.


   To generate a diff of this commit:
   cvs rdiff -u -r1.193 -r1.194 pkgsrc/lang/go/version.mk
   cvs rdiff -u -r1.9 -r1.10 pkgsrc/lang/go120/PLIST
   cvs rdiff -u -r1.11 -r1.12 pkgsrc/lang/go120/distinfo
   cvs rdiff -u -r1.3 -r1.4 pkgsrc/lang/go121/PLIST pkgsrc/lang/go121/distinfo

Revision 1.197, Tue Dec 5 19:28:26 2023 UTC by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2023Q4-base, pkgsrc-2023Q4
Changes since 1.196: +2 -2 lines

go121: update to 1.21.5 (security)

This minor release includes 3 security fixes following the security policy:

- net/http: limit chunked data overhead

  A malicious HTTP sender can use chunk extensions to cause a receiver reading
  from a request or response body to read many more bytes from the network than
  are in the body.

  A malicious HTTP client can further exploit this to cause a server to
  automatically read a large amount of data (up to about 1GiB) when a handler
  fails to read the entire body of a request.

  Chunk extensions are a little-used HTTP feature which permit including
  additional metadata in a request or response body sent using the chunked
  encoding. The net/http chunked encoding reader discards this metadata. A
  sender can exploit this by inserting a large metadata segment with each byte
  transferred. The chunk reader now produces an error if the ratio of real body
  to encoded bytes grows too small.

  Thanks to Bartek Nowotarski for reporting this issue.
  This is CVE-2023-39326 and Go issue https://go.dev/issue/64433.

- cmd/go: go get may unexpectedly fall back to insecure git

  Using go get to fetch a module with the ".git" suffix may unexpectedly
  fall back to the insecure "git://" protocol if the module is unavailable via
  the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not
  set for said module. This only affects users who are not using the module
  proxy and are fetching modules directly (i.e. GOPROXY=off).

  Thanks to David Leadbeater for reporting this issue.
  This is CVE-2023-45285 and Go issue https://go.dev/issue/63845.

- path/filepath: retain trailing \ when cleaning paths like \\?\c:\

  Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume
  name in Windows paths starting with \\?\, resulting in
  filepath.Clean(\\?\c:\) returning \\?\c: rather than \\?\c:\ (among other
  effects). The previous behavior has been restored.

  This is an update to CVE-2023-45283 and Go issue https://go.dev/issue/64028.

Revision 1.196, Tue Dec 5 19:17:57 2023 UTC by bsiegert
Branch: MAIN
Changes since 1.195: +2 -2 lines

go120: update to 1.20.12 (security)

This minor release includes 3 security fixes following the security policy:

- net/http: limit chunked data overhead

  A malicious HTTP sender can use chunk extensions to cause a receiver reading
  from a request or response body to read many more bytes from the network than
  are in the body.

  A malicious HTTP client can further exploit this to cause a server to
  automatically read a large amount of data (up to about 1GiB) when a handler
  fails to read the entire body of a request.

  Chunk extensions are a little-used HTTP feature which permit including
  additional metadata in a request or response body sent using the chunked
  encoding. The net/http chunked encoding reader discards this metadata. A
  sender can exploit this by inserting a large metadata segment with each byte
  transferred. The chunk reader now produces an error if the ratio of real body
  to encoded bytes grows too small.

  Thanks to Bartek Nowotarski for reporting this issue.
  This is CVE-2023-39326 and Go issue https://go.dev/issue/64433.

- cmd/go: go get may unexpectedly fall back to insecure git

  Using go get to fetch a module with the ".git" suffix may unexpectedly
  fall back to the insecure "git://" protocol if the module is unavailable via
  the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not
  set for said module. This only affects users who are not using the module
  proxy and are fetching modules directly (i.e. GOPROXY=off).

  Thanks to David Leadbeater for reporting this issue.
  This is CVE-2023-45285 and Go issue https://go.dev/issue/63845.

- path/filepath: retain trailing \ when cleaning paths like \\?\c:\

  Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume
  name in Windows paths starting with \\?\, resulting in
  filepath.Clean(\\?\c:\) returning \\?\c: rather than \\?\c:\ (among other
  effects). The previous behavior has been restored.

  This is an update to CVE-2023-45283 and Go issue https://go.dev/issue/64028.
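
The overhead guard described in the two chunked-encoding entries above (1.21.5 and 1.20.12), as an added example of a chunked-body decoder that charges chunk extensions and other framing against a budget and refuses to keep reading when framing dwarfs delivered body bytes. It is not the net/http implementation: the budget and ratio constants, and the names readLine, readChunked, chunkStats and decodeString, are this example's own, and the sample streams are constructed.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// Policy of this example (not net/http's exact constants): framing bytes are
// always allowed up to overheadBudget; beyond that they may not exceed
// maxOverheadRatio times the body bytes delivered so far. A sender using one
// byte per chunk ("1\r\nX\r\n") costs 5:1 and stays within the ratio.
const (
	overheadBudget   = 4096
	maxOverheadRatio = 10
)

// ErrChunkOverhead is returned when framing dwarfs the body data.
var ErrChunkOverhead = errors.New("chunked encoding: excessive framing overhead")

// chunkStats counts body bytes delivered versus framing bytes consumed
// (chunk-size lines including extensions, CRLFs, final line).
type chunkStats struct {
	Body, Overhead int
}

// readLine reads one chunk-header line. bufio.Reader's default 4096-byte
// buffer bounds the line, so one oversized extension cannot make the reader
// accumulate an unbounded line before the guard is evaluated.
func readLine(br *bufio.Reader) (string, error) {
	line, err := br.ReadSlice('\n')
	if err == bufio.ErrBufferFull {
		return "", errors.New("chunked encoding: header line too long")
	}
	return string(line), err
}

// readChunked decodes a chunked body from r. Chunk extensions (";name=value"
// after the size) are discarded, as net/http does, but every framing byte is
// charged to the overhead counter and the guard runs before each chunk's data
// is read. Trailer fields are not decoded by this example.
func readChunked(r io.Reader) ([]byte, chunkStats, error) {
	br := bufio.NewReader(r)
	var out bytes.Buffer
	var st chunkStats
	for {
		line, err := readLine(br)
		if err != nil {
			return nil, st, fmt.Errorf("reading chunk header: %w", err)
		}
		st.Overhead += len(line)
		if st.Overhead > overheadBudget && st.Overhead > maxOverheadRatio*st.Body {
			return nil, st, ErrChunkOverhead
		}
		sizeField, _, _ := strings.Cut(strings.TrimRight(line, "\r\n"), ";")
		size, err := strconv.ParseUint(strings.TrimSpace(sizeField), 16, 31)
		if err != nil {
			return nil, st, fmt.Errorf("bad chunk size %q: %w", sizeField, err)
		}
		if size == 0 {
			t, _ := readLine(br) // the final CRLF that ends the body
			st.Overhead += len(t)
			return out.Bytes(), st, nil
		}
		if _, err := io.CopyN(&out, br, int64(size)); err != nil {
			return nil, st, fmt.Errorf("reading chunk data: %w", err)
		}
		st.Body += int(size)
		crlf := make([]byte, 2)
		if _, err := io.ReadFull(br, crlf); err != nil || string(crlf) != "\r\n" {
			return nil, st, errors.New("chunked encoding: missing CRLF after chunk data")
		}
		st.Overhead += 2
	}
}

// decodeString is a convenience wrapper for in-memory samples.
func decodeString(s string) ([]byte, chunkStats, error) {
	return readChunked(strings.NewReader(s))
}

// Constructed sample streams.
func normalStream() string { return "5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n" }

// tinyChunkStream: one byte per chunk, wasteful but legitimate (5:1).
func tinyChunkStream() string { return strings.Repeat("1\r\nA\r\n", 2000) + "0\r\n\r\n" }

// paddedStream: the pattern the release note describes, a large extension
// attached to every one-byte chunk, so framing outweighs body about 1000:1.
func paddedStream() string {
	return strings.Repeat("1;"+strings.Repeat("x", 1000)+"\r\nA\r\n", 20) + "0\r\n\r\n"
}
```

With the constants above the padded stream is rejected on its fifth chunk header, after only four body bytes, while the one-byte-per-chunk stream decodes in full.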

Revision 1.195, Wed Nov 15 15:54:40 2023 UTC by jperkin
Branch: MAIN
Changes since 1.194: +4 -2 lines

go: Add support for GO_VERSION_REQD.

This isn't full multi support like other languages yet, but for now simply a
way for a package to indicate that it requires a specific version of go.

Useful for things like wireguard-go which currently do not build with 1.21.

Revision 1.194, Fri Nov 10 15:39:34 2023 UTC by bsiegert
Branch: MAIN
Changes since 1.193: +3 -3 lines

Update go120 to 1.20.11 and go121 to 1.21.4 (security).

These minor releases include 2 security fixes following the security policy:

- path/filepath: recognize \??\ as a Root Local Device path prefix.

  On Windows, a path beginning with \??\ is a Root Local Device path equivalent
  to a path beginning with \\?\. Paths with a \??\ prefix may be used to access
  arbitrary locations on the system. For example, the path \??\c:\x is
  equivalent to the more common path c:\x.

  The filepath package did not recognize paths with a \??\ prefix as special.

  Clean could convert a rooted path such as \a\..\??\b into
  the root local device path \??\b. It will now convert this
  path into .\??\b.

  IsAbs did not report paths beginning with \??\ as absolute.
  It now does so.

  VolumeName now reports the \??\ prefix as a volume name.

  Join(`\`, `??`, `b`) could convert a seemingly innocent
  sequence of path elements into the root local device path
  \??\b. It will now convert this to \.\??\b.

  This is CVE-2023-45283 and https://go.dev/issue/63713.

- path/filepath: recognize device names with trailing spaces and superscripts

  The IsLocal function did not correctly detect reserved names in some cases:

  - reserved names followed by spaces, such as "COM1 ".
  - "COM" or "LPT" followed by a superscript 1, 2, or 3.

  IsLocal now correctly reports these names as non-local.

  This is CVE-2023-45284 and https://go.dev/issue/63713.

Revision 1.189.2.2, Sat Nov 4 13:00:31 2023 UTC by spz
Branch: pkgsrc-2023Q3
Changes since 1.189.2.1: +2 -2 lines

Pullup ticket #6816 - requested by bsiegert
lang/go121: security update
lang/go: metadata update

Revisions pulled up:
- lang/go/version.mk                                            1.191
- lang/go121/PLIST                                              1.3
- lang/go121/distinfo                                           1.3

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	bsiegert
   Date:		Sun Oct 15 09:26:35 UTC 2023

   Modified Files:
   	pkgsrc/lang/go: version.mk
   	pkgsrc/lang/go121: PLIST distinfo

   Log Message:
   go121: update to 1.21.3 (security)

   1.21.3

   net/http: rapid stream resets can cause excessive work

   A malicious HTTP/2 client which rapidly creates requests and
   immediately resets them can cause excessive server resource consumption.
   While the total number of requests is bounded to the
   http2.Server.MaxConcurrentStreams setting, resetting an in-progress
   request allows the attacker to create a new request while the existing
   one is still executing.

   HTTP/2 servers now bound the number of simultaneously executing
   handler goroutines to the stream concurrency limit. New requests
   arriving when at the limit (which can only happen after the client
   has reset an existing, in-flight request) will be queued until a
   handler exits. If the request queue grows too large, the server
   will terminate the connection.

   This issue is also fixed in golang.org/x/net/http2 v0.17.0,
   for users manually configuring HTTP/2.

   The default stream concurrency limit is 250 streams (requests)
   per HTTP/2 connection. This value may be adjusted using the
   golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams
   setting and the ConfigureServer function.

   This is CVE-2023-39325 and Go issue https://go.dev/issue/63417.
   This is also tracked by CVE-2023-44487.

   1.21.2

   cmd/go: line directives allow arbitrary execution during build

   "//line" directives can be used to bypass the restrictions on "//go:cgo_"
   directives, allowing blocked linker and compiler flags to be passed during
   compilation. This can result in unexpected execution of arbitrary code when
   running "go build". The line directive requires the absolute path of the file in
   which the directive lives, which makes exploiting this issue significantly more
   complex.

   This is CVE-2023-39323 and Go issue https://go.dev/issue/63211.


   To generate a diff of this commit:
   cvs rdiff -u -r1.190 -r1.191 pkgsrc/lang/go/version.mk
   cvs rdiff -u -r1.2 -r1.3 pkgsrc/lang/go121/PLIST pkgsrc/lang/go121/distinfo

Revision 1.193 / (download) - annotate - [select for diffs], Sun Oct 29 14:40:35 2023 UTC (4 months, 4 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.192: +2 -2 lines
Diff to previous 1.192 (colored) to selected 1.56 (colored)

Set Go 1.21 as the default Go version.

I did a verification bulk build with this change and updated all the
packages that were broken by this (kubo, ipget, caddy, etc.), so I hope
that this does not introduce any breakage.

Revision 1.189.2.1 / (download) - annotate - [select for diffs], Sun Oct 22 18:44:03 2023 UTC (5 months ago) by spz
Branch: pkgsrc-2023Q3
Changes since 1.189: +2 -2 lines
Diff to previous 1.189 (colored) to selected 1.56 (colored)

Pullup ticket #6812 - requested by bsiegert
lang/go120: security update
lang/go: version info update
audio/gospt: RevBump
audio/ymuse: RevBump
chat/coyim: RevBump
chat/gomuks: RevBump
chat/matterircd: RevBump
chat/senpai: RevBump
chat/ssh-chat: RevBump
databases/go-ldap: RevBump
databases/influxdb: RevBump
databases/mongo-tools: RevBump
databases/mysqld_exporter: RevBump
databases/postgres_exporter: RevBump
databases/prometheus: RevBump
databases/promscale: RevBump
databases/sqlc: RevBump
databases/timescaledb-tune: RevBump
devel/asmfmt: RevBump
devel/conftest: RevBump
devel/errcheck: RevBump
devel/fq: RevBump
devel/git-lfs: RevBump
devel/go-ed25519: RevBump
devel/go-gocode: RevBump
devel/go-golang-lru: RevBump
devel/go-gopkgs: RevBump
devel/go-goptlib: RevBump
devel/go-goreturns: RevBump
devel/go-gox: RevBump
devel/go-impl: RevBump
devel/go-logrus: RevBump
devel/go-nbreader: RevBump
devel/go-pty: RevBump
devel/go-review: RevBump
devel/go-siphash: RevBump
devel/go-staticcheck: RevBump
devel/go-swagger: RevBump
devel/go-sys: RevBump
devel/go-tools: RevBump
devel/go-wire: RevBump
devel/go-xerrors: RevBump
devel/golangci-lint: RevBump
devel/golint: RevBump
devel/gomodifytags: RevBump
devel/gopls: RevBump
devel/goredo: RevBump
devel/gotags: RevBump
devel/gotests: RevBump
devel/govulncheck: RevBump
devel/lazygit: RevBump
devel/mob: RevBump
devel/nancy: RevBump
devel/opa: RevBump
devel/packr: RevBump
devel/reftools: RevBump
devel/regal: RevBump
devel/revive: RevBump
devel/shfmt: RevBump
devel/syft: RevBump
editors/micro: RevBump
filesystems/kubo: RevBump
graphics/gif2png: RevBump
lang/joker: RevBump
mail/opensmtpd-filter-rspamd: RevBump
mail/opensmtpd-filter-senderscore: RevBump
mail/postforward: RevBump
meta-pkgs/bulk-test-essential: RevBump
misc/exercism: RevBump
net/amazon-ecs-cli: RevBump
net/amfora: RevBump
net/bombadillo: RevBump
net/croc: RevBump
net/czds: RevBump
net/dnscontrol: RevBump
net/dnscrypt-proxy2: RevBump
net/gh: RevBump
net/go-dnstap: RevBump
net/go-net: RevBump
net/go-websocket: RevBump
net/gunison: RevBump
net/gvproxy: RevBump
net/hub: RevBump
net/ipget: RevBump
net/kubectl: RevBump
net/libquic: RevBump
net/mangos: RevBump
net/nats-server: RevBump
net/obfs4proxy: RevBump
net/rclone: RevBump
net/stern: RevBump
net/syncthing: RevBump
net/terraform-provider-archive: RevBump
net/terraform-provider-aws: RevBump
net/terraform-provider-kubernetes: RevBump
net/terraform-provider-local: RevBump
net/terraform-provider-null: RevBump
net/terraform-provider-random: RevBump
net/terraform-provider-template: RevBump
net/terraform-provider-vultr: RevBump
net/terraform: RevBump
net/tut: RevBump
net/vultr-cli: RevBump
pkgtools/pkglint: RevBump
security/2fa: RevBump
security/age: RevBump
security/amass: RevBump
security/authelia: RevBump
security/cfssl: RevBump
security/dnsx: RevBump
security/go-asn1-ber: RevBump
security/go-crypto: RevBump
security/go-getpass: RevBump
security/go-mkcert: RevBump
security/gopass: RevBump
security/httpx: RevBump
security/nuclei: RevBump
security/oauth2c: RevBump
security/osv-scanner: RevBump
security/subfinder: RevBump
security/tlsx: RevBump
security/trufflehog: RevBump
security/vault: RevBump
shells/elvish: RevBump
shells/oh-my-posh: RevBump
sysutils/beats: RevBump
sysutils/consul: RevBump
sysutils/direnv: RevBump
sysutils/fzf: RevBump
sysutils/goreman: RevBump
sysutils/lf: RevBump
sysutils/node_exporter: RevBump
sysutils/packer: RevBump
sysutils/podman: RevBump
sysutils/restic: RevBump
sysutils/vultr: RevBump
textproc/glow: RevBump
textproc/go-kr-text: RevBump
textproc/go-md2man: RevBump
textproc/go-mmark: RevBump
textproc/go-text: RevBump
textproc/miller: RevBump
textproc/sift: RevBump
www/apisprout: RevBump
www/caddy: RevBump
www/gitea: RevBump
www/go-ffuf: RevBump
www/go-minify: RevBump
www/gotosocial: RevBump
www/grafana: RevBump
www/hugo: RevBump
www/jira-cli: RevBump
www/mycorrhiza: RevBump
www/pup: RevBump
www/restish: RevBump
www/shoutrrr: RevBump

Revisions pulled up:
- lang/go/version.mk                                            1.190,1.192
- lang/go120/PLIST                                              1.9
- lang/go120/distinfo                                           1.10-1.11

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   bsiegert
   Date:           Sat Oct  7 18:09:35 UTC 2023

   Modified Files:
           pkgsrc/lang/go: version.mk
           pkgsrc/lang/go120: PLIST distinfo

   Log Message:
   go120: update to 1.20.9 (security).

   cmd/go: line directives allow arbitrary execution during build

   "//line" directives can be used to bypass the restrictions on "//go:cgo_"
   directives, allowing blocked linker and compiler flags to be passed during
   compilation. This can result in unexpected execution of arbitrary code when
   running "go build". The line directive requires the absolute path of the file in
   which the directive lives, which makes exploiting this issue significantly more
   complex.

   This is CVE-2023-39323 and Go issue https://go.dev/issue/63211.

   View the release notes for more information:
   https://go.dev/doc/devel/release#go1.20.9

   To generate a diff of this commit:
   cvs rdiff -u -r1.189 -r1.190 pkgsrc/lang/go/version.mk
   cvs rdiff -u -r1.8 -r1.9 pkgsrc/lang/go120/PLIST
   cvs rdiff -u -r1.9 -r1.10 pkgsrc/lang/go120/distinfo

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   bsiegert
   Date:           Sun Oct 15 11:02:08 UTC 2023

   Modified Files:
           pkgsrc/lang/go: version.mk
           pkgsrc/lang/go120: distinfo

   Log Message:
   go120: update to 1.20.10 (security)

   net/http: rapid stream resets can cause excessive work

   A malicious HTTP/2 client which rapidly creates requests and
   immediately resets them can cause excessive server resource consumption.
   While the total number of requests is bounded to the
   http2.Server.MaxConcurrentStreams setting, resetting an in-progress
   request allows the attacker to create a new request while the existing
   one is still executing.

   HTTP/2 servers now bound the number of simultaneously executing
   handler goroutines to the stream concurrency limit. New requests
   arriving when at the limit (which can only happen after the client
   has reset an existing, in-flight request) will be queued until a
   handler exits. If the request queue grows too large, the server
   will terminate the connection.

   This issue is also fixed in golang.org/x/net/http2 v0.17.0,
   for users manually configuring HTTP/2.

   The default stream concurrency limit is 250 streams (requests)
   per HTTP/2 connection. This value may be adjusted using the
   golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams
   setting and the ConfigureServer function.

   This is CVE-2023-39325 and Go issue https://go.dev/issue/63417.
   This is also tracked by CVE-2023-44487.

   To generate a diff of this commit:
   cvs rdiff -u -r1.191 -r1.192 pkgsrc/lang/go/version.mk
   cvs rdiff -u -r1.10 -r1.11 pkgsrc/lang/go120/distinfo

Revision 1.192 / (download) - annotate - [select for diffs], Sun Oct 15 11:02:08 2023 UTC (5 months, 1 week ago) by bsiegert
Branch: MAIN
Changes since 1.191: +2 -2 lines
Diff to previous 1.191 (colored) to selected 1.56 (colored)

go120: update to 1.20.10 (security)

net/http: rapid stream resets can cause excessive work

A malicious HTTP/2 client which rapidly creates requests and
immediately resets them can cause excessive server resource consumption.
While the total number of requests is bounded to the
http2.Server.MaxConcurrentStreams setting, resetting an in-progress
request allows the attacker to create a new request while the existing
one is still executing.

HTTP/2 servers now bound the number of simultaneously executing
handler goroutines to the stream concurrency limit. New requests
arriving when at the limit (which can only happen after the client
has reset an existing, in-flight request) will be queued until a
handler exits. If the request queue grows too large, the server
will terminate the connection.

This issue is also fixed in golang.org/x/net/http2 v0.17.0,
for users manually configuring HTTP/2.

The default stream concurrency limit is 250 streams (requests)
per HTTP/2 connection. This value may be adjusted using the
golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams
setting and the ConfigureServer function.

This is CVE-2023-39325 and Go issue https://go.dev/issue/63417.
This is also tracked by CVE-2023-44487.

Revision 1.191 / (download) - annotate - [select for diffs], Sun Oct 15 09:26:34 2023 UTC (5 months, 1 week ago) by bsiegert
Branch: MAIN
Changes since 1.190: +2 -2 lines
Diff to previous 1.190 (colored) to selected 1.56 (colored)

go121: update to 1.21.3 (security)

1.21.3

net/http: rapid stream resets can cause excessive work

A malicious HTTP/2 client which rapidly creates requests and
immediately resets them can cause excessive server resource consumption.
While the total number of requests is bounded to the
http2.Server.MaxConcurrentStreams setting, resetting an in-progress
request allows the attacker to create a new request while the existing
one is still executing.

HTTP/2 servers now bound the number of simultaneously executing
handler goroutines to the stream concurrency limit. New requests
arriving when at the limit (which can only happen after the client
has reset an existing, in-flight request) will be queued until a
handler exits. If the request queue grows too large, the server
will terminate the connection.

This issue is also fixed in golang.org/x/net/http2 v0.17.0,
for users manually configuring HTTP/2.

The default stream concurrency limit is 250 streams (requests)
per HTTP/2 connection. This value may be adjusted using the
golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams
setting and the ConfigureServer function.

This is CVE-2023-39325 and Go issue https://go.dev/issue/63417.
This is also tracked by CVE-2023-44487.

1.21.2

cmd/go: line directives allow arbitrary execution during build

"//line" directives can be used to bypass the restrictions on "//go:cgo_"
directives, allowing blocked linker and compiler flags to be passed during
compilation. This can result in unexpected execution of arbitrary code when
running "go build". The line directive requires the absolute path of the file in
which the directive lives, which makes exploiting this issue significantly more
complex.

This is CVE-2023-39323 and Go issue https://go.dev/issue/63211.
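
The fix described in the 1.21.3 entry above bounds the number of executing handler goroutines inside the HTTP/2 server. The Go program below, added here as an illustration rather than taken from the Go project, shows the same idea at the application layer using only the standard library: an http.Handler wrapper that caps in-flight handler invocations and rejects the surplus with 503 (the patched server queues them instead; rejecting is this example's simplification). The server, the blocking handler and the request pattern are all constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// inFlightLimiter caps how many handler invocations may execute at once.
// It is an application-level counterpart to the stream-concurrency bound that
// a patched Go HTTP/2 server enforces internally. Where the patched server
// queues excess requests, this limiter rejects them with 503 straight away,
// so a client that opens and resets streams faster than handlers finish can
// never pile up more than `limit` goroutines behind it.
type inFlightLimiter struct {
	slots chan struct{}
	next  http.Handler
}

func newInFlightLimiter(limit int, next http.Handler) *inFlightLimiter {
	return &inFlightLimiter{slots: make(chan struct{}, limit), next: next}
}

func (l *inFlightLimiter) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	select {
	case l.slots <- struct{}{}: // a slot is free: run the handler, release on return
		defer func() { <-l.slots }()
		l.next.ServeHTTP(w, r)
	default: // every slot is busy: fail fast instead of spawning more work
		w.Header().Set("Retry-After", "1")
		http.Error(w, "too many requests in flight", http.StatusServiceUnavailable)
	}
}

// saturate starts a limited server whose handler blocks until released, fills
// every slot, then sends one request too many. It returns the status codes of
// the in-limit requests and the status of the request over the limit.
func saturate(limit int) (inLimit []int, overLimit int) {
	entered := make(chan struct{})
	release := make(chan struct{})
	slow := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		entered <- struct{}{} // announce that a slot is occupied
		<-release             // hold it until the demo lets go
		w.WriteHeader(http.StatusOK)
	})
	srv := httptest.NewServer(newInFlightLimiter(limit, slow))
	defer srv.Close()

	var mu sync.Mutex
	var wg sync.WaitGroup
	for i := 0; i < limit; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			resp, err := http.Get(srv.URL)
			if err != nil {
				return
			}
			resp.Body.Close()
			mu.Lock()
			inLimit = append(inLimit, resp.StatusCode)
			mu.Unlock()
		}()
	}
	for i := 0; i < limit; i++ {
		<-entered // wait until all slots are genuinely occupied
	}
	if resp, err := http.Get(srv.URL); err == nil { // one more than the limit
		overLimit = resp.StatusCode
		resp.Body.Close()
	}
	close(release)
	wg.Wait()
	return inLimit, overLimit
}

func main() {
	inLimit, overLimit := saturate(2)
	fmt.Printf("in-limit responses: %v, over-limit response: %d\n", inLimit, overLimit)
}
```

The limit here is per process, not per connection, so it complements rather than replaces the per-connection MaxConcurrentStreams setting the advisory mentions; on a server that cannot be patched immediately, a bound on executing handlers is what keeps a resetting client from turning the stream limit into an unbounded goroutine count.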

Revision 1.190 / (download) - annotate - [select for diffs], Sat Oct 7 18:09:35 2023 UTC (5 months, 2 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.189: +2 -2 lines
Diff to previous 1.189 (colored) to selected 1.56 (colored)

go120: update to 1.20.9 (security).

cmd/go: line directives allow arbitrary execution during build

"//line" directives can be used to bypass the restrictions on "//go:cgo_"
directives, allowing blocked linker and compiler flags to be passed during
compilation. This can result in unexpected execution of arbitrary code when
running "go build". The line directive requires the absolute path of the file in
which the directive lives, which makes exploiting this issue significantly more
complex.

This is CVE-2023-39323 and Go issue https://go.dev/issue/63211.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.20.9

Revision 1.189 / (download) - annotate - [select for diffs], Fri Sep 8 19:02:04 2023 UTC (6 months, 2 weeks ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2023Q3-base
Branch point for: pkgsrc-2023Q3
Changes since 1.188: +2 -2 lines
Diff to previous 1.188 (colored) to selected 1.56 (colored)

go119: update to 1.19.13

go1.19.13 (released 2023-09-06) includes fixes to the go command, and the
crypto/tls and net/http packages. See the Go 1.19.13 milestone on our issue
tracker for details.

Revision 1.188 / (download) - annotate - [select for diffs], Fri Sep 8 18:49:45 2023 UTC (6 months, 2 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.187: +2 -2 lines
Diff to previous 1.187 (colored) to selected 1.56 (colored)

go120: update to 1.20.8 (security)

This minor release includes 4 security fixes following the security policy:

- cmd/go: go.mod toolchain directive allows arbitrary execution

  The go.mod toolchain directive, introduced in Go 1.21, could be leveraged to
  execute scripts and binaries relative to the root of the module when the
  "go" command was executed within the module. This applies to modules
  downloaded using the "go" command from the module proxy, as well as modules
  downloaded directly using VCS software.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-39320 and Go issue https://go.dev/issue/62198.

- html/template: improper handling of HTML-like comments within script
  contexts

  The html/template package did not properly handle HTML-like "<!--" and "-->"
  comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This
  may cause the template parser to improperly interpret the contents of
  <script> contexts, causing actions to be improperly escaped. This could be
  leveraged to perform an XSS attack.

  Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting
  this issue.

  This is CVE-2023-39318 and Go issue https://go.dev/issue/62196.

- html/template: improper handling of special tags within script contexts

  The html/template package did not apply the proper rules for handling
  occurrences of "<script", "<!--", and "</script" within JS literals in
  <script> contexts.  This may cause the template parser to improperly
  consider script contexts to be terminated early, causing actions to be
  improperly escaped. This could be leveraged to perform an XSS attack.

  Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting
  this issue.

  This is CVE-2023-39319 and Go issue https://go.dev/issue/62197.

- crypto/tls: panic when processing post-handshake message on QUIC connections

  Processing an incomplete post-handshake message for a QUIC connection caused
  a panic.

  Thanks to Marten Seemann for reporting this issue.

  This is CVE-2023-39321 and CVE-2023-39322 and Go issue
  https://go.dev/issue/62266.

Revision 1.187 / (download) - annotate - [select for diffs], Fri Sep 8 13:06:29 2023 UTC (6 months, 2 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.186: +2 -2 lines
Diff to previous 1.186 (colored) to selected 1.56 (colored)

go121: update to 1.21.1 (security)

This minor release includes 4 security fixes following the security policy:

- cmd/go: go.mod toolchain directive allows arbitrary execution

  The go.mod toolchain directive, introduced in Go 1.21, could be leveraged to
  execute scripts and binaries relative to the root of the module when the
  "go" command was executed within the module. This applies to modules
  downloaded using the "go" command from the module proxy, as well as modules
  downloaded directly using VCS software.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-39320 and Go issue https://go.dev/issue/62198.

- html/template: improper handling of HTML-like comments within script
  contexts

  The html/template package did not properly handle HTML-like "<!--" and "-->"
  comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This
  may cause the template parser to improperly interpret the contents of
  <script> contexts, causing actions to be improperly escaped. This could be
  leveraged to perform an XSS attack.

  Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting
  this issue.

  This is CVE-2023-39318 and Go issue https://go.dev/issue/62196.

- html/template: improper handling of special tags within script contexts

  The html/template package did not apply the proper rules for handling
  occurrences of "<script", "<!--", and "</script" within JS literals in
  <script> contexts.  This may cause the template parser to improperly
  consider script contexts to be terminated early, causing actions to be
  improperly escaped. This could be leveraged to perform an XSS attack.

  Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting
  this issue.

  This is CVE-2023-39319 and Go issue https://go.dev/issue/62197.

- crypto/tls: panic when processing post-handshake message on QUIC connections

  Processing an incomplete post-handshake message for a QUIC connection caused
  a panic.

  Thanks to Marten Seemann for reporting this issue.

  This is CVE-2023-39321 and CVE-2023-39322 and Go issue
  https://go.dev/issue/62266.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.21.1

Revision 1.186 / (download) - annotate - [select for diffs], Sat Aug 26 16:35:29 2023 UTC (7 months ago) by bsiegert
Branch: MAIN
Changes since 1.185: +2 -1 lines
Diff to previous 1.185 (colored) to selected 1.56 (colored)

New package, go121-1.21.0.

This will not be the default Go version in the next branch, since the
freeze date is close.

Revision 1.185 / (download) - annotate - [select for diffs], Fri Aug 25 18:29:24 2023 UTC (7 months ago) by bsiegert
Branch: MAIN
Changes since 1.184: +2 -2 lines
Diff to previous 1.184 (colored) to selected 1.56 (colored)

go120: update to 1.20.7 (security)

go1.20.7 (released 2023-08-01) includes a security fix to the crypto/tls
package, as well as bug fixes to the assembler and the compiler. See the Go
1.20.7 milestone on our issue tracker for details.

Revision 1.184 / (download) - annotate - [select for diffs], Sat Aug 12 13:02:54 2023 UTC (7 months, 2 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.183: +2 -2 lines
Diff to previous 1.183 (colored) to selected 1.56 (colored)

Update go119 to 1.19.12 (security).

crypto/tls: restrict RSA keys in certificates to <= 8192 bits

Extremely large RSA keys in certificate chains can cause a client/server
to expend significant CPU time verifying signatures. Limit this by
restricting the size of RSA keys transmitted during handshakes to <=
8192 bits.

Based on a survey of publicly trusted RSA keys, there are currently only
three certificates in circulation with keys larger than this, and all
three appear to be test certificates that are not actively deployed. It
is possible there are larger keys in use in private PKIs, but we target
the web PKI, so causing breakage here in the interests of increasing the
default safety of users of crypto/tls seems reasonable.

Thanks to Mateusz Poliwczak for reporting this issue.
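
To see whether a private PKI would trip the new limit, the Go program below (an added example, not pkgsrc or Go project code) walks a PEM bundle and reports every RSA key above 8192 bits, the same bound the advisory gives. It also builds a synthetic 16384-bit modulus so the check can be exercised without spending minutes generating such a key; the self-signed certificate and the synthetic chain are constructed test data.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// maxRSABits is the limit the advisory describes for keys seen in handshakes.
const maxRSABits = 8192

// oversizedRSAKeys lists every certificate in chain whose RSA public key is
// longer than maxBits. Non-RSA keys are not subject to the limit and are skipped.
func oversizedRSAKeys(chain []*x509.Certificate, maxBits int) []string {
	var bad []string
	for i, c := range chain {
		pub, ok := c.PublicKey.(*rsa.PublicKey)
		if !ok {
			continue
		}
		if bits := pub.N.BitLen(); bits > maxBits {
			bad = append(bad, fmt.Sprintf("cert %d (CN=%s): %d-bit RSA key exceeds %d", i, c.Subject.CommonName, bits, maxBits))
		}
	}
	return bad
}

// parsePEMChain decodes every CERTIFICATE block in a PEM bundle.
func parsePEMChain(bundle []byte) ([]*x509.Certificate, error) {
	var chain []*x509.Certificate
	for {
		var block *pem.Block
		block, bundle = pem.Decode(bundle)
		if block == nil {
			return chain, nil
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		chain = append(chain, c)
	}
}

// auditBundle is the one-call form: PEM in, findings out.
func auditBundle(bundle []byte, maxBits int) ([]string, error) {
	chain, err := parsePEMChain(bundle)
	if err != nil {
		return nil, err
	}
	return oversizedRSAKeys(chain, maxBits), nil
}

// selfSignedPEM generates a throwaway self-signed certificate with an RSA key
// of the given size, so the PEM path can be exercised without any real PKI.
func selfSignedPEM(bits int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "demo.invalid"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// syntheticCert builds a certificate value carrying an RSA modulus of exactly
// `bits` bits without generating a key pair: constructed test data, since a
// real 16384-bit key would take minutes to generate.
func syntheticCert(cn string, bits int) *x509.Certificate {
	n := new(big.Int).Lsh(big.NewInt(1), uint(bits-1)) // top bit set, so BitLen == bits
	n.Or(n, big.NewInt(1))
	c := &x509.Certificate{PublicKey: &rsa.PublicKey{N: n, E: 65537}}
	c.Subject.CommonName = cn
	return c
}

// auditSynthetic checks a constructed chain with a 2048-bit leaf and a
// 16384-bit root against the default limit.
func auditSynthetic() []string {
	chain := []*x509.Certificate{syntheticCert("leaf", 2048), syntheticCert("root", 16384)}
	return oversizedRSAKeys(chain, maxRSABits)
}

func main() {
	fmt.Println(auditSynthetic())
}
```

Feed it the chains your servers present and the client CA bundles they trust, since the limit applies to certificates transmitted in either direction of the handshake.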

Revision 1.183 / (download) - annotate - [select for diffs], Sat Jul 15 10:40:37 2023 UTC (8 months, 1 week ago) by bsiegert
Branch: MAIN
Changes since 1.182: +2 -2 lines
Diff to previous 1.182 (colored) to selected 1.56 (colored)

go120: update to 1.20.6 (security)

This minor release includes 1 security fix following the security policy:

net/http: insufficient sanitization of Host header

The HTTP/1 client did not fully validate the contents of the Host header. A
maliciously crafted Host header could inject additional headers or entire
requests. The HTTP/1 client now refuses to send requests containing an invalid
Request.Host or Request.URL.Host value.

Thanks to Bartek Nowotarski for reporting this issue.

Includes security fixes for CVE-2023-29406 and Go issue
https://go.dev/issue/60374

Revision 1.182 / (download) - annotate - [select for diffs], Sat Jul 15 10:35:14 2023 UTC (8 months, 1 week ago) by bsiegert
Branch: MAIN
Changes since 1.181: +2 -2 lines
Diff to previous 1.181 (colored) to selected 1.56 (colored)

go119: update to 1.19.11 (security)

This minor release includes 1 security fix following the security policy:

net/http: insufficient sanitization of Host header

The HTTP/1 client did not fully validate the contents of the Host header. A
maliciously crafted Host header could inject additional headers or entire
requests. The HTTP/1 client now refuses to send requests containing an invalid
Request.Host or Request.URL.Host value.

Thanks to Bartek Nowotarski for reporting this issue.

Includes security fixes for CVE-2023-29406 and Go issue
https://go.dev/issue/60374
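
As an added example that is not from pkgsrc or the Go project, the Go program below does two things for the Host-header problem described in the two entries above: it applies an application-level host check (this example's own, deliberately stricter than the header grammar) before a caller-controlled value reaches the HTTP client, and it runs a local server to show that a CRLF-injected Host value never arrives as an extra header when a patched client sends the request. The server and the injected value are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// validHost is a check an application can apply to a caller-supplied host
// before it ever reaches net/http. It is deliberately stricter than the
// grammar of the Host header (this example's choice): no control characters,
// no whitespace, no non-ASCII, nothing that could end the header line or
// start another one.
func validHost(h string) bool {
	if h == "" || len(h) > 255 {
		return false
	}
	for _, r := range h {
		if r <= ' ' || r >= 0x7f {
			return false
		}
	}
	return true
}

// sendWithHost issues a GET to url with an explicit Host value and returns the
// status code, or the error the client produced.
func sendWithHost(url, host string) (int, error) {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return 0, err
	}
	req.Host = host
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// observed is what the server saw for one request, plus the client's view.
type observed struct {
	Host     string // the Host the server parsed
	Injected string // value of X-Injected on the server side; must stay empty
	Status   int    // client-side status, 0 if the client returned an error
	Err      error
}

// demo runs a local server that records Host and X-Injected, then sends one
// clean request and one whose Host value carries a CRLF-injected header.
func demo() (clean, injected observed) {
	var mu sync.Mutex
	var last observed
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		mu.Lock()
		last = observed{Host: r.Host, Injected: r.Header.Get("X-Injected")}
		mu.Unlock()
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()

	try := func(host string) observed {
		mu.Lock()
		last = observed{}
		mu.Unlock()
		status, err := sendWithHost(srv.URL, host)
		mu.Lock()
		defer mu.Unlock()
		o := last
		o.Status, o.Err = status, err
		return o
	}
	clean = try("app.example")
	injected = try("app.example\r\nX-Injected: 1") // constructed smuggling attempt
	return clean, injected
}

func main() {
	for _, h := range []string{"app.example", "app.example:8443", "app.example\r\nX-Injected: 1"} {
		fmt.Printf("validHost(%q) = %v\n", h, validHost(h))
	}
	clean, injected := demo()
	fmt.Printf("clean: %+v\ninjected: %+v\n", clean, injected)
}
```

Depending on the patch release, the client either returns an error for the bad Host or sends the request without the invalid value; the program reports which, and the property that matters, no injected header on the server side, holds either way. The validHost pre-check is what protects callers still on an unpatched Go.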

Revision 1.181 / (download) - annotate - [select for diffs], Sat Jun 10 11:41:31 2023 UTC (9 months, 2 weeks ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2023Q2-base, pkgsrc-2023Q2
Changes since 1.180: +2 -2 lines
Diff to previous 1.180 (colored) to selected 1.56 (colored)

go120: update to 1.20.5 (security)

This minor release includes 3 security fixes following the security policy:

- cmd/go: cgo code injection

  The go command may generate unexpected code at build time when using cgo. This
  may result in unexpected behavior when running a go program which uses cgo.

  This may occur when running an untrusted module which contains directories
  with newline characters in their names. Modules which are retrieved using the
  go command, i.e. via "go get", are not affected (modules retrieved using
  GOPATH-mode, i.e.  GO111MODULE=off, may be affected).

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29402 and Go issue https://go.dev/issue/60167.

- runtime: unexpected behavior of setuid/setgid binaries

  The Go runtime didn't act any differently when a binary had the setuid/setgid
  bit set. On Unix platforms, if a setuid/setgid binary was executed with
  standard I/O file descriptors closed, opening any files could result in
  unexpected content being read/written with elevated privileges. Similarly if a
  setuid/setgid program was terminated, either via panic or signal, it could
  leak the contents of its registers.

  Thanks to Vincent Dehors from Synacktiv for reporting this issue.

  This is CVE-2023-29403 and Go issue https://go.dev/issue/60272.

- cmd/go: improper sanitization of LDFLAGS

  The go command may execute arbitrary code at build time when using cgo. This
  may occur when running "go get" on a malicious module, or when running any
  other command which builds untrusted code. This can be triggered by linker
  flags, specified via a "#cgo LDFLAGS" directive.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29404 and CVE-2023-29405 and Go issues
  https://go.dev/issue/60305 and https://go.dev/issue/60306.

Revision 1.180 / (download) - annotate - [select for diffs], Tue Jun 6 18:49:04 2023 UTC (9 months, 3 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.179: +2 -2 lines
Diff to previous 1.179 (colored) to selected 1.56 (colored)

go119: update to 1.19.10 (security)

This minor release includes 3 security fixes following the security policy:

- cmd/go: cgo code injection

  The go command may generate unexpected code at build time when using cgo. This
  may result in unexpected behavior when running a go program which uses cgo.

  This may occur when running an untrusted module which contains directories
  with newline characters in their names. Modules which are retrieved using the
  go command, i.e. via "go get", are not affected (modules retrieved using
  GOPATH-mode, i.e.  GO111MODULE=off, may be affected).

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29402 and Go issue https://go.dev/issue/60167.

- runtime: unexpected behavior of setuid/setgid binaries

  The Go runtime didn't act any differently when a binary had the setuid/setgid
  bit set. On Unix platforms, if a setuid/setgid binary was executed with
  standard I/O file descriptors closed, opening any files could result in
  unexpected content being read/written with elevated privileges. Similarly if a
  setuid/setgid program was terminated, either via panic or signal, it could
  leak the contents of its registers.

  Thanks to Vincent Dehors from Synacktiv for reporting this issue.

  This is CVE-2023-29403 and Go issue https://go.dev/issue/60272.

- cmd/go: improper sanitization of LDFLAGS

  The go command may execute arbitrary code at build time when using cgo. This
  may occur when running "go get" on a malicious module, or when running any
  other command which builds untrusted code. This can be triggered by linker
  flags, specified via a "#cgo LDFLAGS" directive.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29404 and CVE-2023-29405 and Go issues
  https://go.dev/issue/60305 and https://go.dev/issue/60306.
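
The 1.20.5/1.19.10 entries above, like the //line-directive (1.20.9/1.21.2) and go.mod toolchain (1.20.8/1.21.1) entries earlier on this page, all concern code that runs, or flags that get injected, while an untrusted module is merely built. As an added example that is not part of pkgsrc or the Go toolchain, the Go program below scans a module's files for the directives those advisories name (//line and /*line directives, //go:cgo_ directives, #cgo flag lines, and a go.mod toolchain value that is not a plain version) so they can be reviewed before `go build` or `go get` runs. The regular expressions, the toolchain heuristic and the sample module are this example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Finding is one directive in an untrusted module that deserves a human look
// before the go command is allowed to build it.
type Finding struct {
	File, Rule, Text string
	Line             int
}

var (
	// //line and /*line directives: they rewrite the file position the compiler
	// attributes code to, and the advisories note they must carry an absolute path.
	lineDirective = regexp.MustCompile(`^\s*(//line |/\*line )\S`)
	// Compiler-level cgo directives; ordinary packages have no business emitting them.
	cgoDirective = regexp.MustCompile(`^\s*//go:cgo_[a-z_]+`)
	// #cgo flag lines in a cgo preamble: compiler and linker flags come straight from the module.
	cgoFlags = regexp.MustCompile(`^\s*#cgo\b.*\b(LDFLAGS|CFLAGS|CPPFLAGS|CXXFLAGS|FFLAGS|pkg-config)\b`)
	// go.mod toolchain values this scanner considers ordinary (its own heuristic).
	toolchainOK = regexp.MustCompile(`^go1\.[0-9]+(\.[0-9]+)?(rc[0-9]+|beta[0-9]+)?$`)
)

// scanGoSource flags directives in one Go source file; name is only reported.
func scanGoSource(name, src string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		rule := ""
		switch {
		case lineDirective.MatchString(line):
			rule = "line-directive"
		case cgoDirective.MatchString(line):
			rule = "cgo-directive"
		case cgoFlags.MatchString(line):
			rule = "cgo-flags"
		default:
			continue
		}
		out = append(out, Finding{File: name, Line: n, Rule: rule, Text: strings.TrimSpace(line)})
	}
	return out
}

// scanGoMod flags a toolchain directive whose value is not a plain Go version
// (or "default"), since the directive can name something to execute.
func scanGoMod(name, src string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		f := strings.Fields(sc.Text())
		if len(f) == 0 || f[0] != "toolchain" {
			continue
		}
		if len(f) != 2 || (f[1] != "default" && !toolchainOK.MatchString(f[1])) {
			out = append(out, Finding{File: name, Line: n, Rule: "toolchain", Text: strings.TrimSpace(sc.Text())})
		}
	}
	return out
}

// scanModule runs both scanners over a module given as path -> contents, so
// the example needs no filesystem; a real tool would walk the module root.
func scanModule(files map[string]string) []Finding {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var out []Finding
	for _, n := range names {
		if n == "go.mod" || strings.HasSuffix(n, "/go.mod") {
			out = append(out, scanGoMod(n, files[n])...)
		} else if strings.HasSuffix(n, ".go") {
			out = append(out, scanGoSource(n, files[n])...)
		}
	}
	return out
}

// sampleModule is constructed input: one untrusted module exhibiting each pattern.
var sampleModule = map[string]string{
	"go.mod":    "module example.com/untrusted\n\ngo 1.21\n\ntoolchain ./tools/go\n",
	"main.go":   "package main\n\n//line /src/elsewhere.go:10\n//go:cgo_ldflag \"-L/tmp\"\n\nfunc main() {}\n",
	"native.go": "package main\n\n/*\n#cgo LDFLAGS: -L/tmp -lfoo\n#include <stdio.h>\n*/\nimport \"C\"\n",
	"clean.go":  "package main\n\n// line numbers in ordinary comments are fine\nvar x = 1\n",
}

func main() {
	for _, f := range scanModule(sampleModule) {
		fmt.Printf("%s:%d [%s] %s\n", f.File, f.Line, f.Rule, f.Text)
	}
}
```

This is a review aid, not a verdict: legitimate cgo packages carry #cgo lines. The robust controls remain a current Go release, GOTOOLCHAIN=local in CI so a module cannot trigger a toolchain switch, and building untrusted code in a throwaway sandbox.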

Revision 1.179 / (download) - annotate - [select for diffs], Fri May 5 18:33:15 2023 UTC (10 months, 3 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.178: +2 -2 lines
Diff to previous 1.178 (colored) to selected 1.56 (colored)

go120: update to 1.20.4 (security)

This minor release includes 3 security fixes following the security policy:

* html/template: improper sanitization of CSS values

  Angle brackets (<>) were not considered dangerous characters when inserted
  into CSS contexts. Templates containing multiple actions separated by a '/'
  character could result in unexpectedly closing the CSS context and allowing
  for injection of unexpected HTML, if executed with untrusted input.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-24539 and Go issue https://go.dev/issue/59720.

* html/template: improper handling of JavaScript whitespace

  Not all valid JavaScript whitespace characters were considered to be
  whitespace. Templates containing whitespace characters outside of the
  character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also
  contain actions may not be properly sanitized during execution.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-24540 and Go issue https://go.dev/issue/59721.

* html/template: improper handling of empty HTML attributes

  Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}")
  executed with empty input could result in output that would have unexpected
  results when parsed due to HTML normalization rules. This may allow injection
  of arbitrary attributes into tags.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29400 and Go issue https://go.dev/issue/59722.

Revision 1.178 / (download) - annotate - [select for diffs], Wed May 3 19:24:54 2023 UTC (10 months, 3 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.177: +2 -2 lines
Diff to previous 1.177 (colored) to selected 1.56 (colored)

go119: update to 1.19.9 (security)

This minor release includes 3 security fixes following the security policy:

* html/template: improper sanitization of CSS values

  Angle brackets (<>) were not considered dangerous characters when inserted
  into CSS contexts. Templates containing multiple actions separated by a '/'
  character could result in unexpectedly closing the CSS context and allowing
  for injection of unexpected HTML, if executed with untrusted input.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-24539 and Go issue https://go.dev/issue/59720.

* html/template: improper handling of JavaScript whitespace

  Not all valid JavaScript whitespace characters were considered to be
  whitespace. Templates containing whitespace characters outside of the
  character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also
  contain actions may not be properly sanitized during execution.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-24540 and Go issue https://go.dev/issue/59721.

* html/template: improper handling of empty HTML attributes

  Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}")
  executed with empty input could result in output that would have unexpected
  results when parsed due to HTML normalization rules. This may allow injection
  of arbitrary attributes into tags.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29400 and Go issue https://go.dev/issue/59722.

Revision 1.177 / (download) - annotate - [select for diffs], Tue Apr 4 18:33:25 2023 UTC (11 months, 3 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.176: +2 -2 lines
Diff to previous 1.176 (colored) to selected 1.56 (colored)

go120: update to 1.20.3 (security)

This minor release includes 4 security fixes following the security policy:

- go/parser: infinite loop in parsing

  Calling any of the Parse functions on Go source code which contains //line
  directives with very large line numbers can cause an infinite loop due to
  integer overflow.

  Thanks to Philippe Antoine (Catena cyber) for reporting this issue.

  This is CVE-2023-24537 and Go issue https://go.dev/issue/59180.

- html/template: backticks not treated as string delimiters

  Templates did not properly consider backticks (`) as Javascript string
  delimiters, and as such did not escape them as expected. Backticks are used,
  since ES6, for JS template literals. If a template contained a Go template
  action within a Javascript template literal, the contents of the action could
  be used to terminate the literal, injecting arbitrary Javascript code into
  the Go template.

  As ES6 template literals are rather complex, and themselves can do string
  interpolation, we've decided to simply disallow Go template actions from
  being used inside of them (e.g. "var a = {{.}}"), since there is no obviously
  safe way to allow this behavior. This takes the same approach as
  github.com/google/safehtml.  Template.Parse will now return an Error when it
  encounters templates like this, with a currently unexported ErrorCode with a
  value of 12. This ErrorCode will be exported in the next major release.

  Users who rely on this behavior can re-enable it using the GODEBUG flag
  jstmpllitinterp=1, with the caveat that backticks will now be escaped. This
  should be used with caution.

  Thanks to Sohom Datta, Manipal Institute of Technology, for reporting this
  issue.

  This is CVE-2023-24538 and Go issue https://go.dev/issue/59234.

- net/http, net/textproto: denial of service from excessive memory allocation

  HTTP and MIME header parsing could allocate large amounts of memory, even
  when parsing small inputs.

  Certain unusual patterns of input data could cause the common function used
  to parse HTTP and MIME headers to allocate substantially more memory than
  required to hold the parsed headers. An attacker can exploit this behavior to
  cause an HTTP server to allocate large amounts of memory from a small
  request, potentially leading to memory exhaustion and a denial of service.

  Header parsing now correctly allocates only the memory required to hold
  parsed headers.

  Thanks to Jakob Ackermann (@das7pad) for discovering this issue.

  This is CVE-2023-24534 and Go issue https://go.dev/issue/58975.

- net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption

  Multipart form parsing can consume large amounts of CPU and memory when
  processing form inputs containing very large numbers of parts. This stems
  from several causes:

  - mime/multipart.Reader.ReadForm limits the total memory a parsed multipart
    form can consume. ReadForm could undercount the amount of memory consumed,
    leading it to accept larger inputs than intended.
  - Limiting total memory does not account for increased pressure on the
    garbage collector from large numbers of small allocations in forms with
    many parts.
  - ReadForm could allocate a large number of short-lived buffers, further
    increasing pressure on the garbage collector.

  The combination of these factors can permit an attacker to cause a program
  that parses multipart forms to consume large amounts of CPU and memory,
  potentially resulting in a denial of service. This affects programs that use
  mime/multipart.Reader.ReadForm, as well as form parsing in the net/http
  package with the Request methods FormFile, FormValue, ParseMultipartForm,
  and PostFormValue.

  ReadForm now does a better job of estimating the memory consumption of parsed
  forms, and performs many fewer short-lived allocations.

  In addition, mime/multipart.Reader now imposes the following limits on the
  size of parsed forms:

  - Forms parsed with ReadForm may contain no more than 1000 parts. This limit
    may be adjusted with the environment variable GODEBUG=multipartmaxparts=.
  - Form parts parsed with NextPart and NextRawPart may contain no more than
    10,000 header fields. In addition, forms parsed with ReadForm may contain
    no more than 10,000 header fields across all parts. This limit may be
    adjusted with the environment variable GODEBUG=multipartmaxheaders=.

  Thanks to Jakob Ackermann (@das7pad) for discovering this issue.

  This is CVE-2023-24536 and Go issue https://go.dev/issue/59153.

Revision 1.176 / (download) - annotate - [select for diffs], Tue Apr 4 18:22:14 2023 UTC (11 months, 3 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.175: +2 -2 lines
Diff to previous 1.175 (colored) to selected 1.56 (colored)

go119: update to 1.19.8 (security)

This minor release includes 4 security fixes following the security policy:

- go/parser: infinite loop in parsing

  Calling any of the Parse functions on Go source code which contains //line
  directives with very large line numbers can cause an infinite loop due to
  integer overflow.

  Thanks to Philippe Antoine (Catena cyber) for reporting this issue.

  This is CVE-2023-24537 and Go issue https://go.dev/issue/59180.

- html/template: backticks not treated as string delimiters

  Templates did not properly consider backticks (`) as Javascript string
  delimiters, and as such did not escape them as expected. Backticks are used,
  since ES6, for JS template literals. If a template contained a Go template
  action within a Javascript template literal, the contents of the action could
  be used to terminate the literal, injecting arbitrary Javascript code into
  the Go template.

  As ES6 template literals are rather complex, and themselves can do string
  interpolation, we've decided to simply disallow Go template actions from
  being used inside of them (e.g. "var a = {{.}}"), since there is no obviously
  safe way to allow this behavior. This takes the same approach as
  github.com/google/safehtml.  Template.Parse will now return an Error when it
  encounters templates like this, with a currently unexported ErrorCode with a
  value of 12. This ErrorCode will be exported in the next major release.

  Users who rely on this behavior can re-enable it using the GODEBUG flag
  jstmpllitinterp=1, with the caveat that backticks will now be escaped. This
  should be used with caution.

  Thanks to Sohom Datta, Manipal Institute of Technology, for reporting this
  issue.

  This is CVE-2023-24538 and Go issue https://go.dev/issue/59234.

- net/http, net/textproto: denial of service from excessive memory allocation

  HTTP and MIME header parsing could allocate large amounts of memory, even
  when parsing small inputs.

  Certain unusual patterns of input data could cause the common function used
  to parse HTTP and MIME headers to allocate substantially more memory than
  required to hold the parsed headers. An attacker can exploit this behavior to
  cause an HTTP server to allocate large amounts of memory from a small
  request, potentially leading to memory exhaustion and a denial of service.

  Header parsing now correctly allocates only the memory required to hold
  parsed headers.

  Thanks to Jakob Ackermann (@das7pad) for discovering this issue.

  This is CVE-2023-24534 and Go issue https://go.dev/issue/58975.

- net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption

  Multipart form parsing can consume large amounts of CPU and memory when
  processing form inputs containing very large numbers of parts. This stems
  from several causes:

  - mime/multipart.Reader.ReadForm limits the total memory a parsed multipart
    form can consume. ReadForm could undercount the amount of memory consumed,
    leading it to accept larger inputs than intended.
  - Limiting total memory does not account for increased pressure on the
    garbage collector from large numbers of small allocations in forms with
    many parts.
  - ReadForm could allocate a large number of short-lived buffers, further
    increasing pressure on the garbage collector.

  The combination of these factors can permit an attacker to cause a program
  that parses multipart forms to consume large amounts of CPU and memory,
  potentially resulting in a denial of service. This affects programs that use
  mime/multipart.Reader.ReadForm, as well as form parsing in the net/http
  package with the Request methods FormFile, FormValue, ParseMultipartForm,
  and PostFormValue.

  ReadForm now does a better job of estimating the memory consumption of parsed
  forms, and performs many fewer short-lived allocations.

  In addition, mime/multipart.Reader now imposes the following limits on the
  size of parsed forms:

  - Forms parsed with ReadForm may contain no more than 1000 parts. This limit
    may be adjusted with the environment variable GODEBUG=multipartmaxparts=.
  - Form parts parsed with NextPart and NextRawPart may contain no more than
    10,000 header fields. In addition, forms parsed with ReadForm may contain
    no more than 10,000 header fields across all parts. This limit may be
    adjusted with the environment variable GODEBUG=multipartmaxheaders=.

  Thanks to Jakob Ackermann (@das7pad) for discovering this issue.

  This is CVE-2023-24536 and Go issue https://go.dev/issue/59153.

Revision 1.175 / (download) - annotate - [select for diffs], Wed Mar 8 13:14:58 2023 UTC (12 months, 3 weeks ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2023Q1-base, pkgsrc-2023Q1
Changes since 1.174: +2 -2 lines
Diff to previous 1.174 (colored) to selected 1.56 (colored)

go119: update to 1.19.7

This minor release includes 1 security fix following the security policy:

crypto/elliptic: incorrect P-256 ScalarMult and ScalarBaseMult results

The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an
incorrect result if called with some specific unreduced scalars (a scalar larger
than the order of the curve).

This does not impact usages of crypto/ecdsa or crypto/ecdh.

Thanks to Guido Vranken for reporting this issue via the Ethereum Foundation bug
bounty program.

This is CVE-2023-24532 and Go issue https://go.dev/issue/58647.

Revision 1.174 / (download) - annotate - [select for diffs], Wed Mar 8 08:51:16 2023 UTC (12 months, 3 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.173: +3 -3 lines
Diff to previous 1.173 (colored) to selected 1.56 (colored)

go120: update to 1.20.2

This minor release includes 1 security fix following the security policy:

crypto/elliptic: incorrect P-256 ScalarMult and ScalarBaseMult results

The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an
incorrect result if called with some specific unreduced scalars (a scalar larger
than the order of the curve).

This does not impact usages of crypto/ecdsa or crypto/ecdh.

Thanks to Guido Vranken for reporting this issue via the Ethereum Foundation bug
bounty program.

This is CVE-2023-24532 and Go issue https://go.dev/issue/58647.

Revision 1.173 / (download) - annotate - [select for diffs], Thu Feb 16 13:55:55 2023 UTC (13 months, 1 week ago) by bsiegert
Branch: MAIN
Changes since 1.172: +2 -2 lines
Diff to previous 1.172 (colored) to selected 1.56 (colored)

go119: update to 1.19.6 (security)

This minor release includes 4 security fixes following the security policy:

- path/filepath: path traversal in filepath.Clean on Windows

  On Windows, the filepath.Clean function could transform an invalid path such
  as a/../c:/b into the valid path c:\b. This transformation of a relative (if
  invalid) path into an absolute path could enable a directory traversal
  attack.  The filepath.Clean function will now transform this path into the
  relative (but still invalid) path .\c:\b.

  Thanks to RyotaK (https://ryotak.net) for reporting this issue.

  This is CVE-2022-41722 and Go issue https://go.dev/issue/57274.

- net/http, mime/multipart: denial of service from excessive resource
  consumption

  Multipart form parsing with mime/multipart.Reader.ReadForm can consume
  largely unlimited amounts of memory and disk files. This also affects form
  parsing in the net/http package with the Request methods FormFile, FormValue,
  ParseMultipartForm, and PostFormValue.

  ReadForm takes a maxMemory parameter, and is documented as storing "up to
  maxMemory bytes +10MB (reserved for non-file parts) in memory". File parts
  which cannot be stored in memory are stored on disk in temporary files. The
  unconfigurable 10MB reserved for non-file parts is excessively large and can
  potentially open a denial of service vector on its own. However, ReadForm did
  not properly account for all memory consumed by a parsed form, such as map
  entry overhead, part names, and MIME headers, permitting a maliciously
  crafted form to consume well over 10MB. In addition, ReadForm contained no
  limit on the number of disk files created, permitting a relatively small
  request body to create a large number of disk temporary files.

  ReadForm now properly accounts for various forms of memory overhead, and
  should now stay within its documented limit of 10MB + maxMemory bytes of
  memory consumption. Users should still be aware that this limit is high and
  may still be hazardous.

  ReadForm now creates at most one on-disk temporary file, combining multiple
  form parts into a single temporary file. The mime/multipart.File interface
  type's documentation states, "If stored on disk, the File's underlying
  concrete type will be an *os.File.". This is no longer the case when a form
  contains more than one file part, due to this coalescing of parts into a
  single file. The previous behavior of using distinct files for each form part
  may be reenabled with the environment variable
  GODEBUG=multipartfiles=distinct.

  Users should be aware that multipart.ReadForm and the http.Request methods
  that call it do not limit the amount of disk consumed by temporary files.
  Callers can limit the size of form data with http.MaxBytesReader.

  Thanks to Arpad Ryszka and Jakob Ackermann (@das7pad) for reporting this
  issue.

  This is CVE-2022-41725 and Go issue https://go.dev/issue/58006.

- crypto/tls: large handshake records may cause panics

  Both clients and servers may send large TLS handshake records which cause
  servers and clients, respectively, to panic when attempting to construct
  responses.

  This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable
  session resumption (by setting Config.ClientSessionCache to a non-nil value),
  and TLS 1.3 servers which request client certificates (by setting
  Config.ClientAuth >= RequestClientCert).

  Thanks to Marten Seemann for reporting this issue.

  This is CVE-2022-41724 and Go issue https://go.dev/issue/58001.

- net/http: avoid quadratic complexity in HPACK decoding

  A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in
  the HPACK decoder, sufficient to cause a denial of service from a small
  number of small requests.

  This issue is also fixed in golang.org/x/net/http2 v0.7.0, for users manually
  configuring HTTP/2.

  Thanks to Philippe Antoine (Catena cyber) for reporting this issue.

  This is CVE-2022-41723 and Go issue https://go.dev/issue/57855.

Revision 1.172 / (download) - annotate - [select for diffs], Thu Feb 16 10:39:59 2023 UTC (13 months, 1 week ago) by bsiegert
Branch: MAIN
Changes since 1.171: +2 -2 lines
Diff to previous 1.171 (colored) to selected 1.56 (colored)

go120: update to 1.20.1 (security)

This minor release includes 4 security fixes following the security policy:

- path/filepath: path traversal in filepath.Clean on Windows

  On Windows, the filepath.Clean function could transform an invalid path such
  as a/../c:/b into the valid path c:\b. This transformation of a relative (if
  invalid) path into an absolute path could enable a directory traversal
  attack.  The filepath.Clean function will now transform this path into the
  relative (but still invalid) path .\c:\b.

  Thanks to RyotaK (https://ryotak.net) for reporting this issue.

  This is CVE-2022-41722 and Go issue https://go.dev/issue/57274.

- net/http, mime/multipart: denial of service from excessive resource
  consumption

  Multipart form parsing with mime/multipart.Reader.ReadForm can consume
  largely unlimited amounts of memory and disk files. This also affects form
  parsing in the net/http package with the Request methods FormFile, FormValue,
  ParseMultipartForm, and PostFormValue.

  ReadForm takes a maxMemory parameter, and is documented as storing "up to
  maxMemory bytes +10MB (reserved for non-file parts) in memory". File parts
  which cannot be stored in memory are stored on disk in temporary files. The
  unconfigurable 10MB reserved for non-file parts is excessively large and can
  potentially open a denial of service vector on its own. However, ReadForm did
  not properly account for all memory consumed by a parsed form, such as map
  entry overhead, part names, and MIME headers, permitting a maliciously
  crafted form to consume well over 10MB. In addition, ReadForm contained no
  limit on the number of disk files created, permitting a relatively small
  request body to create a large number of disk temporary files.

  ReadForm now properly accounts for various forms of memory overhead, and
  should now stay within its documented limit of 10MB + maxMemory bytes of
  memory consumption. Users should still be aware that this limit is high and
  may still be hazardous.

  ReadForm now creates at most one on-disk temporary file, combining multiple
  form parts into a single temporary file. The mime/multipart.File interface
  type's documentation states, "If stored on disk, the File's underlying
  concrete type will be an *os.File.". This is no longer the case when a form
  contains more than one file part, due to this coalescing of parts into a
  single file. The previous behavior of using distinct files for each form part
  may be reenabled with the environment variable
  GODEBUG=multipartfiles=distinct.

  Users should be aware that multipart.ReadForm and the http.Request methods
  that call it do not limit the amount of disk consumed by temporary files.
  Callers can limit the size of form data with http.MaxBytesReader.

  Thanks to Arpad Ryszka and Jakob Ackermann (@das7pad) for reporting this
  issue.

  This is CVE-2022-41725 and Go issue https://go.dev/issue/58006.

- crypto/tls: large handshake records may cause panics

  Both clients and servers may send large TLS handshake records which cause
  servers and clients, respectively, to panic when attempting to construct
  responses.

  This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable
  session resumption (by setting Config.ClientSessionCache to a non-nil value),
  and TLS 1.3 servers which request client certificates (by setting
  Config.ClientAuth >= RequestClientCert).

  Thanks to Marten Seemann for reporting this issue.

  This is CVE-2022-41724 and Go issue https://go.dev/issue/58001.

- net/http: avoid quadratic complexity in HPACK decoding

  A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in
  the HPACK decoder, sufficient to cause a denial of service from a small
  number of small requests.

  This issue is also fixed in golang.org/x/net/http2 v0.7.0, for users manually
  configuring HTTP/2.

  Thanks to Philippe Antoine (Catena cyber) for reporting this issue.

  This is CVE-2022-41723 and Go issue https://go.dev/issue/57855.
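
The 1.19.6/1.20.1 multipart advisory above says callers can bound form data
with http.MaxBytesReader, and the 1.19.8/1.20.3 advisory adds per-form part
and header caps on top of that. The handler below is an added example, not
code from the Go release notes or from pkgsrc: it wraps the body in
MaxBytesReader before ParseMultipartForm runs and maps the resulting
*http.MaxBytesError to a 413. The limits (64 KiB body, 128 KiB in memory),
the /upload path and the constructed sample forms are assumptions chosen for
the example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
)

// Example limits (assumptions, not values from the advisory); size them for
// the forms the endpoint really expects.
const (
	maxBodyBytes   = 64 << 10  // total request body, enforced before parsing
	maxMemoryBytes = 128 << 10 // in-memory budget handed to ParseMultipartForm
)

// uploadHandler bounds the request body with http.MaxBytesReader before
// ParseMultipartForm runs, so an oversized form is rejected with 413 instead
// of being parsed into memory and temporary files.
func uploadHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	if err := r.ParseMultipartForm(maxMemoryBytes); err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "form too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "bad multipart form", http.StatusBadRequest)
		return
	}
	defer r.MultipartForm.RemoveAll() // release any on-disk parts when done
	fmt.Fprintf(w, "parts=%d", len(r.MultipartForm.Value)+len(r.MultipartForm.File))
}

// buildForm constructs a multipart body with one text field and one file
// part of fileSize bytes (constructed sample input for the example).
func buildForm(fileSize int) (body *bytes.Buffer, contentType string, err error) {
	body = &bytes.Buffer{}
	mw := multipart.NewWriter(body)
	if err = mw.WriteField("name", "report"); err != nil {
		return nil, "", err
	}
	fw, err := mw.CreateFormFile("upload", "data.bin")
	if err != nil {
		return nil, "", err
	}
	if _, err = fw.Write(bytes.Repeat([]byte{'A'}, fileSize)); err != nil {
		return nil, "", err
	}
	if err = mw.Close(); err != nil {
		return nil, "", err
	}
	return body, mw.FormDataContentType(), nil
}

// postForm sends a constructed form through the handler in-process and
// returns the HTTP status code it produced.
func postForm(fileSize int) (int, error) {
	body, ctype, err := buildForm(fileSize)
	if err != nil {
		return 0, err
	}
	req := httptest.NewRequest(http.MethodPost, "/upload", body)
	req.Header.Set("Content-Type", ctype)
	rec := httptest.NewRecorder()
	uploadHandler(rec, req)
	return rec.Code, nil
}

func main() {
	small, _ := postForm(1 << 10) // 1 KiB file: within the body cap
	large, _ := postForm(1 << 20) // 1 MiB file: exceeds maxBodyBytes
	fmt.Println("small form status:", small) // 200
	fmt.Println("large form status:", large) // 413
}
```

Because maxMemoryBytes is larger than maxBodyBytes, no part can outgrow the
in-memory budget, so ReadForm never has to spill to the temporary files whose
disk usage the advisory says it does not limit. The 1000-part and
10,000-header caps from 1.19.8/1.20.3 apply on top of this and are tuned
separately through GODEBUG=multipartmaxparts= and GODEBUG=multipartmaxheaders=.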

Revision 1.171 / (download) - annotate - [select for diffs], Sun Feb 5 13:25:25 2023 UTC (13 months, 3 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.170: +2 -1 lines
Diff to previous 1.170 (colored) to selected 1.56 (colored)

Import Go 1.20 from pkgsrc-wip into pkgsrc itself.

The latest Go release, version 1.20, arrives six months after Go 1.19. Most of
its changes are in the implementation of the toolchain, runtime, and libraries.
As always, the release maintains the Go 1 promise of compatibility. We expect
almost all Go programs to continue to compile and run as before.

https://go.dev/doc/go1.20

Revision 1.170 / (download) - annotate - [select for diffs], Sat Jan 28 12:34:30 2023 UTC (13 months, 4 weeks ago) by jperkin
Branch: MAIN
Changes since 1.169: +7 -1 lines
Diff to previous 1.169 (colored) to selected 1.56 (colored)

go: Switch illumos platforms to native GOOS=illumos.

Ensures that native interfaces such as flock(3C) that aren't available on
Solaris can be used.

Revision 1.169 / (download) - annotate - [select for diffs], Wed Jan 11 17:24:29 2023 UTC (14 months, 2 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.168: +2 -2 lines
Diff to previous 1.168 (colored) to selected 1.56 (colored)

go119: update to 1.19.5

go1.19.5 (released 2023-01-10) includes fixes to the compiler, the linker, and
the crypto/x509, net/http, sync/atomic, and syscall packages. See the Go 1.19.5
milestone on our issue tracker for details.

Revision 1.168 / (download) - annotate - [select for diffs], Wed Jan 11 15:21:43 2023 UTC (14 months, 2 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.167: +2 -6 lines
Diff to previous 1.167 (colored) to selected 1.56 (colored)

go118: update to 1.18.10

go1.18.10 (released 2023-01-10) includes fixes to cgo, the compiler, the
linker, and the crypto/x509, net/http, and syscall packages. See the Go 1.18.10
milestone on our issue tracker for details.

While here, clean up obsolete Go versions in version.mk.

Revision 1.167 / (download) - annotate - [select for diffs], Thu Dec 8 10:37:25 2022 UTC (15 months, 2 weeks ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2022Q4-base, pkgsrc-2022Q4
Changes since 1.166: +2 -2 lines
Diff to previous 1.166 (colored) to selected 1.56 (colored)

Update go119 to 1.19.4 (security).

This minor release includes 2 security fixes following the security policy
<https://go.dev/security>:

- os, net/http: avoid escapes from os.DirFS and http.Dir on Windows

  The os.DirFS function and http.Dir type provide access to a tree of files
  rooted at a given directory. These functions permitted access to Windows
  device files under that root. For example, os.DirFS("C:/tmp").Open("COM1")
  would open the COM1 device.  Both os.DirFS and http.Dir only provide
  read-only filesystem access.

  In addition, on Windows, an os.DirFS for the directory \ (the root of the
  current drive) can permit a maliciously crafted path to escape from the drive
  and access any path on the system.

  The behavior of os.DirFS("") has changed. Previously, an empty root was
  treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path
  "/tmp".  This now returns an error.

  This is CVE-2022-41720 and Go issue https://go.dev/issue/56694.

- net/http: limit canonical header cache by bytes, not entries

  An attacker can cause excessive memory growth in a Go server accepting HTTP/2
  requests.

  HTTP/2 server connections contain a cache of HTTP header keys sent by the
  client. While the total number of entries in this cache is capped, an
  attacker sending very large keys can cause the server to allocate
  approximately 64 MiB per open connection.

  This issue is also fixed in golang.org/x/net/http2, for users manually
  configuring HTTP/2.

  Thanks to Josselin Costanzi for reporting this issue.

  This is CVE-2022-41717 and Go issue https://go.dev/issue/56350.

Revision 1.166 / (download) - annotate - [select for diffs], Thu Dec 8 10:28:44 2022 UTC (15 months, 2 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.165: +2 -2 lines
Diff to previous 1.165 (colored) to selected 1.56 (colored)

Update go118 to 1.18.9 (security release).

This minor release includes 2 security fixes following the security policy
<https://go.dev/security>:

- os, net/http: avoid escapes from os.DirFS and http.Dir on Windows

  The os.DirFS function and http.Dir type provide access to a tree of files
  rooted at a given directory. These functions permitted access to Windows
  device files under that root. For example, os.DirFS("C:/tmp").Open("COM1")
  would open the COM1 device.  Both os.DirFS and http.Dir only provide
  read-only filesystem access.

  In addition, on Windows, an os.DirFS for the directory \ (the root of the
  current drive) can permit a maliciously crafted path to escape from the drive
  and access any path on the system.

  The behavior of os.DirFS("") has changed. Previously, an empty root was
  treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path
  "/tmp".  This now returns an error.

  This is CVE-2022-41720 and Go issue https://go.dev/issue/56694.

- net/http: limit canonical header cache by bytes, not entries

  An attacker can cause excessive memory growth in a Go server accepting HTTP/2
  requests.

  HTTP/2 server connections contain a cache of HTTP header keys sent by the
  client. While the total number of entries in this cache is capped, an
  attacker sending very large keys can cause the server to allocate
  approximately 64 MiB per open connection.

  This issue is also fixed in golang.org/x/net/http2, for users manually
  configuring HTTP/2.

  Thanks to Josselin Costanzi for reporting this issue.

  This is CVE-2022-41717 and Go issue https://go.dev/issue/56350.

Revision 1.165 / (download) - annotate - [select for diffs], Tue Nov 1 17:41:11 2022 UTC (16 months, 3 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.164: +2 -2 lines
Diff to previous 1.164 (colored) to selected 1.56 (colored)

go119: update to 1.19.3

This release includes 1 security fix following the security policy:

syscall, os/exec: unsanitized NUL in environment variables

On Windows, syscall.StartProcess and os/exec.Cmd did not properly check for
invalid environment variable values. A malicious environment variable value
could exploit this behavior to set a value for a different environment
variable. For example, the environment variable string "A=B\x00C=D" set the
variables "A=B" and "C=D".

Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.

This is CVE-2022-41716 and Go issue https://go.dev/issue/56284.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.19.3

Revision 1.164 / (download) - annotate - [select for diffs], Tue Nov 1 17:26:16 2022 UTC (16 months, 3 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.163: +2 -2 lines
Diff to previous 1.163 (colored) to selected 1.56 (colored)

go118: update to 1.18.8

This release includes 1 security fix following the security policy:

syscall, os/exec: unsanitized NUL in environment variables

On Windows, syscall.StartProcess and os/exec.Cmd did not properly check for
invalid environment variable values. A malicious environment variable value
could exploit this behavior to set a value for a different environment
variable. For example, the environment variable string "A=B\x00C=D" set the
variables "A=B" and "C=D".

Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.

This is CVE-2022-41716 and Go issue https://go.dev/issue/56284.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.18.8
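
The 1.18.8/1.19.3 advisory above describes one environment entry being split
into two by an embedded NUL. The check below is an added example, not code
from the Go release notes or from pkgsrc: it validates the entries a program
is about to hand to exec.Cmd.Env, using the advisory's "A=B\x00C=D" string as
one of its constructed inputs. The checkEnv and commandWithEnv names and the
/bin/true command are assumptions for the example.

```go
package main

import (
	"fmt"
	"os/exec"
	"strings"
)

// checkEnv validates KEY=VALUE entries before they reach exec.Cmd.Env. It
// rejects any entry containing a NUL byte (the character that, on affected
// Windows builds, turned one entry into two variables) and any entry without
// an '=' separator, reporting the index of the first bad entry.
func checkEnv(env []string) error {
	for i, kv := range env {
		if strings.IndexByte(kv, 0) >= 0 {
			return fmt.Errorf("env[%d]: contains NUL byte", i)
		}
		if _, _, ok := strings.Cut(kv, "="); !ok {
			return fmt.Errorf("env[%d]: not of the form KEY=VALUE", i)
		}
	}
	return nil
}

// commandWithEnv constructs (but does not run) a command whose environment
// has passed checkEnv, so an untrusted value never reaches the process spawner.
func commandWithEnv(name string, env []string, args ...string) (*exec.Cmd, error) {
	if err := checkEnv(env); err != nil {
		return nil, err
	}
	cmd := exec.Command(name, args...)
	cmd.Env = env
	return cmd, nil
}

func main() {
	// Constructed inputs; the second mirrors the advisory's example string.
	for _, env := range [][]string{
		{"PATH=/usr/bin", "LANG=C"},
		{"A=B\x00C=D"},
		{"NOEQUALS"},
	} {
		_, err := commandWithEnv("/bin/true", env)
		fmt.Printf("%q -> %v\n", env, err)
	}
}
```

Validating at the boundary where the environment is assembled keeps the
check independent of which Go version or operating system the binary ends up
running on.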

Revision 1.159.2.2 / (download) - annotate - [select for diffs], Fri Oct 7 18:19:31 2022 UTC (17 months, 2 weeks ago) by bsiegert
Branch: pkgsrc-2022Q3
Changes since 1.159.2.1: +2 -2 lines
Diff to previous 1.159.2.1 (colored) to branchpoint 1.159 (colored) next main 1.160 (colored) to selected 1.56 (colored)

Pullup ticket #6680 - requested by taca
lang/go119: security fix

Revisions pulled up:
- lang/go/version.mk                                            1.163
- lang/go119/PLIST                                              1.3
- lang/go119/distinfo                                           1.3

---
   Module Name:	pkgsrc
   Committed By:	bsiegert
   Date:		Wed Oct  5 11:20:24 UTC 2022

   Modified Files:
   	pkgsrc/lang/go: version.mk
   	pkgsrc/lang/go119: PLIST distinfo

   Log Message:
   Update go119 to 1.19.2

   This minor release includes 3 security fixes following the security policy:

   - archive/tar: unbounded memory consumption when reading headers

     Reader.Read did not set a limit on the maximum size of file headers.
     A maliciously crafted archive could cause Read to allocate unbounded
     amounts of memory, potentially causing resource exhaustion or panics.
     Reader.Read now limits the maximum size of header blocks to 1 MiB.

     Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

     This is CVE-2022-2879 and Go issue https://go.dev/issue/54853.

   - net/http/httputil: ReverseProxy should not forward unparseable query parameters

     Requests forwarded by ReverseProxy included the raw query parameters from the
     inbound request, including unparseable parameters rejected by net/http. This
     could permit query parameter smuggling when a Go proxy forwards a parameter
     with an unparseable value.

     ReverseProxy will now sanitize the query parameters in the forwarded query
     when the outbound request's Form field is set after the ReverseProxy.Director
     function returns, indicating that the proxy has parsed the query parameters.
     Proxies which do not parse query parameters continue to forward the original
     query parameters unchanged.

     Thanks to Gal Goldstein (Security Researcher, Oxeye) and
     Daniel Abeles (Head of Research, Oxeye) for reporting this issue.

     This is CVE-2022-2880 and Go issue https://go.dev/issue/54663.

   - regexp/syntax: limit memory used by parsing regexps

     The parsed regexp representation is linear in the size of the input,
     but in some cases the constant factor can be as high as 40,000,
     making relatively small regexps consume much larger amounts of memory.

     Each regexp being parsed is now limited to a 256 MB memory footprint.
     Regular expressions whose representation would use more space than that
     are now rejected. Normal use of regular expressions is unaffected.

     Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

     This is CVE-2022-41715 and Go issue https://go.dev/issue/55949.

Revision 1.159.2.1 / (download) - annotate - [select for diffs], Fri Oct 7 16:34:02 2022 UTC (17 months, 2 weeks ago) by bsiegert
Branch: pkgsrc-2022Q3
Changes since 1.159: +2 -2 lines
Diff to previous 1.159 (colored) to selected 1.56 (colored)

Pullup ticket #6679 - requested by taca
lang/go118: security fix

Revisions pulled up:
- lang/go/version.mk                                            1.162
- lang/go118/PLIST                                              1.8
- lang/go118/distinfo                                           1.8

---
   Module Name:	pkgsrc
   Committed By:	bsiegert
   Date:		Wed Oct  5 09:51:52 UTC 2022

   Modified Files:
   	pkgsrc/lang/go: version.mk
   	pkgsrc/lang/go118: PLIST distinfo

   Log Message:
   go118: update to 1.18.7

   This minor release includes 3 security fixes following the security policy:

   - archive/tar: unbounded memory consumption when reading headers

     Reader.Read did not set a limit on the maximum size of file headers.
     A maliciously crafted archive could cause Read to allocate unbounded
     amounts of memory, potentially causing resource exhaustion or panics.
     Reader.Read now limits the maximum size of header blocks to 1 MiB.

     Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

     This is CVE-2022-2879 and Go issue https://go.dev/issue/54853.

   - net/http/httputil: ReverseProxy should not forward unparseable query parameters

     Requests forwarded by ReverseProxy included the raw query parameters from the
     inbound request, including unparseable parameters rejected by net/http. This
     could permit query parameter smuggling when a Go proxy forwards a parameter
     with an unparseable value.

     ReverseProxy will now sanitize the query parameters in the forwarded query
     when the outbound request's Form field is set after the ReverseProxy.Director
     function returns, indicating that the proxy has parsed the query parameters.
     Proxies which do not parse query parameters continue to forward the original
     query parameters unchanged.

     Thanks to Gal Goldstein (Security Researcher, Oxeye) and
     Daniel Abeles (Head of Research, Oxeye) for reporting this issue.

     This is CVE-2022-2880 and Go issue https://go.dev/issue/54663.

   - regexp/syntax: limit memory used by parsing regexps

     The parsed regexp representation is linear in the size of the input,
     but in some cases the constant factor can be as high as 40,000,
     making relatively small regexps consume much larger amounts of memory.

     Each regexp being parsed is now limited to a 256 MB memory footprint.
     Regular expressions whose representation would use more space than that
     are now rejected. Normal use of regular expressions is unaffected.

     Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

     This is CVE-2022-41715 and Go issue https://go.dev/issue/55949.

Revision 1.163 / (download) - annotate - [select for diffs], Wed Oct 5 11:20:24 2022 UTC (17 months, 3 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.162: +2 -2 lines
Diff to previous 1.162 (colored) to selected 1.56 (colored)

Update go119 to 1.19.2

This minor release includes 3 security fixes following the security policy:

- archive/tar: unbounded memory consumption when reading headers

  Reader.Read did not set a limit on the maximum size of file headers.
  A maliciously crafted archive could cause Read to allocate unbounded
  amounts of memory, potentially causing resource exhaustion or panics.
  Reader.Read now limits the maximum size of header blocks to 1 MiB.

  Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

  This is CVE-2022-2879 and Go issue https://go.dev/issue/54853.

- net/http/httputil: ReverseProxy should not forward unparseable query parameters

  Requests forwarded by ReverseProxy included the raw query parameters from the
  inbound request, including unparseable parameters rejected by net/http. This
  could permit query parameter smuggling when a Go proxy forwards a parameter
  with an unparseable value.

  ReverseProxy will now sanitize the query parameters in the forwarded query
  when the outbound request's Form field is set after the ReverseProxy.Director
  function returns, indicating that the proxy has parsed the query parameters.
  Proxies which do not parse query parameters continue to forward the original
  query parameters unchanged.

  Thanks to Gal Goldstein (Security Researcher, Oxeye) and
  Daniel Abeles (Head of Research, Oxeye) for reporting this issue.

  This is CVE-2022-2880 and Go issue https://go.dev/issue/54663.

- regexp/syntax: limit memory used by parsing regexps

  The parsed regexp representation is linear in the size of the input,
  but in some cases the constant factor can be as high as 40,000,
  making relatively small regexps consume much larger amounts of memory.

  Each regexp being parsed is now limited to a 256 MB memory footprint.
  Regular expressions whose representation would use more space than that
  are now rejected. Normal use of regular expressions is unaffected.

  Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

  This is CVE-2022-41715 and Go issue https://go.dev/issue/55949.

Revision 1.162 / (download) - annotate - [select for diffs], Wed Oct 5 09:51:52 2022 UTC (17 months, 3 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.161: +2 -2 lines
Diff to previous 1.161 (colored) to selected 1.56 (colored)

go118: update to 1.18.7

This minor release includes 3 security fixes following the security policy:

- archive/tar: unbounded memory consumption when reading headers

  Reader.Read did not set a limit on the maximum size of file headers.
  A maliciously crafted archive could cause Read to allocate unbounded
  amounts of memory, potentially causing resource exhaustion or panics.
  Reader.Read now limits the maximum size of header blocks to 1 MiB.

  Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

  This is CVE-2022-2879 and Go issue https://go.dev/issue/54853.

- net/http/httputil: ReverseProxy should not forward unparseable query parameters

  Requests forwarded by ReverseProxy included the raw query parameters from the
  inbound request, including unparseable parameters rejected by net/http. This
  could permit query parameter smuggling when a Go proxy forwards a parameter
  with an unparseable value.

  ReverseProxy will now sanitize the query parameters in the forwarded query
  when the outbound request's Form field is set after the ReverseProxy.Director
  function returns, indicating that the proxy has parsed the query parameters.
  Proxies which do not parse query parameters continue to forward the original
  query parameters unchanged.

  Thanks to Gal Goldstein (Security Researcher, Oxeye) and
  Daniel Abeles (Head of Research, Oxeye) for reporting this issue.

  This is CVE-2022-2880 and Go issue https://go.dev/issue/54663.

- regexp/syntax: limit memory used by parsing regexps

  The parsed regexp representation is linear in the size of the input,
  but in some cases the constant factor can be as high as 40,000,
  making relatively small regexps consume much larger amounts of memory.

  Each regexp being parsed is now limited to a 256 MB memory footprint.
  Regular expressions whose representation would use more space than that
  are now rejected. Normal use of regular expressions is unaffected.

  Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

  This is CVE-2022-41715 and Go issue https://go.dev/issue/55949.
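
The ReverseProxy entry above (CVE-2022-2880) can be reproduced end to end with two loopback servers. The program below is an added example, not code from the Go project or from pkgsrc; the helper name forwardedQuery and the two query strings are assumptions constructed for the demonstration. It sends a query whose first pair is semicolon-joined (which url.ParseQuery rejects) and one whose value has an invalid percent escape through a ReverseProxy, once with a Director that never parses the query and once with a Director that calls ParseForm. On Go 1.18.7/1.19.2 or later the first proxy still forwards the raw string unchanged, as the note says, while the second forwards only the parameters that actually parsed.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// forwardedQuery (hypothetical helper) pushes one GET through a
// ReverseProxy in front of a loopback backend and returns the raw query
// string the backend actually received. When parseInDirector is true the
// Director calls ParseForm, which leaves the outbound request's Form
// non-nil; that is the condition under which Go 1.18.7/1.19.2 and later
// re-encode the forwarded query from the parsed parameters only.
func forwardedQuery(inboundRawQuery string, parseInDirector bool) (string, error) {
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Echo the query verbatim. A backend that splits on ';' or tolerates
		// bad escapes would otherwise see parameters the proxy never validated.
		io.WriteString(w, r.URL.RawQuery)
	}))
	defer backend.Close()

	target, err := url.Parse(backend.URL)
	if err != nil {
		return "", err
	}
	proxy := httputil.NewSingleHostReverseProxy(target)
	if parseInDirector {
		next := proxy.Director
		proxy.Director = func(r *http.Request) {
			next(r)
			_ = r.ParseForm() // the proxy inspects parameters; the parse error is deliberately ignored
		}
	}
	front := httptest.NewServer(proxy)
	defer front.Close()

	resp, err := http.Get(front.URL + "/?" + inboundRawQuery)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(body), nil
}

func main() {
	// Constructed inputs: a semicolon-joined pair, which url.ParseQuery
	// rejects (semicolons stopped being separators in Go 1.17), and a value
	// with an invalid percent escape. "c=3" and "y=1" parse normally.
	for _, raw := range []string{"a=1;b=2&c=3", "x=%zz&y=1"} {
		for _, parse := range []bool{false, true} {
			got, err := forwardedQuery(raw, parse)
			fmt.Printf("inbound %q, proxy parses query=%-5v -> backend saw %q err=%v\n", raw, parse, got, err)
		}
	}
}
```

The practical consequence is that the fix only engages when the outbound request's Form is non-nil. A proxy that makes routing or authorization decisions by inspecting RawQuery by hand, without ever calling ParseForm or ParseQuery, still forwards the raw string and gets no protection from this change; such a proxy should parse the query itself and reject or re-encode anything that fails to parse.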

Revision 1.161 / (download) - annotate - [select for diffs], Sat Oct 1 11:20:05 2022 UTC (17 months, 3 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.160: +1 -11 lines
Diff to previous 1.160 (colored) to selected 1.56 (colored)

go: remove the logic that makes Go 1.9 or 1.10 default for some OSes

Removal agreed on tech-pkg@

Revision 1.160 / (download) - annotate - [select for diffs], Mon Sep 26 15:46:00 2022 UTC (18 months ago) by bsiegert
Branch: MAIN
Changes since 1.159: +2 -2 lines
Diff to previous 1.159 (colored) to selected 1.56 (colored)

Make Go 1.19 the default Go version

This switches ~all Go packages to be built with Go 1.19 instead of 1.18.
Discussed on tech-pkg@ "ok after the freeze"

Revision 1.159 / (download) - annotate - [select for diffs], Mon Sep 12 12:16:05 2022 UTC (18 months, 2 weeks ago) by jperkin
Branch: MAIN
CVS Tags: pkgsrc-2022Q3-base
Branch point for: pkgsrc-2022Q3
Changes since 1.158: +5 -1 lines
Diff to previous 1.158 (colored) to selected 1.56 (colored)

go: Force GOHOSTARCH for Darwin x86_64.

Fixes builds of go118 and newer in x86_64 chroots on an arm64 host.  The go
build system parses "uname -v" and incorrectly assumes that if you're running
on an arm64 host you always want arm64 binaries.

Revision 1.158 / (download) - annotate - [select for diffs], Wed Sep 7 06:36:32 2022 UTC (18 months, 2 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.157: +2 -2 lines
Diff to previous 1.157 (colored) to selected 1.56 (colored)

go118: update to 1.18.6 (security)

This minor release includes 2 security fixes following the security policy:

net/http: handle server errors after sending GOAWAY

A closing HTTP/2 server connection could hang forever waiting for a clean
shutdown that was preempted by a subsequent fatal error. This failure mode
could be exploited to cause a denial of service.

Thanks to Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher,
and Kaan Onarlioglu for reporting this.

This is CVE-2022-27664 and Go issue https://go.dev/issue/54658.

net/url: JoinPath does not strip relative path components in all circumstances

JoinPath and URL.JoinPath would not remove ../ path components appended to a
relative path. For example, JoinPath("https://go.dev", "../go") returned the
URL https://go.dev/../go, despite the JoinPath documentation stating that ../
path elements are cleaned from the result.

Thanks to q0jt for reporting this issue.

This is CVE-2022-32190 and Go issue https://go.dev/issue/54385.

Revision 1.157 / (download) - annotate - [select for diffs], Tue Sep 6 19:11:13 2022 UTC (18 months, 3 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.156: +2 -2 lines
Diff to previous 1.156 (colored) to selected 1.56 (colored)

go119: update to 1.19.1 (security)

This minor release includes 2 security fixes following the security policy:

net/http: handle server errors after sending GOAWAY

A closing HTTP/2 server connection could hang forever waiting for a clean
shutdown that was preempted by a subsequent fatal error. This failure mode
could be exploited to cause a denial of service.

Thanks to Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher,
and Kaan Onarlioglu for reporting this.

This is CVE-2022-27664 and Go issue https://go.dev/issue/54658.

net/url: JoinPath does not strip relative path components in all circumstances

JoinPath and URL.JoinPath would not remove ../ path components appended to a
relative path. For example, JoinPath("https://go.dev", "../go") returned the
URL https://go.dev/../go, despite the JoinPath documentation stating that ../
path elements are cleaned from the result.

Thanks to q0jt for reporting this issue.

This is CVE-2022-32190 and Go issue https://go.dev/issue/54385.
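
The JoinPath note above (CVE-2022-32190) concerns "../" elements appended to a relative base. Even with the fix, JoinPath only cleans the path; it does not know which part of it was the trusted base, so "https://api.internal/v1/" joined with "../admin" legitimately yields "/admin". The program below is an added example, not code from the Go project or from pkgsrc; the helper name joinUnder and the hosts and paths in it are assumptions constructed for the demonstration. It wraps url.JoinPath (Go 1.19 or later) with a confinement check on the cleaned, decoded result, which also catches the percent-encoded "%2e%2e" form that path.Join passes through untouched.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// joinUnder (hypothetical helper) joins untrusted path elements onto a
// trusted base with url.JoinPath (Go 1.19+) and then verifies that the
// cleaned, decoded result is still inside the base's path. JoinPath removes
// "../" elements, but it can still climb above the base path ("/v1/" joined
// with "../admin" is "/admin"), and a percent-encoded "%2e%2e" passes through
// path.Join untouched and is only decoded into URL.Path afterwards.
func joinUnder(base string, elems ...string) (*url.URL, error) {
	b, err := url.Parse(base)
	if err != nil {
		return nil, err
	}
	root := path.Clean("/" + b.Path) // "" and "/" both normalize to "/"
	joined := b.JoinPath(elems...)
	got := path.Clean("/" + joined.Path) // a relative result is served under "/"
	inside := got == root || strings.HasPrefix(got, strings.TrimSuffix(root, "/")+"/")
	if !inside {
		return nil, fmt.Errorf("joined path %q escapes base path %q", got, root)
	}
	return joined, nil
}

func main() {
	// Constructed inputs: the example from the release note plus traversal
	// attempts against a base that has its own path prefix.
	cases := [][]string{
		{"https://go.dev", "../go"},
		{"https://api.internal/v1/", "users", "42"},
		{"https://api.internal/v1/", "../admin"},
		{"https://api.internal/v1/", "%2e%2e/admin"},
	}
	for _, c := range cases {
		u, err := joinUnder(c[0], c[1:]...)
		if err != nil {
			fmt.Printf("%v -> rejected: %v\n", c, err)
			continue
		}
		fmt.Printf("%v -> %s\n", c, u)
	}
}
```

The check is done on URL.Path rather than on the string JoinPath was given because setPath decodes percent escapes after path.Join has run, so the decoded path is what a backend will see.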

Revision 1.156 / (download) - annotate - [select for diffs], Sun Aug 21 11:42:19 2022 UTC (19 months, 1 week ago) by bsiegert
Branch: MAIN
Changes since 1.155: +2 -1 lines
Diff to previous 1.155 (colored) to selected 1.56 (colored)

Add a package for Go 1.19

Release notes: https://go.dev/doc/go1.19

Revision 1.155 / (download) - annotate - [select for diffs], Fri Aug 12 16:15:04 2022 UTC (19 months, 2 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.154: +2 -2 lines
Diff to previous 1.154 (colored) to selected 1.56 (colored)

go118: update to 1.18.5 (security)

1 security fix following the security policy:

encoding/gob & math/big: decoding big.Float and big.Rat can panic

Decoding big.Float and big.Rat types can panic if the encoded message is too
short.
This is CVE-2022-32189 and Go issue https://go.dev/issue/53871.

Revision 1.154 / (download) - annotate - [select for diffs], Fri Aug 12 15:48:35 2022 UTC (19 months, 2 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.153: +2 -2 lines
Diff to previous 1.153 (colored) to selected 1.56 (colored)

go117: update to 1.17.13 (security).

1 security fix following the security policy:

encoding/gob & math/big: decoding big.Float and big.Rat can panic

Decoding big.Float and big.Rat types can panic if the encoded message is too
short.
This is CVE-2022-32189 and Go issue https://go.dev/issue/53871.

Revision 1.153 / (download) - annotate - [select for diffs], Wed Jul 13 15:02:02 2022 UTC (20 months, 2 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.152: +2 -2 lines
Diff to previous 1.152 (colored) to selected 1.56 (colored)

go118: update to 1.18.4 (security update)

This minor release includes 9 security fixes following the security policy:

net/http: improper sanitization of Transfer-Encoding header

The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating
a "chunked" encoding. This could potentially allow for request smuggling, but
only if combined with an intermediate server that also improperly failed to
reject the header as invalid.

This is CVE-2022-1705 and https://go.dev/issue/53188.

When httputil.ReverseProxy.ServeHTTP was called with a Request.Header map
containing a nil value for the X-Forwarded-For header, ReverseProxy would set
the client IP as the value of the X-Forwarded-For header, contrary to its
documentation. In the more usual case where a Director function set the
X-Forwarded-For header value to nil, ReverseProxy would leave the header
unmodified as expected.

This is https://go.dev/issue/53423 and CVE-2022-32148.

Thanks to Christian Mehlmauer for reporting this issue.

compress/gzip: stack exhaustion in Reader.Read

Calling Reader.Read on an archive containing a large number of concatenated
0-length compressed files can cause a panic due to stack exhaustion.

This is CVE-2022-30631 and Go issue https://go.dev/issue/53168.

encoding/xml: stack exhaustion in Unmarshal

Calling Unmarshal on an XML document into a Go struct which has a nested field
that uses the any field tag can cause a panic due to stack exhaustion.

This is CVE-2022-30633 and Go issue https://go.dev/issue/53611.

encoding/xml: stack exhaustion in Decoder.Skip

Calling Decoder.Skip when parsing a deeply nested XML document can cause a
panic due to stack exhaustion.

The Go Security team discovered this issue, and it was independently reported
by Juho Nurminen of Mattermost.

This is CVE-2022-28131 and Go issue https://go.dev/issue/53614.

encoding/gob: stack exhaustion in Decoder.Decode

Calling Decoder.Decode on a message which contains deeply nested structures can
cause a panic due to stack exhaustion.

This is CVE-2022-30635 and Go issue https://go.dev/issue/53615.

path/filepath: stack exhaustion in Glob

Calling Glob on a path which contains a large number of path separators can
cause a panic due to stack exhaustion.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

This is CVE-2022-30632 and Go issue https://go.dev/issue/53416.

io/fs: stack exhaustion in Glob

Calling Glob on a path which contains a large number of path separators can
cause a panic due to stack exhaustion.

This is CVE-2022-30630 and Go issue https://go.dev/issue/53415.

go/parser: stack exhaustion in all Parse* functions

Calling any of the Parse functions on Go source code which contains deeply
nested types or declarations can cause a panic due to stack exhaustion.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

This is CVE-2022-1962 and Go issue https://go.dev/issue/53616.

Revision 1.152 / (download) - annotate - [select for diffs], Wed Jul 13 14:14:18 2022 UTC (20 months, 2 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.151: +2 -2 lines
Diff to previous 1.151 (colored) to selected 1.56 (colored)

go117: update to 1.17.12 (security update)

This minor release includes 9 security fixes following the security policy:

net/http: improper sanitization of Transfer-Encoding header

The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating
a "chunked" encoding. This could potentially allow for request smuggling, but
only if combined with an intermediate server that also improperly failed to
reject the header as invalid.

This is CVE-2022-1705 and https://go.dev/issue/53188.

When httputil.ReverseProxy.ServeHTTP was called with a Request.Header map
containing a nil value for the X-Forwarded-For header, ReverseProxy would set
the client IP as the value of the X-Forwarded-For header, contrary to its
documentation. In the more usual case where a Director function set the
X-Forwarded-For header value to nil, ReverseProxy would leave the header
unmodified as expected.

This is https://go.dev/issue/53423 and CVE-2022-32148.

Thanks to Christian Mehlmauer for reporting this issue.

compress/gzip: stack exhaustion in Reader.Read

Calling Reader.Read on an archive containing a large number of concatenated
0-length compressed files can cause a panic due to stack exhaustion.

This is CVE-2022-30631 and Go issue https://go.dev/issue/53168.

encoding/xml: stack exhaustion in Unmarshal

Calling Unmarshal on an XML document into a Go struct which has a nested field
that uses the any field tag can cause a panic due to stack exhaustion.

This is CVE-2022-30633 and Go issue https://go.dev/issue/53611.

encoding/xml: stack exhaustion in Decoder.Skip

Calling Decoder.Skip when parsing a deeply nested XML document can cause a
panic due to stack exhaustion.

The Go Security team discovered this issue, and it was independently reported
by Juho Nurminen of Mattermost.

This is CVE-2022-28131 and Go issue https://go.dev/issue/53614.

encoding/gob: stack exhaustion in Decoder.Decode

Calling Decoder.Decode on a message which contains deeply nested structures can
cause a panic due to stack exhaustion.

This is CVE-2022-30635 and Go issue https://go.dev/issue/53615.

path/filepath: stack exhaustion in Glob

Calling Glob on a path which contains a large number of path separators can
cause a panic due to stack exhaustion.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

This is CVE-2022-30632 and Go issue https://go.dev/issue/53416.

io/fs: stack exhaustion in Glob

Calling Glob on a path which contains a large number of path separators can
cause a panic due to stack exhaustion.

This is CVE-2022-30630 and Go issue https://go.dev/issue/53415.

go/parser: stack exhaustion in all Parse* functions

Calling any of the Parse functions on Go source code which contains deeply
nested types or declarations can cause a panic due to stack exhaustion.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

This is CVE-2022-1962 and Go issue https://go.dev/issue/53616.
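
Several entries in the list above (encoding/xml Unmarshal and Decoder.Skip, CVE-2022-30633 and CVE-2022-28131, and the gob and go/parser cases alongside them) share one failure mode: a recursive decoder walks as deep as the input nests, and a Go program cannot recover from the resulting stack exhaustion. The program below is an added example, not code from the Go project or from pkgsrc; the names checkDepth, safeUnmarshal, Node and nested, and the constructed documents, are assumptions made for the demonstration. It bounds XML nesting with a non-recursive pre-pass over Decoder.Token, so an application can enforce a limit far below whatever the standard library itself tolerates, on any Go version.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrTooDeep is returned when element nesting exceeds the caller's limit.
var ErrTooDeep = errors.New("xml: element nesting exceeds limit")

// checkDepth (hypothetical helper) streams the document token by token and
// fails as soon as element nesting exceeds maxDepth. It builds no tree and
// recurses nowhere, so its cost is linear in the input and its stack usage
// is constant. On success it returns the deepest nesting seen.
func checkDepth(r io.Reader, maxDepth int) (int, error) {
	dec := xml.NewDecoder(r)
	depth, deepest := 0, 0
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return deepest, nil
		}
		if err != nil {
			return deepest, err
		}
		switch tok.(type) {
		case xml.StartElement:
			depth++
			if depth > maxDepth {
				return depth, ErrTooDeep
			}
			if depth > deepest {
				deepest = depth
			}
		case xml.EndElement:
			depth--
		}
	}
}

// Node is a recursive struct of the kind that makes Unmarshal recurse once
// per nesting level of the input.
type Node struct {
	XMLName xml.Name `xml:"a"`
	Child   *Node    `xml:"a"`
	Text    string   `xml:",chardata"`
}

// safeUnmarshal runs the depth check over the bytes first and only then
// hands them to xml.Unmarshal.
func safeUnmarshal(data []byte, maxDepth int, v any) error {
	if _, err := checkDepth(bytes.NewReader(data), maxDepth); err != nil {
		return err
	}
	return xml.Unmarshal(data, v)
}

// nested builds a constructed document of n nested <a> elements.
func nested(n int) string {
	return strings.Repeat("<a>", n) + "x" + strings.Repeat("</a>", n)
}

func main() {
	for _, n := range []int{3, 50, 5000} {
		var root Node
		err := safeUnmarshal([]byte(nested(n)), 100, &root)
		fmt.Printf("depth %5d, limit 100: err=%v\n", n, err)
	}
}
```

The pre-pass reads the input twice, which is the price of keeping the check independent of the decoder's own recursion; for untrusted input that is already buffered in memory this is cheap, and the same token loop can be extended to count elements or total character data for the other resource limits a service wants to enforce.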

Revision 1.151 / (download) - annotate - [select for diffs], Thu Jun 2 18:50:40 2022 UTC (21 months, 3 weeks ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2022Q2-base, pkgsrc-2022Q2
Changes since 1.150: +2 -2 lines
Diff to previous 1.150 (colored) to selected 1.56 (colored)

Update go118 to 1.18.3

This minor release includes 4 security fixes following the security policy
<https://go.dev/security>:

   - crypto/rand: rand.Read hangs with extremely large buffers

   On Windows, rand.Read will hang indefinitely if passed a buffer larger
   than 1 << 32 - 1 bytes.

   Thanks to Davis Goodin and Quim Muntal, working at Microsoft on the Go
   toolset, for reporting this issue.

   This is CVE-2022-30634 and Go issue https://go.dev/issue/52561.


   - crypto/tls: session tickets lack random ticket_age_add

   Session tickets generated by crypto/tls did not contain a randomly
   generated ticket_age_add. This allows an attacker that can observe TLS
   handshakes to correlate successive connections by comparing ticket ages
   during session resumption.

   Thanks to GitHub user @nervuri for reporting this.

   This is CVE-2022-30629 and Go issue https://go.dev/issue/52814.


   - os/exec: empty Cmd.Path can result in running unintended binary on
   Windows

   If, on Windows, Cmd.Run, cmd.Start, cmd.Output, or cmd.CombinedOutput
   are executed when Cmd.Path is unset and, in the working directory, there
   are binaries named either "..com" or "..exe", they will be executed.

   Thanks to Chris Darroch (chrisd8088@github.com), brian m. carlson
   (bk2204@github.com), and Mikhail Shcherbakov (https://twitter.com/yu5k3)
   for reporting this.

   This is CVE-2022-30580 and Go issue https://go.dev/issue/52574.


   - path/filepath: Clean(`.\c:`) returns `c:` on Windows

   On Windows, the filepath.Clean function could convert an invalid path to
   a valid, absolute path. For example, Clean(`.\c:`) returned `c:`.

   Thanks to Unrud for reporting this issue.

   This is CVE-2022-29804 and Go issue https://go.dev/issue/52476.

Revision 1.150 / (download) - annotate - [select for diffs], Thu Jun 2 18:19:26 2022 UTC (21 months, 3 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.149: +2 -2 lines
Diff to previous 1.149 (colored) to selected 1.56 (colored)

Update go117 to 1.17.11

This minor release includes 4 security fixes following the security policy
<https://go.dev/security>:

   - crypto/rand: rand.Read hangs with extremely large buffers

   On Windows, rand.Read will hang indefinitely if passed a buffer larger
   than 1 << 32 - 1 bytes.

   Thanks to Davis Goodin and Quim Muntal, working at Microsoft on the Go
   toolset, for reporting this issue.

   This is CVE-2022-30634 and Go issue https://go.dev/issue/52561.


   - crypto/tls: session tickets lack random ticket_age_add

   Session tickets generated by crypto/tls did not contain a randomly
   generated ticket_age_add. This allows an attacker that can observe TLS
   handshakes to correlate successive connections by comparing ticket ages
   during session resumption.

   Thanks to GitHub user @nervuri for reporting this.

   This is CVE-2022-30629 and Go issue https://go.dev/issue/52814.


   - os/exec: empty Cmd.Path can result in running unintended binary on
   Windows

   If, on Windows, Cmd.Run, cmd.Start, cmd.Output, or cmd.CombinedOutput
   are executed when Cmd.Path is unset and, in the working directory, there
   are binaries named either "..com" or "..exe", they will be executed.

   Thanks to Chris Darroch (chrisd8088@github.com), brian m. carlson
   (bk2204@github.com), and Mikhail Shcherbakov (https://twitter.com/yu5k3)
   for reporting this.

   This is CVE-2022-30580 and Go issue https://go.dev/issue/52574.


   - path/filepath: Clean(`.\c:`) returns `c:` on Windows

   On Windows, the filepath.Clean function could convert an invalid path to
   a valid, absolute path. For example, Clean(`.\c:`) returned `c:`.

   Thanks to Unrud for reporting this issue.

   This is CVE-2022-29804 and Go issue https://go.dev/issue/52476.

Revision 1.149 / (download) - annotate - [select for diffs], Wed May 11 19:00:55 2022 UTC (22 months, 2 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.148: +2 -2 lines
Diff to previous 1.148 (colored) to selected 1.56 (colored)

go118: update to 1.18.2 (security)

go1.18.2 (released 2022-05-10) includes security fixes to the syscall package,
as well as bug fixes to the compiler, runtime, the go command, and the
crypto/x509, go/types, net/http/httptest, reflect, and sync/atomic packages.
See the Go 1.18.2 milestone on our issue tracker for details.

Revision 1.148 / (download) - annotate - [select for diffs], Wed May 11 18:39:42 2022 UTC (22 months, 2 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.147: +2 -2 lines
Diff to previous 1.147 (colored) to selected 1.56 (colored)

go117: update to 1.17.10 (security)

go1.17.10 (released 2022-05-10) includes security fixes to the syscall package,
as well as bug fixes to the compiler, runtime, and the crypto/x509 and
net/http/httptest packages. See the Go 1.17.10 milestone on our issue tracker
for details.

Revision 1.147 / (download) - annotate - [select for diffs], Tue Apr 19 11:56:21 2022 UTC (23 months, 1 week ago) by bsiegert
Branch: MAIN
Changes since 1.146: +2 -2 lines
Diff to previous 1.146 (colored) to selected 1.56 (colored)

go: make 1.18 the default version

I did a bulk build and identified 5 packages that would break (apisprout, caddy,
go-staticcheck, gvproxy and restish) and fixed them.

Please email tech-pkg@ if you find other breakage!

Revision 1.146 / (download) - annotate - [select for diffs], Wed Apr 13 07:46:56 2022 UTC (23 months, 2 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.145: +2 -2 lines
Diff to previous 1.145 (colored) to selected 1.56 (colored)

go118: update to 1.18.1

This minor release includes three security fixes following the security policy:

- encoding/pem: fix stack overflow in Decode

  A large (more than 5 MB) PEM input can cause a stack overflow in Decode,
  leading the program to crash.

  Thanks to Juho Nurminen of Mattermost who reported the error.

  This is CVE-2022-24675 and https://go.dev/issue/51853.

- crypto/elliptic: tolerate all oversized scalars in generic P-256

  A crafted scalar input longer than 32 bytes can cause P256().ScalarMult or
  P256().ScalarBaseMult to panic. Indirect uses through crypto/ecdsa and
  crypto/tls are unaffected. amd64, arm64, ppc64le, and s390x are unaffected.

  This was discovered thanks to a Project Wycheproof test vector.

  This is CVE-2022-28327 and https://go.dev/issue/52075.

- crypto/x509: non-compliant certificates can cause a panic in Verify on macOS in Go 1.18

  Verifying certificate chains containing certificates which are not compliant
  with RFC 5280 causes Certificate.Verify to panic on macOS.

  These chains can be delivered through TLS and can cause a crypto/tls or
  net/http client to crash.

  Thanks to Tailscale for doing weird things and finding this.

  This is CVE-2022-27536 and https://go.dev/issue/51759.

Revision 1.145 / (download) - annotate - [select for diffs], Wed Apr 13 07:36:53 2022 UTC (23 months, 2 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.144: +2 -2 lines
Diff to previous 1.144 (colored) to selected 1.56 (colored)

go117: update to 1.17.9

This minor release includes three security fixes following the security policy:

- encoding/pem: fix stack overflow in Decode

  A large (more than 5 MB) PEM input can cause a stack overflow in Decode,
  leading the program to crash.

  Thanks to Juho Nurminen of Mattermost who reported the error.

  This is CVE-2022-24675 and https://go.dev/issue/51853.

- crypto/elliptic: tolerate all oversized scalars in generic P-256

  A crafted scalar input longer than 32 bytes can cause P256().ScalarMult or
  P256().ScalarBaseMult to panic. Indirect uses through crypto/ecdsa and
  crypto/tls are unaffected. amd64, arm64, ppc64le, and s390x are unaffected.

  This was discovered thanks to a Project Wycheproof test vector.

  This is CVE-2022-28327 and https://go.dev/issue/52075.

- crypto/x509: non-compliant certificates can cause a panic in Verify on macOS in Go 1.18

  Verifying certificate chains containing certificates which are not compliant
  with RFC 5280 causes Certificate.Verify to panic on macOS.

  These chains can be delivered through TLS and can cause a crypto/tls or
  net/http client to crash.

  Thanks to Tailscale for doing weird things and finding this.

  This is CVE-2022-27536 and https://go.dev/issue/51759.

Revision 1.144 / (download) - annotate - [select for diffs], Tue Mar 15 20:13:45 2022 UTC (2 years ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2022Q1-base, pkgsrc-2022Q1
Changes since 1.143: +2 -1 lines
Diff to previous 1.143 (colored) to selected 1.56 (colored)

go118: add Go 1.18 (final release).

Due to how close the freeze is, this will not be the default for the next
quarterly release.

There is lots of news, including support for Generics. Read the release
notes for details.

Revision 1.143 / (download) - annotate - [select for diffs], Mon Mar 7 08:44:52 2022 UTC (2 years ago) by bsiegert
Branch: MAIN
Changes since 1.142: +2 -2 lines
Diff to previous 1.142 (colored) to selected 1.56 (colored)

Update go117 to 1.17.8 (security).

This minor release includes a security fix following the security policy:

regexp: stack exhaustion compiling deeply nested expressions

On 64-bit platforms, an extremely deeply nested expression can cause
regexp.Compile to cause goroutine stack exhaustion, forcing the program to
exit. Note this applies to very large expressions, on the order of 2MB.

Thanks to Juho Nurminen of Mattermost for reporting this.

This is CVE-2022-24921 and https://go.dev/issue/51112.

Revision 1.142 / (download) - annotate - [select for diffs], Sun Mar 6 09:53:43 2022 UTC (2 years ago) by bsiegert
Branch: MAIN
Changes since 1.141: +2 -2 lines
Diff to previous 1.141 (colored) to selected 1.56 (colored)

Update go116 to 1.16.15.

This minor release includes a security fix following the security policy:

regexp: stack exhaustion compiling deeply nested expressions

On 64-bit platforms, an extremely deeply nested expression can cause
regexp.Compile to cause goroutine stack exhaustion, forcing the program to
exit. Note this applies to very large expressions, on the order of 2MB.

Thanks to Juho Nurminen of Mattermost for reporting this.

This is CVE-2022-24921 and https://go.dev/issue/51112.

Revision 1.141 / (download) - annotate - [select for diffs], Sat Feb 12 20:14:01 2022 UTC (2 years, 1 month ago) by bsiegert
Branch: MAIN
Changes since 1.140: +2 -2 lines
Diff to previous 1.140 (colored) to selected 1.56 (colored)

Update go117 to 1.17.7 (security update).

crypto/elliptic: fix IsOnCurve for big.Int values that are not valid coordinates

Some big.Int values that are not valid field elements (negative or overflowing)
might cause Curve.IsOnCurve to incorrectly return true. Operating on those values
may cause a panic or an invalid curve operation. Note that Unmarshal will never
return such values.

Thanks to Guido Vranken for reporting this.

This is CVE-2022-23806 and https://go.dev/issue/50974.

math/big: prevent large memory consumption in Rat.SetString

An attacker can cause unbounded memory growth in a program using (*Rat).SetString
due to an unhandled overflow.

Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke
(@odeke_et) for reporting it.

This is CVE-2022-23772 and Go issue https://go.dev/issue/50699.

cmd/go: prevent branches from materializing into versions

A branch whose name resembles a version tag (such as "v1.0.0" or "subdir/v2.0.0-dev")
can be considered a valid version by the go command. Materializing versions from
branches might be unexpected and bypass ACLs that limit the creation of tags but not
branches.

This is CVE-2022-23773 and Go issue https://go.dev/issue/35671.

Revision 1.140 / (download) - annotate - [select for diffs], Sat Feb 12 19:52:40 2022 UTC (2 years, 1 month ago) by bsiegert
Branch: MAIN
Changes since 1.139: +2 -2 lines
Diff to previous 1.139 (colored) to selected 1.56 (colored)

Update go116 to 1.16.14 (security update).

crypto/elliptic: fix IsOnCurve for big.Int values that are not valid coordinates

Some big.Int values that are not valid field elements (negative or overflowing)
might cause Curve.IsOnCurve to incorrectly return true. Operating on those values
may cause a panic or an invalid curve operation. Note that Unmarshal will never
return such values.

Thanks to Guido Vranken for reporting this.

This is CVE-2022-23806 and https://go.dev/issue/50974.

math/big: prevent large memory consumption in Rat.SetString

An attacker can cause unbounded memory growth in a program using (*Rat).SetString
due to an unhandled overflow.

Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke
(@odeke_et) for reporting it.

This is CVE-2022-23772 and Go issue https://go.dev/issue/50699.

cmd/go: prevent branches from materializing into versions

A branch whose name resembles a version tag (such as "v1.0.0" or "subdir/v2.0.0-dev")
can be considered a valid version by the go command. Materializing versions from
branches might be unexpected and bypass ACLs that limit the creation of tags but not
branches.

This is CVE-2022-23773 and Go issue https://go.dev/issue/35671.

Revision 1.139 / (download) - annotate - [select for diffs], Sun Jan 9 19:54:46 2022 UTC (2 years, 2 months ago) by bsiegert
Branch: MAIN
Changes since 1.138: +2 -2 lines
Diff to previous 1.138 (colored) to selected 1.56 (colored)

Update go117 to 1.17.6.

go1.17.6 (released 2022-01-06) includes fixes to the compiler, linker,
runtime, and the crypto/x509, net/http, and reflect packages. See the Go 1.17.6
milestone on our issue tracker for details.

Revision 1.138 / (download) - annotate - [select for diffs], Sun Jan 9 19:18:51 2022 UTC (2 years, 2 months ago) by bsiegert
Branch: MAIN
Changes since 1.137: +2 -2 lines
Diff to previous 1.137 (colored) to selected 1.56 (colored)

Update go116 to 1.16.13.

go1.16.13 (released 2022-01-06) includes fixes to the compiler, linker,
runtime, and the net/http package. See the Go 1.16.13 milestone on our issue
tracker for details.

Revision 1.137 / (download) - annotate - [select for diffs], Thu Dec 9 17:25:56 2021 UTC (2 years, 3 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2021Q4-base, pkgsrc-2021Q4
Changes since 1.136: +2 -2 lines
Diff to previous 1.136 (colored) to selected 1.56 (colored)

Update go117 to 1.17.5.

go1.17.4 (released 2021-12-02) includes fixes to the compiler, linker, runtime,
and the go/types, net/http, and time packages. See the Go 1.17.4 milestone on
our issue tracker for details.

go1.17.5 (released 2021-12-09) includes security fixes to the syscall and
net/http packages. See the Go 1.17.5 milestone on our issue tracker for
details.

When a Go program running on a Unix system is out of file descriptors and calls
syscall.ForkExec (including indirectly by using the os/exec package),
syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or
can be provoked) repeatedly, it can result in misdirected I/O such as writing
network traffic intended for one connection to a different connection, or
content intended for one file to a different one.

This is CVE-2021-44717 and is fixed in Go 1.17.5 and Go 1.16.12.

An attacker can cause unbounded memory growth in a Go server accepting HTTP/2
requests.

This is CVE-2021-44716 and is fixed in Go 1.17.5 and Go 1.16.12.

Revision 1.136 / (download) - annotate - [select for diffs], Thu Dec 9 17:13:49 2021 UTC (2 years, 3 months ago) by bsiegert
Branch: MAIN
Changes since 1.135: +2 -2 lines
Diff to previous 1.135 (colored) to selected 1.56 (colored)

Update go116 to 1.16.12.

go1.16.12 (released 2021-12-09) includes security fixes to the syscall and
net/http packages. See the Go 1.16.12 milestone on our issue tracker for
details.

When a Go program running on a Unix system is out of file descriptors and calls
syscall.ForkExec (including indirectly by using the os/exec package),
syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or
can be provoked) repeatedly, it can result in misdirected I/O such as writing
network traffic intended for one connection to a different connection, or
content intended for one file to a different one.

This is CVE-2021-44717 and is fixed in Go 1.17.5 and Go 1.16.12.

An attacker can cause unbounded memory growth in a Go server accepting HTTP/2
requests.

This is CVE-2021-44716 and is fixed in Go 1.17.5 and Go 1.16.12.

Revision 1.135 / (download) - annotate - [select for diffs], Fri Dec 3 17:08:35 2021 UTC (2 years, 3 months ago) by bsiegert
Branch: MAIN
Changes since 1.134: +2 -2 lines
Diff to previous 1.134 (colored) to selected 1.56 (colored)

Update go116 to 1.16.11.

go1.16.11 (released 2021-12-02) includes fixes to the compiler, runtime, and
the net/http, net/http/httptest, and time packages. See the Go 1.16.11
milestone on our issue tracker for details.

Revision 1.134 / (download) - annotate - [select for diffs], Mon Nov 29 16:29:34 2021 UTC (2 years, 3 months ago) by jperkin
Branch: MAIN
Changes since 1.133: +3 -3 lines
Diff to previous 1.133 (colored) to selected 1.56 (colored)

go: Use OPSYS_VERSION.

Revision 1.133 / (download) - annotate - [select for diffs], Fri Nov 5 19:35:00 2021 UTC (2 years, 4 months ago) by bsiegert
Branch: MAIN
Changes since 1.132: +2 -2 lines
Diff to previous 1.132 (colored) to selected 1.56 (colored)

Update go117 to 1.17.3.

go1.17.3 (released 2021-11-04) includes security fixes to the archive/zip and
debug/macho packages, as well as bug fixes to the compiler, linker, runtime,
the go command, the misc/wasm directory, and to the net/http and syscall
packages. See the Go 1.17.3 milestone on our issue tracker for details.

Revision 1.132 / (download) - annotate - [select for diffs], Thu Nov 4 19:18:59 2021 UTC (2 years, 4 months ago) by bsiegert
Branch: MAIN
Changes since 1.131: +2 -2 lines
Diff to previous 1.131 (colored) to selected 1.56 (colored)

Update go116 to 1.16.10.

go1.16.10 (released 2021-11-04) includes security fixes to the archive/zip and
debug/macho packages, as well as bug fixes to the compiler, linker, runtime,
the misc/wasm directory, and to the net/http package. See the Go 1.16.10
milestone on our issue tracker for details.

Revision 1.131 / (download) - annotate - [select for diffs], Fri Oct 8 14:47:44 2021 UTC (2 years, 5 months ago) by bsiegert
Branch: MAIN
Changes since 1.130: +2 -2 lines
Diff to previous 1.130 (colored) to selected 1.56 (colored)

Update go117 to 1.17.2.

This minor release includes a security fix according to the new security policy.

When invoking functions from WASM modules, built using GOARCH=wasm GOOS=js,
passing very large arguments can cause portions of the module to be overwritten
with data from the arguments.

If using wasm_exec.js to execute WASM modules, users will need to replace their
copy (as described in https://golang.org/wiki/WebAssembly#getting-started)
after rebuilding any modules.

This is issue 48797 and CVE-2021-38297. Thanks to Ben Lubar for reporting this
issue.

Revision 1.130 / (download) - annotate - [select for diffs], Fri Oct 8 14:21:44 2021 UTC (2 years, 5 months ago) by bsiegert
Branch: MAIN
Changes since 1.129: +2 -2 lines
Diff to previous 1.129 (colored) to selected 1.56 (colored)

Update go116 to 1.16.9.

This minor release includes a security fix according to the new security policy.

When invoking functions from WASM modules, built using GOARCH=wasm GOOS=js,
passing very large arguments can cause portions of the module to be overwritten
with data from the arguments.

If using wasm_exec.js to execute WASM modules, users will need to replace their
copy (as described in https://golang.org/wiki/WebAssembly#getting-started)
after rebuilding any modules.

This is issue 48797 and CVE-2021-38297. Thanks to Ben Lubar for reporting this
issue.

Revision 1.129 / (download) - annotate - [select for diffs], Fri Sep 17 13:17:19 2021 UTC (2 years, 6 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2021Q3-base, pkgsrc-2021Q3
Changes since 1.128: +2 -2 lines
Diff to previous 1.128 (colored) to selected 1.56 (colored)

go117: update to 1.17.1 (security).

go1.17.1 (released 2021-09-09) includes a security fix to the archive/zip
package, as well as bug fixes to the compiler, linker, the go command, and to
the crypto/rand, embed, go/types, html/template, and net/http packages.

Revision 1.128 / (download) - annotate - [select for diffs], Fri Sep 17 12:56:18 2021 UTC (2 years, 6 months ago) by bsiegert
Branch: MAIN
Changes since 1.127: +2 -2 lines
Diff to previous 1.127 (colored) to selected 1.56 (colored)

Update go116 to 1.16.8 (security).

go1.16.8 (released 2021-09-09) includes a security fix to the archive/zip
package, as well as bug fixes to the archive/zip, go/internal/gccgoimporter,
html/template, net/http, and runtime/pprof packages.

Revision 1.127 / (download) - annotate - [select for diffs], Sat Sep 4 15:46:42 2021 UTC (2 years, 6 months ago) by bsiegert
Branch: MAIN
Changes since 1.126: +2 -2 lines
Diff to previous 1.126 (colored) to selected 1.56 (colored)

Make go 1.17 the default.

I ran a bulk build and found three packages that broke. Two are fixed.
I don't know how to fix net/amazon-ecs-cli, but it did not build for me on
Go 1.16 either, so it is not a direct regression.

Revision 1.126 / (download) - annotate - [select for diffs], Sun Aug 22 14:18:51 2021 UTC (2 years, 7 months ago) by bsiegert
Branch: MAIN
Changes since 1.125: +1 -2 lines
Diff to previous 1.125 (colored) to selected 1.56 (colored)

We say goodbye to go115.

go115 became EOL upstream as soon as 1.17 was released.

Revision 1.125 / (download) - annotate - [select for diffs], Sun Aug 22 13:10:18 2021 UTC (2 years, 7 months ago) by bsiegert
Branch: MAIN
Changes since 1.124: +2 -1 lines
Diff to previous 1.124 (colored) to selected 1.56 (colored)

Add Go 1.17.

Some relevant changes:
 - new register-based calling convention (not on NetBSD though IIUC)
 - new language feature to cast slices into array pointers
 - the usual amount of bugfixes

Revision 1.124 / (download) - annotate - [select for diffs], Wed Aug 11 19:00:24 2021 UTC (2 years, 7 months ago) by bsiegert
Branch: MAIN
Changes since 1.123: +2 -2 lines
Diff to previous 1.123 (colored) to selected 1.56 (colored)

go116: update to 1.16.7.

This minor release includes a security fix according to the new security
policy.

A net/http/httputil ReverseProxy can panic due to a race condition if its
Handler aborts with ErrAbortHandler, for example due to an error in copying the
response body. An attacker might be able to force the conditions leading to the
race condition.

This is issue https://golang.org/issue/46866 and CVE-2021-36221. Thanks to
Andrew Crump (VMware) for reporting this issue.

Revision 1.123 / (download) - annotate - [select for diffs], Wed Aug 11 16:46:48 2021 UTC (2 years, 7 months ago) by bsiegert
Branch: MAIN
Changes since 1.122: +2 -2 lines
Diff to previous 1.122 (colored) to selected 1.56 (colored)

go115: update to 1.15.15.

This minor release includes a security fix according to the new security
policy.

A net/http/httputil ReverseProxy can panic due to a race condition if its
Handler aborts with ErrAbortHandler, for example due to an error in copying the
response body. An attacker might be able to force the conditions leading to the
race condition.

This is issue https://golang.org/issue/46866 and CVE-2021-36221. Thanks to
Andrew Crump (VMware) for reporting this issue.

Revision 1.122 / (download) - annotate - [select for diffs], Tue Jul 13 10:12:00 2021 UTC (2 years, 8 months ago) by bsiegert
Branch: MAIN
Changes since 1.121: +2 -2 lines
Diff to previous 1.121 (colored) to selected 1.56 (colored)

Update go116 to 1.16.6.

This minor release includes a security fix according to the new security policy.

crypto/tls clients can panic when provided a certificate of the wrong type for
the negotiated parameters. net/http clients performing HTTPS requests are also
affected. The panic can be triggered by an attacker in a privileged network
position without access to the server certificate's private key, as long as a
trusted ECDSA or Ed25519 certificate for the server exists (or can be issued),
or the client is configured with Config.InsecureSkipVerify. Clients that
disable all TLS_RSA cipher suites (that is, TLS 1.0-1.2 cipher
suites without ECDHE), as well as TLS 1.3-only clients, are unaffected.

This is issue 47143 and CVE-2021-34558. Thanks to Imre Rad for reporting this
issue.

Revision 1.121 / (download) - annotate - [select for diffs], Tue Jul 13 10:05:08 2021 UTC (2 years, 8 months ago) by bsiegert
Branch: MAIN
Changes since 1.120: +2 -2 lines
Diff to previous 1.120 (colored) to selected 1.56 (colored)

Update go115 to 1.15.14.

This minor release includes a security fix according to the new security policy.

crypto/tls clients can panic when provided a certificate of the wrong type for
the negotiated parameters. net/http clients performing HTTPS requests are also
affected. The panic can be triggered by an attacker in a privileged network
position without access to the server certificate's private key, as long as a
trusted ECDSA or Ed25519 certificate for the server exists (or can be issued),
or the client is configured with Config.InsecureSkipVerify. Clients that
disable all TLS_RSA cipher suites (that is, TLS 1.0-1.2 cipher
suites without ECDHE), as well as TLS 1.3-only clients, are unaffected.

This is issue 47143 and CVE-2021-34558. Thanks to Imre Rad for reporting this
issue.
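The two advisories above (1.16.6 and 1.15.14) say that clients which disable every TLS_RSA cipher suite, or speak only TLS 1.3, are unaffected by CVE-2021-34558. The following Go program is an added example for this page, not code from the Go project or from pkgsrc: it audits a tls.Config for static-RSA key exchange and builds a client config restricted to ECDHE suites. UsesRSAKeyExchange and HardenedClientConfig are this example's own names; the assumption that a nil CipherSuites list counts as affected reflects the defaults of the affected releases.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// UsesRSAKeyExchange reports whether cfg can still negotiate a TLS 1.0-1.2
// cipher suite with static RSA key exchange (suite names beginning TLS_RSA_).
// A nil CipherSuites list means the library defaults apply; in the affected
// releases those defaults include such suites, so it is treated as affected
// (an assumption of this example, not a statement about every Go version).
func UsesRSAKeyExchange(cfg *tls.Config) bool {
	if cfg.MinVersion >= tls.VersionTLS13 {
		return false // TLS 1.3 has no RSA key exchange at all
	}
	if cfg.CipherSuites == nil {
		return true
	}
	for _, id := range cfg.CipherSuites {
		if strings.HasPrefix(tls.CipherSuiteName(id), "TLS_RSA_") {
			return true
		}
	}
	return false
}

// HardenedClientConfig returns a client config that only offers ECDHE suites
// for TLS 1.2. TLS 1.3 suites are not configurable through CipherSuites and
// are always forward secret, so they need no entry here.
func HardenedClientConfig() *tls.Config {
	var ecdhe []uint16
	for _, s := range tls.CipherSuites() { // already excludes suites Go marks insecure
		if strings.HasPrefix(s.Name, "TLS_ECDHE_") {
			ecdhe = append(ecdhe, s.ID)
		}
	}
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		CipherSuites: ecdhe,
	}
}

func main() {
	for _, c := range []struct {
		name string
		cfg  *tls.Config
	}{
		{"defaults", &tls.Config{}},
		{"hardened", HardenedClientConfig()},
	} {
		fmt.Printf("%-8s rsa key exchange possible: %v\n", c.name, UsesRSAKeyExchange(c.cfg))
	}
}
```

Setting MinVersion to tls.VersionTLS13 is the simplest way to make UsesRSAKeyExchange return false, but it excludes servers that have not enabled TLS 1.3; the ECDHE-only list keeps TLS 1.2 reachable while still removing the affected suites.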

Revision 1.120 / (download) - annotate - [select for diffs], Sat Jun 5 12:40:07 2021 UTC (2 years, 9 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2021Q2-base, pkgsrc-2021Q2
Changes since 1.119: +2 -2 lines
Diff to previous 1.119 (colored) to selected 1.56 (colored)

Update go116 to 1.16.5.

go1.16.5 (released 2021-06-03) includes security fixes to the archive/zip,
math/big, net, and net/http/httputil packages, as well as bug fixes to the
linker, the go command, and the net/http package. See the Go 1.16.5 milestone
on our issue tracker for details.

The SetString and UnmarshalText methods of math/big.Rat
<https://pkg.go.dev/math/big#Rat> may cause a panic or an unrecoverable
fatal error if passed inputs with very large exponents.
This is issue <https://github.com/golang/go/issues/44910> and
CVE-2021-33198.

Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel
Odeke for reporting it.

ReverseProxy in net/http/httputil <https://pkg.go.dev/net/http/httputil> could
be made to forward certain hop-by-hop headers, including Connection. In
case the target of the ReverseProxy was itself a reverse proxy, this would
let an attacker drop arbitrary headers, including those set by the
ReverseProxy.Director.
This is issue <https://github.com/golang/go/issues/46313> and
CVE-2021-33197.

Thanks to Mattias Grenfeldt (https://grenfeldt.dev) and Asta Olofsson for
reporting this issue.

The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in
net <https://pkg.go.dev/net>, and their respective methods on the Resolver
<https://pkg.go.dev/net#Resolver> type may return arbitrary values
retrieved from DNS which do not follow the established RFC 1035
<https://datatracker.ietf.org/doc/html/rfc1035> rules for domain names. If
these names are used without further sanitization, for instance unsafely
included in HTML, they may allow for injection of unexpected content. Note
that LookupTXT may still return arbitrary values that could require
sanitization before further use.
This is issue <https://github.com/golang/go/issues/46241> and
CVE-2021-33195.

Thanks to Philipp Jeitner and Haya Shulman from Fraunhofer SIT for
reporting this issue.

The NewReader and OpenReader functions in archive/zip
<https://pkg.go.dev/archive/zip> can cause a panic or an unrecoverable
fatal error when reading an archive that claims to contain a large number
of files, regardless of its actual size.
This is issue <https://github.com/golang/go/issues/46242> and
CVE-2021-33196.

Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel
Odeke for reporting it.
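The net fix in the 1.16.5 entry above (CVE-2021-33195; the same text is repeated in the 1.15.13 entry that follows) tells callers that DNS answers must be sanitised before use. The following Go program is an added example for this page, not code from the Go project or from pkgsrc: it applies an RFC 1035 hostname syntax check to the result of a CNAME lookup before the caller may embed it. IsRFC1035Hostname and SafeLookupCNAME are this example's own names; the resolver is a constructed map standing in for net.LookupCNAME so the program runs offline, and the check is deliberately stricter than Go's internal one (no underscores).

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// IsRFC1035Hostname reports whether name is a syntactically valid hostname:
// dot-separated labels of 1..63 letters, digits and hyphens, no label starting
// or ending with a hyphen, at most 253 characters in total. A trailing dot
// (fully qualified name, as resolvers return) is accepted and ignored.
func IsRFC1035Hostname(name string) bool {
	name = strings.TrimSuffix(name, ".")
	if name == "" || len(name) > 253 {
		return false
	}
	for _, label := range strings.Split(name, ".") {
		if len(label) == 0 || len(label) > 63 {
			return false
		}
		if label[0] == '-' || label[len(label)-1] == '-' {
			return false
		}
		for i := 0; i < len(label); i++ {
			c := label[i]
			ok := ('a' <= c && c <= 'z') || ('A' <= c && c <= 'Z') ||
				('0' <= c && c <= '9') || c == '-'
			if !ok {
				return false
			}
		}
	}
	return true
}

// ErrBadDNSName is returned when a resolver answer fails the syntax check.
var ErrBadDNSName = errors.New("dns answer is not a valid hostname")

// SafeLookupCNAME wraps a CNAME lookup function (net.LookupCNAME in real use)
// and rejects answers that are not well-formed hostnames, so the caller can
// embed the result in HTML or logs without a second round of escaping.
func SafeLookupCNAME(lookup func(string) (string, error), host string) (string, error) {
	cname, err := lookup(host)
	if err != nil {
		return "", err
	}
	if !IsRFC1035Hostname(cname) {
		return "", fmt.Errorf("%w: %q", ErrBadDNSName, cname)
	}
	return cname, nil
}

// constructedResolver stands in for the DNS. The second answer is the kind of
// attacker-controlled record an unpatched Go would have returned verbatim.
var constructedResolver = map[string]string{
	"www.example.com":  "example.com.",
	"evil.example.com": "<img src=x onerror=alert(1)>.example.com.",
}

// LookupFromMap is the offline stand-in for net.LookupCNAME.
func LookupFromMap(host string) (string, error) {
	cname, ok := constructedResolver[host]
	if !ok {
		return "", fmt.Errorf("no such host: %s", host)
	}
	return cname, nil
}

func main() {
	for _, h := range []string{"www.example.com", "evil.example.com"} {
		cname, err := SafeLookupCNAME(LookupFromMap, h)
		fmt.Printf("%s -> %q err=%v\n", h, cname, err)
	}
}
```

The advisory notes that LookupTXT is exempt from the library fix because TXT records legitimately carry arbitrary bytes; a check like this one is the caller's job there, with rules appropriate to what the record is expected to contain.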

Revision 1.119 / (download) - annotate - [select for diffs], Fri Jun 4 16:43:20 2021 UTC (2 years, 9 months ago) by bsiegert
Branch: MAIN
Changes since 1.118: +2 -2 lines
Diff to previous 1.118 (colored) to selected 1.56 (colored)

Update go115 to 1.15.13.

go1.15.13 (released 2021-06-03) includes security fixes to the archive/zip,
math/big, net, and net/http/httputil packages, as well as bug fixes to the
linker, the go command, and the math/big and net/http packages. See the Go
1.15.13 milestone on our issue tracker for details.

The SetString and UnmarshalText methods of math/big.Rat
<https://pkg.go.dev/math/big#Rat> may cause a panic or an unrecoverable
fatal error if passed inputs with very large exponents.
This is issue <https://github.com/golang/go/issues/44910> and
CVE-2021-33198.

Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel
Odeke for reporting it.

ReverseProxy in net/http/httputil <https://pkg.go.dev/net/http/httputil> could
be made to forward certain hop-by-hop headers, including Connection. In
case the target of the ReverseProxy was itself a reverse proxy, this would
let an attacker drop arbitrary headers, including those set by the
ReverseProxy.Director.
This is issue <https://github.com/golang/go/issues/46313> and
CVE-2021-33197.

Thanks to Mattias Grenfeldt (https://grenfeldt.dev) and Asta Olofsson for
reporting this issue.

The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in
net <https://pkg.go.dev/net>, and their respective methods on the Resolver
<https://pkg.go.dev/net#Resolver> type may return arbitrary values
retrieved from DNS which do not follow the established RFC 1035
<https://datatracker.ietf.org/doc/html/rfc1035> rules for domain names. If
these names are used without further sanitization, for instance unsafely
included in HTML, they may allow for injection of unexpected content. Note
that LookupTXT may still return arbitrary values that could require
sanitization before further use.
This is issue <https://github.com/golang/go/issues/46241> and
CVE-2021-33195.

Thanks to Philipp Jeitner and Haya Shulman from Fraunhofer SIT for
reporting this issue.

The NewReader and OpenReader functions in archive/zip
<https://pkg.go.dev/archive/zip> can cause a panic or an unrecoverable
fatal error when reading an archive that claims to contain a large number
of files, regardless of its actual size.
This is issue <https://github.com/golang/go/issues/46242> and
CVE-2021-33196.

Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel
Odeke for reporting it.
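The net/http/httputil fix in the 1.15.13 entry above (CVE-2021-33197; the same text appears in the 1.16.5 entry earlier) is about a proxy forwarding a Connection header to the next hop, which then drops whatever that header names, including fields the first proxy's Director added. The following Go program is an added example for this page, not code from the Go project or from pkgsrc: it strips the hop-by-hop set and every field named in any Connection value, including the empty-first-value case, and only then adds the Director-style X-Forwarded-For. StripHopByHop and ForwardHeaders are this example's own names, and the request headers are constructed for it.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// hopByHopHeaders are the fields a proxy must not forward (RFC 7230 section
// 6.1); the set matches the one net/http/httputil maintains.
var hopByHopHeaders = []string{
	"Connection", "Proxy-Connection", "Keep-Alive", "Proxy-Authenticate",
	"Proxy-Authorization", "Te", "Trailer", "Transfer-Encoding", "Upgrade",
}

// StripHopByHop removes hop-by-hop headers from h in place and returns the
// canonical names it removed. Every Connection value is consulted, so an
// empty first value cannot shield the fields named in a later one.
func StripHopByHop(h http.Header) []string {
	var removed []string
	for _, v := range h.Values("Connection") {
		for _, name := range strings.Split(v, ",") {
			name = http.CanonicalHeaderKey(strings.TrimSpace(name))
			if name == "" {
				continue
			}
			if _, present := h[name]; present {
				h.Del(name)
				removed = append(removed, name)
			}
		}
	}
	for _, name := range hopByHopHeaders {
		if _, present := h[name]; present {
			h.Del(name)
			removed = append(removed, name)
		}
	}
	return removed
}

// ForwardHeaders builds the header set for the upstream request. The
// Director-style addition happens after stripping, so nothing the client put
// in Connection survives to tell the next hop to discard X-Forwarded-For.
func ForwardHeaders(in http.Header, clientIP string) http.Header {
	out := in.Clone()
	StripHopByHop(out)
	out.Set("X-Forwarded-For", clientIP)
	return out
}

func main() {
	// Constructed client request headers: an empty Connection value first,
	// then one naming a custom header and Upgrade for removal.
	in := http.Header{}
	in.Add("Connection", "")
	in.Add("Connection", "Upgrade, X-Client-Token")
	in.Set("Upgrade", "websocket")
	in.Set("X-Client-Token", "abc")
	in.Set("Authorization", "Bearer t")

	out := ForwardHeaders(in, "10.0.0.7")
	for k, v := range out {
		fmt.Printf("%s: %s\n", k, strings.Join(v, ", "))
	}
}
```

Connection-named fields are hop-by-hop by definition, so dropping X-Client-Token here is the intended outcome; the property that matters is that Connection itself never reaches the upstream, which is what the test below checks.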

Revision 1.118 / (download) - annotate - [select for diffs], Fri May 7 18:29:14 2021 UTC (2 years, 10 months ago) by bsiegert
Branch: MAIN
Changes since 1.117: +2 -2 lines
Diff to previous 1.117 (colored) to selected 1.56 (colored)

Update go116 to 1.16.4.

go1.16.3 (released 2021/04/01) includes fixes to the compiler, linker, runtime,
the go command, and the testing and time packages. See the Go 1.16.3 milestone
on our issue tracker for details.

go1.16.4 (released 2021/05/06) includes a security fix to the net/http package,
as well as bug fixes to the runtime, the compiler, and the archive/zip, time,
and syscall packages. See the Go 1.16.4 milestone on our issue tracker for
details.

Revision 1.117 / (download) - annotate - [select for diffs], Fri May 7 16:30:41 2021 UTC (2 years, 10 months ago) by bsiegert
Branch: MAIN
Changes since 1.116: +2 -2 lines
Diff to previous 1.116 (colored) to selected 1.56 (colored)

Update go115 to 1.15.12.

go1.15.11 (released 2021/04/01) includes fixes to cgo, the compiler, linker,
runtime, the go command, and the database/sql and net/http packages. See the Go
1.15.11 milestone on our issue tracker for details.

go1.15.12 (released 2021/05/06) includes a security fix to the net/http
package, as well as bug fixes to the runtime and the time package. See the Go
1.15.12 milestone on our issue tracker for details.

Revision 1.116 / (download) - annotate - [select for diffs], Sat Mar 20 09:28:34 2021 UTC (3 years ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2021Q1-base, pkgsrc-2021Q1
Changes since 1.115: +1 -3 lines
Diff to previous 1.115 (colored) to selected 1.56 (colored)

We say goodbye to Go 1.14.

The policy of the Go project is to support the last two stable branches,
so 1.14 is end of life.

Revision 1.115 / (download) - annotate - [select for diffs], Sat Mar 20 09:26:11 2021 UTC (3 years ago) by bsiegert
Branch: MAIN
Changes since 1.114: +2 -4 lines
Diff to previous 1.114 (colored) to selected 1.56 (colored)

Use Go 1.16 as the default version.

macOS on ARM has had 1.16 as the default already for a while. The next
branch should have it for all OSes. Some build breakage has been fixed
already in separate commits.

ok before freeze wiz@

Revision 1.114 / (download) - annotate - [select for diffs], Fri Mar 19 17:22:54 2021 UTC (3 years ago) by bsiegert
Branch: MAIN
Changes since 1.113: +2 -2 lines
Diff to previous 1.113 (colored) to selected 1.56 (colored)

Update go115 to 1.15.10.

go1.15.8 (released 2021/02/04) includes fixes to the compiler, linker, runtime,
the go command, and the net/http package. See the Go 1.15.8 milestone on our
issue tracker for details.

go1.15.9 (released 2021/03/10) includes security fixes to the encoding/xml
package. See the Go 1.15.9 milestone on our issue tracker for details.

go1.15.10 (released 2021/03/11) includes fixes to the compiler, the go command,
and the net/http, os, syscall, and time packages. See the Go 1.15.10 milestone
on our issue tracker for details.

Revision 1.113 / (download) - annotate - [select for diffs], Sun Mar 14 18:15:16 2021 UTC (3 years ago) by bsiegert
Branch: MAIN
Changes since 1.112: +2 -2 lines
Diff to previous 1.112 (colored) to selected 1.56 (colored)

Update go116 to 1.16.2.

go1.16.2 (released 2021/03/11) includes fixes to cgo, the compiler, linker,
the go command, and the syscall and time packages. See the Go 1.16.2 milestone
on our issue tracker for details.

Revision 1.112 / (download) - annotate - [select for diffs], Wed Mar 10 19:55:17 2021 UTC (3 years ago) by bsiegert
Branch: MAIN
Changes since 1.111: +2 -2 lines
Diff to previous 1.111 (colored) to selected 1.56 (colored)

Update go116 to 1.16.1, fixing two security issues:

   - encoding/xml: infinite loop when using xml.NewTokenDecoder with a
   custom TokenReader

The Decode, DecodeElement, and Skip methods of an xml.Decoder provided by
xml.NewTokenDecoder may enter an infinite loop when operating on a custom
xml.TokenReader which returns an EOF in the middle of an open XML element.

Thanks to Sam Whited for reporting this issue.

This issue is CVE-2021-27918 and Go issue golang.org/issue/44913.


   - archive/zip: panic when calling Reader.Open

The Reader.Open API, new in Go 1.16, will panic when used on a ZIP archive
containing files that start with "../".

This issue is CVE-2021-27919 and Go issue golang.org/issue/44916.
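The archive/zip entry above concerns archive member names beginning with "../". Independently of the panic that 1.16.1 fixed, such names are the classic path-traversal ("zip slip") vector, and an extractor must reject them before joining them onto a destination directory. The following Go program is an added example for this page, not code from the Go project or from pkgsrc: it builds a small archive in memory with constructed member names and classifies each one with the same relative-path rule that io/fs.ValidPath expresses. SafeEntryName, ClassifyEntries and BuildConstructedZip are this example's own names.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io/fs"
	"strings"
)

// BuildConstructedZip returns an in-memory archive whose member names cover
// the traversal cases; the file contents are placeholders.
func BuildConstructedZip() ([]byte, error) {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	names := []string{"docs/readme.txt", "../evil.sh", "/etc/passwd", "ok/../../x", "bin/"}
	for _, name := range names {
		f, err := w.Create(name)
		if err != nil {
			return nil, err
		}
		if strings.HasSuffix(name, "/") {
			continue // directory entry: no body
		}
		if _, err := f.Write([]byte("placeholder\n")); err != nil {
			return nil, err
		}
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// SafeEntryName reports whether a member name may be used as a path beneath
// an extraction root: slash-separated, relative, no "." or ".." elements and
// no empty elements. Directory entries carry a trailing slash, which is
// removed before the check; "." alone (the root) is not a usable member.
func SafeEntryName(name string) bool {
	name = strings.TrimSuffix(name, "/")
	return name != "" && name != "." && fs.ValidPath(name)
}

// ClassifyEntries reads an archive and splits its member names into those an
// extractor may write and those it must refuse.
func ClassifyEntries(data []byte) (safe, rejected []string, err error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if r == nil {
		return nil, nil, err
	}
	// Newer Go versions can hand back the reader together with an
	// "insecure path" error when GODEBUG asks for it; the check below covers
	// those names either way.
	for _, f := range r.File {
		if SafeEntryName(f.Name) {
			safe = append(safe, f.Name)
		} else {
			rejected = append(rejected, f.Name)
		}
	}
	return safe, rejected, nil
}

func main() {
	data, err := BuildConstructedZip()
	if err != nil {
		panic(err)
	}
	safe, rejected, err := ClassifyEntries(data)
	if err != nil {
		panic(err)
	}
	fmt.Println("safe:    ", safe)
	fmt.Println("rejected:", rejected)
}
```

An extractor that passes only the safe names to filepath.Join(root, name) cannot be steered outside root by the archive; the rejected names are exactly the ones Reader.Open refuses after the fix.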

Revision 1.111 / (download) - annotate - [select for diffs], Wed Feb 17 08:07:03 2021 UTC (3 years, 1 month ago) by bsiegert
Branch: MAIN
Changes since 1.110: +2 -2 lines
Diff to previous 1.110 (colored) to selected 1.56 (colored)

go116: update to the final 1.16 release

I did not find a detailed changelog from rc1.

Revision 1.110 / (download) - annotate - [select for diffs], Fri Jan 29 17:22:29 2021 UTC (3 years, 1 month ago) by bsiegert
Branch: MAIN
Changes since 1.109: +2 -2 lines
Diff to previous 1.109 (colored) to selected 1.56 (colored)

Update go116 to 1.16 RC1.

This RC contains the recent security updates for Go and fixes a number
of bugs.

Revision 1.109 / (download) - annotate - [select for diffs], Sat Jan 23 14:07:37 2021 UTC (3 years, 2 months ago) by bsiegert
Branch: MAIN
Changes since 1.108: +2 -2 lines
Diff to previous 1.108 (colored) to selected 1.56 (colored)

Update go115 to 1.15.7.

* cmd/go: packages using cgo can cause arbitrary code execution at build time

The go command may execute arbitrary code at build time when cgo is in use on
Windows. This may occur when running "go get" or any other command that builds
code. Only users who build untrusted code (and don't execute it) are affected.

In addition to Windows users, this can also affect Unix users who have "."
listed explicitly in their PATH and are running "go get" or build commands
outside of a module or with module mode disabled.

Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.

This issue is CVE-2021-3115 and Go issue golang.org/issue/43783.

For more background on the cmd/go change and help deciding whether your own
programs might have similar issues, see our blog post at
https://blog.golang.org/path-security.

* crypto/elliptic: incorrect operations on the P-224 curve

The P224() Curve implementation can in rare circumstances generate incorrect
outputs, including returning invalid points from ScalarMult.

The crypto/x509 and golang.org/x/crypto/ocsp (but not crypto/tls) packages
support P-224 ECDSA keys, but they are not supported by publicly trusted
certificate authorities. No other standard library or golang.org/x/crypto
package supports or uses the P-224 curve.

The incorrect output was found by the elliptic-curve-differential-fuzzer
project running on OSS-Fuzz and reported by Philippe Antoine (Catena cyber).

This issue is CVE-2021-3114 and Go issue golang.org/issue/43786.

Revision 1.108 / (download) - annotate - [select for diffs], Fri Jan 22 20:08:32 2021 UTC (3 years, 2 months ago) by bsiegert
Branch: MAIN
Changes since 1.107: +2 -2 lines
Diff to previous 1.107 (colored) to selected 1.56 (colored)

Update go114 to 1.14.14.

* cmd/go: packages using cgo can cause arbitrary code execution at build time

The go command may execute arbitrary code at build time when cgo is in use on
Windows. This may occur when running "go get" or any other command that builds
code. Only users who build untrusted code (and don't execute it) are affected.

In addition to Windows users, this can also affect Unix users who have "."
listed explicitly in their PATH and are running "go get" or build commands
outside of a module or with module mode disabled.

Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.

This issue is CVE-2021-3115 and Go issue golang.org/issue/43783.

For more background on the cmd/go change and help deciding whether your own
programs might have similar issues, see our blog post at
https://blog.golang.org/path-security.

* crypto/elliptic: incorrect operations on the P-224 curve

The P224() Curve implementation can in rare circumstances generate incorrect
outputs, including returning invalid points from ScalarMult.

The crypto/x509 and golang.org/x/crypto/ocsp (but not crypto/tls) packages
support P-224 ECDSA keys, but they are not supported by publicly trusted
certificate authorities. No other standard library or golang.org/x/crypto
package supports or uses the P-224 curve.

The incorrect output was found by the elliptic-curve-differential-fuzzer
project running on OSS-Fuzz and reported by Philippe Antoine (Catena cyber).

This issue is CVE-2021-3114 and Go issue golang.org/issue/43786.

Revision 1.107 / (download) - annotate - [select for diffs], Sat Dec 19 18:03:52 2020 UTC (3 years, 3 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2020Q4-base, pkgsrc-2020Q4
Changes since 1.106: +3 -1 lines
Diff to previous 1.106 (colored) to selected 1.56 (colored)

Default to go116 on Darwin-*-aarch64

Revision 1.106 / (download) - annotate - [select for diffs], Sat Dec 19 17:58:06 2020 UTC (3 years, 3 months ago) by bsiegert
Branch: MAIN
Changes since 1.105: +2 -1 lines
Diff to previous 1.105 (colored) to selected 1.56 (colored)

Add a package for go116-1.16.beta1.

Normally, we would not package beta versions, except maybe in pkgsrc-wip.
This is different though, since 1.16.beta1 is the first Go version supporting
macOS on Apple Silicon.

Discussion about this was on tech-pkg@.

Revision 1.105 / (download) - annotate - [select for diffs], Fri Nov 13 18:45:50 2020 UTC (3 years, 4 months ago) by bsiegert
Branch: MAIN
Changes since 1.104: +2 -2 lines
Diff to previous 1.104 (colored) to selected 1.56 (colored)

Update go115 to 1.15.5 (security fix).

   - math/big: panic during recursive division of very large numbers

A number of math/big.Int <https://pkg.go.dev/math/big#Int> methods (Div,
Exp, DivMod, Quo, Rem, QuoRem, Mod, ModInverse, ModSqrt, Jacobi, and GCD)
can panic when provided crafted large inputs. For the panic to happen, the
divisor or modulo argument must be larger than 3168 bits (on 32-bit
architectures) or 6336 bits (on 64-bit architectures). Multiple math/big.Rat
<https://pkg.go.dev/math/big#Rat> methods are similarly affected.

crypto/rsa.VerifyPSS <https://pkg.go.dev/crypto/rsa#VerifyPSS>,
crypto/rsa.VerifyPKCS1v15 <https://pkg.go.dev/crypto/rsa#VerifyPKCS1v15>,
and crypto/dsa.Verify <https://pkg.go.dev/crypto/dsa#Verify> may panic when
provided crafted public keys and signatures. crypto/ecdsa and
crypto/elliptic operations may only be affected if custom CurveParams
<https://pkg.go.dev/crypto/elliptic#CurveParams> with unusually large field
sizes (several times larger than the largest supported curve, P-521) are in
use. Using crypto/x509.Verify on a crafted X.509 certificate chain can lead
to a panic, even if the certificates don't chain to a trusted root. The
chain can be delivered via a crypto/tls connection to a client, or to a
server that accepts and verifies client certificates. net/http clients can
be made to crash by an HTTPS server, while net/http servers that accept
client certificates will recover the panic and are unaffected.

Moreover, an application might crash invoking
crypto/x509.(*CertificateRequest).CheckSignature on an X.509 certificate
request or during a golang.org/x/crypto/otr conversation. Parsing a
golang.org/x/crypto/openpgp Entity or verifying a signature may crash.
Finally, a golang.org/x/crypto/ssh client can panic due to a malformed host
key, while a server could panic if either PublicKeyCallback accepts a
malformed public key, or if IsUserAuthority accepts a certificate with a
malformed public key.

This issue is CVE-2020-28362 and Go issue golang.org/issue/42552.


   - cmd/go: arbitrary code execution at build time through cgo

The go command may execute arbitrary code at build time when cgo is in use.
This may occur when running go get on a malicious package, or any other
command that builds untrusted code.

This can be caused by malicious gcc flags specified via a #cgo directive,
or by a malicious symbol name in a linked object file.

These issues are CVE-2020-28367 and CVE-2020-28366, and Go issues
golang.org/issue/42556 and golang.org/issue/42559 respectively.

Revision 1.104 / (download) - annotate - [select for diffs], Fri Nov 13 18:27:35 2020 UTC (3 years, 4 months ago) by bsiegert
Branch: MAIN
Changes since 1.103: +2 -2 lines
Diff to previous 1.103 (colored) to selected 1.56 (colored)

Update go114 to 1.14.12 (security fix).

   - math/big: panic during recursive division of very large numbers

A number of math/big.Int methods (Div, Exp, DivMod, Quo, Rem, QuoRem, Mod,
ModInverse, ModSqrt, Jacobi, and GCD) can panic when provided crafted large
inputs. For the panic to happen, the divisor or modulo argument must be larger
than 3168 bits (on 32-bit architectures) or 6336 bits (on 64-bit
architectures). Multiple math/big.Rat <https://pkg.go.dev/math/big#Rat> methods
are similarly affected.

crypto/rsa.VerifyPSS <https://pkg.go.dev/crypto/rsa#VerifyPSS>,
crypto/rsa.VerifyPKCS1v15 <https://pkg.go.dev/crypto/rsa#VerifyPKCS1v15>,
and crypto/dsa.Verify <https://pkg.go.dev/crypto/dsa#Verify> may panic when
provided crafted public keys and signatures. crypto/ecdsa and
crypto/elliptic operations may only be affected if custom CurveParams
<https://pkg.go.dev/crypto/elliptic#CurveParams> with unusually large field
sizes (several times larger than the largest supported curve, P-521) are in
use. Using crypto/x509.Verify on a crafted X.509 certificate chain can lead
to a panic, even if the certificates don't chain to a trusted root. The
chain can be delivered via a crypto/tls connection to a client, or to a
server that accepts and verifies client certificates. net/http clients can
be made to crash by an HTTPS server, while net/http servers that accept
client certificates will recover the panic and are unaffected.

Moreover, an application might crash invoking
crypto/x509.(*CertificateRequest).CheckSignature on an X.509 certificate
request or during a golang.org/x/crypto/otr conversation. Parsing a
golang.org/x/crypto/openpgp Entity or verifying a signature may crash.
Finally, a golang.org/x/crypto/ssh client can panic due to a malformed host
key, while a server could panic if either PublicKeyCallback accepts a
malformed public key, or if IsUserAuthority accepts a certificate with a
malformed public key.

Thanks to the Go Ethereum team and the OSS-Fuzz project for reporting this.
Thanks to Rémy Oudompheng and Robert Griesemer for their help developing
and validating the fix.

This issue is CVE-2020-28362 and Go issue golang.org/issue/42552.


   - cmd/go: arbitrary code execution at build time through cgo

The go command may execute arbitrary code at build time when cgo is in use.
This may occur when running go get on a malicious package, or any other
command that builds untrusted code.

This can be caused by malicious gcc flags specified via a #cgo directive,
or by a malicious symbol name in a linked object file.

These issues are CVE-2020-28367 and CVE-2020-28366, and Go issues
golang.org/issue/42556 and golang.org/issue/42559 respectively.

Revision 1.103 / (download) - annotate - [select for diffs], Sun Nov 8 20:38:09 2020 UTC (3 years, 4 months ago) by bsiegert
Branch: MAIN
Changes since 1.102: +2 -2 lines
Diff to previous 1.102 (colored) to selected 1.56 (colored)

Update go115 to 1.15.4

go1.15.4 (released 2020/11/05) includes fixes to cgo, the compiler, linker,
runtime, and the compress/flate, net/http, reflect, and time packages. See the
Go 1.15.4 milestone on our issue tracker for details.

Revision 1.102 / (download) - annotate - [select for diffs], Sun Nov 8 20:12:31 2020 UTC (3 years, 4 months ago) by bsiegert
Branch: MAIN
Changes since 1.101: +2 -2 lines
Diff to previous 1.101 (colored) to selected 1.56 (colored)

Update go114 to 1.14.11

go1.14.11 (released 2020/11/05) includes fixes to the runtime, and the net/http
and time packages. See the Go 1.14.11 milestone on our issue tracker for
details.

Revision 1.101 / (download) - annotate - [select for diffs], Thu Oct 15 12:43:33 2020 UTC (3 years, 5 months ago) by bsiegert
Branch: MAIN
Changes since 1.100: +2 -2 lines
Diff to previous 1.100 (colored) to selected 1.56 (colored)

Update go115 to 1.15.3.

go1.15.2 (released 2020/09/09) includes fixes to the compiler, runtime,
documentation, the go command, and the net/mail, os, sync, and testing
packages. See the Go 1.15.2 milestone on our issue tracker for details.

go1.15.3 (released 2020/10/14) includes fixes to cgo, the compiler, runtime,
the go command, and the bytes, plugin, and testing packages. See the Go 1.15.3
milestone on our issue tracker for details.

Revision 1.100 / (download) - annotate - [select for diffs], Thu Oct 15 12:01:14 2020 UTC (3 years, 5 months ago) by bsiegert
Branch: MAIN
Changes since 1.99: +2 -2 lines
Diff to previous 1.99 (colored) to selected 1.56 (colored)

Update go114 to 1.14.10.

go1.14.9 (released 2020/09/09) includes fixes to the compiler, linker, runtime,
documentation, and the net/http and testing packages. See the Go 1.14.9
milestone on our issue tracker for details.

go1.14.10 (released 2020/10/14) includes fixes to the compiler, runtime, and
the plugin and testing packages. See the Go 1.14.10 milestone on our issue
tracker for details.

Revision 1.99 / (download) - annotate - [select for diffs], Thu Sep 3 07:03:26 2020 UTC (3 years, 6 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2020Q3-base, pkgsrc-2020Q3
Changes since 1.98: +2 -2 lines
Diff to previous 1.98 (colored) to selected 1.56 (colored)

Update go114 to 1.14.8.

go1.14.8 (released 2020/09/01) includes security fixes to the net/http/cgi and
net/http/fcgi packages. See the Go 1.14.8 milestone on our issue tracker for
details.

Revision 1.98 / (download) - annotate - [select for diffs], Thu Sep 3 06:47:21 2020 UTC (3 years, 6 months ago) by bsiegert
Branch: MAIN
Changes since 1.97: +3 -3 lines
Diff to previous 1.97 (colored) to selected 1.56 (colored)

Update go115 to 1.15.1.

go1.15.1 (released 2020/09/01) includes security fixes to the net/http/cgi and
net/http/fcgi packages. See the Go 1.15.1 milestone on our issue tracker for
details.

Revision 1.97 / (download) - annotate - [select for diffs], Fri Aug 21 19:50:22 2020 UTC (3 years, 7 months ago) by bsiegert
Branch: MAIN
Changes since 1.96: +2 -1 lines
Diff to previous 1.96 (colored) to selected 1.56 (colored)

Add a package for Go 1.15.

The latest Go release, version 1.15, arrives six months after Go 1.14. Most of
its changes are in the implementation of the toolchain, runtime, and libraries.
As always, the release maintains the Go 1 promise of compatibility. We expect
almost all Go programs to continue to compile and run as before.

Go 1.15 includes substantial improvements to the linker, improves allocation
for small objects at high core counts, and deprecates X.509 CommonName. GOPROXY
now supports skipping proxies that return errors and a new embedded tzdata
package has been added.

There are no changes to the language.

Revision 1.96 / (download) - annotate - [select for diffs], Fri Aug 14 18:45:56 2020 UTC (3 years, 7 months ago) by bsiegert
Branch: MAIN
Changes since 1.95: +2 -2 lines
Diff to previous 1.95 (colored) to selected 1.56 (colored)

Update go114 to 1.14.7.

go1.14.7 (released 2020/08/06) includes security fixes to the encoding/binary
package. See the Go 1.14.7 milestone on our issue tracker for details.

Revision 1.95 / (download) - annotate - [select for diffs], Fri Aug 14 18:28:29 2020 UTC (3 years, 7 months ago) by bsiegert
Branch: MAIN
Changes since 1.94: +2 -2 lines
Diff to previous 1.94 (colored) to selected 1.56 (colored)

Update go113 to 1.13.15.

go1.13.15 (released 2020/08/06) includes security fixes to the encoding/binary
package. See the Go 1.13.15 milestone on our issue tracker for details.

Revision 1.92.2.2 / (download) - annotate - [select for diffs], Mon Jul 20 14:59:01 2020 UTC (3 years, 8 months ago) by spz
Branch: pkgsrc-2020Q2
Changes since 1.92.2.1: +2 -2 lines
Diff to previous 1.92.2.1 (colored) to branchpoint 1.92 (colored) next main 1.93 (colored) to selected 1.56 (colored)

Pullup ticket #6279 - requested by bsiegert
lang/go114: security update

Revisions pulled up:
- lang/go/version.mk                                            1.94
- lang/go114/PLIST                                              1.5
- lang/go114/distinfo                                           1.8

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   bsiegert
   Date:           Fri Jul 17 17:20:06 UTC 2020

   Modified Files:
           pkgsrc/lang/go: version.mk
           pkgsrc/lang/go114: PLIST distinfo

   Log Message:
   Update go114 to 1.14.6.

   go1.14.5 (released 2020/07/14) includes security fixes to the crypto/x509 and
   net/http packages. See the Go 1.14.5 milestone on our issue tracker for
   details.

   go1.14.6 (released 2020/07/16) includes fixes to the go command, the compiler,
   the linker, vet, and the database/sql, encoding/json, net/http, reflect, and
   testing packages. See the Go 1.14.6 milestone on our issue tracker for details.


   To generate a diff of this commit:
   cvs rdiff -u -r1.93 -r1.94 pkgsrc/lang/go/version.mk
   cvs rdiff -u -r1.4 -r1.5 pkgsrc/lang/go114/PLIST
   cvs rdiff -u -r1.7 -r1.8 pkgsrc/lang/go114/distinfo

Revision 1.92.2.1 / (download) - annotate - [select for diffs], Mon Jul 20 14:52:20 2020 UTC (3 years, 8 months ago) by spz
Branch: pkgsrc-2020Q2
Changes since 1.92: +2 -2 lines
Diff to previous 1.92 (colored) to selected 1.56 (colored)

Pullup ticket #6278 - requested by bsiegert
lang/go113: security update

Revisions pulled up:
- lang/go/version.mk                                            1.93
- lang/go113/PLIST                                              1.4
- lang/go113/distinfo                                           1.8

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   bsiegert
   Date:           Fri Jul 17 17:10:20 UTC 2020

   Modified Files:
           pkgsrc/lang/go: version.mk
           pkgsrc/lang/go113: PLIST distinfo

   Log Message:
   Update go113 to 1.13.14.

   go1.13.12 (released 2020/06/01) includes fixes to the runtime, and the go/types
   and math/big packages. See the Go 1.13.12 milestone on our issue tracker for
   details.

   go1.13.13 (released 2020/07/14) includes security fixes to the crypto/x509 and
   net/http packages. See the Go 1.13.13 milestone on our issue tracker for
   details.

   go1.13.14 (released 2020/07/16) includes fixes to the compiler, vet, and the
   database/sql, net/http, and reflect packages. See the Go 1.13.14 milestone
   on our issue tracker for details.


   To generate a diff of this commit:
   cvs rdiff -u -r1.92 -r1.93 pkgsrc/lang/go/version.mk
   cvs rdiff -u -r1.3 -r1.4 pkgsrc/lang/go113/PLIST
   cvs rdiff -u -r1.7 -r1.8 pkgsrc/lang/go113/distinfo

Revision 1.94 / (download) - annotate - [select for diffs], Fri Jul 17 17:20:05 2020 UTC (3 years, 8 months ago) by bsiegert
Branch: MAIN
Changes since 1.93: +2 -2 lines
Diff to previous 1.93 (colored) to selected 1.56 (colored)

Update go114 to 1.14.6.

go1.14.5 (released 2020/07/14) includes security fixes to the crypto/x509 and
net/http packages. See the Go 1.14.5 milestone on our issue tracker for
details.

go1.14.6 (released 2020/07/16) includes fixes to the go command, the compiler,
the linker, vet, and the database/sql, encoding/json, net/http, reflect, and
testing packages. See the Go 1.14.6 milestone on our issue tracker for details.

Revision 1.93 / (download) - annotate - [select for diffs], Fri Jul 17 17:10:20 2020 UTC (3 years, 8 months ago) by bsiegert
Branch: MAIN
Changes since 1.92: +2 -2 lines
Diff to previous 1.92 (colored) to selected 1.56 (colored)

Update go113 to 1.13.14.

go1.13.12 (released 2020/06/01) includes fixes to the runtime, and the go/types
and math/big packages. See the Go 1.13.12 milestone on our issue tracker for
details.

go1.13.13 (released 2020/07/14) includes security fixes to the crypto/x509 and
net/http packages. See the Go 1.13.13 milestone on our issue tracker for details.

go1.13.14 (released 2020/07/16) includes fixes to the compiler, vet, and the
database/sql, net/http, and reflect packages. See the Go 1.13.14 milestone
on our issue tracker for details.

Revision 1.92 / (download) - annotate - [select for diffs], Wed Jun 17 09:37:25 2020 UTC (3 years, 9 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2020Q2-base
Branch point for: pkgsrc-2020Q2
Changes since 1.91: +2 -2 lines
Diff to previous 1.91 (colored) to selected 1.56 (colored)

Update go114 to 1.14.4.

go1.14.3 (released 2020/05/14) includes fixes to cgo, the compiler, the
runtime, and the go/doc and math/big packages. See the Go 1.14.3
milestone on our issue tracker for details.

go1.14.4 (released 2020/06/01) includes fixes to the go doc command, the
runtime, and the encoding/json and os packages. See the Go 1.14.4
milestone on our issue tracker for details.

Revision 1.91 / (download) - annotate - [select for diffs], Sat May 16 08:33:07 2020 UTC (3 years, 10 months ago) by bsiegert
Branch: MAIN
Changes since 1.90: +2 -2 lines
Diff to previous 1.90 (colored) to selected 1.56 (colored)

Update go113 to 1.13.11.

go1.13.11 (released 2020/05/14) includes fixes to the compiler. See the Go
1.13.11 milestone on our issue tracker for details.

Revision 1.90 / (download) - annotate - [select for diffs], Fri May 1 16:39:59 2020 UTC (3 years, 10 months ago) by tnn
Branch: MAIN
Changes since 1.89: +7 -2 lines
Diff to previous 1.89 (colored) to selected 1.56 (colored)

go/version.mk: now supports aarch64

Revision 1.89 / (download) - annotate - [select for diffs], Sun Apr 12 11:09:03 2020 UTC (3 years, 11 months ago) by bsiegert
Branch: MAIN
Changes since 1.88: +2 -3 lines
Diff to previous 1.88 (colored) to selected 1.56 (colored)

Update go113 to 1.13.10.

go1.13.10 (released 2020/04/08) includes fixes to the go command, the
runtime, os/exec, and time packages. See the Go 1.13.10 milestone on our
issue tracker for details.

Revision 1.88 / (download) - annotate - [select for diffs], Sun Apr 12 09:41:18 2020 UTC (3 years, 11 months ago) by bsiegert
Branch: MAIN
Changes since 1.87: +2 -2 lines
Diff to previous 1.87 (colored) to selected 1.56 (colored)

Set 1.14 as default Go version.

1.14.2 is good now :)

Revision 1.87 / (download) - annotate - [select for diffs], Thu Apr 9 13:28:38 2020 UTC (3 years, 11 months ago) by bsiegert
Branch: MAIN
Changes since 1.86: +2 -2 lines
Diff to previous 1.86 (colored) to selected 1.56 (colored)

Update go114 to 1.14.2.

go1.14.2 (released 2020/04/08) includes fixes to cgo, the go command, the
runtime, os/exec, and testing packages. See the Go 1.14.2 milestone on our
issue tracker for details.

From what I know from work, 1.14.1 had a nasty runtime bug that is now
fixed.

Revision 1.86 / (download) - annotate - [select for diffs], Sat Mar 21 16:51:10 2020 UTC (4 years ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2020Q1-base, pkgsrc-2020Q1
Changes since 1.85: +2 -2 lines
Diff to previous 1.85 (colored) to selected 1.56 (colored)

Update go113 to 1.13.9.

This release includes fixes to the go command, tools, the runtime,
the toolchain, and to the crypto/cipher package.

View the release notes for more information:
    https://golang.org/doc/devel/release.html#go1.13.minor

Revision 1.85 / (download) - annotate - [select for diffs], Sat Mar 21 10:07:48 2020 UTC (4 years ago) by bsiegert
Branch: MAIN
Changes since 1.84: +1 -3 lines
Diff to previous 1.84 (colored) to selected 1.56 (colored)

Remove GO112_VERSION and GO111_VERSION.

Revision 1.84 / (download) - annotate - [select for diffs], Fri Mar 20 19:50:48 2020 UTC (4 years ago) by bsiegert
Branch: MAIN
Changes since 1.83: +2 -2 lines
Diff to previous 1.83 (colored) to selected 1.56 (colored)

Update go114 to 1.14.1.

This release includes fixes to the go command, tools, the runtime,
the toolchain, and to the crypto/cipher package.

View the release notes for more information:
    https://golang.org/doc/devel/release.html#go1.14.minor

Revision 1.83 / (download) - annotate - [select for diffs], Thu Feb 27 16:34:31 2020 UTC (4 years, 1 month ago) by bsiegert
Branch: MAIN
Changes since 1.82: +2 -2 lines
Diff to previous 1.82 (colored) to selected 1.56 (colored)

Update go113 to 1.13.8.

This release includes fixes to the runtime, the crypto/x509, and
net/http packages.

Revision 1.82 / (download) - annotate - [select for diffs], Thu Feb 27 14:32:57 2020 UTC (4 years, 1 month ago) by bsiegert
Branch: MAIN
Changes since 1.81: +2 -1 lines
Diff to previous 1.81 (colored) to selected 1.56 (colored)

Add a package for Go 1.14.

The default will remain at 1.13 for the next branch.

The latest Go release, version 1.14, arrives six months after Go 1.13. Most of
its changes are in the implementation of the toolchain, runtime, and libraries.
As always, the release maintains the Go 1 promise of compatibility. We expect
almost all Go programs to continue to compile and run as before.

See the release notes at https://golang.org/doc/go1.14.

Revision 1.81 / (download) - annotate - [select for diffs], Sun Feb 23 19:21:27 2020 UTC (4 years, 1 month ago) by bsiegert
Branch: MAIN
Changes since 1.80: +2 -2 lines
Diff to previous 1.80 (colored) to selected 1.56 (colored)

Update go112 to 1.12.7.

These releases include fixes to the runtime, the crypto/x509, and
net/http packages.

Revision 1.80 / (download) - annotate - [select for diffs], Sun Feb 2 09:36:40 2020 UTC (4 years, 1 month ago) by bsiegert
Branch: MAIN
Changes since 1.79: +2 -2 lines
Diff to previous 1.79 (colored) to selected 1.56 (colored)

Update go113 to 1.13.7 (security release).

Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte

On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing
functions of golang.org/x/crypto/cryptobyte can lead to a panic.

The malformed certificate can be delivered via a crypto/tls connection to a
client, or to a server that accepts client certificates. net/http clients can
be made to crash by an HTTPS server, while net/http servers that accept client
certificates will recover the panic and are unaffected.

Thanks to Project Wycheproof for providing the test cases that led to the
discovery of this issue.

The issue is CVE-2020-7919 and Go issue golang.org/issue/36837.

This is also fixed in version v0.0.0-20200124225646-8b5121be2f68 of
golang.org/x/crypto/cryptobyte.

Revision 1.79 / (download) - annotate - [select for diffs], Sun Feb 2 09:26:39 2020 UTC (4 years, 1 month ago) by bsiegert
Branch: MAIN
Changes since 1.78: +2 -2 lines
Diff to previous 1.78 (colored) to selected 1.56 (colored)

Update go112 to 1.12.16 (security release).

Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte

On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing
functions of golang.org/x/crypto/cryptobyte can lead to a panic.

The malformed certificate can be delivered via a crypto/tls connection to a
client, or to a server that accepts client certificates. net/http clients can
be made to crash by an HTTPS server, while net/http servers that accept client
certificates will recover the panic and are unaffected.

Thanks to Project Wycheproof for providing the test cases that led to the
discovery of this issue.

The issue is CVE-2020-7919 and Go issue golang.org/issue/36837.

This is also fixed in version v0.0.0-20200124225646-8b5121be2f68 of
golang.org/x/crypto/cryptobyte.

Revision 1.78 / (download) - annotate - [select for diffs], Fri Jan 10 12:56:35 2020 UTC (4 years, 2 months ago) by bsiegert
Branch: MAIN
Changes since 1.77: +2 -2 lines
Diff to previous 1.77 (colored) to selected 1.56 (colored)

go: use go113 as the default for building packages.

I did a preliminary bulk build to find build failures resulting from this
change and fixed the fallout in www/grafana. Everything else seemed to be
ok.

Revision 1.77 / (download) - annotate - [select for diffs], Fri Jan 10 12:53:01 2020 UTC (4 years, 2 months ago) by bsiegert
Branch: MAIN
Changes since 1.76: +2 -2 lines
Diff to previous 1.76 (colored) to selected 1.56 (colored)

Update go112 to 1.12.15.

These releases include fixes to the runtime and to the
net/http package.

The macOS releases enable the Hardened Runtime. See
https://golang.org/issue/34986 for details.

View the release notes for more information:
    https://golang.org/doc/devel/release.html#go1.13.minor

Revision 1.76 / (download) - annotate - [select for diffs], Fri Jan 10 12:40:43 2020 UTC (4 years, 2 months ago) by bsiegert
Branch: MAIN
Changes since 1.75: +2 -2 lines
Diff to previous 1.75 (colored) to selected 1.56 (colored)

Update go113 to 1.13.6.

These releases include fixes to the runtime and to the
net/http package.

The macOS releases enable the Hardened Runtime. See
https://golang.org/issue/34986 for details.

View the release notes for more information:
    https://golang.org/doc/devel/release.html#go1.13.minor

Revision 1.75 / (download) - annotate - [select for diffs], Fri Dec 13 07:39:33 2019 UTC (4 years, 3 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2019Q4-base, pkgsrc-2019Q4
Changes since 1.74: +2 -2 lines
Diff to previous 1.74 (colored) to selected 1.56 (colored)

Update go112 to 1.12.14.

go1.12.13 (released 2019/10/31) fixes an issue on macOS 10.15 Catalina where
the non-notarized installer and binaries were being rejected by Gatekeeper.
Only macOS users who hit this issue need to update.

go1.12.14 (released 2019/12/04) includes a fix to the runtime. See the Go
1.12.14 milestone on our issue tracker for details.

Revision 1.74 / (download) - annotate - [select for diffs], Mon Dec 9 09:59:31 2019 UTC (4 years, 3 months ago) by jperkin
Branch: MAIN
Changes since 1.73: +8 -6 lines
Diff to previous 1.73 (colored) to selected 1.56 (colored)

go: Split *_SUPPORTED variables out into new go-vars.mk.

It's not always possible to include go-package.mk earlier than bsd.prefs.mk
in a package, for example if the package defines its own do-install target,
so move out the *_SUPPORTED variables that need to be included first.

Revision 1.73 / (download) - annotate - [select for diffs], Sun Dec 8 14:42:02 2019 UTC (4 years, 3 months ago) by bsiegert
Branch: MAIN
Changes since 1.72: +2 -1 lines
Diff to previous 1.72 (colored) to selected 1.56 (colored)

Add go113.

I forgot to include this file in the go113 commit, thanks wiz@ for
notifying me!

Revision 1.72 / (download) - annotate - [select for diffs], Sat Dec 7 18:15:13 2019 UTC (4 years, 3 months ago) by rillig
Branch: MAIN
Changes since 1.71: +4 -1 lines
Diff to previous 1.71 (colored) to selected 1.56 (colored)

lang/go: add go to the tools directory

This makes it easier to run the Go compiler from within the build
environment created by "bmake build-env".

Revision 1.69.2.1 / (download) - annotate - [select for diffs], Sun Nov 17 08:30:02 2019 UTC (4 years, 4 months ago) by spz
Branch: pkgsrc-2019Q3
Changes since 1.69: +2 -2 lines
Diff to previous 1.69 (colored) next main 1.70 (colored) to selected 1.56 (colored)

Pullup ticket #6083 - requested by leot
lang/go112: security update
lang/go: update available version

Revisions pulled up:
- lang/go/version.mk                                            1.70
- lang/go112/PLIST                                              1.8
- lang/go112/distinfo                                           1.8

Revision bump for:
- archivers/go-xz/Makefile
- chat/coyim/Makefile
- chat/matterircd/Makefile
- databases/go-etcd/Makefile
- databases/go-ldap/Makefile
- databases/influxdb/Makefile
- databases/postgres_exporter/Makefile
- databases/prometheus/Makefile
- devel/git-lfs/Makefile
- devel/go-afero/Makefile
- devel/go-amber/Makefile
- devel/go-appengine/Makefile
- devel/go-assert/Makefile
- devel/go-blackfriday/Makefile
- devel/go-buffruneio/Makefile
- devel/go-cast/Makefile
- devel/go-check/Makefile
- devel/go-cli/Makefile
- devel/go-cobra/Makefile
- devel/go-colorable/Makefile
- devel/go-colortext/Makefile
- devel/go-colour/Makefile
- devel/go-consul-api/Makefile
- devel/go-debounce/Makefile
- devel/go-ed25519/Makefile
- devel/go-emoji/Makefile
- devel/go-errors/Makefile
- devel/go-flags-svent/Makefile
- devel/go-fnmatch/Makefile
- devel/go-fs/Makefile
- devel/go-fsnotify/Makefile
- devel/go-fsync/Makefile
- devel/go-gitmap/Makefile
- devel/go-glog/Makefile
- devel/go-gls/Makefile
- devel/go-gocode/Makefile
- devel/go-godef/Makefile
- devel/go-godirwalk/Makefile
- devel/go-godotenv/Makefile
- devel/go-golang-lru/Makefile
- devel/go-goorgeous/Makefile
- devel/go-gopkgs/Makefile
- devel/go-goptlib/Makefile
- devel/go-goreturns/Makefile
- devel/go-gox/Makefile
- devel/go-hashstructure/Makefile
- devel/go-homedir/Makefile
- devel/go-humanize/Makefile
- devel/go-i18n/Makefile
- devel/go-immutable-radix/Makefile
- devel/go-ini/Makefile
- devel/go-iochan/Makefile
- devel/go-isatty/Makefile
- devel/go-jwalterweatherman/Makefile
- devel/go-kingpin.v3-unstable/Makefile
- devel/go-locker/Makefile
- devel/go-logrus/Makefile
- devel/go-mapstructure/Makefile
- devel/go-mapstructure-bep/Makefile
- devel/go-mow-cli/Makefile
- devel/go-nbreader/Makefile
- devel/go-nitro/Makefile
- devel/go-osext/Makefile
- devel/go-pflag/Makefile
- devel/go-properties/Makefile
- devel/go-protobuf/Makefile
- devel/go-purell/Makefile
- devel/go-ratelimit/Makefile
- devel/go-repr/Makefile
- devel/go-review/Makefile
- devel/go-sanitized_anchor_name/Makefile
- devel/go-shellwords/Makefile
- devel/go-shuffle/Makefile
- devel/go-siphash/Makefile
- devel/go-sync/Makefile
- devel/go-sys/Makefile
- devel/go-termbox/Makefile
- devel/go-testify/Makefile
- devel/go-thrift/Makefile
- devel/go-tools/Makefile
- devel/go-try/Makefile
- devel/go-viper/Makefile
- devel/go-yaml/Makefile
- devel/golint/Makefile
- devel/google-api-go-client/Makefile
- graphics/go-image/Makefile
- graphics/go-imaging/Makefile
- graphics/go-resize/Makefile
- graphics/go-smartcrop/Makefile
- lang/go-hcl/Makefile
- mail/postforward/Makefile
- math/go-stats/Makefile
- math/go-units/Makefile
- misc/go-genproto/Makefile
- misc/go-genproto-googleapis-rpc/Makefile
- net/aws-sdk-go/Makefile
- net/dnscrypt-proxy2/Makefile
- net/gcloud-golang-metadata/Makefile
- net/go-dns/Makefile
- net/go-dnstap/Makefile
- net/go-framestream/Makefile
- net/go-grpc/Makefile
- net/go-net/Makefile
- net/go-ovh/Makefile
- net/go-websocket/Makefile
- net/hub/Makefile
- net/obfs4proxy/Makefile
- net/syncthing/Makefile
- pkgtools/pkglint/Makefile
- security/2fa/Makefile
- security/go-asn1-ber/Makefile
- security/go-crypt/Makefile
- security/go-crypto/Makefile
- security/go-mkcert/Makefile
- security/go-oauth2/Makefile
- security/go-sftp/Makefile
- security/vault/Makefile
- sysutils/beats/Makefile
- sysutils/consul/Makefile
- sysutils/fzf/Makefile
- sysutils/goreman/Makefile
- sysutils/lf/Makefile
- sysutils/node_exporter/Makefile
- sysutils/vultr/Makefile
- textproc/go-chroma/Makefile
- textproc/go-diff/Makefile
- textproc/go-glob/Makefile
- textproc/go-inflect/Makefile
- textproc/go-md2man/Makefile
- textproc/go-mmark/Makefile
- textproc/go-prose/Makefile
- textproc/go-regexp2/Makefile
- textproc/go-runewidth/Makefile
- textproc/go-sentences/Makefile
- textproc/go-tablewriter/Makefile
- textproc/go-text/Makefile
- textproc/sift/Makefile
- www/caddy/Makefile
- www/gitea/Makefile
- www/go-ace/Makefile
- www/go-cssmin/Makefile
- www/go-gogs-client/Makefile
- www/go-gohtml/Makefile
- www/go-libsass/Makefile
- www/go-minify/Makefile
- www/go-parse/Makefile
- www/go-spritewell/Makefile
- www/go-tocss/Makefile
- www/go-toml-burntsushi/Makefile
- www/go-toml-pelletier/Makefile
- www/go-urlesc/Makefile
- www/go-webhooks/Makefile
- www/grafana/Makefile
- www/hugo/Makefile
- www/pup/Makefile

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   bsiegert
   Date:           Fri Oct 18 14:48:29 UTC 2019

   Modified Files:
           pkgsrc/lang/go: version.mk
           pkgsrc/lang/go112: PLIST distinfo

   Log Message:
   Update go112 to 1.12.12.

   go1.12.11 (released 2019/10/17) includes security fixes to the crypto/dsa
   package. See the Go 1.12.11 milestone on our issue tracker for details.

   go1.12.12 (released 2019/10/17) includes fixes to the go command, runtime,
   syscall and net packages. See the Go 1.12.12 milestone on our issue tracker
   for details.


   To generate a diff of this commit:
   cvs rdiff -u -r1.69 -r1.70 pkgsrc/lang/go/version.mk
   cvs rdiff -u -r1.7 -r1.8 pkgsrc/lang/go112/PLIST pkgsrc/lang/go112/distinfo

Revision 1.71 / (download) - annotate - [select for diffs], Sun Nov 3 19:04:01 2019 UTC (4 years, 4 months ago) by rillig
Branch: MAIN
Changes since 1.70: +12 -12 lines
Diff to previous 1.70 (colored) to selected 1.56 (colored)

lang: align variable assignments

pkglint -Wall -F --only aligned --only indent -r

No manual corrections.

Revision 1.70 / (download) - annotate - [select for diffs], Fri Oct 18 14:48:29 2019 UTC (4 years, 5 months ago) by bsiegert
Branch: MAIN
Changes since 1.69: +2 -2 lines
Diff to previous 1.69 (colored) to selected 1.56 (colored)

Update go112 to 1.12.12.

go1.12.11 (released 2019/10/17) includes security fixes to the crypto/dsa
package. See the Go 1.12.11 milestone on our issue tracker for details.

go1.12.12 (released 2019/10/17) includes fixes to the go command, runtime,
syscall and net packages. See the Go 1.12.12 milestone on our issue tracker
for details.

Revision 1.69 / (download) - annotate - [select for diffs], Thu Sep 26 18:36:46 2019 UTC (4 years, 6 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2019Q3-base
Branch point for: pkgsrc-2019Q3
Changes since 1.68: +2 -2 lines
Diff to previous 1.68 (colored) to selected 1.56 (colored)

Update go112 to 1.12.10.

Commit ok'd by wiz@ for PMC.

Go 1.12.10:

net/http (through net/textproto) used to accept and normalize invalid
HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If
a Go server is used behind an uncommon reverse proxy that accepts and
forwards but doesn't normalize such invalid headers, the reverse proxy and
the server can interpret the headers differently. This can lead to filter
bypasses or request smuggling, the latter if requests from separate clients
are multiplexed onto the same upstream connection by the proxy. Such invalid
headers are now rejected by Go servers, and passed without normalization to
Go client applications.

The issue is CVE-2019-16276 and Go issue golang.org/issue/34540.

Go 1.12.9:

go1.12.9 (released 2019/08/15) includes fixes to the linker, and the os and
math/big packages. See the Go 1.12.9 milestone on our issue tracker for
details.
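
The header-parsing change described for Go 1.12.10 is easy to observe directly. The program below is an added example, not code from pkgsrc or the Go project: it starts a plain net/http server on loopback, writes two hand-built HTTP/1.1 requests straight to the socket (one with `X-Client-Role: user`, one with a space before the colon), and returns the status code of each. It also includes a small `HasSpaceBeforeColon` check of the kind a proxy or WAF would apply to raw header lines before forwarding. The header name, the `Demo` and `rawStatus` helpers and the expected 200/400 outcome on a fixed toolchain are assumptions made for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// HasSpaceBeforeColon reports whether a raw header line carries whitespace
// between the field name and the colon. RFC 7230 requires the field name to
// be a token immediately followed by ":"; a proxy that forwards such a line
// unchanged while its backend strips the space (or rejects the line) is the
// disagreement that enables filter bypass and request smuggling.
func HasSpaceBeforeColon(line string) bool {
	i := strings.IndexByte(line, ':')
	if i <= 0 {
		return false
	}
	return line[i-1] == ' ' || line[i-1] == '\t'
}

// rawStatus writes a hand-built HTTP/1.1 request to addr and returns the
// response status code. net/http's client would never emit the malformed
// header, so the bytes are written straight to the TCP connection.
func rawStatus(addr, raw string) (int, error) {
	conn, err := net.Dial("tcp", addr)
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	if _, err := io.WriteString(conn, raw); err != nil {
		return 0, err
	}
	resp, err := http.ReadResponse(bufio.NewReader(conn), nil)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	_, _ = io.Copy(io.Discard, resp.Body)
	return resp.StatusCode, nil
}

// Demo starts a net/http server on loopback and sends it the same request
// twice: once well-formed and once with a space before the colon in the
// X-Client-Role header. It returns the two status codes.
func Demo() (wellFormed, malformed int, err error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "role=%q\n", r.Header.Get("X-Client-Role"))
	}))
	defer srv.Close()
	addr := strings.TrimPrefix(srv.URL, "http://")

	const tmpl = "GET / HTTP/1.1\r\nHost: %s\r\n%s\r\nConnection: close\r\n\r\n"
	good := fmt.Sprintf(tmpl, addr, "X-Client-Role: user")
	bad := fmt.Sprintf(tmpl, addr, "X-Client-Role : admin") // constructed malformed line

	if wellFormed, err = rawStatus(addr, good); err != nil {
		return 0, 0, err
	}
	if malformed, err = rawStatus(addr, bad); err != nil {
		return 0, 0, err
	}
	return wellFormed, malformed, nil
}

func main() {
	good, bad, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("well-formed header:", good)
	fmt.Println("space before colon:", bad)
}
```

On a fixed toolchain the second request is answered with 400 Bad Request; on an unfixed one the server would have normalised the line to `X-Client-Role: admin`, which is precisely the value a front-end filter matching on `X-Client-Role:` would never have seen.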

Revision 1.68 / (download) - annotate - [select for diffs], Tue Sep 17 04:39:20 2019 UTC (4 years, 6 months ago) by dbj
Branch: MAIN
Changes since 1.67: +6 -1 lines
Diff to previous 1.67 (colored) to selected 1.56 (colored)

lang/go: on osx 10.9 and earlier, use go110

go 1.11 removed support for osx 10.8 and 10.9
https://github.com/golang/go/issues/23122

Revision 1.67 / (download) - annotate - [select for diffs], Wed Aug 14 15:42:52 2019 UTC (4 years, 7 months ago) by bsiegert
Branch: MAIN
Changes since 1.66: +2 -2 lines
Diff to previous 1.66 (colored) to selected 1.56 (colored)

go112: update to 1.12.8 (security release).

net/http: Denial of Service vulnerabilities in the HTTP/2 implementation

net/http and golang.org/x/net/http2 servers that accept direct connections from
untrusted clients could be remotely made to allocate an unlimited amount of
memory, until the program crashes. Servers will now close connections if the
send queue accumulates too many control messages.

The issues are CVE-2019-9512 and CVE-2019-9514, and Go issue golang.org/issue/33606.
Thanks to Jonathan Looney from Netflix for discovering and reporting these issues.

This is also fixed in version v0.0.0-20190813141303-74dc4d7220e7 of
golang.org/x/net/http2.

net/url: parsing validation issue

url.Parse would accept URLs with malformed hosts, such that the Host field
could have arbitrary suffixes that would appear in neither Hostname() nor
Port(), allowing authorization bypasses in certain applications. Note that URLs
with invalid, not numeric ports will now return an error from url.Parse.

The issue is CVE-2019-14809 and Go issue golang.org/issue/29098.
Thanks to Julian Hector and Nikolai Krein from Cure53, and Adi Cohen (adico.me)
for discovering and reporting this issue.

Revision 1.66 / (download) - annotate - [select for diffs], Wed Aug 14 15:17:41 2019 UTC (4 years, 7 months ago) by bsiegert
Branch: MAIN
Changes since 1.65: +2 -2 lines
Diff to previous 1.65 (colored) to selected 1.56 (colored)

go111: update to 1.11.13 (security release).

net/http: Denial of Service vulnerabilities in the HTTP/2 implementation

net/http and golang.org/x/net/http2 servers that accept direct connections from
untrusted clients could be remotely made to allocate an unlimited amount of
memory, until the program crashes. Servers will now close connections if the
send queue accumulates too many control messages.

The issues are CVE-2019-9512 and CVE-2019-9514, and Go issue golang.org/issue/33606.
Thanks to Jonathan Looney from Netflix for discovering and reporting these issues.

This is also fixed in version v0.0.0-20190813141303-74dc4d7220e7 of
golang.org/x/net/http2.

net/url: parsing validation issue

url.Parse would accept URLs with malformed hosts, such that the Host field
could have arbitrary suffixes that would appear in neither Hostname() nor
Port(), allowing authorization bypasses in certain applications. Note that URLs
with invalid, not numeric ports will now return an error from url.Parse.

The issue is CVE-2019-14809 and Go issue golang.org/issue/29098.
Thanks to Julian Hector and Nikolai Krein from Cure53, and Adi Cohen (adico.me)
for discovering and reporting this issue.
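
The net/url issue in the 1.12.8 and 1.11.13 entries above bites code that authorizes an outbound request by looking at `u.Host`. The function below is an added example, not code from pkgsrc or the Go project: it parses a URL, compares only `Hostname()` against an allowlist, and in addition insists that `Host` rebuilds exactly from `Hostname()` and `Port()` with a purely numeric port, so trailing junk in `Host` is rejected even on a toolchain that still accepts it. The function name, `ErrNotAllowed`, the sample allowlist and the test URLs are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrNotAllowed is returned when the destination host is outside the allowlist.
var ErrNotAllowed = errors.New("destination host not in allowlist")

// CheckOutboundURL parses raw and returns the host it will connect to if
// that host is on the allowlist. It never compares the raw Host field:
// userinfo ("allowed@evil"), ports and anything else Host may carry are
// stripped by Hostname(), and a Host that does not round-trip through
// Hostname()/Port() is refused outright.
func CheckOutboundURL(raw string, allowed []string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		// Go 1.12.8+ / 1.11.13+ already fail here for non-numeric ports.
		return "", fmt.Errorf("reject: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return "", fmt.Errorf("reject: scheme %q not permitted", u.Scheme)
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return "", errors.New("reject: empty host")
	}
	port := u.Port()
	for _, c := range port {
		if c < '0' || c > '9' {
			return "", fmt.Errorf("reject: non-numeric port %q", port)
		}
	}
	// Rebuild what Host must look like and insist on an exact match, so a
	// suffix that appears in neither Hostname() nor Port() cannot survive.
	rebuilt := host
	if strings.Contains(host, ":") { // IPv6 literal
		rebuilt = "[" + host + "]"
	}
	if port != "" {
		rebuilt += ":" + port
	}
	if !strings.EqualFold(u.Host, rebuilt) {
		return "", fmt.Errorf("reject: Host %q does not round-trip as %q", u.Host, rebuilt)
	}
	for _, a := range allowed {
		if host == strings.ToLower(a) {
			return host, nil
		}
	}
	return "", ErrNotAllowed
}

func main() {
	allow := []string{"api.example.com"} // assumed allowlist for the example
	for _, raw := range []string{
		"https://api.example.com/v1",
		"https://API.example.com:8443/v1",
		"https://api.example.com@evil.example.net/",
		"https://api.example.com:abc/",
		"https://evil.example.net/",
	} {
		host, err := CheckOutboundURL(raw, allow)
		fmt.Printf("%-45s host=%q err=%v\n", raw, host, err)
	}
}
```

The round-trip check is deliberately conservative (it also rejects bracketed IPv6 literals with a zone, since `Hostname()` unescapes the zone); for an allowlist that is the right failure direction.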

Revision 1.65 / (download) - annotate - [select for diffs], Sun Jul 14 15:19:55 2019 UTC (4 years, 8 months ago) by bsiegert
Branch: MAIN
Changes since 1.64: +2 -2 lines
Diff to previous 1.64 (colored) to selected 1.56 (colored)

Update go112 to 1.12.7.

This fixes a nasty code-generation bug, among other things:

go1.12.6 (released 2019/06/11) includes fixes to the compiler, the linker,
the go command, and the crypto/x509, net/http, and os packages.
See the Go 1.12.6 milestone on our issue tracker for details.

go1.12.7 (released 2019/07/08) includes fixes to cgo, the compiler,
and the linker. See the Go 1.12.7 milestone on our issue tracker for details.

Revision 1.64 / (download) - annotate - [select for diffs], Sun Jul 14 12:25:18 2019 UTC (4 years, 8 months ago) by bsiegert
Branch: MAIN
Changes since 1.63: +2 -2 lines
Diff to previous 1.63 (colored) to selected 1.56 (colored)

Update go111 to 1.11.12.

go1.11.11 (released 2019/06/11) includes a fix to the crypto/x509 package.
See the Go 1.11.11 milestone on our issue tracker for details.

go1.11.12 (released 2019/07/08) includes fixes to the compiler and the linker.
See the Go 1.11.12 milestone on our issue tracker for details.

Revision 1.63 / (download) - annotate - [select for diffs], Mon May 27 15:16:38 2019 UTC (4 years, 10 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2019Q2-base, pkgsrc-2019Q2
Changes since 1.62: +2 -2 lines
Diff to previous 1.62 (colored) to selected 1.56 (colored)

Update go112 to 1.12.5.

This release includes fixes to the compiler, the linker, the go command,
the runtime, and the os package.

Same as for go111, remove the pkg/bootstrap tree from the package.

Revision 1.62 / (download) - annotate - [select for diffs], Mon May 27 14:33:10 2019 UTC (4 years, 10 months ago) by bsiegert
Branch: MAIN
Changes since 1.61: +2 -2 lines
Diff to previous 1.61 (colored) to selected 1.56 (colored)

Update go111 to 1.11.10.

This release includes fixes to the compiler, the linker, the go command, the
runtime, and the os package.

While here, remove pkg/bootstrap from the package, as it is only used
for bootstrapping.

Revision 1.61 / (download) - annotate - [select for diffs], Tue Apr 16 18:30:27 2019 UTC (4 years, 11 months ago) by bsiegert
Branch: MAIN
Changes since 1.60: +2 -2 lines
Diff to previous 1.60 (colored) to selected 1.56 (colored)

Update go112 to 1.12.4.

go1.12.2 (released 2019/04/05) includes fixes to the compiler, the go command,
the runtime, and the doc, net, net/http/httputil, and os packages. See the Go
1.12.2 milestone on our issue tracker for details.

go1.12.3 (released 2019/04/08) was accidentally released without its intended
fix. It is identical to go1.12.2, except for its version number. The intended
fix is in go1.12.4.

go1.12.4 (released 2019/04/11) fixes an issue where using the prebuilt binary
releases on older versions of GNU/Linux led to failures when linking programs
that used cgo. Only Linux users who hit this issue need to update.

Revision 1.60 / (download) - annotate - [select for diffs], Tue Apr 16 18:13:49 2019 UTC (4 years, 11 months ago) by bsiegert
Branch: MAIN
Changes since 1.59: +2 -2 lines
Diff to previous 1.59 (colored) to selected 1.56 (colored)

Update go111 to 1.11.9.

go1.11.7 (released 2019/04/05) includes fixes to the runtime and the net
packages. See the Go 1.11.7 milestone on our issue tracker for details.

go1.11.8 (released 2019/04/08) was accidentally released without its intended
fix. It is identical to go1.11.7, except for its version number. The intended
fix is in go1.11.9.

go1.11.9 (released 2019/04/11) fixes an issue where using the prebuilt binary
releases on older versions of GNU/Linux led to failures when linking programs
that used cgo. Only Linux users who hit this issue need to update.

Revision 1.59 / (download) - annotate - [select for diffs], Sat Mar 16 08:27:56 2019 UTC (5 years ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2019Q1-base, pkgsrc-2019Q1
Changes since 1.58: +2 -2 lines
Diff to previous 1.58 (colored) to selected 1.56 (colored)

Update go112 to 1.12.1.

go1.12.1 (released 2019/03/14) includes fixes to cgo, the compiler, the go
command, and the fmt, net/smtp, os, path/filepath, sync, and text/template
packages. See the Go 1.12.1 milestone on our issue tracker for details.

Revision 1.58 / (download) - annotate - [select for diffs], Sat Mar 16 08:19:00 2019 UTC (5 years ago) by bsiegert
Branch: MAIN
Changes since 1.57: +2 -2 lines
Diff to previous 1.57 (colored) to selected 1.56 (colored)

Update go111 to 1.11.6.

go1.11.6 (released 2019/03/14) includes fixes to cgo, the compiler, linker,
runtime, go command, and the crypto/x509, encoding/json, net, and net/url
packages. See the Go 1.11.6 milestone on our issue tracker for details.

Revision 1.57 / (download) - annotate - [select for diffs], Sat Mar 9 10:00:44 2019 UTC (5 years ago) by bsiegert
Branch: MAIN
Changes since 1.56: +2 -2 lines
Diff to previous 1.56 (colored)

go: switch default version to 1.12.

This means all builds of packages written in Go use 1.12.

Revision 1.56 / (download) - annotate - [selected], Sat Mar 9 09:29:30 2019 UTC (5 years ago) by bsiegert
Branch: MAIN
Changes since 1.55: +2 -1 lines
Diff to previous 1.55 (colored)

Add a package for Go 1.12.

Some of the highlights include opt-in support for TLS 1.3, improved modules
support (in preparation for being the default in Go 1.13), support for
windows/arm, and improved macOS & iOS forwards compatibility.

See https://blog.golang.org/go1.12.

In pkgsrc, this is _not_ the default version for Go package builds just yet.

Revision 1.53.2.2 / (download) - annotate - [select for diffs], Fri Feb 8 11:31:19 2019 UTC (5 years, 1 month ago) by spz
Branch: pkgsrc-2018Q4
Changes since 1.53.2.1: +2 -2 lines
Diff to previous 1.53.2.1 (colored) to branchpoint 1.53 (colored) next main 1.54 (colored) to selected 1.56 (colored)

Pullup ticket #5906 - requested by bsiegert
lang/go111: security update

Revisions pulled up:
- lang/go/version.mk                                            1.54
- lang/go111/distinfo                                           1.5

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   bsiegert
   Date:           Thu Jan 24 09:26:21 UTC 2019

   Modified Files:
           pkgsrc/lang/go: version.mk
           pkgsrc/lang/go111: distinfo

   Log Message:
   Update go111 to 1.11.5 (security).

   This release addresses a recently reported security issue. This DoS
   vulnerability in the crypto/elliptic implementations of the P-521 and P-384
   elliptic curves may let an attacker craft inputs that consume excessive
   amounts of CPU.

   These inputs might be delivered via TLS handshakes, X.509 certificates, JWT
   tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private
   key is reused more than once, the attack can also lead to key recovery.

   The issue is CVE-2019-6486 and Go issue golang.org/issue/29903.
   See the Go issue for more details.


   To generate a diff of this commit:
   cvs rdiff -u -r1.53 -r1.54 pkgsrc/lang/go/version.mk
   cvs rdiff -u -r1.4 -r1.5 pkgsrc/lang/go111/distinfo

Revision 1.53.2.1 / (download) - annotate - [select for diffs], Fri Feb 8 11:30:52 2019 UTC (5 years, 1 month ago) by spz
Branch: pkgsrc-2018Q4
Changes since 1.53: +2 -2 lines
Diff to previous 1.53 (colored) to selected 1.56 (colored)

Pullup ticket #5905 - requested by bsiegert
lang/go110: security update

Revisions pulled up:
- lang/go/version.mk                                            1.55
- lang/go110/distinfo                                           1.4

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   bsiegert
   Date:           Thu Jan 24 09:33:08 UTC 2019

   Modified Files:
           pkgsrc/lang/go: version.mk
           pkgsrc/lang/go110: distinfo

   Log Message:
   Update go110 to 1.10.8 (security).

   This release addresses a recently reported security issue. This DoS
   vulnerability in the crypto/elliptic implementations of the P-521 and P-384
   elliptic curves may let an attacker craft inputs that consume excessive
   amounts of CPU.

   These inputs might be delivered via TLS handshakes, X.509 certificates, JWT
   tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private
   key is reused more than once, the attack can also lead to key recovery.

   The issue is CVE-2019-6486 and Go issue golang.org/issue/29903.
   See the Go issue for more details.


   To generate a diff of this commit:
   cvs rdiff -u -r1.54 -r1.55 pkgsrc/lang/go/version.mk
   cvs rdiff -u -r1.3 -r1.4 pkgsrc/lang/go110/distinfo

Revision 1.55 / (download) - annotate - [select for diffs], Thu Jan 24 09:33:08 2019 UTC (5 years, 2 months ago) by bsiegert
Branch: MAIN
Changes since 1.54: +2 -2 lines
Diff to previous 1.54 (colored) to selected 1.56 (colored)

Update go110 to 1.10.8 (security).

This release addresses a recently reported security issue. This DoS
vulnerability in the crypto/elliptic implementations of the P-521 and P-384
elliptic curves may let an attacker craft inputs that consume excessive
amounts of CPU.

These inputs might be delivered via TLS handshakes, X.509 certificates, JWT
tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private
key is reused more than once, the attack can also lead to key recovery.

The issue is CVE-2019-6486 and Go issue golang.org/issue/29903.
See the Go issue for more details.

Revision 1.54 / (download) - annotate - [select for diffs], Thu Jan 24 09:26:21 2019 UTC (5 years, 2 months ago) by bsiegert
Branch: MAIN
Changes since 1.53: +2 -2 lines
Diff to previous 1.53 (colored) to selected 1.56 (colored)

Update go111 to 1.11.5 (security).

This release addresses a recently reported security issue. This DoS
vulnerability in the crypto/elliptic implementations of the P-521 and P-384
elliptic curves may let an attacker craft inputs that consume excessive
amounts of CPU.

These inputs might be delivered via TLS handshakes, X.509 certificates, JWT
tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private
key is reused more than once, the attack can also lead to key recovery.

The issue is CVE-2019-6486 and Go issue golang.org/issue/29903.
See the Go issue for more details.

Revision 1.53 / (download) - annotate - [select for diffs], Thu Dec 20 17:38:23 2018 UTC (5 years, 3 months ago) by jperkin
Branch: MAIN
CVS Tags: pkgsrc-2018Q4-base
Branch point for: pkgsrc-2018Q4
Changes since 1.52: +2 -2 lines
Diff to previous 1.52 (colored) to selected 1.56 (colored)

go: Actually bump to 1.11.4.  Unbreaks build.

Revision 1.52 / (download) - annotate - [select for diffs], Sat Dec 15 10:23:32 2018 UTC (5 years, 3 months ago) by bsiegert
Branch: MAIN
Changes since 1.51: +2 -2 lines
Diff to previous 1.51 (colored) to selected 1.56 (colored)

Update go110 to 1.10.7 (security fix).

These releases include fixes to cgo, the compiler, linker, runtime,
documentation, go command, and the net/http and go/types packages.
They include a fix to a bug introduced in Go 1.11.3 and Go 1.10.6
that broke "go get" for import path patterns containing "...".

View the release notes for more information:
    https://golang.org/doc/devel/release.html#go1.10.minor

Revision 1.51 / (download) - annotate - [select for diffs], Mon Nov 12 14:40:21 2018 UTC (5 years, 4 months ago) by jperkin
Branch: MAIN
Changes since 1.50: +2 -1 lines
Diff to previous 1.50 (colored) to selected 1.56 (colored)

*: Add CTF_SUPPORTED/CTF_FILES_SKIP where necessary.

Revision 1.50 / (download) - annotate - [select for diffs], Mon Nov 12 13:48:45 2018 UTC (5 years, 4 months ago) by jperkin
Branch: MAIN
Changes since 1.49: +3 -2 lines
Diff to previous 1.49 (colored) to selected 1.56 (colored)

go: Set STRIP_DEBUG_SUPPORTED=no

Stripping golang binaries renders them useless.

Revision 1.49 / (download) - annotate - [select for diffs], Sun Nov 4 18:22:47 2018 UTC (5 years, 4 months ago) by bsiegert
Branch: MAIN
Changes since 1.48: +2 -2 lines
Diff to previous 1.48 (colored) to selected 1.56 (colored)

This file was missing from the previous commit.

go111-1.11.2.

Revision 1.48 / (download) - annotate - [select for diffs], Sun Nov 4 12:36:09 2018 UTC (5 years, 4 months ago) by bsiegert
Branch: MAIN
Changes since 1.47: +2 -2 lines
Diff to previous 1.47 (colored) to selected 1.56 (colored)

Update go110 to 1.10.5.

go1.10.5 (released 2018/11/02) includes fixes to the go command, linker,
runtime and the database/sql package. See the Go 1.10.5 milestone on our issue
tracker for details.

Revision 1.47 / (download) - annotate - [select for diffs], Fri Oct 26 13:49:23 2018 UTC (5 years, 5 months ago) by leot
Branch: MAIN
Changes since 1.46: +5 -2 lines
Diff to previous 1.46 (colored) to selected 1.56 (colored)

go: Improve PRINT_PLIST_AWK patterns and avoid possible double definition

- Move GO_PLATFORM definition in lang/go/version.mk in order that also lang/go*
  packages can (re)use it
- Change PRINT_PLIST_AWK pattern that replace all ${GO_PLATFORM} and apply it
  only when ${GO_PLATFORM} is a directory (between two "/").  There are only
  3 exceptions to that in lang/go14.
  Move it to version.mk so lang/go* PLIST can be mostly automatically
  generated.

These changes should help to avoid (most) manual editing of
lang/go*/PLIST.

Discussed with and thanks to <bsiegert>!

Revision 1.46 / (download) - annotate - [select for diffs], Tue Oct 2 18:19:56 2018 UTC (5 years, 5 months ago) by bsiegert
Branch: MAIN
Changes since 1.45: +2 -2 lines
Diff to previous 1.45 (colored) to selected 1.56 (colored)

Update go111 to 1.11.1.

go1.11.1 (released 2018/10/01) includes fixes to the compiler, documentation,
go command, runtime, and the crypto/x509, encoding/json, go/types, net,
net/http, and reflect packages. See the Go 1.11.1 milestone on our issue
tracker for details.

Also correct the PLIST and use ln -sf instead of ln -s.

Revision 1.45 / (download) - annotate - [select for diffs], Sat Sep 22 19:44:21 2018 UTC (5 years, 6 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2018Q3-base, pkgsrc-2018Q3
Changes since 1.44: +15 -2 lines
Diff to previous 1.44 (colored) to selected 1.56 (colored)

Move most of the version selection logic into version.mk.

Provide a new variable, GO_PACKAGE_DEP, with the correct dependency on
the user-selected Go version, to be used for fixing syncthing and friends.

Revision 1.44 / (download) - annotate - [select for diffs], Tue Sep 18 20:52:11 2018 UTC (5 years, 6 months ago) by bsiegert
Branch: MAIN
Changes since 1.43: +3 -2 lines
Diff to previous 1.43 (colored) to selected 1.56 (colored)

Add a versioned Go 1.10 package as lang/go110.

This uses a similar approach as go111. Its revision is one higher than
the existing lang/go.

Next steps:
 - make builds use this for dependent packages
 - delete lang/go to complete the move

Revision 1.43 / (download) - annotate - [select for diffs], Tue Sep 18 16:22:14 2018 UTC (5 years, 6 months ago) by bsiegert
Branch: MAIN
Changes since 1.42: +2 -1 lines
Diff to previous 1.42 (colored) to selected 1.56 (colored)

Add Go 1.11 as lang/go111.

This installs the go tool as go111; all the supporting files go under
$PREFIX/go111, so it does not conflict with other Go versions. Go packages
in pkgsrc do not use it to build yet.

Changes:

There are many changes and improvements to the toolchain, runtime, and
libraries, but two features stand out as being especially exciting: modules
and WebAssembly support.

This release adds preliminary support for a new concept called "modules," an
alternative to GOPATH with integrated support for versioning and package
distribution. Module support is considered experimental, and there are still
a few rough edges to smooth out, so please make liberal use of the issue
tracker.

Go 1.11 also adds an experimental port to WebAssembly (js/wasm). This allows
programmers to compile Go programs to a binary format compatible with four
major web browsers.

Revision 1.42 / (download) - annotate - [select for diffs], Mon Aug 27 15:01:09 2018 UTC (5 years, 7 months ago) by bsiegert
Branch: MAIN
Changes since 1.41: +2 -2 lines
Diff to previous 1.41 (colored) to selected 1.56 (colored)

Update Go to 1.10.4.

go1.10.4 (released 2018/08/24) includes fixes to the go command, linker, and
the net/http, mime/multipart, ld/macho, bytes, and strings packages. See the
Go 1.10.4 milestone on our issue tracker for details.

pkgsrc note: After the import of Go 1.11, this package will be renamed to
lang/go110.

Revision 1.41 / (download) - annotate - [select for diffs], Sun Jul 8 18:40:40 2018 UTC (5 years, 8 months ago) by bsiegert
Branch: MAIN
Changes since 1.40: +2 -2 lines
Diff to previous 1.40 (colored) to selected 1.56 (colored)

Update go19 to 1.9.7, latest on that branch.

go1.9.5 (released 2018/03/28) includes fixes to the compiler, go command, and
net/http/pprof package. See the Go 1.9.5 milestone on our issue tracker for
details.

go1.9.6 (released 2018/05/01) includes fixes to the compiler and go command.
See the Go 1.9.6 milestone on our issue tracker for details.

go1.9.7 (released 2018/06/05) includes fixes to the go command, and the
crypto/x509, and strings packages. In particular, it adds minimal support to
the go command for the vgo transition. See the Go 1.9.7 milestone on our issue
tracker for details.

Revision 1.40 / (download) - annotate - [select for diffs], Sun Jul 8 18:00:56 2018 UTC (5 years, 8 months ago) by bsiegert
Branch: MAIN
Changes since 1.39: +2 -1 lines
Diff to previous 1.39 (colored) to selected 1.56 (colored)

Forgot this in the last commit. Add GO19_VERSION.

Revision 1.39 / (download) - annotate - [select for diffs], Sun Jul 8 13:53:42 2018 UTC (5 years, 8 months ago) by bsiegert
Branch: MAIN
Changes since 1.38: +5 -1 lines
Diff to previous 1.38 (colored) to selected 1.56 (colored)

Move definition of $GO to version.mk.

We have some packages, like mongodb-tools, that cannot include go-package.mk
but need to call the go tool.

Revision 1.38 / (download) - annotate - [select for diffs], Tue Jun 12 17:37:59 2018 UTC (5 years, 9 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2018Q2-base, pkgsrc-2018Q2
Changes since 1.37: +2 -2 lines
Diff to previous 1.37 (colored) to selected 1.56 (colored)

Update Go to 1.10.3.

go1.10.3 (released 2018/06/05) includes fixes to the go command, and the
crypto/tls, crypto/x509, and strings packages. In particular, it adds minimal
support to the go command for the vgo transition. See the Go 1.10.3 milestone
on our issue tracker for details.

Revision 1.37 / (download) - annotate - [select for diffs], Fri May 4 18:07:40 2018 UTC (5 years, 10 months ago) by bsiegert
Branch: MAIN
Changes since 1.36: +2 -2 lines
Diff to previous 1.36 (colored) to selected 1.56 (colored)

Update Go to 1.10.2.

As far as I can see, only non-security-relevant bugfixes.

go1.10.2 (released 2018/05/01) includes fixes to the compiler, linker, and go
command. See the Go 1.10.2 milestone on our issue tracker for details.

Revision 1.36 / (download) - annotate - [select for diffs], Fri Mar 30 11:52:18 2018 UTC (6 years ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2018Q1-base, pkgsrc-2018Q1
Changes since 1.35: +2 -2 lines
Diff to previous 1.35 (colored) to selected 1.56 (colored)

Update Go to 1.10.1.

This fixes a security issue (https://github.com/golang/go/issues/23867).
Also:
These releases include fixes to the compiler, runtime, go command, and the
archive/zip, crypto/tls, crypto/x509, encoding/json, net, net/http, and
net/http/pprof packages.

ok wiz@ for committing during freeze

Revision 1.35 / (download) - annotate - [select for diffs], Sun Mar 4 12:54:06 2018 UTC (6 years ago) by bsiegert
Branch: MAIN
Changes since 1.34: +2 -2 lines
Diff to previous 1.34 (colored) to selected 1.56 (colored)

Update Go to 1.10. Via wip.

Full release notes at https://golang.org/doc/go1.10.

The latest Go release, version 1.10, arrives six months after Go 1.9. Most of
its changes are in the implementation of the toolchain, runtime, and libraries.
As always, the release maintains the Go 1 promise of compatibility. We expect
almost all Go programs to continue to compile and run as before.

This release improves caching of built packages, adds caching of successful
test results, runs vet automatically during tests, and permits passing string
values directly between Go and C using cgo. A new compiler option whitelist may
cause unexpected invalid flag errors in code that built successfully with older
releases.


As announced in the Go 1.9 release notes, Go 1.10 now requires FreeBSD 10.3 or
later; support for FreeBSD 9.3 has been removed.

Go now runs on NetBSD again but requires the unreleased NetBSD 8. Only GOARCH
amd64 and 386 have been fixed. The arm port is still broken.

On 32-bit MIPS systems, the new environment variable settings GOMIPS=hardfloat
(the default) and GOMIPS=softfloat select whether to use hardware instructions
or software emulation for floating-point computations.

Go 1.10 is the last release that will run on OpenBSD 6.0. Go 1.11 will require
OpenBSD 6.2.

Go 1.10 is the last release that will run on OS X 10.8 Mountain Lion or OS X
10.9 Mavericks. Go 1.11 will require OS X 10.10 Yosemite or later.

Go 1.10 is the last release that will run on Windows XP or Windows Vista. Go
1.11 will require Windows 7 or later.

Revision 1.30.2.1 / (download) - annotate - [select for diffs], Sat Feb 24 11:16:59 2018 UTC (6 years, 1 month ago) by spz
Branch: pkgsrc-2017Q4
Changes since 1.30: +9 -4 lines
Diff to previous 1.30 (colored) next main 1.31 (colored) to selected 1.56 (colored)

Pullup ticket #5703 - requested by bsiegert
lang/go: security update

Revisions pulled up:
- lang/go/Makefile                                              1.59-1.60
- lang/go/PLIST                                                 1.35-1.38
- lang/go/distinfo                                              1.54-1.57
- lang/go/patches/patch-src_cmd_dist_util.go                    1.1
- lang/go/patches/patch-src_cmd_link_internal_ld_elf.go         1.1-1.2
- lang/go/patches/patch-src_runtime_os__netbsd.go               1.3
- lang/go/patches/patch-src_runtime_rt0__netbsd__arm.s          1.1
- lang/go/version.mk                                            1.31-1.32,1.34

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	christos
   Date:		Sat Jan 20 16:55:06 UTC 2018

   Modified Files:
   	pkgsrc/lang/go: Makefile PLIST distinfo version.mk
   Added Files:
   	pkgsrc/lang/go/patches: patch-src_cmd_dist_util.go
   	    patch-src_cmd_link_internal_ld_elf.go
   	    patch-src_runtime_os__netbsd.go
   	    patch-src_runtime_rt0__netbsd__arm.s

   Log Message:
   Add Yasushi Oshima patches for arm from:
       https://github.com/oshimaya/pkgsrc/tree/master/lang/go


   To generate a diff of this commit:
   cvs rdiff -u -r1.58 -r1.59 pkgsrc/lang/go/Makefile
   cvs rdiff -u -r1.34 -r1.35 pkgsrc/lang/go/PLIST
   cvs rdiff -u -r1.53 -r1.54 pkgsrc/lang/go/distinfo
   cvs rdiff -u -r1.30 -r1.31 pkgsrc/lang/go/version.mk
   cvs rdiff -u -r0 -r1.1 pkgsrc/lang/go/patches/patch-src_cmd_dist_util.go \
       pkgsrc/lang/go/patches/patch-src_cmd_link_internal_ld_elf.go \
       pkgsrc/lang/go/patches/patch-src_runtime_rt0__netbsd__arm.s
   cvs rdiff -u -r0 -r1.3 pkgsrc/lang/go/patches/patch-src_runtime_os__netbsd.go

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	ryoon
   Date:		Sun Jan 21 01:28:39 UTC 2018

   Modified Files:
   	pkgsrc/lang/go: PLIST

   Log Message:
   Fix packaging


   To generate a diff of this commit:
   cvs rdiff -u -r1.35 -r1.36 pkgsrc/lang/go/PLIST

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	christos
   Date:		Sat Jan 20 18:13:25 UTC 2018

   Modified Files:
   	pkgsrc/lang/go: distinfo
   	pkgsrc/lang/go/patches: patch-src_cmd_link_internal_ld_elf.go

   Log Message:
   fix the path


   To generate a diff of this commit:
   cvs rdiff -u -r1.54 -r1.55 pkgsrc/lang/go/distinfo
   cvs rdiff -u -r1.1 -r1.2 \
       pkgsrc/lang/go/patches/patch-src_cmd_link_internal_ld_elf.go

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	bsiegert
   Date:		Sun Jan 28 11:31:03 UTC 2018

   Modified Files:
   	pkgsrc/lang/go: Makefile PLIST distinfo version.mk

   Log Message:
   Update Go to 1.9.3.

   This release includes fixes to the compiler, runtime, and the database/sql,
   math/big, net/http, and net/url packages.

   View the release notes for more information:
        https://golang.org/doc/devel/release.html#go1.9.minor


   To generate a diff of this commit:
   cvs rdiff -u -r1.59 -r1.60 pkgsrc/lang/go/Makefile
   cvs rdiff -u -r1.36 -r1.37 pkgsrc/lang/go/PLIST
   cvs rdiff -u -r1.55 -r1.56 pkgsrc/lang/go/distinfo
   cvs rdiff -u -r1.31 -r1.32 pkgsrc/lang/go/version.mk

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	bsiegert
   Date:		Thu Feb  8 19:32:17 UTC 2018

   Modified Files:
   	pkgsrc/lang/go: PLIST distinfo version.mk

   Log Message:
   Update Go to 1.9.4.

   By using the clang or gcc plugin mechanism, it was possible for an attacker to
   trick the "go get" command into executing arbitrary code. The go command now
   restricts the set of allowed host compiler and linker arguments in cgo source
   files to a list of allowed flags, in particular disallowing -fplugin= and
   -plugin=.

   The issue is CVE-2018-6574 and Go issue golang.org/issue/23672. See the Go
   issue for details.

   Thanks to Christopher Brown of Mattermost for reporting this problem.


   To generate a diff of this commit:
   cvs rdiff -u -r1.37 -r1.38 pkgsrc/lang/go/PLIST
   cvs rdiff -u -r1.56 -r1.57 pkgsrc/lang/go/distinfo
   cvs rdiff -u -r1.33 -r1.34 pkgsrc/lang/go/version.mk

Revision 1.34 / (download) - annotate - [select for diffs], Thu Feb 8 19:32:17 2018 UTC (6 years, 1 month ago) by bsiegert
Branch: MAIN
Changes since 1.33: +2 -2 lines
Diff to previous 1.33 (colored) to selected 1.56 (colored)

Update Go to 1.9.4.

By using the clang or gcc plugin mechanism, it was possible for an attacker to
trick the "go get" command into executing arbitrary code. The go command now
restricts the set of allowed host compiler and linker arguments in cgo source
files to a list of allowed flags, in particular disallowing -fplugin= and
-plugin=.

The issue is CVE-2018-6574 and Go issue golang.org/issue/23672. See the Go
issue for details.

Thanks to Christopher Brown of Mattermost for reporting this problem.
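
The check below is an added example written for this log entry (and the same text quoted in pullup ticket #5703 above); it is not pkgsrc or Go project code. It shows the shape of the Go 1.9.4 fix for CVE-2018-6574: flags found in #cgo directives are matched against an allowlist before they reach the host compiler or linker, so -fplugin= and -plugin= are refused. The allowlist and the regular expressions are an illustrative subset chosen for this example, not the go command's real table, and the two embedded Go sources (including the plugin path) are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// allowedCgoFlag lists the flag shapes this example accepts. Anything else,
// in particular -fplugin=, -plugin=, -Wl,... and @response-files, is rejected.
// Assumption: this is a small illustrative subset, not the go command's list.
var allowedCgoFlag = []*regexp.Regexp{
	regexp.MustCompile(`^-D[A-Za-z_][A-Za-z0-9_]*(=[^=]*)?$`), // -DNAME, -DNAME=value
	regexp.MustCompile(`^-I[^-@][^ ]*$`),                      // -Idir
	regexp.MustCompile(`^-L[^-@][^ ]*$`),                      // -Ldir
	regexp.MustCompile(`^-l[^-@][^ ]*$`),                      // -lname
	regexp.MustCompile(`^-O[0-3s]?$`),                         // -O, -O2, -Os
	regexp.MustCompile(`^-std=[a-z0-9+]+$`),                   // -std=c99
	regexp.MustCompile(`^-W[a-z0-9-]*$`),                      // -Wall, -Wno-x (comma excluded, so not -Wl,...)
	regexp.MustCompile(`^-pthread$`),
}

type cgoDirective struct {
	Kind  string // CFLAGS, LDFLAGS, ...
	Flags []string
}

// cgoLine matches "// #cgo [build constraints] KIND: flags".
var cgoLine = regexp.MustCompile(`^\s*//\s*#cgo\s+(?:[^:]*\s)?(CFLAGS|CPPFLAGS|CXXFLAGS|FFLAGS|LDFLAGS):\s*(.*)$`)

// parseCgoDirectives extracts the #cgo directives from Go source text.
// Build constraints are skipped; only the flag words matter for the check.
func parseCgoDirectives(src string) []cgoDirective {
	var out []cgoDirective
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		m := cgoLine.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		out = append(out, cgoDirective{Kind: m[1], Flags: strings.Fields(m[2])})
	}
	return out
}

// flagAllowed reports whether a single flag matches one allowlist pattern.
func flagAllowed(flag string) bool {
	for _, re := range allowedCgoFlag {
		if re.MatchString(flag) {
			return true
		}
	}
	return false
}

// checkCgoFlags returns one error per flag that is not on the allowlist;
// an empty result means the source may be handed to the host toolchain.
func checkCgoFlags(src string) []error {
	var errs []error
	for _, d := range parseCgoDirectives(src) {
		for _, f := range d.Flags {
			if !flagAllowed(f) {
				errs = append(errs, fmt.Errorf("invalid flag in #cgo %s: %s", d.Kind, f))
			}
		}
	}
	return errs
}

// Constructed sample: what a malicious "go get" target could ship. The plugin
// path is hypothetical; a real plugin would run inside gcc/clang at build time.
const maliciousSource = `package evil

// #cgo CFLAGS: -I/usr/local/include -fplugin=/tmp/evil-plugin.so
// #cgo LDFLAGS: -L/usr/local/lib -lfoo -Wl,-plugin=/tmp/evil-plugin.so
// #include <foo.h>
import "C"
`

// Constructed sample: ordinary, harmless cgo usage.
const benignSource = `package ok

// #cgo CFLAGS: -I/usr/local/include -DNDEBUG -O2 -Wall
// #cgo LDFLAGS: -L/usr/local/lib -lfoo -pthread
// #include <foo.h>
import "C"
`

func main() {
	for _, c := range []struct{ name, src string }{{"benign", benignSource}, {"malicious", maliciousSource}} {
		errs := checkCgoFlags(c.src)
		fmt.Printf("%s: %d rejected flag(s)\n", c.name, len(errs))
		for _, e := range errs {
			fmt.Println("  ", e)
		}
	}
}
```

Running it reports no rejected flags for the benign package and two for the malicious one (the -fplugin= in CFLAGS and the -Wl,-plugin= in LDFLAGS), which is exactly the input the pre-1.9.4 go command would have passed through to the compiler.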

Revision 1.33 / (download) - annotate - [select for diffs], Tue Jan 30 17:05:21 2018 UTC (6 years, 1 month ago) by jperkin
Branch: MAIN
Changes since 1.32: +3 -1 lines
Diff to previous 1.32 (colored) to selected 1.56 (colored)

go*: Disable SSP support completely.

It's not supported by the go linker, and can cause issues when building
third-party modules if the SSP libraries are handled by pkgsrc.

Revision 1.32 / (download) - annotate - [select for diffs], Sun Jan 28 11:31:03 2018 UTC (6 years, 2 months ago) by bsiegert
Branch: MAIN
Changes since 1.31: +2 -2 lines
Diff to previous 1.31 (colored) to selected 1.56 (colored)

Update Go to 1.9.3.

This release includes fixes to the compiler, runtime, and the database/sql,
math/big, net/http, and net/url packages.

View the release notes for more information:
     https://golang.org/doc/devel/release.html#go1.9.minor

Revision 1.31 / (download) - annotate - [select for diffs], Sat Jan 20 16:55:05 2018 UTC (6 years, 2 months ago) by christos
Branch: MAIN
Changes since 1.30: +8 -3 lines
Diff to previous 1.30 (colored) to selected 1.56 (colored)

Add Yasushi Oshima patches for arm from:
    https://github.com/oshimaya/pkgsrc/tree/master/lang/go

Revision 1.30 / (download) - annotate - [select for diffs], Sat Oct 28 18:20:14 2017 UTC (6 years, 5 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2017Q4-base
Branch point for: pkgsrc-2017Q4
Changes since 1.29: +2 -2 lines
Diff to previous 1.29 (colored) to selected 1.56 (colored)

Update Go to 1.9.2.

This release includes fixes to the compiler, linker, runtime, documentation,
go command, and the crypto/x509, database/sql, log, and net/smtp packages. It
includes a fix to a bug introduced in Go 1.9.1 that broke "go get"
of non-Git repositories under certain conditions.

Revision 1.28.4.1 / (download) - annotate - [select for diffs], Mon Oct 9 12:30:42 2017 UTC (6 years, 5 months ago) by spz
Branch: pkgsrc-2017Q3
Changes since 1.28: +2 -2 lines
Diff to previous 1.28 (colored) next main 1.29 (colored) to selected 1.56 (colored)

Pullup ticket #5565 - requested by sevan
lang/go: security update

Revisions pulled up:
- lang/go/distinfo                                              1.52
- lang/go/version.mk                                            1.29

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   bsiegert
   Date:           Fri Oct  6 18:38:25 UTC 2017

   Modified Files:
           pkgsrc/lang/go: distinfo version.mk

   Log Message:
   Update Go to 1.9.1 (security fix).

   Two security-related issues were recently reported.
   To address this issue, we have just released Go 1.8.4 and Go 1.9.1.

   We recommend that all users update to one of these releases (if you're not
   sure which, choose Go 1.9.1).

   The issues addressed by these releases are:

   By nesting a git checkout inside another version control repository, it was
   possible for an attacker to trick the "go get" command into executing
   arbitrary code. The go command now refuses to use version control checkouts
   found inside other version control systems, with an exception for git
   submodules (git inside git).
   The issue is tracked as https://golang.org/issue/22125 (Go 1.8.4) and
   https://golang.org/issue/22131 (Go 1.9.1). Fixes are linked from the issues.
   Thanks to Simon Rawet for the report.

   In the smtp package, PlainAuth is documented as sending credentials only over
   authenticated, encrypted TLS connections, but it was changed in Go 1.1 to
   also send credentials on non-TLS connections when the remote server
   advertises that PLAIN authentication is supported. The change was meant to
   allow use of PLAIN authentication on localhost, but it has the effect of
   allowing a man-in-the-middle attacker to harvest credentials. PlainAuth now
   requires either TLS or a localhost connection before sending credentials,
   regardless of what the remote server claims.
   This issue is tracked as https://golang.org/issue/22134 (Go 1.8.4) and
   https://golang.org/issue/22133 (Go 1.9.1). Fixes are linked from the issues.
   Thanks to Stevie Johnstone for the report.


   To generate a diff of this commit:
   cvs rdiff -u -r1.51 -r1.52 pkgsrc/lang/go/distinfo
   cvs rdiff -u -r1.28 -r1.29 pkgsrc/lang/go/version.mk

Revision 1.29 / (download) - annotate - [select for diffs], Fri Oct 6 18:38:25 2017 UTC (6 years, 5 months ago) by bsiegert
Branch: MAIN
Changes since 1.28: +2 -2 lines
Diff to previous 1.28 (colored) to selected 1.56 (colored)

Update Go to 1.9.1 (security fix).

Two security-related issues were recently reported.
To address this issue, we have just released Go 1.8.4 and Go 1.9.1.

We recommend that all users update to one of these releases (if you're not sure
which, choose Go 1.9.1).

The issues addressed by these releases are:

By nesting a git checkout inside another version control repository, it was
possible for an attacker to trick the "go get" command into executing arbitrary
code. The go command now refuses to use version control checkouts found inside
other version control systems, with an exception for git submodules (git inside
git).
The issue is tracked as https://golang.org/issue/22125 (Go 1.8.4) and
https://golang.org/issue/22131 (Go 1.9.1). Fixes are linked from the issues.
Thanks to Simon Rawet for the report.

In the smtp package, PlainAuth is documented as sending credentials only over
authenticated, encrypted TLS connections, but it was changed in Go 1.1 to also
send credentials on non-TLS connections when the remote server advertises that
PLAIN authentication is supported. The change was meant to allow use of PLAIN
authentication on localhost, but it has the effect of allowing a
man-in-the-middle attacker to harvest credentials. PlainAuth now requires
either TLS or a localhost connection before sending credentials, regardless of
what the remote server claims.
This issue is tracked as https://golang.org/issue/22134 (Go 1.8.4) and
https://golang.org/issue/22133 (Go 1.9.1). Fixes are linked from the issues.
Thanks to Stevie Johnstone for the report.
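
The first of the two fixes in this entry (and in pullup ticket #5565 above), the nested-checkout refusal in "go get", modelled as an added example; this is not pkgsrc or Go project code, and the walk is reconstructed from the description in the commit message rather than copied from the go command. The directory layouts are constructed under a temporary directory standing in for a GOPATH src tree.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// vcsMarkers maps a metadata directory to the VCS it identifies.
var vcsMarkers = map[string]string{
	".git": "git", ".hg": "hg", ".svn": "svn", ".bzr": "bzr", ".fossil": "fossil",
}

// detectVCS returns the VCS whose metadata entry lives directly in dir, or "".
func detectVCS(dir string) string {
	for marker, name := range vcsMarkers {
		if _, err := os.Stat(filepath.Join(dir, marker)); err == nil {
			return name
		}
	}
	return ""
}

// checkNestedVCS walks from dir up to (but excluding) srcRoot and refuses the
// checkout if any ancestor belongs to a VCS, unless both dir and the ancestor
// are git (submodules are a supported layout). Assumption: this mirrors the
// behaviour described above, not the go command's exact implementation.
func checkNestedVCS(dir, srcRoot string) error {
	dir, srcRoot = filepath.Clean(dir), filepath.Clean(srcRoot)
	vcs := detectVCS(dir)
	if vcs == "" {
		return fmt.Errorf("%s is not a version-control checkout", dir)
	}
	for p := filepath.Dir(dir); p != srcRoot; p = filepath.Dir(p) {
		if other := detectVCS(p); other != "" && !(other == "git" && vcs == "git") {
			return fmt.Errorf("directory %s uses %s, but parent %s uses %s", dir, vcs, p, other)
		}
		if filepath.Dir(p) == p { // hit the filesystem root without meeting srcRoot
			break
		}
	}
	return nil
}

// buildTree creates the given directories below root so the check can run
// against a constructed layout without cloning any real repository.
func buildTree(root string, dirs ...string) error {
	for _, d := range dirs {
		if err := os.MkdirAll(filepath.Join(root, d), 0o755); err != nil {
			return err
		}
	}
	return nil
}

// runScenarios builds three constructed layouts in a temporary src root and
// returns the verdict for each: git inside hg (refused), git inside git
// (allowed) and a plain git checkout (allowed).
func runScenarios() (map[string]error, error) {
	src, err := os.MkdirTemp("", "gosrc")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(src)
	if err := buildTree(src,
		"example.com/hgrepo/.hg", "example.com/hgrepo/vendor/gitrepo/.git",
		"example.com/gitrepo/.git", "example.com/gitrepo/sub/.git",
		"example.com/plain/.git",
	); err != nil {
		return nil, err
	}
	return map[string]error{
		"git-inside-hg":  checkNestedVCS(filepath.Join(src, "example.com/hgrepo/vendor/gitrepo"), src),
		"git-inside-git": checkNestedVCS(filepath.Join(src, "example.com/gitrepo/sub"), src),
		"plain-git":      checkNestedVCS(filepath.Join(src, "example.com/plain"), src),
	}, nil
}

func main() {
	results, err := runScenarios()
	if err != nil {
		fmt.Println("setup failed:", err)
		os.Exit(1)
	}
	for _, name := range []string{"git-inside-hg", "git-inside-git", "plain-git"} {
		fmt.Printf("%-15s -> %v\n", name, results[name])
	}
}
```

Only the git-inside-hg layout produces an error; that is the case the pre-fix go command would have fetched, letting the outer repository's hooks or configuration run code during "go get".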
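
The second fix in this entry, the PlainAuth change, as an added example that is not pkgsrc or Go project code. It calls the real net/smtp PlainAuth (which carries the fix in every release since 1.8.4/1.9.1) next to a reconstruction of the pre-fix decision, so the difference is visible on a plaintext connection where the server merely claims to support PLAIN. The legacy function is an assumption based on the description above, not code copied from an old Go release; the host names and credentials are constructed.

```go
package main

import (
	"fmt"
	"net/smtp"
)

// legacyPlainStart models the pre-fix behaviour described in the commit
// message (assumption: reconstructed, not copied from Go 1.1 through 1.9.0):
// on a non-TLS connection the credentials were sent as soon as the server
// advertised PLAIN, which an active attacker on the path can always do.
func legacyPlainStart(server *smtp.ServerInfo, username, password string) ([]byte, error) {
	if !server.TLS {
		advertised := false
		for _, m := range server.Auth {
			if m == "PLAIN" {
				advertised = true
			}
		}
		if !advertised {
			return nil, fmt.Errorf("unencrypted connection")
		}
	}
	return []byte("\x00" + username + "\x00" + password), nil
}

// fixedPlainStart uses the standard library's PlainAuth: without TLS and
// without a localhost peer, Start returns an error before any bytes are built.
func fixedPlainStart(server *smtp.ServerInfo, username, password string) ([]byte, error) {
	auth := smtp.PlainAuth("", username, password, server.Name)
	_, toServer, err := auth.Start(server)
	return toServer, err
}

// credentialsLeak reports whether the given implementation would put the
// password on the wire for this server.
func credentialsLeak(start func(*smtp.ServerInfo, string, string) ([]byte, error), server *smtp.ServerInfo) bool {
	toServer, err := start(server, "alice", "s3cret")
	return err == nil && len(toServer) > 0
}

func main() {
	// Constructed peers: a man-in-the-middle on a plaintext connection that
	// advertises PLAIN, a genuine TLS server, and a localhost relay.
	mitm := &smtp.ServerInfo{Name: "mail.example.com", TLS: false, Auth: []string{"PLAIN"}}
	tlsServer := &smtp.ServerInfo{Name: "mail.example.com", TLS: true, Auth: []string{"PLAIN"}}
	local := &smtp.ServerInfo{Name: "localhost", TLS: false, Auth: []string{"PLAIN"}}

	for _, c := range []struct {
		name   string
		server *smtp.ServerInfo
	}{{"plaintext MITM", mitm}, {"TLS", tlsServer}, {"localhost", local}} {
		fmt.Printf("%-15s legacy sends password: %-5v  fixed sends password: %v\n", c.name,
			credentialsLeak(legacyPlainStart, c.server),
			credentialsLeak(fixedPlainStart, c.server))
	}
}
```

On the plaintext MITM case the legacy logic sends the password and the fixed PlainAuth returns "unencrypted connection"; on TLS and on localhost both send it, which is the documented contract. Note that ServerInfo.Auth is whatever the peer said in its EHLO reply, so without TLS it is attacker-controlled and must not drive the decision.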

Revision 1.28 / (download) - annotate - [select for diffs], Sun Sep 3 07:12:07 2017 UTC (6 years, 6 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2017Q3-base
Branch point for: pkgsrc-2017Q3
Changes since 1.27: +2 -2 lines
Diff to previous 1.27 (colored) to selected 1.56 (colored)

Update Go to 1.9.

The latest Go release, version 1.9, arrives six months after Go 1.8 and
is the tenth release in the Go 1.x series. There are two changes to the
language: adding support for type aliases and defining when
implementations may fuse floating point operations. Most of the changes
are in the implementation of the toolchain, runtime, and libraries. As
always, the release maintains the Go 1 promise of compatibility. We
expect almost all Go programs to continue to compile and run as before.

The release adds transparent monotonic time support, parallelizes
compilation of functions within a package, better supports test helper
functions, includes a new bit manipulation package, and has a new
concurrent map type.


There are some instabilities on FreeBSD that are known but not
understood. These can lead to program crashes in rare cases. See issue
15658. Any help in solving this FreeBSD-specific issue would be
appreciated.

Go stopped running NetBSD builders during the Go 1.9 development cycle
due to NetBSD kernel crashes, up to and including NetBSD 7.1. As Go 1.9
is being released, NetBSD 7.1.1 is being released with a fix. However,
at this time we have no NetBSD builders passing our test suite. Any help
investigating the various NetBSD issues would be appreciated.

Revision 1.23.2.2 / (download) - annotate - [select for diffs], Thu May 25 21:11:03 2017 UTC (6 years, 10 months ago) by spz
Branch: pkgsrc-2017Q1
Changes since 1.23.2.1: +1 -1 lines
Diff to previous 1.23.2.1 (colored) to branchpoint 1.23 (colored) next main 1.24 (colored) to selected 1.56 (colored)

Pullup ticket #5433 - requested by bsiegert
lang/go: security update

Revisions pulled up:
- lang/go/Makefile                                              1.52
- lang/go/distinfo                                              1.49
- lang/go/version.mk                                            1.26
- lang/go/PLIST                                                 1.31

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	bsiegert
   Date:		Thu May 25 09:06:43 UTC 2017

   Modified Files:
   	pkgsrc/lang/go: Makefile distinfo version.mk

   Log Message:
   SECURITY: Update Go to 1.8.2, fixing CVE-2017-8932,
   carry bug in x86-64 P-256.

   A security-related issue was recently reported in Go's crypto/elliptic package.
   To address this issue, we have just released Go 1.7.6 and Go 1.8.2.

   The Go team would like to thank Vlad Krasnov and Filippo Valsorda at Cloudflare
   for reporting the issue and providing a fix.

   The issue affects Go's P-256 implementation on the 64-bit x86 architecture.

   This is CVE-2017-8932 and was addressed by this change:
   https://golang.org/cl/41070, tracked in this issue:
   https://golang.org/issue/20040


   To generate a diff of this commit:
   cvs rdiff -u -r1.51 -r1.52 pkgsrc/lang/go/Makefile
   cvs rdiff -u -r1.48 -r1.49 pkgsrc/lang/go/distinfo
   cvs rdiff -u -r1.25 -r1.26 pkgsrc/lang/go/version.mk

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	wen
   Date:		Sun Apr  9 08:23:43 UTC 2017

   Modified Files:
   	pkgsrc/lang/go: PLIST distinfo version.mk

   Log Message:
   Update to 1.8.1

   Upstream changes:
   go1.8.1 (released 2017/04/07) includes fixes to the compiler, linker, runtime,
   documentation, go command and the crypto/tls, encoding/xml, image/png, net,
   net/http, reflect, text/template, and time packages. See the Go 1.8.1 milestone
   on our issue tracker for details.


   To generate a diff of this commit:
   cvs rdiff -u -r1.30 -r1.31 pkgsrc/lang/go/PLIST
   cvs rdiff -u -r1.44 -r1.45 pkgsrc/lang/go/distinfo
   cvs rdiff -u -r1.23 -r1.24 pkgsrc/lang/go/version.mk

Revision 1.27 / (download) - annotate - [select for diffs], Thu May 25 09:24:21 2017 UTC (6 years, 10 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2017Q2-base, pkgsrc-2017Q2
Changes since 1.26: +2 -2 lines
Diff to previous 1.26 (colored) to selected 1.56 (colored)

Update Go to 1.8.3, a non-security release.

This release includes fixes to the compiler, runtime, documentation, and the
database/sql package.
    https://golang.org/doc/devel/release.html#go1.8.minor

It also includes the security fix to the crypto/elliptic package from Go 1.8.2.

Revision 1.26 / (download) - annotate - [select for diffs], Thu May 25 09:06:43 2017 UTC (6 years, 10 months ago) by bsiegert
Branch: MAIN
Changes since 1.25: +2 -2 lines
Diff to previous 1.25 (colored) to selected 1.56 (colored)

SECURITY: Update Go to 1.8.2, fixing CVE-2017-8932,
carry bug in x86-64 P-256.

A security-related issue was recently reported in Go's crypto/elliptic package.
To address this issue, we have just released Go 1.7.6 and Go 1.8.2.

The Go team would like to thank Vlad Krasnov and Filippo Valsorda at Cloudflare
for reporting the issue and providing a fix.

The issue affects Go's P-256 implementation on the 64-bit x86 architecture.

This is CVE-2017-8932 and was addressed by this change:
https://golang.org/cl/41070, tracked in this issue:
https://golang.org/issue/20040

Revision 1.23.2.1 / (download) - annotate - [select for diffs], Mon May 1 09:55:46 2017 UTC (6 years, 10 months ago) by bsiegert
Branch: pkgsrc-2017Q1
Changes since 1.23: +2 -2 lines
Diff to previous 1.23 (colored) to selected 1.56 (colored)

Pullup ticket #5392 - requested by sevan
lang/go: build fix

Revisions pulled up:
- lang/go/version.mk                                            1.25

---
   Module Name:    pkgsrc
   Committed By:   maya
   Date:           Sun Apr 30 23:02:09 UTC 2017

   Modified Files:
           pkgsrc/lang/go: version.mk

   Log Message:
   go: match even more ARM with wildcards

   part 1 of PR pkg/52178 from aikchar

Revision 1.25 / (download) - annotate - [select for diffs], Sun Apr 30 23:02:09 2017 UTC (6 years, 10 months ago) by maya
Branch: MAIN
Changes since 1.24: +2 -2 lines
Diff to previous 1.24 (colored) to selected 1.56 (colored)

go: match even more ARM with wildcards

part 1 of PR pkg/52178 from aikchar

Revision 1.24 / (download) - annotate - [select for diffs], Sun Apr 9 08:23:43 2017 UTC (6 years, 11 months ago) by wen
Branch: MAIN
Changes since 1.23: +2 -2 lines
Diff to previous 1.23 (colored) to selected 1.56 (colored)

Update to 1.8.1

Upstream changes:
go1.8.1 (released 2017/04/07) includes fixes to the compiler, linker, runtime, documentation, go command and the crypto/tls, encoding/xml, image/png, net, net/http, reflect, text/template, and time packages. See the Go 1.8.1 milestone on our issue tracker for details.

Revision 1.23 / (download) - annotate - [select for diffs], Wed Mar 15 19:38:09 2017 UTC (7 years ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2017Q1-base
Branch point for: pkgsrc-2017Q1
Changes since 1.22: +2 -2 lines
Diff to previous 1.22 (colored) to selected 1.56 (colored)

Update Go to 1.8.

The compiler back end introduced in Go 1.7 for 64-bit x86 is now used on all
architectures, and those architectures should see significant performance
improvements. For instance, the CPU time required by our benchmark programs was
reduced by 20-30% on 32-bit ARM systems. There are also some modest performance
improvements in this release for 64-bit x86 systems. The compiler and linker
have been made faster. Compile times should be improved by about 15% over Go
1.7. There is still more work to be done in this area: expect faster
compilation speeds in future releases.

Garbage collection pauses should be significantly shorter, usually under 100
microseconds and often as low as 10 microseconds.

The HTTP server adds support for HTTP/2 Push, allowing servers to preemptively
send responses to a client. This is useful for minimizing network latency by
eliminating roundtrips. The HTTP server also adds support for graceful
shutdown, allowing servers to minimize downtime by shutting down only after
serving all requests that are in flight.

Contexts (added to the standard library in Go 1.7) provide a cancelation and
timeout mechanism. Go 1.8 adds support for contexts in more parts of the
standard library, including the database/sql and net packages and
Server.Shutdown in the net/http package.

Go 1.8 includes many more additions, improvements, and fixes. Find the complete
set of changes, and more information about the improvements listed above, in
the Go 1.8 release notes: https://golang.org/doc/go1.8

Revision 1.22 / (download) - annotate - [select for diffs], Mon Jan 30 03:04:53 2017 UTC (7 years, 1 month ago) by wen
Branch: MAIN
Changes since 1.21: +2 -2 lines
Diff to previous 1.21 (colored) to selected 1.56 (colored)

Update to 1.7.5

Upstream changes:
go1.7.5 (released 2017/01/26) includes fixes to the compiler, runtime, and the crypto/x509 and time packages. See the Go 1.7.5 milestone on our issue tracker for details.

Revision 1.17.2.1 / (download) - annotate - [select for diffs], Mon Dec 12 06:50:02 2016 UTC (7 years, 3 months ago) by spz
Branch: pkgsrc-2016Q3
Changes since 1.17: +2 -2 lines
Diff to previous 1.17 (colored) next main 1.18 (colored) to selected 1.56 (colored)

Pullup ticket #5170 - requested by bsiegert
lang/go: security update

Revisions pulled up:
- lang/go/Makefile                                              1.48
- lang/go/PLIST                                                 1.28
- lang/go/distinfo                                              1.42,1.41
- lang/go/patches/patch-src_net_http_h2__bundle.go              deleted
- lang/go/version.mk                                            1.21,1.18

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   bsiegert
   Date:           Sun Dec  4 16:08:55 UTC 2016

   Modified Files:
           pkgsrc/lang/go: distinfo version.mk

   Log Message:
   Update Go to 1.7.4.

   Two security-related issues were recently reported, and to address these issues
   we have just released Go 1.6.4 and Go 1.7.4.

   We recommend that all users update to one of these releases (if you're not sure
   which, choose Go 1.7.4).

   The issues addressed by these releases are:

   On Darwin, user's trust preferences for root certificates were not honored. If
   the user had a root certificate loaded in their Keychain that was explicitly
   not trusted, a Go program would still verify a connection using that root
   certificate.  This is addressed by https://golang.org/cl/33721, tracked in
   https://golang.org/issue/18141.
   Thanks to Xy Ziemba for identifying and reporting this issue.

   The net/http package's Request.ParseMultipartForm method starts writing to
   temporary files once the request body size surpasses the given "maxMemory"
   limit. It was possible for an attacker to generate a multipart request crafted
   such that the server ran out of file descriptors.  This is addressed by
   https://golang.org/cl/30410, tracked in https://golang.org/issue/17965.
   Thanks to Simon Rawet for the report.


   To generate a diff of this commit:
   cvs rdiff -u -r1.41 -r1.42 pkgsrc/lang/go/distinfo
   cvs rdiff -u -r1.20 -r1.21 pkgsrc/lang/go/version.mk

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   bsiegert
   Date:           Thu Oct 27 18:58:00 UTC 2016

   Modified Files:
           pkgsrc/lang/go: Makefile PLIST distinfo version.mk
   Removed Files:
           pkgsrc/lang/go/patches: patch-src_net_http_h2__bundle.go

   Log Message:
   Update Go to 1.7.3.

   go1.7.2 should not be used. It was tagged but not fully released. The release
   was deferred due to a last minute bug report. Use go1.7.3 instead, and refer to
   the summary of changes below.

   go1.7.3 (released 2016/10/19) includes fixes to the compiler, runtime, and the
   crypto/cipher, crypto/tls, net/http, and strings packages. See the Go 1.7.3
   milestone on our issue tracker for details.


   To generate a diff of this commit:
   cvs rdiff -u -r1.47 -r1.48 pkgsrc/lang/go/Makefile
   cvs rdiff -u -r1.27 -r1.28 pkgsrc/lang/go/PLIST
   cvs rdiff -u -r1.40 -r1.41 pkgsrc/lang/go/distinfo
   cvs rdiff -u -r1.17 -r1.18 pkgsrc/lang/go/version.mk
   cvs rdiff -u -r1.1 -r0 \
       pkgsrc/lang/go/patches/patch-src_net_http_h2__bundle.go

Revision 1.21 / (download) - annotate - [select for diffs], Sun Dec 4 16:08:55 2016 UTC (7 years, 3 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2016Q4-base, pkgsrc-2016Q4
Changes since 1.20: +2 -2 lines
Diff to previous 1.20 (colored) to selected 1.56 (colored)

Update Go to 1.7.4.

Two security-related issues were recently reported, and to address these issues
we have just released Go 1.6.4 and Go 1.7.4.

We recommend that all users update to one of these releases (if you're not sure
which, choose Go 1.7.4).

The issues addressed by these releases are:

On Darwin, user's trust preferences for root certificates were not honored. If
the user had a root certificate loaded in their Keychain that was explicitly
not trusted, a Go program would still verify a connection using that root
certificate.  This is addressed by https://golang.org/cl/33721, tracked in
https://golang.org/issue/18141.
Thanks to Xy Ziemba for identifying and reporting this issue.

The net/http package's Request.ParseMultipartForm method starts writing to
temporary files once the request body size surpasses the given "maxMemory"
limit. It was possible for an attacker to generate a multipart request crafted
such that the server ran out of file descriptors.  This is addressed by
https://golang.org/cl/30410, tracked in https://golang.org/issue/17965.
Thanks to Simon Rawet for the report.
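
A handler that bounds what ParseMultipartForm can cost, added here as an example and not taken from Go or from pkgsrc. The entry above concerns parts spilling to temporary files once the in-memory budget is exceeded; the guards below cap the bytes read from the body with http.MaxBytesReader, keep the in-memory budget small, and remove every spilled file before returning. The limits and the upload sizes are assumptions chosen for the example, and the multipart bodies are constructed in-process.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
)

const (
	maxBody   = 256 << 10 // hard cap on bytes read from the request body (assumed value)
	maxMemory = 32 << 10  // file parts beyond this are spilled to temp files (assumed value)
)

// uploadHandler parses a multipart form with three guards: a ceiling on the
// bytes read, a small in-memory budget so spilled files stay bounded by that
// ceiling, and removal of every temp file when the handler returns.
func uploadHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBody)
	if err := r.ParseMultipartForm(maxMemory); err != nil {
		// MaxBytesReader surfaces as a parse error once the cap is hit;
		// treat every failure as a rejected request rather than retrying.
		http.Error(w, "rejected: "+err.Error(), http.StatusRequestEntityTooLarge)
		return
	}
	defer r.MultipartForm.RemoveAll() // unlink spilled temp files

	var files, total int
	for _, headers := range r.MultipartForm.File {
		for _, fh := range headers {
			f, err := fh.Open()
			if err != nil {
				http.Error(w, err.Error(), http.StatusInternalServerError)
				return
			}
			n, _ := io.Copy(io.Discard, f) // a real handler would process the part here
			f.Close()
			files++
			total += int(n)
		}
	}
	fmt.Fprintf(w, "files=%d bytes=%d", files, total)
}

// buildUpload constructs a multipart body with one file part of size bytes
// and one ordinary field, purely as sample input for the example.
func buildUpload(size int) (body *bytes.Buffer, contentType string) {
	body = &bytes.Buffer{}
	mw := multipart.NewWriter(body)
	part, _ := mw.CreateFormFile("upload", "blob.bin")
	part.Write(bytes.Repeat([]byte{'A'}, size))
	mw.WriteField("note", "constructed for the example")
	mw.Close()
	return body, mw.FormDataContentType()
}

// post drives the handler in-process and returns the status and response body.
func post(size int) (int, string) {
	body, ct := buildUpload(size)
	req := httptest.NewRequest("POST", "/upload", body)
	req.Header.Set("Content-Type", ct)
	rec := httptest.NewRecorder()
	uploadHandler(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	for _, size := range []int{1 << 10, 100 << 10, 1 << 20} {
		code, out := post(size)
		fmt.Printf("%8d-byte upload -> %d %s\n", size, code, out)
	}
}
```

The 100 KiB upload exceeds maxMemory and is spilled to disk, which is the path the entry above is about; the 1 MiB upload exceeds maxBody and is refused before it can consume further descriptors or disk.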

Revision 1.20 / (download) - annotate - [select for diffs], Fri Dec 2 20:26:01 2016 UTC (7 years, 3 months ago) by maya
Branch: MAIN
Changes since 1.19: +2 -2 lines
Diff to previous 1.19 (colored) to selected 1.56 (colored)

go: more wildcards for arm

my rpi1's machine_platform is ..-earmv6hf and needs this to match

Revision 1.19 / (download) - annotate - [select for diffs], Sun Nov 27 21:07:21 2016 UTC (7 years, 4 months ago) by maya
Branch: MAIN
Changes since 1.18: +3 -3 lines
Diff to previous 1.18 (colored) to selected 1.56 (colored)

go: match more netbsd/arm, which can be machine arch earm,
and not just evbarm.

PR pkg/51653

Note that this does not resolve the PR, as the build hangs.

Revision 1.18 / (download) - annotate - [select for diffs], Thu Oct 27 18:58:00 2016 UTC (7 years, 5 months ago) by bsiegert
Branch: MAIN
Changes since 1.17: +2 -2 lines
Diff to previous 1.17 (colored) to selected 1.56 (colored)

Update Go to 1.7.3.

go1.7.2 should not be used. It was tagged but not fully released. The release
was deferred due to a last minute bug report. Use go1.7.3 instead, and refer to
the summary of changes below.

go1.7.3 (released 2016/10/19) includes fixes to the compiler, runtime, and the
crypto/cipher, crypto/tls, net/http, and strings packages. See the Go 1.7.3
milestone on our issue tracker for details.

Revision 1.17 / (download) - annotate - [select for diffs], Sat Sep 10 09:09:23 2016 UTC (7 years, 6 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2016Q3-base
Branch point for: pkgsrc-2016Q3
Changes since 1.16: +2 -2 lines
Diff to previous 1.16 (colored) to selected 1.56 (colored)

Update go to 1.7.1.

go1.7.1 (released 2016/09/07) includes fixes to the compiler, runtime,
documentation, and the compress/flate, hash/crc32, io, net, net/http,
path/filepath, reflect, and syscall packages. See the Go 1.7.1 milestone on our
issue tracker for details.

Revision 1.16 / (download) - annotate - [select for diffs], Fri Aug 19 09:38:06 2016 UTC (7 years, 7 months ago) by bsiegert
Branch: MAIN
Changes since 1.15: +2 -2 lines
Diff to previous 1.15 (colored) to selected 1.56 (colored)

Update Go to 1.7.

The latest Go release, version 1.7, arrives six months after 1.6. Most of its
changes are in the implementation of the toolchain, runtime, and libraries.
There is one minor change to the language specification. As always, the release
maintains the Go 1 promise of compatibility. We expect almost all Go programs
to continue to compile and run as before.

There is one tiny language change in this release. The section on terminating
statements clarifies that to determine whether a statement list ends in a
terminating statement, the ãà×Çinal non-empty statementãàis considered the end,
matching the existing behavior of the gc and gccgo compiler toolchains. In
earlier releases the definition referred only to the ãà×Çinal statement,ãàleaving
the effect of trailing empty statements at the least unclear. The go/types
package has been updated to match the gc and gccgo compiler toolchains in this
respect. This change has no effect on the correctness of existing programs.

Go 1.7 adds support for macOS 10.12 Sierra. This support was backported to Go
1.6.3. Binaries built with versions of Go before 1.6.3 will not work correctly
on Sierra.

Revision 1.14.2.1 / (download) - annotate - [select for diffs], Wed Jul 20 03:02:31 2016 UTC (7 years, 8 months ago) by spz
Branch: pkgsrc-2016Q2
Changes since 1.14: +2 -2 lines
Diff to previous 1.14 (colored) next main 1.15 (colored) to selected 1.56 (colored)

Pullup ticket #5064 - requested by bsiegert
lang/go: security update

Revisions pulled up:
- lang/go/Makefile                                              1.43
- lang/go/distinfo                                              1.37
- lang/go/version.mk                                            1.15

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   bsiegert
   Date:           Mon Jul 18 20:37:40 UTC 2016

   Modified Files:
           pkgsrc/lang/go: Makefile distinfo version.mk

   Log Message:
   Update Go to 1.6.3.

   A security-related issue was recently reported in Go's net/http/cgi package and
   net/http package when used in a CGI environment. Go 1.6.3 and Go 1.7rc2 contain
   a fix for this issue.

   Go versions 1.0-1.6.2 and 1.7rc1 are vulnerable to an input validation flaw in
   the CGI components resulting in the HTTP_PROXY environment variable being set
   by the incoming Proxy header. This environment variable was also used to set
   the outgoing proxy, enabling an attacker to insert a proxy into outgoing
   requests of a CGI program.

   This is CVE-2016-5386 and was addressed by this change:
   https://golang.org/cl/25010, tracked in this issue:
   https://golang.org/issue/16405

   The Go team would like to thank Dominic Scheirlinck for coordinating disclosure
   of this issue across multiple languages and CGI environments. Read more about
   "httpoxy" here: https://httpoxy.org/

   Go 1.6.3 also adds support for macOS Sierra. See https://golang.org/issue/16354
   for details.


   To generate a diff of this commit:
   cvs rdiff -u -r1.42 -r1.43 pkgsrc/lang/go/Makefile
   cvs rdiff -u -r1.36 -r1.37 pkgsrc/lang/go/distinfo
   cvs rdiff -u -r1.14 -r1.15 pkgsrc/lang/go/version.mk

Revision 1.15 / (download) - annotate - [select for diffs], Mon Jul 18 20:37:40 2016 UTC (7 years, 8 months ago) by bsiegert
Branch: MAIN
Changes since 1.14: +2 -2 lines
Diff to previous 1.14 (colored) to selected 1.56 (colored)

Update Go to 1.6.3.

A security-related issue was recently reported in Go's net/http/cgi package and
net/http package when used in a CGI environment. Go 1.6.3 and Go 1.7rc2 contain
a fix for this issue.

Go versions 1.0-1.6.2 and 1.7rc1 are vulnerable to an input validation flaw in
the CGI components resulting in the HTTP_PROXY environment variable being set
by the incoming Proxy header. This environment variable was also used to set
the outgoing proxy, enabling an attacker to insert a proxy into outgoing
requests of a CGI program.

This is CVE-2016-5386 and was addressed by this change:
https://golang.org/cl/25010, tracked in this issue:
https://golang.org/issue/16405

The Go team would like to thank Dominic Scheirlinck for coordinating disclosure
of this issue across multiple languages and CGI environments. Read more about
"httpoxy" here: https://httpoxy.org/

Go 1.6.3 also adds support for macOS Sierra. See https://golang.org/issue/16354
for details.
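
The header-to-environment mapping at the heart of httpoxy, written out as an added example (not Go's net/http/cgi code and not part of pkgsrc). One function reproduces the vulnerable mapping, in which an attacker's "Proxy:" request header becomes HTTP_PROXY in the CGI child's environment; the other drops that header before building the environment, the approach the upstream change takes. The request headers and host names are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// headerToEnvName applies the CGI (RFC 3875) mapping that turns a request
// header into an HTTP_* variable: upper-case it and turn '-' into '_'.
// This mapping is why "Proxy" collides with the HTTP_PROXY configuration
// variable honoured by many HTTP client libraries.
func headerToEnvName(name string) string {
	return "HTTP_" + strings.ToUpper(strings.ReplaceAll(name, "-", "_"))
}

// cgiEnvPreFix reproduces the vulnerable behaviour: every request header,
// including an attacker-supplied "Proxy:", becomes an environment variable
// of the child process, so its outbound requests go through the attacker.
func cgiEnvPreFix(h http.Header) []string {
	env := []string{}
	for name, values := range h {
		env = append(env, headerToEnvName(name)+"="+strings.Join(values, ", "))
	}
	sort.Strings(env)
	return env
}

// cgiEnvFixed skips the one header whose CGI name would be HTTP_PROXY
// before the environment is built; everything else is passed through.
func cgiEnvFixed(h http.Header) []string {
	env := []string{}
	for name, values := range h {
		if strings.EqualFold(name, "Proxy") {
			continue
		}
		env = append(env, headerToEnvName(name)+"="+strings.Join(values, ", "))
	}
	sort.Strings(env)
	return env
}

// hasHTTPProxy reports whether an environment would steer a proxy-aware
// client. The comparison is case-insensitive because clients commonly
// accept http_proxy as well as HTTP_PROXY.
func hasHTTPProxy(env []string) bool {
	for _, kv := range env {
		if strings.HasPrefix(strings.ToUpper(kv), "HTTP_PROXY=") {
			return true
		}
	}
	return false
}

// attackerRequest is a constructed request carrying the smuggled header.
func attackerRequest() http.Header {
	h := http.Header{}
	h.Set("Host", "victim.example")
	h.Set("User-Agent", "httpoxy-probe")
	h.Set("Proxy", "http://attacker.example:8080")
	return h
}

func main() {
	h := attackerRequest()
	fmt.Println("pre-fix env:", cgiEnvPreFix(h), "HTTP_PROXY set:", hasHTTPProxy(cgiEnvPreFix(h)))
	fmt.Println("fixed env:  ", cgiEnvFixed(h), "HTTP_PROXY set:", hasHTTPProxy(cgiEnvFixed(h)))
}
```

A deployment check is to run the same probe against a real CGI or FastCGI front end and confirm that a request with a Proxy header never yields HTTP_PROXY in the script's environment.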

Revision 1.14 / (download) - annotate - [select for diffs], Sat Apr 30 11:22:28 2016 UTC (7 years, 10 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2016Q2-base
Branch point for: pkgsrc-2016Q2
Changes since 1.13: +2 -2 lines
Diff to previous 1.13 (colored) to selected 1.56 (colored)

Update Go to 1.6.2.

This release includes fixes to the compiler, runtime, tools, documentation, and
the mime/multipart, net/http, and sort packages.

    https://golang.org/doc/devel/release.html#go1.6.minor

Revision 1.13 / (download) - annotate - [select for diffs], Wed Apr 13 07:12:00 2016 UTC (7 years, 11 months ago) by bsiegert
Branch: MAIN
Changes since 1.12: +2 -2 lines
Diff to previous 1.12 (colored) to selected 1.56 (colored)

Update Go to 1.6.1.

Two security-related issues were recently reported, and to address these issues
we have just released Go 1.6.1 and Go 1.5.4.

We recommend that all users update to one of these releases (if you're not sure
which, choose Go 1.6.1).

The issues addressed by these releases are:

On Windows, Go loads system DLLs by name with LoadLibrary, making it vulnerable
to DLL preloading attacks. For instance, if a user runs a Go executable from a
Downloads folder, malicious DLL files also downloaded to that folder could be
loaded into that executable.
This is CVE-2016-3958 and was addressed by this change: https://golang.org/cl/21428
Thanks to Taru Karttunen for identifying this issue.

Go's crypto libraries passed certain parameters unchecked to the underlying big
integer library, possibly leading to extremely long-running computations, which
in turn makes Go programs vulnerable to remote denial of service attacks.
Programs using HTTPS client certificates or the Go SSH server libraries are
both exposed to this vulnerability.
This is CVE-2016-3959 and was addressed by this change: https://golang.org/cl/21533
Thanks to David Wong for identifying this issue.

Revision 1.12 / (download) - annotate - [select for diffs], Tue Feb 23 20:12:25 2016 UTC (8 years, 1 month ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2016Q1-base, pkgsrc-2016Q1
Changes since 1.11: +2 -2 lines
Diff to previous 1.11 (colored) to selected 1.56 (colored)

Update Go to 1.6.

The latest Go release, version 1.6, arrives six months after 1.5. Most of its
changes are in the implementation of the language, runtime, and libraries.
There are no changes to the language specification. As always, the release
maintains the Go 1 promise of compatibility. We expect almost all Go programs
to continue to compile and run as before.

The release adds new ports to Linux on 64-bit MIPS and Android on 32-bit x86;
defined and enforced rules for sharing Go pointers with C; transparent,
automatic support for HTTP/2; and a new mechanism for template reuse.

Full changelog at https://golang.org/doc/go1.6.

Revision 1.11 / (download) - annotate - [select for diffs], Sat Jan 16 09:43:44 2016 UTC (8 years, 2 months ago) by fhajny
Branch: MAIN
Changes since 1.10: +2 -2 lines
Diff to previous 1.10 (colored) to selected 1.56 (colored)

Update lang/go to 1.5.3.

This is a security-related release, it fixes CVE-2015-8618 that was
partially patched in 1.5.2nb1.

See full release notes for a description:

https://groups.google.com/d/msg/golang-announce/MEATuOi_ei4/JsndUuZwEAAJ

Revision 1.10 / (download) - annotate - [select for diffs], Thu Dec 10 20:04:54 2015 UTC (8 years, 3 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2015Q4-base, pkgsrc-2015Q4
Changes since 1.9: +2 -2 lines
Diff to previous 1.9 (colored) to selected 1.56 (colored)

Update Go to 1.5.2, original patch from Kamel Derouiche in PR pkg/50498.

go1.5.2 (released 2015/12/02) includes bug fixes to the compiler,
linker, and the mime/multipart, net, and runtime packages. See the Go
1.5.2 milestone on our issue tracker for details.

https://github.com/golang/go/issues?q=milestone%3AGo1.5.2

Revision 1.8.2.1 / (download) - annotate - [select for diffs], Tue Oct 6 16:37:05 2015 UTC (8 years, 5 months ago) by spz
Branch: pkgsrc-2015Q3
Changes since 1.8: +2 -2 lines
Diff to previous 1.8 (colored) next main 1.9 (colored) to selected 1.56 (colored)

Pullup ticket #4819 - requested by bsiegert
lang/go14: security update

Revisions pulled up:
- lang/go/version.mk                                            1.9
- lang/go14/Makefile                                            1.5
- lang/go14/PLIST                                               1.2
- lang/go14/distinfo                                            1.3

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   tnn
   Date:           Sun Sep 27 00:36:02 UTC 2015

   Modified Files:
           pkgsrc/lang/go14: Makefile

   Log Message:
   more REPLACE_BASH


   To generate a diff of this commit:
   cvs rdiff -u -r1.4 -r1.5 pkgsrc/lang/go14/Makefile

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   bsiegert
   Date:           Sat Sep 26 17:37:01 UTC 2015

   Modified Files:
           pkgsrc/lang/go: version.mk
           pkgsrc/lang/go14: Makefile PLIST distinfo

   Log Message:
   Update go14 to 1.4.3. It fixes four security-related issues.

   The issues were reported in Go's net/http package. They affect programs using
   that package to proxy HTTP requests. We recommend that all users upgrade to Go
   1.5, which fixes these issues. For users unable to upgrade to Go 1.5, we have
   released version 1.4.3, which is based on Go 1.4.2 plus fixes for these issues.
   Affected Go programs, those that use the net/http package as a proxy server, must
   be recompiled with Go 1.5 or Go 1.4.3 to receive the fixes.

   The CVE issue descriptions and fixes are linked below.

   CVE-2015-5739
   "Content Length" treated as valid header:
   https://go-review.googlesource.com/#/c/11772/

   CVE-2015-5740
   Double content-length headers does not return 400 error:
   https://go-review.googlesource.com/#/c/11810/

   CVE-2015-5741
   Additional hardening, not sending Content-Length w/Transfer-Encoding,
   Closing connections:
   https://go-review.googlesource.com/#/c/11810/
   https://go-review.googlesource.com/#/c/12865/
   https://go-review.googlesource.com/#/c/13148/

   The Go team would like to thank Jed Denlea and Régis Leroy for their
   contributions to this release. They have been awarded 1337 USD under the Google
   Security Bounty program.


   To generate a diff of this commit:
   cvs rdiff -u -r1.8 -r1.9 pkgsrc/lang/go/version.mk
   cvs rdiff -u -r1.3 -r1.4 pkgsrc/lang/go14/Makefile
   cvs rdiff -u -r1.1 -r1.2 pkgsrc/lang/go14/PLIST
   cvs rdiff -u -r1.2 -r1.3 pkgsrc/lang/go14/distinfo

Revision 1.9 / (download) - annotate - [select for diffs], Sat Sep 26 17:37:01 2015 UTC (8 years, 6 months ago) by bsiegert
Branch: MAIN
Changes since 1.8: +2 -2 lines
Diff to previous 1.8 (colored) to selected 1.56 (colored)

Update go14 to 1.4.3. It fixes four security-related issues.

The issues were reported in Go's net/http package. They affect programs using
that package to proxy HTTP requests. We recommend that all users upgrade to Go
1.5, which fixes these issues. For users unable to upgrade to Go 1.5, we have
released version 1.4.3, which is based on Go 1.4.2 plus fixes for these issues.
Affected Go programs, those that use the net/http package as a proxy server, must
be recompiled with Go 1.5 or Go 1.4.3 to receive the fixes.

The CVE issue descriptions and fixes are linked below.

CVE-2015-5739
"Content Length" treated as valid header:
https://go-review.googlesource.com/#/c/11772/

CVE-2015-5740
Double content-length headers does not return 400 error:
https://go-review.googlesource.com/#/c/11810/

CVE-2015-5741
Additional hardening, not sending Content-Length w/Transfer-Encoding,
Closing connections:
https://go-review.googlesource.com/#/c/11810/
https://go-review.googlesource.com/#/c/12865/
https://go-review.googlesource.com/#/c/13148/

The Go team would like to thank Jed Denlea and Régis Leroy for their
contributions to this release. They have been awarded 1337 USD under the Google
Security Bounty program.
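
The three framing ambiguities the 1.4.3 entry above lists, checked on raw header lines the way a proxy sees them before canonicalisation. This is an added example, not the upstream fix and not pkgsrc code: a small validator that rejects a header name containing a space (so "Content Length" is not a valid name), conflicting Content-Length values, and Content-Length sent together with Transfer-Encoding, plus a probe that feeds a conflicting-length request through net/http to show the hardened parser refusing it. The sample requests are constructed for the example.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// isToken reports whether every byte of name is an RFC 7230 tchar. A space
// is not, which is what separates "Content-Length" from "Content Length".
func isToken(name string) bool {
	if name == "" {
		return false
	}
	for i := 0; i < len(name); i++ {
		c := name[i]
		switch {
		case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z', c >= '0' && c <= '9':
		case strings.IndexByte("!#$%&'*+-.^_`|~", c) >= 0:
		default:
			return false
		}
	}
	return true
}

// checkFraming rejects the ambiguities a request-smuggling attacker relies on:
// an invalid header name, Content-Length headers that disagree, and a message
// that carries both Content-Length and Transfer-Encoding.
func checkFraming(headerLines []string) error {
	var contentLengths []string
	transferEncoding := false
	for _, line := range headerLines {
		parts := strings.SplitN(line, ":", 2)
		if len(parts) != 2 || !isToken(parts[0]) {
			return fmt.Errorf("malformed header line %q", line)
		}
		name, value := strings.ToLower(parts[0]), strings.TrimSpace(parts[1])
		switch name {
		case "content-length":
			contentLengths = append(contentLengths, value)
		case "transfer-encoding":
			transferEncoding = true
		}
	}
	for i := 1; i < len(contentLengths); i++ {
		if contentLengths[i] != contentLengths[0] {
			return errors.New("conflicting Content-Length headers")
		}
	}
	if len(contentLengths) > 0 && transferEncoding {
		return errors.New("Content-Length sent with Transfer-Encoding")
	}
	return nil
}

// stdlibAccepts parses a raw request with net/http and reports whether it
// was accepted; differing Content-Length values have been refused since
// the hardening described above.
func stdlibAccepts(raw string) bool {
	_, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	return err == nil
}

func main() {
	cases := []struct {
		name  string
		lines []string
	}{
		{"clean", []string{"Host: victim.example", "Content-Length: 4"}},
		{"spaced name", []string{"Host: victim.example", "Content Length: 4"}},
		{"two lengths", []string{"Host: victim.example", "Content-Length: 4", "Content-Length: 40"}},
		{"cl + te", []string{"Host: victim.example", "Content-Length: 4", "Transfer-Encoding: chunked"}},
	}
	for _, c := range cases {
		fmt.Printf("%-12s -> %v\n", c.name, checkFraming(c.lines))
	}
	smuggled := "POST / HTTP/1.1\r\nHost: victim.example\r\nContent-Length: 4\r\nContent-Length: 40\r\n\r\nabcd"
	fmt.Println("net/http accepts conflicting lengths:", stdlibAccepts(smuggled))
}
```

The validator deliberately works on the raw lines rather than on a parsed http.Header, because by the time a header map exists the look-alike name has either been dropped or merged, and the evidence of the smuggling attempt is gone.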

Revision 1.8 / (download) - annotate - [select for diffs], Sun Sep 13 14:24:58 2015 UTC (8 years, 6 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2015Q3-base
Branch point for: pkgsrc-2015Q3
Changes since 1.7: +2 -2 lines
Diff to previous 1.7 (colored) to selected 1.56 (colored)

Update Go to 1.5.1.

go1.5.1 (released 2015/09/08) includes bug fixes to the compiler, assembler,
and the fmt, net/textproto, net/http, and runtime packages. See the Go 1.5.1
milestone on our issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.5.1

Revision 1.7 / (download) - annotate - [select for diffs], Sat Aug 22 10:51:20 2015 UTC (8 years, 7 months ago) by bsiegert
Branch: MAIN
Changes since 1.6: +2 -2 lines
Diff to previous 1.6 (colored) to selected 1.56 (colored)

Update go to 1.5.

This release now needs the previous one (lang/go14) to build.

The biggest developments in the implementation are:

* The compiler and runtime are now written entirely in Go (with a little
  assembler). C is no longer involved in the implementation, and so the
  C compiler that was once necessary for building the distribution is
  gone.
* The garbage collector is now concurrent and provides dramatically
  lower pause times by running, when possible, in parallel with other
  goroutines.
* By default, Go programs run with GOMAXPROCS set to the number of cores
  available; in prior releases it defaulted to 1.
* Support for internal packages is now provided for all repositories,
  not just the Go core.
* The go command now provides experimental support for "vendoring"
  external dependencies.
* A new go tool trace command supports fine-grained tracing of program
  execution.
* A new go doc command (distinct from godoc) is customized for
  command-line use.

Full release notes are at https://golang.org/doc/go1.5.

Revision 1.6 / (download) - annotate - [select for diffs], Fri Jul 31 14:46:25 2015 UTC (8 years, 7 months ago) by bsiegert
Branch: MAIN
Changes since 1.5: +2 -1 lines
Diff to previous 1.5 (colored) to selected 1.56 (colored)

Create lang/go14 as a copy of lang/go but which installs under
$PREFIX/go14.

Go 1.5 is going to be released soon, and it will depend on an existing
installation of Go 1.4 to compile. So let's provide one.

Revision 1.5 / (download) - annotate - [select for diffs], Sun Feb 22 13:14:09 2015 UTC (9 years, 1 month ago) by mspo
Branch: MAIN
CVS Tags: pkgsrc-2015Q2-base, pkgsrc-2015Q2, pkgsrc-2015Q1-base, pkgsrc-2015Q1
Changes since 1.4: +2 -2 lines
Diff to previous 1.4 (colored) to selected 1.56 (colored)

go1.4.2 (released 2015/02/17) includes bug fixes to the go command, the compiler and linker, and the runtime, syscall, reflect, and math/big packages.

Revision 1.4 / (download) - annotate - [select for diffs], Fri Jan 16 11:27:03 2015 UTC (9 years, 2 months ago) by wiz
Branch: MAIN
Changes since 1.3: +2 -2 lines
Diff to previous 1.3 (colored) to selected 1.56 (colored)

Update to 1.4.1:

We've just released Go version 1.4.1, a minor point release.  This
release fixes bugs in linker and the log, runtime, and syscall
packages.

Revision 1.3 / (download) - annotate - [select for diffs], Wed Dec 31 11:40:14 2014 UTC (9 years, 2 months ago) by bsiegert
Branch: MAIN
Changes since 1.2: +5 -5 lines
Diff to previous 1.2 (colored) to selected 1.56 (colored)

Remove special case for golang.org/x/tools from the go command.

We handle it differently in the go-tools package. While here, rename
GO_COMPILER to GOCHAR, which is the name upstream uses.

Bump PKGREVISION.

Revision 1.2 / (download) - annotate - [select for diffs], Fri Dec 12 09:41:40 2014 UTC (9 years, 3 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2014Q4-base, pkgsrc-2014Q4
Changes since 1.1: +2 -2 lines
Diff to previous 1.1 (colored) to selected 1.56 (colored)

Update to 1.4, ok bsiegert:

Today we announce Go 1.4, the fifth major stable release of Go,
arriving six months after our previous major release Go 1.3. It
contains a small language change, support for more operating systems
and processor architectures, and improvements to the tool chain
and libraries. As always, Go 1.4 keeps the promise of compatibility,
and almost everything will continue to compile and run without
change when moved to 1.4. For the full details, see the Go 1.4
release notes.

The most notable new feature in this release is official support
for Android. Using the support in the core and the libraries in
the golang.org/x/mobile repository, it is now possible to write
simple Android apps using only Go code. At this stage, the support
libraries are still nascent and under heavy development. Early
adopters should expect a bumpy ride, but we welcome the community
to get involved.

The language change is a tweak to the syntax of for-range loops.
You may now write "for range s {" to loop over each item from s,
without having to assign the value, loop index, or map key. See
the release notes for details.

The go command has a new subcommand, go generate, to automate the
running of tools to generate source code before compilation. For
example, it can be used to automate the generation of String methods
for typed constants using the new stringer tool. For more information,
see the design document.

Most programs will run about the same speed or slightly faster in
1.4 than in 1.3; some will be slightly slower. There are many
changes, making it hard to be precise about what to expect. See
the release notes for more discussion.

And, of course, there are many more improvements and bug fixes.

In case you missed it, a few weeks ago the sub-repositories were
moved to new locations. For example, the go.tools packages are now
imported from "golang.org/x/tools". See the announcement post for
details.

This release also coincides with the project's move from Mercurial
to Git (for source control), Rietveld to Gerrit (for code review),
and Google Code to GitHub (for issue tracking and wiki). The move
affects the core Go repository and its sub-repositories. You can
find the canonical Git repositories at go.googlesource.com, and
the issue tracker and wiki at the golang/go GitHub repo.

Revision 1.1 / (download) - annotate - [select for diffs], Tue Nov 18 20:39:11 2014 UTC (9 years, 4 months ago) by bsiegert
Branch: MAIN
Diff to selected 1.56 (colored)

Add a separate Makefile for the version string plus GOARCH. To be used
by Go packages.

CVSweb <webmaster@jp.NetBSD.org>