Up to [cvs.NetBSD.org] / pkgsrc / lang / go
Default branch: MAIN
Revision 1.204, Tue Mar 5 19:37:52 2024 UTC (3 weeks, 1 day ago) by bsiegert
Branch: MAIN
CVS Tags: HEAD
Changes since 1.203: +2 -2 lines
go122: update to 1.22.1 (security)

This minor release includes 5 security fixes following the security policy:

- crypto/x509: Verify panics on certificates with an unknown public key algorithm

  Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic.

  This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.

  Thanks to John Howard (Google) for reporting this issue.

  This is CVE-2024-24783 and Go issue https://go.dev/issue/65390.

- net/http: memory exhaustion in Request.ParseMultipartForm

  When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permitted a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion.

  ParseMultipartForm now correctly limits the maximum size of form lines.

  Thanks to Bartek Nowotarski for reporting this issue.

  This is CVE-2023-45290 and Go issue https://go.dev/issue/65383.

- net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect

  When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not.

  A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-45289 and Go issue https://go.dev/issue/65065.

- html/template: errors returned from MarshalJSON methods may break template escaping

  If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.

  Thanks to RyotaK (https://ryotak.net) for reporting this issue.

  This is CVE-2024-24785 and Go issue https://go.dev/issue/65697.

- net/mail: comments in display names are incorrectly handled

  The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.

  Thanks to Juho Nurminen of Mattermost and Slonser (https://github.com/Slonser) for reporting this issue.

  This is CVE-2024-24784 and Go issue https://go.dev/issue/65083.
Revision 1.203, Tue Mar 5 19:27:58 2024 UTC (3 weeks, 1 day ago) by bsiegert
Branch: MAIN
Changes since 1.202: +2 -2 lines
go121: update to 1.21.8 (security)

This minor release includes 5 security fixes following the security policy:

- crypto/x509: Verify panics on certificates with an unknown public key algorithm

  Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic.

  This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.

  Thanks to John Howard (Google) for reporting this issue.

  This is CVE-2024-24783 and Go issue https://go.dev/issue/65390.

- net/http: memory exhaustion in Request.ParseMultipartForm

  When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permitted a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion.

  ParseMultipartForm now correctly limits the maximum size of form lines.

  Thanks to Bartek Nowotarski for reporting this issue.

  This is CVE-2023-45290 and Go issue https://go.dev/issue/65383.

- net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect

  When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not.

  A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-45289 and Go issue https://go.dev/issue/65065.

- html/template: errors returned from MarshalJSON methods may break template escaping

  If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.

  Thanks to RyotaK (https://ryotak.net) for reporting this issue.

  This is CVE-2024-24785 and Go issue https://go.dev/issue/65697.

- net/mail: comments in display names are incorrectly handled

  The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.

  Thanks to Juho Nurminen of Mattermost and Slonser (https://github.com/Slonser) for reporting this issue.

  This is CVE-2024-24784 and Go issue https://go.dev/issue/65083.
Revision 1.202, Fri Feb 9 20:34:10 2024 UTC (6 weeks, 5 days ago) by bsiegert
Branch: MAIN
Changes since 1.201: +2 -1 lines
Add a new package for go122-1.22.0

The latest Go release, version 1.22, arrives six months after Go 1.21. Most of its changes are in the implementation of the toolchain, runtime, and libraries. As always, the release maintains the Go 1 promise of compatibility. We expect almost all Go programs to continue to compile and run as before.

Release notes: https://go.dev/doc/go1.22
Revision 1.201, Wed Feb 7 14:44:16 2024 UTC (7 weeks, 1 day ago) by bsiegert
Branch: MAIN
Changes since 1.200: +2 -2 lines
go121: update 1.21.7

go1.21.7 (released 2024-02-06) includes fixes to the compiler, the go command, the runtime, and the crypto/x509 package. See the Go 1.21.7 milestone on the Go issue tracker for details.
Revision 1.200, Wed Feb 7 14:37:50 2024 UTC (7 weeks, 1 day ago) by bsiegert
Branch: MAIN
Changes since 1.199: +2 -2 lines
go120: update to 1.20.14

go1.20.14 (released 2024-02-06) includes fixes to the crypto/x509 package. See the Go 1.20.14 milestone on the issue tracker for details.
Revision 1.199, Wed Jan 10 16:49:29 2024 UTC (2 months, 2 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.198: +2 -2 lines
go121: update to 1.21.6

go1.21.6 (released 2024-01-09) includes fixes to the compiler, the runtime, and the crypto/tls, maps, and runtime/pprof packages. It also includes a fix for a slow memory leak on Linux.
Revision 1.198, Wed Jan 10 16:41:22 2024 UTC (2 months, 2 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.197: +2 -2 lines
go120: update to 1.20.13

go1.20.13 (released 2024-01-09) includes fixes to the runtime and the crypto/tls package.
Revision 1.189.2.3, Wed Dec 6 12:08:36 2023 UTC (3 months, 3 weeks ago) by spz
Branch: pkgsrc-2023Q3
Changes since 1.189.2.2: +3 -3 lines
Pullup ticket #6822 - requested by bsiegert lang/go120: security update lang/go121: security update lang/go: metadata update audio/gospt: revision bump audio/ymuse: revision bump chat/coyim: revision bump chat/gomuks: revision bump chat/matterircd: revision bump chat/senpai: revision bump chat/ssh-chat: revision bump databases/go-ldap: revision bump databases/influxdb: revision bump databases/mongo-tools: revision bump databases/mysqld_exporter: revision bump databases/postgres_exporter: revision bump databases/prometheus: revision bump databases/promscale: revision bump databases/sqlc: revision bump databases/timescaledb-tune: revision bump devel/asmfmt: revision bump devel/conftest: revision bump devel/errcheck: revision bump devel/fq: revision bump devel/git-lfs: revision bump devel/go-ed25519: revision bump devel/go-gocode: revision bump devel/go-golang-lru: revision bump devel/go-gopkgs: revision bump devel/go-goptlib: revision bump devel/go-goreturns: revision bump devel/go-gox: revision bump devel/go-impl: revision bump devel/go-logrus: revision bump devel/go-nbreader: revision bump devel/go-pty: revision bump devel/go-review: revision bump devel/go-siphash: revision bump devel/go-staticcheck: revision bump devel/go-swagger: revision bump devel/go-sys: revision bump devel/go-tools: revision bump devel/go-wire: revision bump devel/go-xerrors: revision bump devel/golangci-lint: revision bump devel/golint: revision bump devel/gomodifytags: revision bump devel/gopls: revision bump devel/goredo: revision bump devel/gotags: revision bump devel/gotests: revision bump devel/govulncheck: revision bump devel/lazygit: revision bump devel/mob: revision bump devel/nancy: revision bump devel/opa: revision bump devel/packr: revision bump devel/reftools: revision bump devel/regal: revision bump devel/revive: revision bump devel/shfmt: revision bump devel/syft: revision bump editors/micro: revision bump filesystems/kubo: revision bump graphics/gif2png: revision bump 
lang/joker: revision bump mail/opensmtpd-filter-rspamd: revision bump mail/opensmtpd-filter-senderscore: revision bump mail/postforward: revision bump misc/exercism: revision bump net/amazon-ecs-cli: revision bump net/amfora: revision bump net/bombadillo: revision bump net/croc: revision bump net/czds: revision bump net/dnscontrol: revision bump net/dnscrypt-proxy2: revision bump net/gh: revision bump net/go-dnstap: revision bump net/go-net: revision bump net/go-websocket: revision bump net/gunison: revision bump net/gvproxy: revision bump net/hub: revision bump net/ipget: revision bump net/kubectl: revision bump net/libquic: revision bump net/mangos: revision bump net/nats-server: revision bump net/obfs4proxy: revision bump net/rclone: revision bump net/stern: revision bump net/syncthing: revision bump net/terraform-provider-archive: revision bump net/terraform-provider-aws: revision bump net/terraform-provider-kubernetes: revision bump net/terraform-provider-local: revision bump net/terraform-provider-null: revision bump net/terraform-provider-random: revision bump net/terraform-provider-template: revision bump net/terraform-provider-vultr: revision bump net/terraform: revision bump net/tut: revision bump net/vultr-cli: revision bump pkgtools/pkglint: revision bump security/2fa: revision bump security/age: revision bump security/amass: revision bump security/authelia: revision bump security/cfssl: revision bump security/dnsx: revision bump security/go-asn1-ber: revision bump security/go-crypto: revision bump security/go-getpass: revision bump security/go-mkcert: revision bump security/gopass: revision bump security/httpx: revision bump security/nuclei: revision bump security/oauth2c: revision bump security/osv-scanner: revision bump security/subfinder: revision bump security/tlsx: revision bump security/trufflehog: revision bump security/vault: revision bump shells/elvish: revision bump shells/oh-my-posh: revision bump sysutils/beats: revision bump 
sysutils/consul: revision bump sysutils/direnv: revision bump sysutils/fzf: revision bump sysutils/goreman: revision bump sysutils/lf: revision bump sysutils/node_exporter: revision bump sysutils/packer: revision bump sysutils/podman: revision bump sysutils/restic: revision bump sysutils/vultr: revision bump textproc/glow: revision bump textproc/go-kr-text: revision bump textproc/go-md2man: revision bump textproc/go-mmark: revision bump textproc/go-text: revision bump textproc/miller: revision bump textproc/sift: revision bump www/apisprout: revision bump www/caddy: revision bump www/gitea: revision bump www/go-ffuf: revision bump www/go-minify: revision bump www/gotosocial: revision bump www/grafana: revision bump www/hugo: revision bump www/jira-cli: revision bump www/mycorrhiza: revision bump www/pup: revision bump www/restish: revision bump www/shoutrrr: revision bump Revisions pulled up: - lang/go/version.mk 1.194 - lang/go120/PLIST 1.10 - lang/go120/distinfo 1.12 - lang/go121/PLIST 1.4 - lang/go121/distinfo 1.4 - audio/gospt/Makefile by patch - audio/ymuse/Makefile by patch - chat/coyim/Makefile by patch - chat/gomuks/Makefile by patch - chat/matterircd/Makefile by patch - chat/senpai/Makefile by patch - chat/ssh-chat/Makefile by patch - databases/go-ldap/Makefile by patch - databases/influxdb/Makefile by patch - databases/mongo-tools/Makefile by patch - databases/mysqld_exporter/Makefile by patch - databases/postgres_exporter/Makefile by patch - databases/prometheus/Makefile by patch - databases/promscale/Makefile by patch - databases/sqlc/Makefile by patch - databases/timescaledb-tune/Makefile by patch - devel/asmfmt/Makefile by patch - devel/conftest/Makefile by patch - devel/errcheck/Makefile by patch - devel/fq/Makefile by patch - devel/git-lfs/Makefile by patch - devel/go-ed25519/Makefile by patch - devel/go-gocode/Makefile by patch - devel/go-golang-lru/Makefile by patch - devel/go-gopkgs/Makefile by patch - devel/go-goptlib/Makefile by patch - 
devel/go-goreturns/Makefile by patch - devel/go-gox/Makefile by patch - devel/go-impl/Makefile by patch - devel/go-logrus/Makefile by patch - devel/go-nbreader/Makefile by patch - devel/go-pty/Makefile by patch - devel/go-review/Makefile by patch - devel/go-siphash/Makefile by patch - devel/go-staticcheck/Makefile by patch - devel/go-swagger/Makefile by patch - devel/go-sys/Makefile by patch - devel/go-tools/Makefile by patch - devel/go-wire/Makefile by patch - devel/go-xerrors/Makefile by patch - devel/golangci-lint/Makefile by patch - devel/golint/Makefile by patch - devel/gomodifytags/Makefile by patch - devel/gopls/Makefile by patch - devel/goredo/Makefile by patch - devel/gotags/Makefile by patch - devel/gotests/Makefile by patch - devel/govulncheck/Makefile by patch - devel/lazygit/Makefile by patch - devel/mob/Makefile by patch - devel/nancy/Makefile by patch - devel/opa/Makefile by patch - devel/packr/Makefile by patch - devel/reftools/Makefile by patch - devel/regal/Makefile by patch - devel/revive/Makefile by patch - devel/shfmt/Makefile by patch - devel/syft/Makefile by patch - editors/micro/Makefile by patch - filesystems/kubo/Makefile by patch - graphics/gif2png/Makefile by patch - lang/joker/Makefile by patch - mail/opensmtpd-filter-rspamd/Makefile by patch - mail/opensmtpd-filter-senderscore/Makefile by patch - mail/postforward/Makefile by patch - misc/exercism/Makefile by patch - net/amazon-ecs-cli/Makefile by patch - net/amfora/Makefile by patch - net/bombadillo/Makefile by patch - net/croc/Makefile by patch - net/czds/Makefile by patch - net/dnscontrol/Makefile by patch - net/dnscrypt-proxy2/Makefile by patch - net/gh/Makefile by patch - net/go-dnstap/Makefile by patch - net/go-net/Makefile by patch - net/go-websocket/Makefile by patch - net/gunison/Makefile by patch - net/gvproxy/Makefile by patch - net/hub/Makefile by patch - net/ipget/Makefile by patch - net/kubectl/Makefile by patch - net/libquic/Makefile by patch - net/mangos/Makefile by 
patch - net/nats-server/Makefile by patch - net/obfs4proxy/Makefile by patch - net/rclone/Makefile by patch - net/stern/Makefile by patch - net/syncthing/Makefile by patch - net/terraform-provider-archive/Makefile by patch - net/terraform-provider-aws/Makefile by patch - net/terraform-provider-kubernetes/Makefile by patch - net/terraform-provider-local/Makefile by patch - net/terraform-provider-null/Makefile by patch - net/terraform-provider-random/Makefile by patch - net/terraform-provider-template/Makefile by patch - net/terraform-provider-vultr/Makefile by patch - net/terraform/Makefile by patch - net/tut/Makefile by patch - net/vultr-cli/Makefile by patch - pkgtools/pkglint/Makefile by patch - security/2fa/Makefile by patch - security/age/Makefile by patch - security/amass/Makefile by patch - security/authelia/Makefile by patch - security/cfssl/Makefile by patch - security/dnsx/Makefile by patch - security/go-asn1-ber/Makefile by patch - security/go-crypto/Makefile by patch - security/go-getpass/Makefile by patch - security/go-mkcert/Makefile by patch - security/gopass/Makefile by patch - security/httpx/Makefile by patch - security/nuclei/Makefile by patch - security/oauth2c/Makefile by patch - security/osv-scanner/Makefile by patch - security/subfinder/Makefile by patch - security/tlsx/Makefile by patch - security/trufflehog/Makefile by patch - security/vault/Makefile by patch - shells/elvish/Makefile by patch - shells/oh-my-posh/Makefile by patch - sysutils/beats/Makefile by patch - sysutils/consul/Makefile by patch - sysutils/direnv/Makefile by patch - sysutils/fzf/Makefile by patch - sysutils/goreman/Makefile by patch - sysutils/lf/Makefile by patch - sysutils/node_exporter/Makefile by patch - sysutils/packer/Makefile by patch - sysutils/podman/Makefile by patch - sysutils/restic/Makefile by patch - sysutils/vultr/Makefile by patch - textproc/glow/Makefile by patch - textproc/go-kr-text/Makefile by patch - textproc/go-md2man/Makefile by patch - 
textproc/go-mmark/Makefile by patch - textproc/go-text/Makefile by patch - textproc/miller/Makefile by patch - textproc/sift/Makefile by patch - www/apisprout/Makefile by patch - www/caddy/Makefile by patch - www/gitea/Makefile by patch - www/go-ffuf/Makefile by patch - www/go-minify/Makefile by patch - www/gotosocial/Makefile by patch - www/grafana/Makefile by patch - www/hugo/Makefile by patch - www/jira-cli/Makefile by patch - www/mycorrhiza/Makefile by patch - www/pup/Makefile by patch - www/restish/Makefile by patch - www/shoutrrr/Makefile by patch

-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: bsiegert
Date: Fri Nov 10 15:39:34 UTC 2023

Modified Files:
  pkgsrc/lang/go: version.mk
  pkgsrc/lang/go120: PLIST distinfo
  pkgsrc/lang/go121: PLIST distinfo

Log Message:
Update go120 to 1.20.11 and go121 to 1.21.4 (security).

These minor releases include 2 security fixes following the security policy:

- path/filepath: recognize \??\ as a Root Local Device path prefix.

  On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to access arbitrary locations on the system. For example, the path \??\c:\x is equivalent to the more common path c:\x.

  The filepath package did not recognize paths with a \??\ prefix as special.

  Clean could convert a rooted path such as \a\..\??\b into the root local device path \??\b. It will now convert this path into .\??\b.

  IsAbs did not report paths beginning with \??\ as absolute. It now does so.

  VolumeName now reports the \??\ prefix as a volume name.

  Join(`\`, `??`, `b`) could convert a seemingly innocent sequence of path elements into the root local device path \??\b. It will now convert this to \.\??\b.

  This is CVE-2023-45283 and https://go.dev/issue/63713.

- path/filepath: recognize device names with trailing spaces and superscripts

  The IsLocal function did not correctly detect reserved names in some cases:

  - reserved names followed by spaces, such as "COM1 ".
  - "COM" or "LPT" followed by a superscript 1, 2, or 3.

  IsLocal now correctly reports these names as non-local.

  This is CVE-2023-45284 and https://go.dev/issue/63713.

To generate a diff of this commit:
cvs rdiff -u -r1.193 -r1.194 pkgsrc/lang/go/version.mk
cvs rdiff -u -r1.9 -r1.10 pkgsrc/lang/go120/PLIST
cvs rdiff -u -r1.11 -r1.12 pkgsrc/lang/go120/distinfo
cvs rdiff -u -r1.3 -r1.4 pkgsrc/lang/go121/PLIST pkgsrc/lang/go121/distinfo
Revision 1.197, Tue Dec 5 19:28:26 2023 UTC (3 months, 3 weeks ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2023Q4-base, pkgsrc-2023Q4
Changes since 1.196: +2 -2 lines
go121: update to 1.21.5 (security)

This minor release includes 3 security fixes following the security policy:

- net/http: limit chunked data overhead

  A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body.

  A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request.

  Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.

  Thanks to Bartek Nowotarski for reporting this issue.

  This is CVE-2023-39326 and Go issue https://go.dev/issue/64433.

- cmd/go: go get may unexpectedly fallback to insecure git

  Using go get to fetch a module with the ".git" suffix may unexpectedly fall back to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).

  Thanks to David Leadbeater for reporting this issue.

  This is CVE-2023-45285 and Go issue https://go.dev/issue/63845.

- path/filepath: retain trailing \ when cleaning paths like \\?\c:\

  Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \\?\, resulting in filepath.Clean(\\?\c:\) returning \\?\c: rather than \\?\c:\ (among other effects). The previous behavior has been restored.

  This is an update to CVE-2023-45283 and Go issue https://go.dev/issue/64028.
Revision 1.196, Tue Dec 5 19:17:57 2023 UTC (3 months, 3 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.195: +2 -2 lines
go120: update to 1.20.12 (security)

This minor release includes 3 security fixes following the security policy:

- net/http: limit chunked data overhead

  A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body.

  A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request.

  Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.

  Thanks to Bartek Nowotarski for reporting this issue.

  This is CVE-2023-39326 and Go issue https://go.dev/issue/64433.

- cmd/go: go get may unexpectedly fallback to insecure git

  Using go get to fetch a module with the ".git" suffix may unexpectedly fall back to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).

  Thanks to David Leadbeater for reporting this issue.

  This is CVE-2023-45285 and Go issue https://go.dev/issue/63845.

- path/filepath: retain trailing \ when cleaning paths like \\?\c:\

  Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \\?\, resulting in filepath.Clean(\\?\c:\) returning \\?\c: rather than \\?\c:\ (among other effects). The previous behavior has been restored.

  This is an update to CVE-2023-45283 and Go issue https://go.dev/issue/64028.
Revision 1.195, Wed Nov 15 15:54:40 2023 UTC (4 months, 1 week ago) by jperkin
Branch: MAIN
Changes since 1.194: +4 -2 lines
go: Add support for GO_VERSION_REQD. This isn't full multi support like other languages yet, but for now simply a way for a package to indicate that it requires a specific version of go. Useful for things like wireguard-go which currently do not build with 1.21.
Revision 1.194, Fri Nov 10 15:39:34 2023 UTC (4 months, 2 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.193: +3 -3 lines
Update go120 to 1.20.11 and go121 to 1.21.4 (security).

These minor releases include 2 security fixes following the security policy:

- path/filepath: recognize \??\ as a Root Local Device path prefix.

  On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to access arbitrary locations on the system. For example, the path \??\c:\x is equivalent to the more common path c:\x.

  The filepath package did not recognize paths with a \??\ prefix as special.

  Clean could convert a rooted path such as \a\..\??\b into the root local device path \??\b. It will now convert this path into .\??\b.

  IsAbs did not report paths beginning with \??\ as absolute. It now does so.

  VolumeName now reports the \??\ prefix as a volume name.

  Join(`\`, `??`, `b`) could convert a seemingly innocent sequence of path elements into the root local device path \??\b. It will now convert this to \.\??\b.

  This is CVE-2023-45283 and https://go.dev/issue/63713.

- path/filepath: recognize device names with trailing spaces and superscripts

  The IsLocal function did not correctly detect reserved names in some cases:

  - reserved names followed by spaces, such as "COM1 ".
  - "COM" or "LPT" followed by a superscript 1, 2, or 3.

  IsLocal now correctly reports these names as non-local.

  This is CVE-2023-45284 and https://go.dev/issue/63713.
Revision 1.189.2.2, Sat Nov 4 13:00:31 2023 UTC (4 months, 3 weeks ago) by spz
Branch: pkgsrc-2023Q3
Changes since 1.189.2.1: +2 -2 lines
Pullup ticket #6816 - requested by bsiegert

lang/go121: security update
lang/go: metadata update

Revisions pulled up:
- lang/go/version.mk 1.191
- lang/go121/PLIST 1.3
- lang/go121/distinfo 1.3

-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: bsiegert
Date: Sun Oct 15 09:26:35 UTC 2023

Modified Files:
  pkgsrc/lang/go: version.mk
  pkgsrc/lang/go121: PLIST distinfo

Log Message:
go121: update to 1.21.3 (security)

1.21.3

net/http: rapid stream resets can cause excessive work

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded to the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing.

HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit. New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection.

This issue is also fixed in golang.org/x/net/http2 v0.17.0, for users manually configuring HTTP/2.

The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.

This is CVE-2023-39325 and Go issue https://go.dev/issue/63417. This is also tracked by CVE-2023-44487.

1.21.2

cmd/go: line directives allows arbitrary execution during build

"//line" directives can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.

This is CVE-2023-39323 and Go issue https://go.dev/issue/63211.

To generate a diff of this commit:
cvs rdiff -u -r1.190 -r1.191 pkgsrc/lang/go/version.mk
cvs rdiff -u -r1.2 -r1.3 pkgsrc/lang/go121/PLIST pkgsrc/lang/go121/distinfo
Revision 1.193, Sun Oct 29 14:40:35 2023 UTC (4 months, 4 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.192: +2 -2 lines
Set Go 1.21 as the default Go version. I did a verification bulk build with this change and updated all the packages that were broken by this (kubo, ipget, caddy, etc.), so I hope that this does not introduce any breakage.
Revision 1.189.2.1, Sun Oct 22 18:44:03 2023 UTC (5 months ago) by spz
Branch: pkgsrc-2023Q3
Changes since 1.189: +2 -2 lines
Pullup ticket #6812 - requested by bsiegert lang/go120: security update lang/go: version info update audio/gospt: RevBump audio/ymuse: RevBump chat/coyim: RevBump chat/gomuks: RevBump chat/matterircd: RevBump chat/senpai: RevBump chat/ssh-chat: RevBump databases/go-ldap: RevBump databases/influxdb: RevBump databases/mongo-tools: RevBump databases/mysqld_exporter: RevBump databases/postgres_exporter: RevBump databases/prometheus: RevBump databases/promscale: RevBump databases/sqlc: RevBump databases/timescaledb-tune: RevBump devel/asmfmt: RevBump devel/conftest: RevBump devel/errcheck: RevBump devel/fq: RevBump devel/git-lfs: RevBump devel/go-ed25519: RevBump devel/go-gocode: RevBump devel/go-golang-lru: RevBump devel/go-gopkgs: RevBump devel/go-goptlib: RevBump devel/go-goreturns: RevBump devel/go-gox: RevBump devel/go-impl: RevBump devel/go-logrus: RevBump devel/go-nbreader: RevBump devel/go-pty: RevBump devel/go-review: RevBump devel/go-siphash: RevBump devel/go-staticcheck: RevBump devel/go-swagger: RevBump devel/go-sys: RevBump devel/go-tools: RevBump devel/go-wire: RevBump devel/go-xerrors: RevBump devel/golangci-lint: RevBump devel/golint: RevBump devel/gomodifytags: RevBump devel/gopls: RevBump devel/goredo: RevBump devel/gotags: RevBump devel/gotests: RevBump devel/govulncheck: RevBump devel/lazygit: RevBump devel/mob: RevBump devel/nancy: RevBump devel/opa: RevBump devel/packr: RevBump devel/reftools: RevBump devel/regal: RevBump devel/revive: RevBump devel/shfmt: RevBump devel/syft: RevBump editors/micro: RevBump filesystems/kubo: RevBump graphics/gif2png: RevBump lang/joker: RevBump mail/opensmtpd-filter-rspamd: RevBump mail/opensmtpd-filter-senderscore: RevBump mail/postforward: RevBump meta-pkgs/bulk-test-essential: RevBump misc/exercism: RevBump net/amazon-ecs-cli: RevBump net/amfora: RevBump net/bombadillo: RevBump net/croc: RevBump net/czds: RevBump net/dnscontrol: RevBump net/dnscrypt-proxy2: RevBump net/gh: RevBump net/go-dnstap: RevBump 
net/go-net: RevBump net/go-websocket: RevBump net/gunison: RevBump net/gvproxy: RevBump net/hub: RevBump net/ipget: RevBump net/kubectl: RevBump net/libquic: RevBump net/mangos: RevBump net/nats-server: RevBump net/obfs4proxy: RevBump net/rclone: RevBump net/stern: RevBump net/syncthing: RevBump net/terraform-provider-archive: RevBump net/terraform-provider-aws: RevBump net/terraform-provider-kubernetes: RevBump net/terraform-provider-local: RevBump net/terraform-provider-null: RevBump net/terraform-provider-random: RevBump net/terraform-provider-template: RevBump net/terraform-provider-vultr: RevBump net/terraform: RevBump net/tut: RevBump net/vultr-cli: RevBump pkgtools/pkglint: RevBump security/2fa: RevBump security/age: RevBump security/amass: RevBump security/authelia: RevBump security/cfssl: RevBump security/dnsx: RevBump security/go-asn1-ber: RevBump security/go-crypto: RevBump security/go-getpass: RevBump security/go-mkcert: RevBump security/gopass: RevBump security/httpx: RevBump security/nuclei: RevBump security/oauth2c: RevBump security/osv-scanner: RevBump security/subfinder: RevBump security/tlsx: RevBump security/trufflehog: RevBump security/vault: RevBump shells/elvish: RevBump shells/oh-my-posh: RevBump sysutils/beats: RevBump sysutils/consul: RevBump sysutils/direnv: RevBump sysutils/fzf: RevBump sysutils/goreman: RevBump sysutils/lf: RevBump sysutils/node_exporter: RevBump sysutils/packer: RevBump sysutils/podman: RevBump sysutils/restic: RevBump sysutils/vultr: RevBump textproc/glow: RevBump textproc/go-kr-text: RevBump textproc/go-md2man: RevBump textproc/go-mmark: RevBump textproc/go-text: RevBump textproc/miller: RevBump textproc/sift: RevBump www/apisprout: RevBump www/caddy: RevBump www/gitea: RevBump www/go-ffuf: RevBump www/go-minify: RevBump www/gotosocial: RevBump www/grafana: RevBump www/hugo: RevBump www/jira-cli: RevBump www/mycorrhiza: RevBump www/pup: RevBump www/restish: RevBump www/shoutrrr: RevBump Revisions pulled up: - 
lang/go/version.mk 1.190,1.192
- lang/go120/PLIST 1.9
- lang/go120/distinfo 1.10-1.11
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: bsiegert
Date: Sat Oct 7 18:09:35 UTC 2023
Modified Files:
pkgsrc/lang/go: version.mk
pkgsrc/lang/go120: PLIST distinfo
Log Message:
go120: update to 1.20.9 (security).
cmd/go: line directives allows arbitrary execution during build
"//line" directives can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.
This is CVE-2023-39323 and Go issue https://go.dev/issue/63211.
View the release notes for more information: https://go.dev/doc/devel/release#go1.20.9
To generate a diff of this commit:
cvs rdiff -u -r1.189 -r1.190 pkgsrc/lang/go/version.mk
cvs rdiff -u -r1.8 -r1.9 pkgsrc/lang/go120/PLIST
cvs rdiff -u -r1.9 -r1.10 pkgsrc/lang/go120/distinfo
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: bsiegert
Date: Sun Oct 15 11:02:08 UTC 2023
Modified Files:
pkgsrc/lang/go: version.mk
pkgsrc/lang/go120: distinfo
Log Message:
go120: update to 1.20.10 (security)
net/http: rapid stream resets can cause excessive work
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded to the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing.
HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit. New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection.
This issue is also fixed in golang.org/x/net/http2 v0.17.0, for users manually configuring HTTP/2.
The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.
This is CVE-2023-39325 and Go issue https://go.dev/issue/63417. This is also tracked by CVE-2023-44487.
To generate a diff of this commit:
cvs rdiff -u -r1.191 -r1.192 pkgsrc/lang/go/version.mk
cvs rdiff -u -r1.10 -r1.11 pkgsrc/lang/go120/distinfo
Revision 1.192 / (download) - annotate - [select for diffs], Sun Oct 15 11:02:08 2023 UTC (5 months, 1 week ago) by bsiegert
Branch: MAIN
Changes since 1.191: +2 -2 lines
go120: update to 1.20.10 (security)
net/http: rapid stream resets can cause excessive work
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded to the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing.
HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit. New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection.
This issue is also fixed in golang.org/x/net/http2 v0.17.0, for users manually configuring HTTP/2.
The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.
This is CVE-2023-39325 and Go issue https://go.dev/issue/63417. This is also tracked by CVE-2023-44487.
Revision 1.191 / (download) - annotate - [select for diffs], Sun Oct 15 09:26:34 2023 UTC (5 months, 1 week ago) by bsiegert
Branch: MAIN
Changes since 1.190: +2 -2 lines
go121: update to 1.21.3 (security)
1.21.3
net/http: rapid stream resets can cause excessive work
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded to the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing.
HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit. New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection.
This issue is also fixed in golang.org/x/net/http2 v0.17.0, for users manually configuring HTTP/2.
The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.
This is CVE-2023-39325 and Go issue https://go.dev/issue/63417. This is also tracked by CVE-2023-44487.
1.21.2
cmd/go: line directives allows arbitrary execution during build
"//line" directives can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.
This is CVE-2023-39323 and Go issue https://go.dev/issue/63211.
Revision 1.190 / (download) - annotate - [select for diffs], Sat Oct 7 18:09:35 2023 UTC (5 months, 2 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.189: +2 -2 lines
go120: update to 1.20.9 (security).
cmd/go: line directives allows arbitrary execution during build
"//line" directives can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.
This is CVE-2023-39323 and Go issue https://go.dev/issue/63211.
View the release notes for more information: https://go.dev/doc/devel/release#go1.20.9
Revision 1.189 / (download) - annotate - [select for diffs], Fri Sep 8 19:02:04 2023 UTC (6 months, 2 weeks ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2023Q3-base
Branch point for: pkgsrc-2023Q3
Changes since 1.188: +2 -2 lines
go119: update to 1.19.13 go1.19.13 (released 2023-09-06) includes fixes to the go command, and the crypto/tls and net/http packages. See the Go 1.19.13 milestone on our issue tracker for details.
Revision 1.188 / (download) - annotate - [select for diffs], Fri Sep 8 18:49:45 2023 UTC (6 months, 2 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.187: +2 -2 lines
go120: update to 1.20.8 (security)
This minor release includes 4 security fixes following the security policy:
- cmd/go: go.mod toolchain directive allows arbitrary execution
The go.mod toolchain directive, introduced in Go 1.21, could be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software. Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2023-39320 and Go issue https://go.dev/issue/62198.
- html/template: improper handling of HTML-like comments within script contexts
The html/template package did not properly handle HTML-like "<!--" and "-->" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack. Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue. This is CVE-2023-39318 and Go issue https://go.dev/issue/62196.
- html/template: improper handling of special tags within script contexts
The html/template package did not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack. Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue. This is CVE-2023-39319 and Go issue https://go.dev/issue/62197.
- crypto/tls: panic when processing post-handshake message on QUIC connections
Processing an incomplete post-handshake message for a QUIC connection caused a panic. Thanks to Marten Seemann for reporting this issue. This is CVE-2023-39321 and CVE-2023-39322 and Go issue https://go.dev/issue/62266.
Revision 1.187 / (download) - annotate - [select for diffs], Fri Sep 8 13:06:29 2023 UTC (6 months, 2 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.186: +2 -2 lines
go121: update to 1.21.1 (security)
This minor release includes 4 security fixes following the security policy:
- cmd/go: go.mod toolchain directive allows arbitrary execution
The go.mod toolchain directive, introduced in Go 1.21, could be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software. Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2023-39320 and Go issue https://go.dev/issue/62198.
- html/template: improper handling of HTML-like comments within script contexts
The html/template package did not properly handle HTML-like "<!--" and "-->" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack. Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue. This is CVE-2023-39318 and Go issue https://go.dev/issue/62196.
- html/template: improper handling of special tags within script contexts
The html/template package did not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack. Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue. This is CVE-2023-39319 and Go issue https://go.dev/issue/62197.
- crypto/tls: panic when processing post-handshake message on QUIC connections
Processing an incomplete post-handshake message for a QUIC connection caused a panic. Thanks to Marten Seemann for reporting this issue. This is CVE-2023-39321 and CVE-2023-39322 and Go issue https://go.dev/issue/62266.
View the release notes for more information: https://go.dev/doc/devel/release#go1.21.1
Revision 1.186 / (download) - annotate - [select for diffs], Sat Aug 26 16:35:29 2023 UTC (7 months ago) by bsiegert
Branch: MAIN
Changes since 1.185: +2 -1 lines
New package, go121-1.21.0. This will not be the default Go version in the next branch, since the freeze date is close.
Revision 1.185 / (download) - annotate - [select for diffs], Fri Aug 25 18:29:24 2023 UTC (7 months ago) by bsiegert
Branch: MAIN
Changes since 1.184: +2 -2 lines
go120: update to 1.20.7 (security) go1.20.7 (released 2023-08-01) includes a security fix to the crypto/tls package, as well as bug fixes to the assembler and the compiler. See the Go 1.20.7 milestone on our issue tracker for details.
Revision 1.184 / (download) - annotate - [select for diffs], Sat Aug 12 13:02:54 2023 UTC (7 months, 2 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.183: +2 -2 lines
Update go119 to 1.19.12 (security).
crypto/tls: restrict RSA keys in certificates to <= 8192 bits
Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. Limit this by restricting the size of RSA keys transmitted during handshakes to <= 8192 bits.
Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.
Thanks to Mateusz Poliwczak for reporting this issue.
Revision 1.183 / (download) - annotate - [select for diffs], Sat Jul 15 10:40:37 2023 UTC (8 months, 1 week ago) by bsiegert
Branch: MAIN
Changes since 1.182: +2 -2 lines
go120: update to 1.20.6 (security)
This minor release includes 1 security fix following the security policy:
net/http: insufficient sanitization of Host header
The HTTP/1 client did not fully validate the contents of the Host header. A maliciously crafted Host header could inject additional headers or entire requests. The HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.
Thanks to Bartek Nowotarski for reporting this issue.
Includes security fixes for CVE-2023-29406 and Go issue https://go.dev/issue/60374
Revision 1.182 / (download) - annotate - [select for diffs], Sat Jul 15 10:35:14 2023 UTC (8 months, 1 week ago) by bsiegert
Branch: MAIN
Changes since 1.181: +2 -2 lines
go119: update to 1.19.11 (security)
This minor release includes 1 security fix following the security policy:
net/http: insufficient sanitization of Host header
The HTTP/1 client did not fully validate the contents of the Host header. A maliciously crafted Host header could inject additional headers or entire requests. The HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.
Thanks to Bartek Nowotarski for reporting this issue.
Includes security fixes for CVE-2023-29406 and Go issue https://go.dev/issue/60374
Revision 1.181 / (download) - annotate - [select for diffs], Sat Jun 10 11:41:31 2023 UTC (9 months, 2 weeks ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2023Q2-base, pkgsrc-2023Q2
Changes since 1.180: +2 -2 lines
go120: update to 1.20.5 (security)
This minor release includes 3 security fixes following the security policy:
- cmd/go: cgo code injection
The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected). Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2023-29402 and Go issue https://go.dev/issue/60167.
- runtime: unexpected behavior of setuid/setgid binaries
The Go runtime didn't act any differently when a binary had the setuid/setgid bit set. On Unix platforms, if a setuid/setgid binary was executed with standard I/O file descriptors closed, opening any files could result in unexpected content being read/written with elevated privileges. Similarly if a setuid/setgid program was terminated, either via panic or signal, it could leak the contents of its registers. Thanks to Vincent Dehors from Synacktiv for reporting this issue. This is CVE-2023-29403 and Go issue https://go.dev/issue/60272.
- cmd/go: improper sanitization of LDFLAGS
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2023-29404 and CVE-2023-29405 and Go issues https://go.dev/issue/60305 and https://go.dev/issue/60306.
Revision 1.180 / (download) - annotate - [select for diffs], Tue Jun 6 18:49:04 2023 UTC (9 months, 3 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.179: +2 -2 lines
go119: update to 1.19.10 (security)
This minor release includes 3 security fixes following the security policy:
- cmd/go: cgo code injection
The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected). Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2023-29402 and Go issue https://go.dev/issue/60167.
- runtime: unexpected behavior of setuid/setgid binaries
The Go runtime didn't act any differently when a binary had the setuid/setgid bit set. On Unix platforms, if a setuid/setgid binary was executed with standard I/O file descriptors closed, opening any files could result in unexpected content being read/written with elevated privileges. Similarly if a setuid/setgid program was terminated, either via panic or signal, it could leak the contents of its registers. Thanks to Vincent Dehors from Synacktiv for reporting this issue. This is CVE-2023-29403 and Go issue https://go.dev/issue/60272.
- cmd/go: improper sanitization of LDFLAGS
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2023-29404 and CVE-2023-29405 and Go issues https://go.dev/issue/60305 and https://go.dev/issue/60306.
Revision 1.179 / (download) - annotate - [select for diffs], Fri May 5 18:33:15 2023 UTC (10 months, 3 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.178: +2 -2 lines
go120: update to 1.20.4 (security)
This minor release includes 3 security fixes following the security policy:
* html/template: improper sanitization of CSS values
Angle brackets (<>) were not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character could result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input. Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2023-24539 and Go issue https://go.dev/issue/59720.
* html/template: improper handling of JavaScript whitespace
Not all valid JavaScript whitespace characters were considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution. Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2023-24540 and Go issue https://go.dev/issue/59721.
* html/template: improper handling of empty HTML attributes
Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input could result in output that would have unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags. Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2023-29400 and Go issue https://go.dev/issue/59722.
Revision 1.178 / (download) - annotate - [select for diffs], Wed May 3 19:24:54 2023 UTC (10 months, 3 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.177: +2 -2 lines
go119: update to 1.19.9 (security)
This minor release includes 3 security fixes following the security policy:
* html/template: improper sanitization of CSS values
Angle brackets (<>) were not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character could result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input. Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2023-24539 and Go issue https://go.dev/issue/59720.
* html/template: improper handling of JavaScript whitespace
Not all valid JavaScript whitespace characters were considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution. Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2023-24540 and Go issue https://go.dev/issue/59721.
* html/template: improper handling of empty HTML attributes
Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input could result in output that would have unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags. Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2023-29400 and Go issue https://go.dev/issue/59722.
Revision 1.177 / (download) - annotate - [select for diffs], Tue Apr 4 18:33:25 2023 UTC (11 months, 3 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.176: +2 -2 lines
go120: update to 1.20.3 (security)
This minor release includes 4 security fixes following the security policy:
- go/parser: infinite loop in parsing
Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow. Thanks to Philippe Antoine (Catena cyber) for reporting this issue. This is CVE-2023-24537 and Go issue https://go.dev/issue/59180.
- html/template: backticks not treated as string delimiters
Templates did not properly consider backticks (`) as Javascript string delimiters, and as such did not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contained a Go template action within a Javascript template literal, the contents of the action could be used to terminate the literal, injecting arbitrary Javascript code into the Go template.
As ES6 template literals are rather complex, and themselves can do string interpolation, we've decided to simply disallow Go template actions from being used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. Template.Parse will now return an Error when it encounters templates like this, with a currently unexported ErrorCode with a value of 12. This ErrorCode will be exported in the next major release.
Users who rely on this behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks will now be escaped. This should be used with caution. Thanks to Sohom Datta, Manipal Institute of Technology, for reporting this issue. This is CVE-2023-24538 and Go issue https://go.dev/issue/59234.
- net/http, net/textproto: denial of service from excessive memory allocation
HTTP and MIME header parsing could allocate large amounts of memory, even when parsing small inputs. Certain unusual patterns of input data could cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. Header parsing now correctly allocates only the memory required to hold parsed headers. Thanks to Jakob Ackermann (@das7pad) for discovering this issue. This is CVE-2023-24534 and Go issue https://go.dev/issue/58975.
- net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption
Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes:
  * mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm could undercount the amount of memory consumed, leading it to accept larger inputs than intended.
  * Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts.
  * ReadForm could allocate a large number of short-lived buffers, further increasing pressure on the garbage collector.
The combination of these factors can permit an attacker to cause a program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue.
ReadForm now does a better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations. In addition, mime/multipart.Reader now imposes the following limits on the size of parsed forms:
  * Forms parsed with ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxparts=.
  * Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=.
Thanks to Jakob Ackermann (@das7pad) for discovering this issue. This is CVE-2023-24536 and Go issue https://go.dev/issue/59153.
Revision 1.176 / (download) - annotate - [select for diffs], Tue Apr 4 18:22:14 2023 UTC (11 months, 3 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.175: +2 -2 lines
go119: update to 1.19.8 (security)
This minor release includes 4 security fixes following the security policy:
- go/parser: infinite loop in parsing
Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow. Thanks to Philippe Antoine (Catena cyber) for reporting this issue. This is CVE-2023-24537 and Go issue https://go.dev/issue/59180.
- html/template: backticks not treated as string delimiters
Templates did not properly consider backticks (`) as Javascript string delimiters, and as such did not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contained a Go template action within a Javascript template literal, the contents of the action could be used to terminate the literal, injecting arbitrary Javascript code into the Go template.
As ES6 template literals are rather complex, and themselves can do string interpolation, we've decided to simply disallow Go template actions from being used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. Template.Parse will now return an Error when it encounters templates like this, with a currently unexported ErrorCode with a value of 12. This ErrorCode will be exported in the next major release.
Users who rely on this behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks will now be escaped. This should be used with caution. Thanks to Sohom Datta, Manipal Institute of Technology, for reporting this issue. This is CVE-2023-24538 and Go issue https://go.dev/issue/59234.
- net/http, net/textproto: denial of service from excessive memory allocation
HTTP and MIME header parsing could allocate large amounts of memory, even when parsing small inputs. Certain unusual patterns of input data could cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. Header parsing now correctly allocates only the memory required to hold parsed headers. Thanks to Jakob Ackermann (@das7pad) for discovering this issue. This is CVE-2023-24534 and Go issue https://go.dev/issue/58975.
- net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption
Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes:
  * mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm could undercount the amount of memory consumed, leading it to accept larger inputs than intended.
  * Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts.
  * ReadForm could allocate a large number of short-lived buffers, further increasing pressure on the garbage collector.
The combination of these factors can permit an attacker to cause a program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue.
ReadForm now does a better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations. In addition, mime/multipart.Reader now imposes the following limits on the size of parsed forms:
  * Forms parsed with ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxparts=.
  * Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=.
Thanks to Jakob Ackermann (@das7pad) for discovering this issue. This is CVE-2023-24536 and Go issue https://go.dev/issue/59153.
Revision 1.175, Wed Mar 8 13:14:58 2023 UTC (12 months, 3 weeks ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2023Q1-base, pkgsrc-2023Q1
Changes since 1.174: +2 -2 lines

go119: update to 1.19.7

This minor release includes 1 security fix following the security policy:

crypto/elliptic: incorrect P-256 ScalarMult and ScalarBaseMult results

The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve). This does not impact usages of crypto/ecdsa or crypto/ecdh.

Thanks to Guido Vranken for reporting this issue via the Ethereum Foundation bug bounty program.

This is CVE-2023-24532 and Go issue https://go.dev/issue/58647.

Revision 1.174, Wed Mar 8 08:51:16 2023 UTC (12 months, 3 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.173: +3 -3 lines

go120: update to 1.20.2

This minor release includes 1 security fix following the security policy:

crypto/elliptic: incorrect P-256 ScalarMult and ScalarBaseMult results

The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve). This does not impact usages of crypto/ecdsa or crypto/ecdh.

Thanks to Guido Vranken for reporting this issue via the Ethereum Foundation bug bounty program.

This is CVE-2023-24532 and Go issue https://go.dev/issue/58647.

Revision 1.173, Thu Feb 16 13:55:55 2023 UTC (13 months, 1 week ago) by bsiegert
Branch: MAIN
Changes since 1.172: +2 -2 lines

go119: update to 1.19.6 (security)

This minor release includes 4 security fixes following the security policy:

- path/filepath: path traversal in filepath.Clean on Windows

  On Windows, the filepath.Clean function could transform an invalid path such as a/../c:/b into the valid path c:\b. This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. The filepath.Clean function will now transform this path into the relative (but still invalid) path .\c:\b.

  Thanks to RyotaK (https://ryotak.net) for reporting this issue.

  This is CVE-2022-41722 and Go issue https://go.dev/issue/57274.

- net/http, mime/multipart: denial of service from excessive resource consumption

  Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue.

  ReadForm takes a maxMemory parameter, and is documented as storing "up to maxMemory bytes +10MB (reserved for non-file parts) in memory". File parts which cannot be stored in memory are stored on disk in temporary files. The unconfigurable 10MB reserved for non-file parts is excessively large and can potentially open a denial of service vector on its own. However, ReadForm did not properly account for all memory consumed by a parsed form, such as map entry overhead, part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In addition, ReadForm contained no limit on the number of disk files created, permitting a relatively small request body to create a large number of disk temporary files.

  ReadForm now properly accounts for various forms of memory overhead, and should now stay within its documented limit of 10MB + maxMemory bytes of memory consumption. Users should still be aware that this limit is high and may still be hazardous.

  ReadForm now creates at most one on-disk temporary file, combining multiple form parts into a single temporary file. The mime/multipart.File interface type's documentation states, "If stored on disk, the File's underlying concrete type will be an *os.File.". This is no longer the case when a form contains more than one file part, due to this coalescing of parts into a single file. The previous behavior of using distinct files for each form part may be reenabled with the environment variable GODEBUG=multipartfiles=distinct.

  Users should be aware that multipart.ReadForm and the http.Request methods that call it do not limit the amount of disk consumed by temporary files. Callers can limit the size of form data with http.MaxBytesReader.

  Thanks to Arpad Ryszka and Jakob Ackermann (@das7pad) for reporting this issue.

  This is CVE-2022-41725 and Go issue https://go.dev/issue/58006.

- crypto/tls: large handshake records may cause panics

  Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses.

  This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).

  Thanks to Marten Seemann for reporting this issue.

  This is CVE-2022-41724 and Go issue https://go.dev/issue/58001.

- net/http: avoid quadratic complexity in HPACK decoding

  A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.

  This issue is also fixed in golang.org/x/net/http2 v0.7.0, for users manually configuring HTTP/2.

  Thanks to Philippe Antoine (Catena cyber) for reporting this issue.

  This is CVE-2022-41723 and Go issue https://go.dev/issue/57855.

Revision 1.172, Thu Feb 16 10:39:59 2023 UTC (13 months, 1 week ago) by bsiegert
Branch: MAIN
Changes since 1.171: +2 -2 lines

go120: update to 1.20.1 (security)

This minor release includes 4 security fixes following the security policy:

- path/filepath: path traversal in filepath.Clean on Windows

  On Windows, the filepath.Clean function could transform an invalid path such as a/../c:/b into the valid path c:\b. This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. The filepath.Clean function will now transform this path into the relative (but still invalid) path .\c:\b.

  Thanks to RyotaK (https://ryotak.net) for reporting this issue.

  This is CVE-2022-41722 and Go issue https://go.dev/issue/57274.

- net/http, mime/multipart: denial of service from excessive resource consumption

  Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue.

  ReadForm takes a maxMemory parameter, and is documented as storing "up to maxMemory bytes +10MB (reserved for non-file parts) in memory". File parts which cannot be stored in memory are stored on disk in temporary files. The unconfigurable 10MB reserved for non-file parts is excessively large and can potentially open a denial of service vector on its own. However, ReadForm did not properly account for all memory consumed by a parsed form, such as map entry overhead, part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In addition, ReadForm contained no limit on the number of disk files created, permitting a relatively small request body to create a large number of disk temporary files.

  ReadForm now properly accounts for various forms of memory overhead, and should now stay within its documented limit of 10MB + maxMemory bytes of memory consumption. Users should still be aware that this limit is high and may still be hazardous.

  ReadForm now creates at most one on-disk temporary file, combining multiple form parts into a single temporary file. The mime/multipart.File interface type's documentation states, "If stored on disk, the File's underlying concrete type will be an *os.File.". This is no longer the case when a form contains more than one file part, due to this coalescing of parts into a single file. The previous behavior of using distinct files for each form part may be reenabled with the environment variable GODEBUG=multipartfiles=distinct.

  Users should be aware that multipart.ReadForm and the http.Request methods that call it do not limit the amount of disk consumed by temporary files. Callers can limit the size of form data with http.MaxBytesReader.

  Thanks to Arpad Ryszka and Jakob Ackermann (@das7pad) for reporting this issue.

  This is CVE-2022-41725 and Go issue https://go.dev/issue/58006.

- crypto/tls: large handshake records may cause panics

  Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses.

  This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).

  Thanks to Marten Seemann for reporting this issue.

  This is CVE-2022-41724 and Go issue https://go.dev/issue/58001.

- net/http: avoid quadratic complexity in HPACK decoding

  A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.

  This issue is also fixed in golang.org/x/net/http2 v0.7.0, for users manually configuring HTTP/2.

  Thanks to Philippe Antoine (Catena cyber) for reporting this issue.

  This is CVE-2022-41723 and Go issue https://go.dev/issue/57855.

Revision 1.171, Sun Feb 5 13:25:25 2023 UTC (13 months, 3 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.170: +2 -1 lines

Import Go 1.20 from pkgsrc-wip into pkgsrc itself.

The latest Go release, version 1.20, arrives six months after Go 1.19. Most of its changes are in the implementation of the toolchain, runtime, and libraries. As always, the release maintains the Go 1 promise of compatibility. We expect almost all Go programs to continue to compile and run as before.

https://go.dev/doc/go1.20

Revision 1.170, Sat Jan 28 12:34:30 2023 UTC (13 months, 4 weeks ago) by jperkin
Branch: MAIN
Changes since 1.169: +7 -1 lines

go: Switch illumos platforms to native GOOS=illumos.

Ensures that native interfaces such as flock(3C) that aren't available on Solaris can be used.

Revision 1.169, Wed Jan 11 17:24:29 2023 UTC (14 months, 2 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.168: +2 -2 lines

go119: update to 1.19.5

go1.19.5 (released 2023-01-10) includes fixes to the compiler, the linker, and the crypto/x509, net/http, sync/atomic, and syscall packages. See the Go 1.19.5 milestone on our issue tracker for details.

Revision 1.168, Wed Jan 11 15:21:43 2023 UTC (14 months, 2 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.167: +2 -6 lines

go118: update to 1.18.10

go1.18.10 (released 2023-01-10) includes fixes to cgo, the compiler, the linker, and the crypto/x509, net/http, and syscall packages. See the Go 1.18.10 milestone on our issue tracker for details.

While here, clean up obsolete Go versions in version.mk.

Revision 1.167, Thu Dec 8 10:37:25 2022 UTC (15 months, 2 weeks ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2022Q4-base, pkgsrc-2022Q4
Changes since 1.166: +2 -2 lines

Update go119 to 1.19.4 (security).

This minor release includes 2 security fixes following the security policy <https://go.dev/security>:

- os, net/http: avoid escapes from os.DirFS and http.Dir on Windows

  The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permitted access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") would open the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access.

  In addition, on Windows, an os.DirFS for the directory \ (the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system.

  The behavior of os.DirFS("") has changed. Previously, an empty root was treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path "/tmp". This now returns an error.

  This is CVE-2022-41720 and Go issue https://go.dev/issue/56694.

- net/http: limit canonical header cache by bytes, not entries

  An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests.

  HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.

  This issue is also fixed in golang.org/x/net/http2, for users manually configuring HTTP/2.

  Thanks to Josselin Costanzi for reporting this issue.

  This is CVE-2022-41717 and Go issue https://go.dev/issue/56350.

Revision 1.166, Thu Dec 8 10:28:44 2022 UTC (15 months, 2 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.165: +2 -2 lines

Update go118 to 1.18.9 (security release).

This minor release includes 2 security fixes following the security policy <https://go.dev/security>:

- os, net/http: avoid escapes from os.DirFS and http.Dir on Windows

  The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permitted access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") would open the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access.

  In addition, on Windows, an os.DirFS for the directory \ (the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system.

  The behavior of os.DirFS("") has changed. Previously, an empty root was treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path "/tmp". This now returns an error.

  This is CVE-2022-41720 and Go issue https://go.dev/issue/56694.

- net/http: limit canonical header cache by bytes, not entries

  An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests.

  HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.

  This issue is also fixed in golang.org/x/net/http2, for users manually configuring HTTP/2.

  Thanks to Josselin Costanzi for reporting this issue.

  This is CVE-2022-41717 and Go issue https://go.dev/issue/56350.

Revision 1.165, Tue Nov 1 17:41:11 2022 UTC (16 months, 3 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.164: +2 -2 lines

go119: update to 1.19.3

This release includes 1 security fix following the security policy:

syscall, os/exec: unsanitized NUL in environment variables

On Windows, syscall.StartProcess and os/exec.Cmd did not properly check for invalid environment variable values. A malicious environment variable value could exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" set the variables "A=B" and "C=D".

Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.

This is CVE-2022-41716 and Go issue https://go.dev/issue/56284.

View the release notes for more information: https://go.dev/doc/devel/release#go1.19.3

Revision 1.164, Tue Nov 1 17:26:16 2022 UTC (16 months, 3 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.163: +2 -2 lines

go118: update to 1.18.8

This release includes 1 security fix following the security policy:

syscall, os/exec: unsanitized NUL in environment variables

On Windows, syscall.StartProcess and os/exec.Cmd did not properly check for invalid environment variable values. A malicious environment variable value could exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" set the variables "A=B" and "C=D".

Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.

This is CVE-2022-41716 and Go issue https://go.dev/issue/56284.

View the release notes for more information: https://go.dev/doc/devel/release#go1.18.8

Revision 1.159.2.2, Fri Oct 7 18:19:31 2022 UTC (17 months, 2 weeks ago) by bsiegert
Branch: pkgsrc-2022Q3
Changes since 1.159.2.1: +2 -2 lines

Pullup ticket #6680 - requested by taca
lang/go119: security fix

Revisions pulled up:
- lang/go/version.mk 1.163
- lang/go119/PLIST 1.3
- lang/go119/distinfo 1.3

---
Module Name: pkgsrc
Committed By: bsiegert
Date: Wed Oct 5 11:20:24 UTC 2022

Modified Files:
pkgsrc/lang/go: version.mk
pkgsrc/lang/go119: PLIST distinfo

Log Message:
Update go119 to 1.19.2

This minor release includes 3 security fixes following the security policy:

- archive/tar: unbounded memory consumption when reading headers

  Reader.Read did not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. Reader.Read now limits the maximum size of header blocks to 1 MiB.

  Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

  This is CVE-2022-2879 and Go issue https://go.dev/issue/54853.

- net/http/httputil: ReverseProxy should not forward unparseable query parameters

  Requests forwarded by ReverseProxy included the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value.

  ReverseProxy will now sanitize the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy.Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.

  Thanks to Gal Goldstein (Security Researcher, Oxeye) and Daniel Abeles (Head of Research, Oxeye) for reporting this issue.

  This is CVE-2022-2880 and Go issue https://go.dev/issue/54663.

- regexp/syntax: limit memory used by parsing regexps

  The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory.

  Each regexp being parsed is now limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are now rejected. Normal use of regular expressions is unaffected.

  Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

  This is CVE-2022-41715 and Go issue https://go.dev/issue/55949.

Revision 1.159.2.1, Fri Oct 7 16:34:02 2022 UTC (17 months, 2 weeks ago) by bsiegert
Branch: pkgsrc-2022Q3
Changes since 1.159: +2 -2 lines

Pullup ticket #6679 - requested by taca
lang/go118: security fix

Revisions pulled up:
- lang/go/version.mk 1.162
- lang/go118/PLIST 1.8
- lang/go118/distinfo 1.8

---
Module Name: pkgsrc
Committed By: bsiegert
Date: Wed Oct 5 09:51:52 UTC 2022

Modified Files:
pkgsrc/lang/go: version.mk
pkgsrc/lang/go118: PLIST distinfo

Log Message:
go118: update to 1.18.7

This minor release includes 3 security fixes following the security policy:

- archive/tar: unbounded memory consumption when reading headers

  Reader.Read did not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. Reader.Read now limits the maximum size of header blocks to 1 MiB.

  Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

  This is CVE-2022-2879 and Go issue https://go.dev/issue/54853.

- net/http/httputil: ReverseProxy should not forward unparseable query parameters

  Requests forwarded by ReverseProxy included the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value.

  ReverseProxy will now sanitize the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy.Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.

  Thanks to Gal Goldstein (Security Researcher, Oxeye) and Daniel Abeles (Head of Research, Oxeye) for reporting this issue.

  This is CVE-2022-2880 and Go issue https://go.dev/issue/54663.

- regexp/syntax: limit memory used by parsing regexps

  The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory.

  Each regexp being parsed is now limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are now rejected. Normal use of regular expressions is unaffected.

  Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

  This is CVE-2022-41715 and Go issue https://go.dev/issue/55949.

Revision 1.163, Wed Oct 5 11:20:24 2022 UTC (17 months, 3 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.162: +2 -2 lines

Update go119 to 1.19.2

This minor release includes 3 security fixes following the security policy:

- archive/tar: unbounded memory consumption when reading headers

  Reader.Read did not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. Reader.Read now limits the maximum size of header blocks to 1 MiB.

  Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

  This is CVE-2022-2879 and Go issue https://go.dev/issue/54853.

- net/http/httputil: ReverseProxy should not forward unparseable query parameters

  Requests forwarded by ReverseProxy included the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value.

  ReverseProxy will now sanitize the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy.Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.

  Thanks to Gal Goldstein (Security Researcher, Oxeye) and Daniel Abeles (Head of Research, Oxeye) for reporting this issue.

  This is CVE-2022-2880 and Go issue https://go.dev/issue/54663.

- regexp/syntax: limit memory used by parsing regexps

  The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory.

  Each regexp being parsed is now limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are now rejected. Normal use of regular expressions is unaffected.

  Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

  This is CVE-2022-41715 and Go issue https://go.dev/issue/55949.

Revision 1.162, Wed Oct 5 09:51:52 2022 UTC (17 months, 3 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.161: +2 -2 lines

go118: update to 1.18.7

This minor release includes 3 security fixes following the security policy:

- archive/tar: unbounded memory consumption when reading headers

  Reader.Read did not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. Reader.Read now limits the maximum size of header blocks to 1 MiB.

  Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

  This is CVE-2022-2879 and Go issue https://go.dev/issue/54853.

- net/http/httputil: ReverseProxy should not forward unparseable query parameters

  Requests forwarded by ReverseProxy included the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value.

  ReverseProxy will now sanitize the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy.Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.

  Thanks to Gal Goldstein (Security Researcher, Oxeye) and Daniel Abeles (Head of Research, Oxeye) for reporting this issue.

  This is CVE-2022-2880 and Go issue https://go.dev/issue/54663.

- regexp/syntax: limit memory used by parsing regexps

  The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory.

  Each regexp being parsed is now limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are now rejected. Normal use of regular expressions is unaffected.

  Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

  This is CVE-2022-41715 and Go issue https://go.dev/issue/55949.

Revision 1.161, Sat Oct 1 11:20:05 2022 UTC (17 months, 3 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.160: +1 -11 lines

go: remove the logic that makes Go 1.9 or 1.10 default for some OSes

Removal agreed on tech-pkg@

Revision 1.160, Mon Sep 26 15:46:00 2022 UTC (18 months ago) by bsiegert
Branch: MAIN
Changes since 1.159: +2 -2 lines

Make Go 1.19 the default Go version

This switches ~all Go packages to be built with Go 1.19 instead of 1.18.

Discussed on tech-pkg@ "ok after the freeze"

Revision 1.159, Mon Sep 12 12:16:05 2022 UTC (18 months, 2 weeks ago) by jperkin
Branch: MAIN
CVS Tags: pkgsrc-2022Q3-base
Branch point for: pkgsrc-2022Q3
Changes since 1.158: +5 -1 lines

go: Force GOHOSTARCH for Darwin x86_64.

Fixes builds of go118 and newer in x86_64 chroots on an arm64 host. The go build system parses "uname -v" and incorrectly assumes that if you're running on an arm64 host you always want arm64 binaries.

Revision 1.158, Wed Sep 7 06:36:32 2022 UTC (18 months, 2 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.157: +2 -2 lines

go118: update to 1.18.6 (security)

This minor release includes 2 security fixes following the security policy:

net/http: handle server errors after sending GOAWAY

A closing HTTP/2 server connection could hang forever waiting for a clean shutdown that was preempted by a subsequent fatal error. This failure mode could be exploited to cause a denial of service.

Thanks to Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu for reporting this.

This is CVE-2022-27664 and Go issue https://go.dev/issue/54658.

net/url: JoinPath does not strip relative path components in all circumstances

JoinPath and URL.JoinPath would not remove ../ path components appended to a relative path. For example, JoinPath("https://go.dev", "../go") returned the URL https://go.dev/../go, despite the JoinPath documentation stating that ../ path elements are cleaned from the result.

Thanks to q0jt for reporting this issue.

This is CVE-2022-32190 and Go issue https://go.dev/issue/54385.

Revision 1.157, Tue Sep 6 19:11:13 2022 UTC (18 months, 3 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.156: +2 -2 lines
go119: update to 1.19.1 (security)
This minor release includes 2 security fixes following the security policy:
net/http: handle server errors after sending GOAWAY
A closing HTTP/2 server connection could hang forever waiting for a clean shutdown that was preempted by a subsequent fatal error. This failure mode could be exploited to cause a denial of service. Thanks to Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu for reporting this. This is CVE-2022-27664 and Go issue https://go.dev/issue/54658.
net/url: JoinPath does not strip relative path components in all circumstances
JoinPath and URL.JoinPath would not remove ../ path components appended to a relative path. For example, JoinPath("https://go.dev", "../go") returned the URL https://go.dev/../go, despite the JoinPath documentation stating that ../ path elements are cleaned from the result. Thanks to q0jt for reporting this issue. This is CVE-2022-32190 and Go issue https://go.dev/issue/54385.
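The JoinPath issue from the 1.18.6 and 1.19.1 entries above (CVE-2022-32190), seen from the caller's side, as an added Go example that is not part of the pkgsrc log or of Go's own code. `JoinUnder`, `ErrEscapesBase` and the `example.test` URLs are assumptions made for the illustration; the point is that even on a fixed runtime, cleaning `../` lets an element climb out of the base path, so the helper checks containment after joining.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// ErrEscapesBase reports that a joined URL does not lie under the base path.
var ErrEscapesBase = errors.New("joined URL escapes base path")

// JoinUnder is a hypothetical helper: it joins elem onto base with
// URL.JoinPath (Go 1.19+) and accepts the result only if its decoded path
// is still located under the base URL's path.
func JoinUnder(base string, elem ...string) (string, error) {
	b, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	if b.Scheme == "" || b.Host == "" {
		return "", fmt.Errorf("base %q must be an absolute URL", base)
	}
	joined := b.JoinPath(elem...)

	// Check 1: no dot segment may survive in the decoded path. A runtime
	// without the fix leaves "../" in place for a base with an empty path,
	// and percent-encoded dots (%2e%2e) are never cleaned by JoinPath but
	// decode to ".." in URL.Path.
	for _, seg := range strings.Split(joined.Path, "/") {
		if seg == "." || seg == ".." {
			return "", fmt.Errorf("%w: dot segment in %q", ErrEscapesBase, joined.Path)
		}
	}

	// Check 2: containment. A fixed runtime resolves "../" instead of
	// rejecting it, so "/api/" joined with "../admin" becomes "/admin".
	root := path.Clean("/" + b.Path)
	if !strings.HasSuffix(root, "/") {
		root += "/"
	}
	p := joined.Path
	if !strings.HasPrefix(p, "/") {
		p = "/" + p
	}
	if p+"/" != root && !strings.HasPrefix(p, root) {
		return "", fmt.Errorf("%w: %q is outside %q", ErrEscapesBase, p, root)
	}
	return joined.String(), nil
}

func main() {
	// Constructed sample inputs.
	cases := []struct {
		base string
		elem []string
	}{
		{"https://go.dev", []string{"../go"}},
		{"https://example.test/api/", []string{"v1", "users"}},
		{"https://example.test/api/", []string{"../admin"}},
		{"https://example.test/api/", []string{"%2e%2e/admin"}},
		{"https://example.test/api", []string{"../apiv2/x"}},
	}
	for _, c := range cases {
		out, err := JoinUnder(c.base, c.elem...)
		fmt.Printf("%s + %q -> %q, err=%v\n", c.base, c.elem, out, err)
	}
}
```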
Revision 1.156, Sun Aug 21 11:42:19 2022 UTC (19 months, 1 week ago) by bsiegert
Branch: MAIN
Changes since 1.155: +2 -1 lines
Add a package for Go 1.19
Release notes: https://go.dev/doc/go1.19
Revision 1.155, Fri Aug 12 16:15:04 2022 UTC (19 months, 2 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.154: +2 -2 lines
go118: update to 1.18.5 (security)
1 security fix following the security policy:
encoding/gob & math/big: decoding big.Float and big.Rat can panic
Decoding big.Float and big.Rat types can panic if the encoded message is too short. This is CVE-2022-32189 and Go issue https://go.dev/issue/53871.
Revision 1.154, Fri Aug 12 15:48:35 2022 UTC (19 months, 2 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.153: +2 -2 lines
go117: update to 1.17.13 (security).
1 security fix following the security policy:
encoding/gob & math/big: decoding big.Float and big.Rat can panic
Decoding big.Float and big.Rat types can panic if the encoded message is too short. This is CVE-2022-32189 and Go issue https://go.dev/issue/53871.
Revision 1.153, Wed Jul 13 15:02:02 2022 UTC (20 months, 2 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.152: +2 -2 lines
go118: update to 1.18.4 (security update)
This minor release includes 9 security fixes following the security policy:
net/http: improper sanitization of Transfer-Encoding header
The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to reject the header as invalid. This is CVE-2022-1705 and https://go.dev/issue/53188.
When httputil.ReverseProxy.ServeHTTP was called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy would set the client IP as the value of the X-Forwarded-For header, contrary to its documentation. In the more usual case where a Director function set the X-Forwarded-For header value to nil, ReverseProxy would leave the header unmodified as expected. This is https://go.dev/issue/53423 and CVE-2022-32148. Thanks to Christian Mehlmauer for reporting this issue.
compress/gzip: stack exhaustion in Reader.Read
Calling Reader.Read on an archive containing a large number of concatenated 0-length compressed files can cause a panic due to stack exhaustion. This is CVE-2022-30631 and Go issue https://go.dev/issue/53168.
encoding/xml: stack exhaustion in Unmarshal
Calling Unmarshal on an XML document into a Go struct which has a nested field that uses the any field tag can cause a panic due to stack exhaustion. This is CVE-2022-30633 and Go issue https://go.dev/issue/53611.
encoding/xml: stack exhaustion in Decoder.Skip
Calling Decoder.Skip when parsing a deeply nested XML document can cause a panic due to stack exhaustion. The Go Security team discovered this issue, and it was independently reported by Juho Nurminen of Mattermost. This is CVE-2022-28131 and Go issue https://go.dev/issue/53614.
encoding/gob: stack exhaustion in Decoder.Decode
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is CVE-2022-30635 and Go issue https://go.dev/issue/53615.
path/filepath: stack exhaustion in Glob
Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion. Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2022-30632 and Go issue https://go.dev/issue/53416.
io/fs: stack exhaustion in Glob
Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion. This is CVE-2022-30630 and Go issue https://go.dev/issue/53415.
go/parser: stack exhaustion in all Parse* functions
Calling any of the Parse functions on Go source code which contains deeply nested types or declarations can cause a panic due to stack exhaustion. Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2022-1962 and Go issue https://go.dev/issue/53616.
Revision 1.152, Wed Jul 13 14:14:18 2022 UTC (20 months, 2 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.151: +2 -2 lines
go117: update to 1.17.12 (security update)
This minor release includes 9 security fixes following the security policy:
net/http: improper sanitization of Transfer-Encoding header
The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to reject the header as invalid. This is CVE-2022-1705 and https://go.dev/issue/53188.
When httputil.ReverseProxy.ServeHTTP was called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy would set the client IP as the value of the X-Forwarded-For header, contrary to its documentation. In the more usual case where a Director function set the X-Forwarded-For header value to nil, ReverseProxy would leave the header unmodified as expected. This is https://go.dev/issue/53423 and CVE-2022-32148. Thanks to Christian Mehlmauer for reporting this issue.
compress/gzip: stack exhaustion in Reader.Read
Calling Reader.Read on an archive containing a large number of concatenated 0-length compressed files can cause a panic due to stack exhaustion. This is CVE-2022-30631 and Go issue https://go.dev/issue/53168.
encoding/xml: stack exhaustion in Unmarshal
Calling Unmarshal on an XML document into a Go struct which has a nested field that uses the any field tag can cause a panic due to stack exhaustion. This is CVE-2022-30633 and Go issue https://go.dev/issue/53611.
encoding/xml: stack exhaustion in Decoder.Skip
Calling Decoder.Skip when parsing a deeply nested XML document can cause a panic due to stack exhaustion. The Go Security team discovered this issue, and it was independently reported by Juho Nurminen of Mattermost. This is CVE-2022-28131 and Go issue https://go.dev/issue/53614.
encoding/gob: stack exhaustion in Decoder.Decode
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is CVE-2022-30635 and Go issue https://go.dev/issue/53615.
path/filepath: stack exhaustion in Glob
Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion. Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2022-30632 and Go issue https://go.dev/issue/53416.
io/fs: stack exhaustion in Glob
Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion. This is CVE-2022-30630 and Go issue https://go.dev/issue/53415.
go/parser: stack exhaustion in all Parse* functions
Calling any of the Parse functions on Go source code which contains deeply nested types or declarations can cause a panic due to stack exhaustion. Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2022-1962 and Go issue https://go.dev/issue/53616.
Revision 1.151, Thu Jun 2 18:50:40 2022 UTC (21 months, 3 weeks ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2022Q2-base, pkgsrc-2022Q2
Changes since 1.150: +2 -2 lines
Update go118 to 1.18.3
This minor release includes 4 security fixes following the security policy <https://go.dev/security>:
- crypto/rand: rand.Read hangs with extremely large buffers
  On Windows, rand.Read will hang indefinitely if passed a buffer larger than 1 << 32 - 1 bytes. Thanks to Davis Goodin and Quim Muntal, working at Microsoft on the Go toolset, for reporting this issue. This is CVE-2022-30634 and Go issue https://go.dev/issue/52561.
- crypto/tls: session tickets lack random ticket_age_add
  Session tickets generated by crypto/tls did not contain a randomly generated ticket_age_add. This allows an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption. Thanks to GitHub user @nervuri for reporting this. This is CVE-2022-30629 and Go issue https://go.dev/issue/52814.
- os/exec: empty Cmd.Path can result in running unintended binary on Windows
  If, on Windows, Cmd.Run, cmd.Start, cmd.Output, or cmd.CombinedOutput are executed when Cmd.Path is unset and, in the working directory, there are binaries named either "..com" or "..exe", they will be executed. Thanks to Chris Darroch (chrisd8088@github.com), brian m. carlson (bk2204@github.com), and Mikhail Shcherbakov (https://twitter.com/yu5k3) for reporting this. This is CVE-2022-30580 and Go issue https://go.dev/issue/52574.
- path/filepath: Clean(`.\c:`) returns `c:` on Windows
  On Windows, the filepath.Clean function could convert an invalid path to a valid, absolute path. For example, Clean(`.\c:`) returned `c:`. Thanks to Unrud for reporting this issue. This is CVE-2022-29804 and Go issue https://go.dev/issue/52476.
Revision 1.150, Thu Jun 2 18:19:26 2022 UTC (21 months, 3 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.149: +2 -2 lines
Update go117 to 1.17.11
This minor release includes 4 security fixes following the security policy <https://go.dev/security>:
- crypto/rand: rand.Read hangs with extremely large buffers
  On Windows, rand.Read will hang indefinitely if passed a buffer larger than 1 << 32 - 1 bytes. Thanks to Davis Goodin and Quim Muntal, working at Microsoft on the Go toolset, for reporting this issue. This is CVE-2022-30634 and Go issue https://go.dev/issue/52561.
- crypto/tls: session tickets lack random ticket_age_add
  Session tickets generated by crypto/tls did not contain a randomly generated ticket_age_add. This allows an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption. Thanks to GitHub user @nervuri for reporting this. This is CVE-2022-30629 and Go issue https://go.dev/issue/52814.
- os/exec: empty Cmd.Path can result in running unintended binary on Windows
  If, on Windows, Cmd.Run, cmd.Start, cmd.Output, or cmd.CombinedOutput are executed when Cmd.Path is unset and, in the working directory, there are binaries named either "..com" or "..exe", they will be executed. Thanks to Chris Darroch (chrisd8088@github.com), brian m. carlson (bk2204@github.com), and Mikhail Shcherbakov (https://twitter.com/yu5k3) for reporting this. This is CVE-2022-30580 and Go issue https://go.dev/issue/52574.
- path/filepath: Clean(`.\c:`) returns `c:` on Windows
  On Windows, the filepath.Clean function could convert an invalid path to a valid, absolute path. For example, Clean(`.\c:`) returned `c:`. Thanks to Unrud for reporting this issue. This is CVE-2022-29804 and Go issue https://go.dev/issue/52476.
Revision 1.149, Wed May 11 19:00:55 2022 UTC (22 months, 2 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.148: +2 -2 lines
go118: update to 1.18.2 (security)
go1.18.2 (released 2022-05-10) includes security fixes to the syscall package, as well as bug fixes to the compiler, runtime, the go command, and the crypto/x509, go/types, net/http/httptest, reflect, and sync/atomic packages. See the Go 1.18.2 milestone on our issue tracker for details.
Revision 1.148, Wed May 11 18:39:42 2022 UTC (22 months, 2 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.147: +2 -2 lines
go117: update to 1.17.10 (security)
go1.17.10 (released 2022-05-10) includes security fixes to the syscall package, as well as bug fixes to the compiler, runtime, and the crypto/x509 and net/http/httptest packages. See the Go 1.17.10 milestone on our issue tracker for details.
Revision 1.147, Tue Apr 19 11:56:21 2022 UTC (23 months, 1 week ago) by bsiegert
Branch: MAIN
Changes since 1.146: +2 -2 lines
go: make 1.18 the default version
I did a bulk build and identified 5 packages that would break (apisprout, caddy, go-staticcheck, gvproxy and restish) and fixed them. Please email tech-pkg@ if you find other breakage!
Revision 1.146, Wed Apr 13 07:46:56 2022 UTC (23 months, 2 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.145: +2 -2 lines
go118: update to 1.18.1
This minor release includes three security fixes following the security policy:
- encoding/pem: fix stack overflow in Decode
  A large (more than 5 MB) PEM input can cause a stack overflow in Decode, leading the program to crash. Thanks to Juho Nurminen of Mattermost who reported the error. This is CVE-2022-24675 and https://go.dev/issue/51853.
- crypto/elliptic: tolerate all oversized scalars in generic P-256
  A crafted scalar input longer than 32 bytes can cause P256().ScalarMult or P256().ScalarBaseMult to panic. Indirect uses through crypto/ecdsa and crypto/tls are unaffected. amd64, arm64, ppc64le, and s390x are unaffected. This was discovered thanks to a Project Wycheproof test vector. This is CVE-2022-28327 and https://go.dev/issue/52075.
- crypto/x509: non-compliant certificates can cause a panic in Verify on macOS in Go 1.18
  Verifying certificate chains containing certificates which are not compliant with RFC 5280 causes Certificate.Verify to panic on macOS. These chains can be delivered through TLS and can cause a crypto/tls or net/http client to crash. Thanks to Tailscale for doing weird things and finding this. This is CVE-2022-27536 and https://go.dev/issue/51759.
Revision 1.145, Wed Apr 13 07:36:53 2022 UTC (23 months, 2 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.144: +2 -2 lines
go117: update to 1.17.9
This minor release includes three security fixes following the security policy:
- encoding/pem: fix stack overflow in Decode
  A large (more than 5 MB) PEM input can cause a stack overflow in Decode, leading the program to crash. Thanks to Juho Nurminen of Mattermost who reported the error. This is CVE-2022-24675 and https://go.dev/issue/51853.
- crypto/elliptic: tolerate all oversized scalars in generic P-256
  A crafted scalar input longer than 32 bytes can cause P256().ScalarMult or P256().ScalarBaseMult to panic. Indirect uses through crypto/ecdsa and crypto/tls are unaffected. amd64, arm64, ppc64le, and s390x are unaffected. This was discovered thanks to a Project Wycheproof test vector. This is CVE-2022-28327 and https://go.dev/issue/52075.
- crypto/x509: non-compliant certificates can cause a panic in Verify on macOS in Go 1.18
  Verifying certificate chains containing certificates which are not compliant with RFC 5280 causes Certificate.Verify to panic on macOS. These chains can be delivered through TLS and can cause a crypto/tls or net/http client to crash. Thanks to Tailscale for doing weird things and finding this. This is CVE-2022-27536 and https://go.dev/issue/51759.
Revision 1.144, Tue Mar 15 20:13:45 2022 UTC (2 years ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2022Q1-base, pkgsrc-2022Q1
Changes since 1.143: +2 -1 lines
go118: add Go 1.18 (final release). Due to how close the freeze is, this will not be the default for the next quarterly release. There is lots of news, including support for Generics. Read the release notes for details.
Revision 1.143, Mon Mar 7 08:44:52 2022 UTC (2 years ago) by bsiegert
Branch: MAIN
Changes since 1.142: +2 -2 lines
Update go117 to 1.17.8 (security).
This minor release includes a security fix following the security policy:
regexp: stack exhaustion compiling deeply nested expressions
On 64-bit platforms, an extremely deeply nested expression can cause regexp.Compile to cause goroutine stack exhaustion, forcing the program to exit. Note this applies to very large expressions, on the order of 2MB. Thanks to Juho Nurminen of Mattermost for reporting this. This is CVE-2022-24921 and https://go.dev/issue/51112.
Revision 1.142, Sun Mar 6 09:53:43 2022 UTC (2 years ago) by bsiegert
Branch: MAIN
Changes since 1.141: +2 -2 lines
Update go116 to 1.16.15.
This minor release includes a security fix following the security policy:
regexp: stack exhaustion compiling deeply nested expressions
On 64-bit platforms, an extremely deeply nested expression can cause regexp.Compile to cause goroutine stack exhaustion, forcing the program to exit. Note this applies to very large expressions, on the order of 2MB. Thanks to Juho Nurminen of Mattermost for reporting this. This is CVE-2022-24921 and https://go.dev/issue/51112.
Revision 1.141, Sat Feb 12 20:14:01 2022 UTC (2 years, 1 month ago) by bsiegert
Branch: MAIN
Changes since 1.140: +2 -2 lines
Update go117 to 1.17.7 (security update).
crypto/elliptic: fix IsOnCurve for big.Int values that are not valid coordinates
Some big.Int values that are not valid field elements (negative or overflowing) might cause Curve.IsOnCurve to incorrectly return true. Operating on those values may cause a panic or an invalid curve operation. Note that Unmarshal will never return such values. Thanks to Guido Vranken for reporting this. This is CVE-2022-23806 and https://go.dev/issue/50974.
math/big: prevent large memory consumption in Rat.SetString
An attacker can cause unbounded memory growth in a program using (*Rat).SetString due to an unhandled overflow. Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke (@odeke_et) for reporting it. This is CVE-2022-23772 and Go issue https://go.dev/issue/50699.
cmd/go: prevent branches from materializing into versions
A branch whose name resembles a version tag (such as "v1.0.0" or "subdir/v2.0.0-dev") can be considered a valid version by the go command. Materializing versions from branches might be unexpected and bypass ACLs that limit the creation of tags but not branches. This is CVE-2022-23773 and Go issue https://go.dev/issue/35671.
Revision 1.140, Sat Feb 12 19:52:40 2022 UTC (2 years, 1 month ago) by bsiegert
Branch: MAIN
Changes since 1.139: +2 -2 lines
Update go116 to 1.16.14 (security update).
crypto/elliptic: fix IsOnCurve for big.Int values that are not valid coordinates
Some big.Int values that are not valid field elements (negative or overflowing) might cause Curve.IsOnCurve to incorrectly return true. Operating on those values may cause a panic or an invalid curve operation. Note that Unmarshal will never return such values. Thanks to Guido Vranken for reporting this. This is CVE-2022-23806 and https://go.dev/issue/50974.
math/big: prevent large memory consumption in Rat.SetString
An attacker can cause unbounded memory growth in a program using (*Rat).SetString due to an unhandled overflow. Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke (@odeke_et) for reporting it. This is CVE-2022-23772 and Go issue https://go.dev/issue/50699.
cmd/go: prevent branches from materializing into versions
A branch whose name resembles a version tag (such as "v1.0.0" or "subdir/v2.0.0-dev") can be considered a valid version by the go command. Materializing versions from branches might be unexpected and bypass ACLs that limit the creation of tags but not branches. This is CVE-2022-23773 and Go issue https://go.dev/issue/35671.
Revision 1.139, Sun Jan 9 19:54:46 2022 UTC (2 years, 2 months ago) by bsiegert
Branch: MAIN
Changes since 1.138: +2 -2 lines
Update go117 to 1.17.6. go1.17.6 (released 2022-01-06) includes fixes to the compiler, linker, runtime, and the crypto/x509, net/http, and reflect packages. See the Go 1.17.6 milestone on our issue tracker for details.
Revision 1.138, Sun Jan 9 19:18:51 2022 UTC (2 years, 2 months ago) by bsiegert
Branch: MAIN
Changes since 1.137: +2 -2 lines
Update go116 to 1.16.13. go1.16.13 (released 2022-01-06) includes fixes to the compiler, linker, runtime, and the net/http package. See the Go 1.16.13 milestone on our issue tracker for details.
Revision 1.137, Thu Dec 9 17:25:56 2021 UTC (2 years, 3 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2021Q4-base, pkgsrc-2021Q4
Changes since 1.136: +2 -2 lines
Update go117 to 1.17.5.
go1.17.4 (released 2021-12-02) includes fixes to the compiler, linker, runtime, and the go/types, net/http, and time packages. See the Go 1.17.4 milestone on our issue tracker for details.
go1.17.5 (released 2021-12-09) includes security fixes to the syscall and net/http packages. See the Go 1.17.5 milestone on our issue tracker for details.
When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. This is CVE-2021-44717 and is fixed in Go 1.17.5 and Go 1.16.12.
An attacker can cause unbounded memory growth in a Go server accepting HTTP/2 requests. This is CVE-2021-44716 and is fixed in Go 1.17.5 and Go 1.16.12.
Revision 1.136, Thu Dec 9 17:13:49 2021 UTC (2 years, 3 months ago) by bsiegert
Branch: MAIN
Changes since 1.135: +2 -2 lines
Update go116 to 1.16.12.
go1.16.12 (released 2021-12-09) includes security fixes to the syscall and net/http packages. See the Go 1.16.12 milestone on our issue tracker for details.
When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. This is CVE-2021-44717 and is fixed in Go 1.17.5 and Go 1.16.12.
An attacker can cause unbounded memory growth in a Go server accepting HTTP/2 requests. This is CVE-2021-44716 and is fixed in Go 1.17.5 and Go 1.16.12.
Revision 1.135, Fri Dec 3 17:08:35 2021 UTC (2 years, 3 months ago) by bsiegert
Branch: MAIN
Changes since 1.134: +2 -2 lines
Update go116 to 1.16.11. go1.16.11 (released 2021-12-02) includes fixes to the compiler, runtime, and the net/http, net/http/httptest, and time packages. See the Go 1.16.11 milestone on our issue tracker for details.
Revision 1.134, Mon Nov 29 16:29:34 2021 UTC (2 years, 3 months ago) by jperkin
Branch: MAIN
Changes since 1.133: +3 -3 lines
go: Use OPSYS_VERSION.
Revision 1.133, Fri Nov 5 19:35:00 2021 UTC (2 years, 4 months ago) by bsiegert
Branch: MAIN
Changes since 1.132: +2 -2 lines
Update go117 to 1.17.3. go1.17.3 (released 2021-11-04) includes security fixes to the archive/zip and debug/macho packages, as well as bug fixes to the compiler, linker, runtime, the go command, the misc/wasm directory, and to the net/http and syscall packages. See the Go 1.17.3 milestone on our issue tracker for details.
Revision 1.132, Thu Nov 4 19:18:59 2021 UTC (2 years, 4 months ago) by bsiegert
Branch: MAIN
Changes since 1.131: +2 -2 lines
Update go116 to 1.16.10. go1.16.10 (released 2021-11-04) includes security fixes to the archive/zip and debug/macho packages, as well as bug fixes to the compiler, linker, runtime, the misc/wasm directory, and to the net/http package. See the Go 1.16.10 milestone on our issue tracker for details.
Revision 1.131, Fri Oct 8 14:47:44 2021 UTC (2 years, 5 months ago) by bsiegert
Branch: MAIN
Changes since 1.130: +2 -2 lines
Update go117 to 1.17.2. This minor release includes a security fix according to the new security policy. When invoking functions from WASM modules, built using GOARCH=wasm GOOS=js, passing very large arguments can cause portions of the module to be overwritten with data from the arguments. If using wasm_exec.js to execute WASM modules, users will need to replace their copy (as described in https://golang.org/wiki/WebAssembly#getting-started) after rebuilding any modules. This is issue 48797 and CVE-2021-38297. Thanks to Ben Lubar for reporting this issue.
Revision 1.130, Fri Oct 8 14:21:44 2021 UTC (2 years, 5 months ago) by bsiegert
Branch: MAIN
Changes since 1.129: +2 -2 lines
Update go116 to 1.16.9. This minor release includes a security fix according to the new security policy. When invoking functions from WASM modules, built using GOARCH=wasm GOOS=js, passing very large arguments can cause portions of the module to be overwritten with data from the arguments. If using wasm_exec.js to execute WASM modules, users will need to replace their copy (as described in https://golang.org/wiki/WebAssembly#getting-started) after rebuilding any modules. This is issue 48797 and CVE-2021-38297. Thanks to Ben Lubar for reporting this issue.
Revision 1.129, Fri Sep 17 13:17:19 2021 UTC (2 years, 6 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2021Q3-base, pkgsrc-2021Q3
Changes since 1.128: +2 -2 lines
go117: update to 1.17.1 (security). go1.17.1 (released 2021-09-09) includes a security fix to the archive/zip package, as well as bug fixes to the compiler, linker, the go command, and to the crypto/rand, embed, go/types, html/template, and net/http packages.
Revision 1.128, Fri Sep 17 12:56:18 2021 UTC (2 years, 6 months ago) by bsiegert
Branch: MAIN
Changes since 1.127: +2 -2 lines
Update go116 to 1.16.8 (security). go1.16.8 (released 2021-09-09) includes a security fix to the archive/zip package, as well as bug fixes to the archive/zip, go/internal/gccgoimporter, html/template, net/http, and runtime/pprof packages.
Revision 1.127, Sat Sep 4 15:46:42 2021 UTC (2 years, 6 months ago) by bsiegert
Branch: MAIN
Changes since 1.126: +2 -2 lines
Make go 1.17 the default. I ran a bulk build and found three packages that broke. Two are fixed. I don't know how to fix net/amazon-ecs-cli, but it did not build for me on Go 1.16 either, so it is not a direct regression.
Revision 1.126, Sun Aug 22 14:18:51 2021 UTC (2 years, 7 months ago) by bsiegert
Branch: MAIN
Changes since 1.125: +1 -2 lines
We say goodbye to go115. go115 became EOL upstream as soon as 1.17 was released.
Revision 1.125, Sun Aug 22 13:10:18 2021 UTC (2 years, 7 months ago) by bsiegert
Branch: MAIN
Changes since 1.124: +2 -1 lines
Add Go 1.17.
Some relevant changes:
- new register-based calling convention (not on NetBSD though IIUC)
- new language feature to cast slices into array pointers
- the usual amount of bugfixes
Revision 1.124, Wed Aug 11 19:00:24 2021 UTC (2 years, 7 months ago) by bsiegert
Branch: MAIN
Changes since 1.123: +2 -2 lines
go116: update to 1.16.7. This minor release includes a security fix according to the new security policy. A net/http/httputil ReverseProxy can panic due to a race condition if its Handler aborts with ErrAbortHandler, for example due to an error in copying the response body. An attacker might be able to force the conditions leading to the race condition. This is issue https://golang.org/issue/46866 and CVE-2021-36221. Thanks to Andrew Crump (VMware) for reporting this issue.
Revision 1.123, Wed Aug 11 16:46:48 2021 UTC (2 years, 7 months ago) by bsiegert
Branch: MAIN
Changes since 1.122: +2 -2 lines
go115: update to 1.15.15. This minor release includes a security fix according to the new security policy. A net/http/httputil ReverseProxy can panic due to a race condition if its Handler aborts with ErrAbortHandler, for example due to an error in copying the response body. An attacker might be able to force the conditions leading to the race condition. This is issue https://golang.org/issue/46866 and CVE-2021-36221. Thanks to Andrew Crump (VMware) for reporting this issue.
Revision 1.122 / (download) - annotate - [select for diffs], Tue Jul 13 10:12:00 2021 UTC (2 years, 8 months ago) by bsiegert
Branch: MAIN
Changes since 1.121: +2 -2 lines
Diff to previous 1.121 (colored) to selected 1.56 (colored)
Update go116 to 1.16.6. This minor release includes a security fix according to the new security policy. crypto/tls clients can panic when provided a certificate of the wrong type for the negotiated parameters. net/http clients performing HTTPS requests are also affected. The panic can be triggered by an attacker in a privileged network position without access to the server certificate's private key, as long as a trusted ECDSA or Ed25519 certificate for the server exists (or can be issued), or the client is configured with Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher suites (that is, TLS 1.0–1.2 cipher suites without ECDHE), as well as TLS 1.3-only clients, are unaffected. This is issue 47143 and CVE-2021-34558. Thanks to Imre Rad for reporting this issue.
Revision 1.121 / (download) - annotate - [select for diffs], Tue Jul 13 10:05:08 2021 UTC (2 years, 8 months ago) by bsiegert
Branch: MAIN
Changes since 1.120: +2 -2 lines
Diff to previous 1.120 (colored) to selected 1.56 (colored)
Update go115 to 1.15.14. This minor release includes a security fix according to the new security policy. crypto/tls clients can panic when provided a certificate of the wrong type for the negotiated parameters. net/http clients performing HTTPS requests are also affected. The panic can be triggered by an attacker in a privileged network position without access to the server certificate's private key, as long as a trusted ECDSA or Ed25519 certificate for the server exists (or can be issued), or the client is configured with Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher suites (that is, TLS 1.0–1.2 cipher suites without ECDHE), as well as TLS 1.3-only clients, are unaffected. This is issue 47143 and CVE-2021-34558. Thanks to Imre Rad for reporting this issue.
Revision 1.120 / (download) - annotate - [select for diffs], Sat Jun 5 12:40:07 2021 UTC (2 years, 9 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2021Q2-base, pkgsrc-2021Q2
Changes since 1.119: +2 -2 lines
Diff to previous 1.119 (colored) to selected 1.56 (colored)
Update go116 to 1.16.5. go1.16.5 (released 2021-06-03) includes security fixes to the archive/zip, math/big, net, and net/http/httputil packages, as well as bug fixes to the linker, the go command, and the net/http package. See the Go 1.16.5 milestone on our issue tracker for details.
The SetString and UnmarshalText methods of math/big.Rat <https://pkg.go.dev/math/big#Rat> may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents. This is issue <https://github.com/golang/go/issues/44910> and CVE-2021-33198. Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke for reporting it.
ReverseProxy in net/http/httputil <https://pkg.go.dev/net/http/httputil> could be made to forward certain hop-by-hop headers, including Connection. In case the target of the ReverseProxy was itself a reverse proxy, this would let an attacker drop arbitrary headers, including those set by the ReverseProxy.Director. This is issue <https://github.com/golang/go/issues/46313> and CVE-2021-33197. Thanks to Mattias Grenfeldt (https://grenfeldt.dev) and Asta Olofsson for reporting this issue.
The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in net <https://pkg.go.dev/net>, and their respective methods on the Resolver <https://pkg.go.dev/net#Resolver> type may return arbitrary values retrieved from DNS which do not follow the established RFC 1035 <https://datatracker.ietf.org/doc/html/rfc1035> rules for domain names. If these names are used without further sanitization, for instance unsafely included in HTML, they may allow for injection of unexpected content. Note that LookupTXT may still return arbitrary values that could require sanitization before further use. This is issue <https://github.com/golang/go/issues/46241> and CVE-2021-33195. Thanks to Philipp Jeitner and Haya Shulman from Fraunhofer SIT for reporting this issue.
The NewReader and OpenReader functions in archive/zip <https://pkg.go.dev/archive/zip> can cause a panic or an unrecoverable fatal error when reading an archive that claims to contain a large number of files, regardless of its actual size. This is issue <https://github.com/golang/go/issues/46242> and CVE-2021-33196. Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke for reporting it.
Revision 1.119 / (download) - annotate - [select for diffs], Fri Jun 4 16:43:20 2021 UTC (2 years, 9 months ago) by bsiegert
Branch: MAIN
Changes since 1.118: +2 -2 lines
Diff to previous 1.118 (colored) to selected 1.56 (colored)
Update go115 to 1.15.13. go1.15.13 (released 2021-06-03) includes security fixes to the archive/zip, math/big, net, and net/http/httputil packages, as well as bug fixes to the linker, the go command, and the math/big and net/http packages. See the Go 1.15.13 milestone on our issue tracker for details.
The SetString and UnmarshalText methods of math/big.Rat <https://pkg.go.dev/math/big#Rat> may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents. This is issue <https://github.com/golang/go/issues/44910> and CVE-2021-33198. Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke for reporting it.
ReverseProxy in net/http/httputil <https://pkg.go.dev/net/http/httputil> could be made to forward certain hop-by-hop headers, including Connection. In case the target of the ReverseProxy was itself a reverse proxy, this would let an attacker drop arbitrary headers, including those set by the ReverseProxy.Director. This is issue <https://github.com/golang/go/issues/46313> and CVE-2021-33197. Thanks to Mattias Grenfeldt (https://grenfeldt.dev) and Asta Olofsson for reporting this issue.
The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in net <https://pkg.go.dev/net>, and their respective methods on the Resolver <https://pkg.go.dev/net#Resolver> type may return arbitrary values retrieved from DNS which do not follow the established RFC 1035 <https://datatracker.ietf.org/doc/html/rfc1035> rules for domain names. If these names are used without further sanitization, for instance unsafely included in HTML, they may allow for injection of unexpected content. Note that LookupTXT may still return arbitrary values that could require sanitization before further use. This is issue <https://github.com/golang/go/issues/46241> and CVE-2021-33195. Thanks to Philipp Jeitner and Haya Shulman from Fraunhofer SIT for reporting this issue.
The NewReader and OpenReader functions in archive/zip <https://pkg.go.dev/archive/zip> can cause a panic or an unrecoverable fatal error when reading an archive that claims to contain a large number of files, regardless of its actual size. This is issue <https://github.com/golang/go/issues/46242> and CVE-2021-33196. Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke for reporting it.
Revision 1.118 / (download) - annotate - [select for diffs], Fri May 7 18:29:14 2021 UTC (2 years, 10 months ago) by bsiegert
Branch: MAIN
Changes since 1.117: +2 -2 lines
Diff to previous 1.117 (colored) to selected 1.56 (colored)
Update go116 to 1.16.4. go1.16.3 (released 2021/04/01) includes fixes to the compiler, linker, runtime, the go command, and the testing and time packages. See the Go 1.16.3 milestone on our issue tracker for details. go1.16.4 (released 2021/05/06) includes a security fix to the net/http package, as well as bug fixes to the runtime, the compiler, and the archive/zip, time, and syscall packages. See the Go 1.16.4 milestone on our issue tracker for details.
Revision 1.117 / (download) - annotate - [select for diffs], Fri May 7 16:30:41 2021 UTC (2 years, 10 months ago) by bsiegert
Branch: MAIN
Changes since 1.116: +2 -2 lines
Diff to previous 1.116 (colored) to selected 1.56 (colored)
Update go115 to 1.15.12. go1.15.11 (released 2021/04/01) includes fixes to cgo, the compiler, linker, runtime, the go command, and the database/sql and net/http packages. See the Go 1.15.11 milestone on our issue tracker for details. go1.15.12 (released 2021/05/06) includes a security fix to the net/http package, as well as bug fixes to the runtime and the time package. See the Go 1.15.12 milestone on our issue tracker for details.
Revision 1.116 / (download) - annotate - [select for diffs], Sat Mar 20 09:28:34 2021 UTC (3 years ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2021Q1-base, pkgsrc-2021Q1
Changes since 1.115: +1 -3 lines
Diff to previous 1.115 (colored) to selected 1.56 (colored)
We say goodbye to Go 1.14. The policy of the Go project is to support the last two stable branches, so 1.14 is end of life.
Revision 1.115 / (download) - annotate - [select for diffs], Sat Mar 20 09:26:11 2021 UTC (3 years ago) by bsiegert
Branch: MAIN
Changes since 1.114: +2 -4 lines
Diff to previous 1.114 (colored) to selected 1.56 (colored)
Use Go 1.16 as the default version. macOS on ARM has had 1.16 as the default already for a while. The next branch should have it for all OSes. Some build breakage has been fixed already in separate commits. ok before freeze wiz@
Revision 1.114 / (download) - annotate - [select for diffs], Fri Mar 19 17:22:54 2021 UTC (3 years ago) by bsiegert
Branch: MAIN
Changes since 1.113: +2 -2 lines
Diff to previous 1.113 (colored) to selected 1.56 (colored)
Update go115 to 1.15.10. go1.15.8 (released 2021/02/04) includes fixes to the compiler, linker, runtime, the go command, and the net/http package. See the Go 1.15.8 milestone on our issue tracker for details. go1.15.9 (released 2021/03/10) includes security fixes to the encoding/xml package. See the Go 1.15.9 milestone on our issue tracker for details. go1.15.10 (released 2021/03/11) includes fixes to the compiler, the go command, and the net/http, os, syscall, and time packages. See the Go 1.15.10 milestone on our issue tracker for details.
Revision 1.113 / (download) - annotate - [select for diffs], Sun Mar 14 18:15:16 2021 UTC (3 years ago) by bsiegert
Branch: MAIN
Changes since 1.112: +2 -2 lines
Diff to previous 1.112 (colored) to selected 1.56 (colored)
Update go116 to 1.16.2. go1.16.2 (released 2021/03/11) includes fixes to cgo, the compiler, linker, the go command, and the syscall and time packages. See the Go 1.16.2 milestone on our issue tracker for details.
Revision 1.112 / (download) - annotate - [select for diffs], Wed Mar 10 19:55:17 2021 UTC (3 years ago) by bsiegert
Branch: MAIN
Changes since 1.111: +2 -2 lines
Diff to previous 1.111 (colored) to selected 1.56 (colored)
Update go116 to 1.16.1, fixing two security issues:
- encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader
The Decode, DecodeElement, and Skip methods of an xml.Decoder provided by xml.NewTokenDecoder may enter an infinite loop when operating on a custom xml.TokenReader which returns an EOF in the middle of an open XML element. Thanks to Sam Whited for reporting this issue. This issue is CVE-2021-27918 and Go issue golang.org/issue/44913.
- archive/zip: panic when calling Reader.Open
The Reader.Open API, new in Go 1.16, will panic when used on a ZIP archive containing files that start with "../". This issue is CVE-2021-27919 and Go issue golang.org/issue/44916.
Revision 1.111 / (download) - annotate - [select for diffs], Wed Feb 17 08:07:03 2021 UTC (3 years, 1 month ago) by bsiegert
Branch: MAIN
Changes since 1.110: +2 -2 lines
Diff to previous 1.110 (colored) to selected 1.56 (colored)
go116: update to the final 1.16 release
I did not find a detailed changelog from rc1.
Revision 1.110 / (download) - annotate - [select for diffs], Fri Jan 29 17:22:29 2021 UTC (3 years, 1 month ago) by bsiegert
Branch: MAIN
Changes since 1.109: +2 -2 lines
Diff to previous 1.109 (colored) to selected 1.56 (colored)
Update go116 to 1.16 RC1. This RC contains the recent security updates for Go and fixes a number of bugs.
Revision 1.109 / (download) - annotate - [select for diffs], Sat Jan 23 14:07:37 2021 UTC (3 years, 2 months ago) by bsiegert
Branch: MAIN
Changes since 1.108: +2 -2 lines
Diff to previous 1.108 (colored) to selected 1.56 (colored)
Update go115 to 1.15.7.
* cmd/go: packages using cgo can cause arbitrary code execution at build time
The go command may execute arbitrary code at build time when cgo is in use on Windows. This may occur when running "go get" or any other command that builds code. Only users who build untrusted code (and don't execute it) are affected. In addition to Windows users, this can also affect Unix users who have "." listed explicitly in their PATH and are running "go get" or build commands outside of a module or with module mode disabled. Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue. This issue is CVE-2021-3115 and Go issue golang.org/issue/43783. For more background on the cmd/go change and help deciding whether your own programs might have similar issues, see our blog post at https://blog.golang.org/path-security.
* crypto/elliptic: incorrect operations on the P-224 curve
The P224() Curve implementation can in rare circumstances generate incorrect outputs, including returning invalid points from ScalarMult. The crypto/x509 and golang.org/x/crypto/ocsp (but not crypto/tls) packages support P-224 ECDSA keys, but they are not supported by publicly trusted certificate authorities. No other standard library or golang.org/x/crypto package supports or uses the P-224 curve. The incorrect output was found by the elliptic-curve-differential-fuzzer project running on OSS-Fuzz and reported by Philippe Antoine (Catena cyber). This issue is CVE-2021-3114 and Go issue golang.org/issue/43786.
Revision 1.108 / (download) - annotate - [select for diffs], Fri Jan 22 20:08:32 2021 UTC (3 years, 2 months ago) by bsiegert
Branch: MAIN
Changes since 1.107: +2 -2 lines
Diff to previous 1.107 (colored) to selected 1.56 (colored)
Update go114 to 1.14.14.
* cmd/go: packages using cgo can cause arbitrary code execution at build time
The go command may execute arbitrary code at build time when cgo is in use on Windows. This may occur when running "go get" or any other command that builds code. Only users who build untrusted code (and don't execute it) are affected. In addition to Windows users, this can also affect Unix users who have "." listed explicitly in their PATH and are running "go get" or build commands outside of a module or with module mode disabled. Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue. This issue is CVE-2021-3115 and Go issue golang.org/issue/43783. For more background on the cmd/go change and help deciding whether your own programs might have similar issues, see our blog post at https://blog.golang.org/path-security.
* crypto/elliptic: incorrect operations on the P-224 curve
The P224() Curve implementation can in rare circumstances generate incorrect outputs, including returning invalid points from ScalarMult. The crypto/x509 and golang.org/x/crypto/ocsp (but not crypto/tls) packages support P-224 ECDSA keys, but they are not supported by publicly trusted certificate authorities. No other standard library or golang.org/x/crypto package supports or uses the P-224 curve. The incorrect output was found by the elliptic-curve-differential-fuzzer project running on OSS-Fuzz and reported by Philippe Antoine (Catena cyber). This issue is CVE-2021-3114 and Go issue golang.org/issue/43786.
Revision 1.107 / (download) - annotate - [select for diffs], Sat Dec 19 18:03:52 2020 UTC (3 years, 3 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2020Q4-base, pkgsrc-2020Q4
Changes since 1.106: +3 -1 lines
Diff to previous 1.106 (colored) to selected 1.56 (colored)
Default to go116 on Darwin-*-aarch64
Revision 1.106 / (download) - annotate - [select for diffs], Sat Dec 19 17:58:06 2020 UTC (3 years, 3 months ago) by bsiegert
Branch: MAIN
Changes since 1.105: +2 -1 lines
Diff to previous 1.105 (colored) to selected 1.56 (colored)
Add a package for go116-1.16.beta1. Normally, we would not package beta versions, except maybe in pkgsrc-wip. This is different though, since 1.16.beta1 is the first Go version supporting macOS on Apple Silicon. Discussion about this was on tech-pkg@.
Revision 1.105 / (download) - annotate - [select for diffs], Fri Nov 13 18:45:50 2020 UTC (3 years, 4 months ago) by bsiegert
Branch: MAIN
Changes since 1.104: +2 -2 lines
Diff to previous 1.104 (colored) to selected 1.56 (colored)
Update go115 to 1.15.5 (security fix).
- math/big: panic during recursive division of very large numbers
A number of math/big.Int <https://pkg.go.dev/math/big#Int> methods (Div, Exp, DivMod, Quo, Rem, QuoRem, Mod, ModInverse, ModSqrt, Jacobi, and GCD) can panic when provided crafted large inputs. For the panic to happen, the divisor or modulo argument must be larger than 3168 bits (on 32-bit architectures) or 6336 bits (on 64-bit architectures). Multiple math/big.Rat <https://pkg.go.dev/math/big#Rat> methods are similarly affected.
crypto/rsa.VerifyPSS <https://pkg.go.dev/crypto/rsa#VerifyPSS>, crypto/rsa.VerifyPKCS1v15 <https://pkg.go.dev/crypto/rsa#VerifyPKCS1v15>, and crypto/dsa.Verify <https://pkg.go.dev/crypto/dsa#Verify> may panic when provided crafted public keys and signatures. crypto/ecdsa and crypto/elliptic operations may only be affected if custom CurveParams <https://pkg.go.dev/crypto/elliptic#CurveParams> with unusually large field sizes (several times larger than the largest supported curve, P-521) are in use.
Using crypto/x509.Verify on a crafted X.509 certificate chain can lead to a panic, even if the certificates don't chain to a trusted root. The chain can be delivered via a crypto/tls connection to a client, or to a server that accepts and verifies client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected.
Moreover, an application might crash invoking crypto/x509.(*CertificateRequest).CheckSignature on an X.509 certificate request or during a golang.org/x/crypto/otr conversation. Parsing a golang.org/x/crypto/openpgp Entity or verifying a signature may crash. Finally, a golang.org/x/crypto/ssh client can panic due to a malformed host key, while a server could panic if either PublicKeyCallback accepts a malformed public key, or if IsUserAuthority accepts a certificate with a malformed public key.
This issue is CVE-2020-28362 and Go issue golang.org/issue/42552.
- cmd/go: arbitrary code execution at build time through cgo
The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code. This can be caused by malicious gcc flags specified via a #cgo directive, or by a malicious symbol name in a linked object file. These issues are CVE-2020-28367 and CVE-2020-28366, and Go issues golang.org/issue/42556 and golang.org/issue/42559 respectively.
Revision 1.104 / (download) - annotate - [select for diffs], Fri Nov 13 18:27:35 2020 UTC (3 years, 4 months ago) by bsiegert
Branch: MAIN
Changes since 1.103: +2 -2 lines
Diff to previous 1.103 (colored) to selected 1.56 (colored)
Update go114 to 1.14.12 (security fix).
- math/big: panic during recursive division of very large numbers
A number of math/big.Int methods (Div, Exp, DivMod, Quo, Rem, QuoRem, Mod, ModInverse, ModSqrt, Jacobi, and GCD) can panic when provided crafted large inputs. For the panic to happen, the divisor or modulo argument must be larger than 3168 bits (on 32-bit architectures) or 6336 bits (on 64-bit architectures). Multiple math/big.Rat <https://pkg.go.dev/math/big#Rat> methods are similarly affected.
crypto/rsa.VerifyPSS <https://pkg.go.dev/crypto/rsa#VerifyPSS>, crypto/rsa.VerifyPKCS1v15 <https://pkg.go.dev/crypto/rsa#VerifyPKCS1v15>, and crypto/dsa.Verify <https://pkg.go.dev/crypto/dsa#Verify> may panic when provided crafted public keys and signatures. crypto/ecdsa and crypto/elliptic operations may only be affected if custom CurveParams <https://pkg.go.dev/crypto/elliptic#CurveParams> with unusually large field sizes (several times larger than the largest supported curve, P-521) are in use.
Using crypto/x509.Verify on a crafted X.509 certificate chain can lead to a panic, even if the certificates don't chain to a trusted root. The chain can be delivered via a crypto/tls connection to a client, or to a server that accepts and verifies client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected.
Moreover, an application might crash invoking crypto/x509.(*CertificateRequest).CheckSignature on an X.509 certificate request or during a golang.org/x/crypto/otr conversation. Parsing a golang.org/x/crypto/openpgp Entity or verifying a signature may crash. Finally, a golang.org/x/crypto/ssh client can panic due to a malformed host key, while a server could panic if either PublicKeyCallback accepts a malformed public key, or if IsUserAuthority accepts a certificate with a malformed public key.
Thanks to the Go Ethereum team and the OSS-Fuzz project for reporting this. Thanks to Rémy Oudompheng and Robert Griesemer for their help developing and validating the fix. This issue is CVE-2020-28362 and Go issue golang.org/issue/42552.
- cmd/go: arbitrary code execution at build time through cgo
The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code. This can be caused by malicious gcc flags specified via a #cgo directive, or by a malicious symbol name in a linked object file. These issues are CVE-2020-28367 and CVE-2020-28366, and Go issues golang.org/issue/42556 and golang.org/issue/42559 respectively.
Revision 1.103 / (download) - annotate - [select for diffs], Sun Nov 8 20:38:09 2020 UTC (3 years, 4 months ago) by bsiegert
Branch: MAIN
Changes since 1.102: +2 -2 lines
Diff to previous 1.102 (colored) to selected 1.56 (colored)
Update go115 to 1.15.4
go1.15.4 (released 2020/11/05) includes fixes to cgo, the compiler, linker, runtime, and the compress/flate, net/http, reflect, and time packages. See the Go 1.15.4 milestone on our issue tracker for details.
Revision 1.102 / (download) - annotate - [select for diffs], Sun Nov 8 20:12:31 2020 UTC (3 years, 4 months ago) by bsiegert
Branch: MAIN
Changes since 1.101: +2 -2 lines
Diff to previous 1.101 (colored) to selected 1.56 (colored)
Update go114 to 1.14.11
go1.14.11 (released 2020/11/05) includes fixes to the runtime, and the net/http and time packages. See the Go 1.14.11 milestone on our issue tracker for details.
Revision 1.101 / (download) - annotate - [select for diffs], Thu Oct 15 12:43:33 2020 UTC (3 years, 5 months ago) by bsiegert
Branch: MAIN
Changes since 1.100: +2 -2 lines
Diff to previous 1.100 (colored) to selected 1.56 (colored)
Update go115 to 1.15.3. go1.15.2 (released 2020/09/09) includes fixes to the compiler, runtime, documentation, the go command, and the net/mail, os, sync, and testing packages. See the Go 1.15.2 milestone on our issue tracker for details. go1.15.3 (released 2020/10/14) includes fixes to cgo, the compiler, runtime, the go command, and the bytes, plugin, and testing packages. See the Go 1.15.3 milestone on our issue tracker for details.
Revision 1.100 / (download) - annotate - [select for diffs], Thu Oct 15 12:01:14 2020 UTC (3 years, 5 months ago) by bsiegert
Branch: MAIN
Changes since 1.99: +2 -2 lines
Diff to previous 1.99 (colored) to selected 1.56 (colored)
Update go114 to 1.14.10. go1.14.9 (released 2020/09/09) includes fixes to the compiler, linker, runtime, documentation, and the net/http and testing packages. See the Go 1.14.9 milestone on our issue tracker for details. go1.14.10 (released 2020/10/14) includes fixes to the compiler, runtime, and the plugin and testing packages. See the Go 1.14.10 milestone on our issue tracker for details.
Revision 1.99 / (download) - annotate - [select for diffs], Thu Sep 3 07:03:26 2020 UTC (3 years, 6 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2020Q3-base, pkgsrc-2020Q3
Changes since 1.98: +2 -2 lines
Diff to previous 1.98 (colored) to selected 1.56 (colored)
Update go114 to 1.14.8. go1.14.8 (released 2020/09/01) includes security fixes to the net/http/cgi and net/http/fcgi packages. See the Go 1.14.8 milestone on our issue tracker for details.
Revision 1.98 / (download) - annotate - [select for diffs], Thu Sep 3 06:47:21 2020 UTC (3 years, 6 months ago) by bsiegert
Branch: MAIN
Changes since 1.97: +3 -3 lines
Diff to previous 1.97 (colored) to selected 1.56 (colored)
Update go115 to 1.15.1. go1.15.1 (released 2020/09/01) includes security fixes to the net/http/cgi and net/http/fcgi packages. See the Go 1.15.1 milestone on our issue tracker for details.
Revision 1.97 / (download) - annotate - [select for diffs], Fri Aug 21 19:50:22 2020 UTC (3 years, 7 months ago) by bsiegert
Branch: MAIN
Changes since 1.96: +2 -1 lines
Diff to previous 1.96 (colored) to selected 1.56 (colored)
Add a package for Go 1.15. The latest Go release, version 1.15, arrives six months after Go 1.14. Most of its changes are in the implementation of the toolchain, runtime, and libraries. As always, the release maintains the Go 1 promise of compatibility. We expect almost all Go programs to continue to compile and run as before. Go 1.15 includes substantial improvements to the linker, improves allocation for small objects at high core counts, and deprecates X.509 CommonName. GOPROXY now supports skipping proxies that return errors and a new embedded tzdata package has been added. There are no changes to the language.
Revision 1.96 / (download) - annotate - [select for diffs], Fri Aug 14 18:45:56 2020 UTC (3 years, 7 months ago) by bsiegert
Branch: MAIN
Changes since 1.95: +2 -2 lines
Diff to previous 1.95 (colored) to selected 1.56 (colored)
Update go114 to 1.14.7. go1.14.7 (released 2020/08/06) includes security fixes to the encoding/binary package. See the Go 1.14.7 milestone on our issue tracker for details.
Revision 1.95 / (download) - annotate - [select for diffs], Fri Aug 14 18:28:29 2020 UTC (3 years, 7 months ago) by bsiegert
Branch: MAIN
Changes since 1.94: +2 -2 lines
Diff to previous 1.94 (colored) to selected 1.56 (colored)
Update go113 to 1.13.15. go1.13.15 (released 2020/08/06) includes security fixes to the encoding/binary package. See the Go 1.13.15 milestone on our issue tracker for details.
Revision 1.92.2.2 / (download) - annotate - [select for diffs], Mon Jul 20 14:59:01 2020 UTC (3 years, 8 months ago) by spz
Branch: pkgsrc-2020Q2
Changes since 1.92.2.1: +2 -2 lines
Diff to previous 1.92.2.1 (colored) to branchpoint 1.92 (colored) next main 1.93 (colored) to selected 1.56 (colored)
Pullup ticket #6279 - requested by bsiegert
lang/go114: security update
Revisions pulled up:
- lang/go/version.mk 1.94
- lang/go114/PLIST 1.5
- lang/go114/distinfo 1.8
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: bsiegert
Date: Fri Jul 17 17:20:06 UTC 2020
Modified Files:
pkgsrc/lang/go: version.mk
pkgsrc/lang/go114: PLIST distinfo
Log Message:
Update go114 to 1.14.6.
go1.14.5 (released 2020/07/14) includes security fixes to the crypto/x509 and net/http packages. See the Go 1.14.5 milestone on our issue tracker for details.
go1.14.6 (released 2020/07/16) includes fixes to the go command, the compiler, the linker, vet, and the database/sql, encoding/json, net/http, reflect, and testing packages. See the Go 1.14.6 milestone on our issue tracker for details.
To generate a diff of this commit:
cvs rdiff -u -r1.93 -r1.94 pkgsrc/lang/go/version.mk
cvs rdiff -u -r1.4 -r1.5 pkgsrc/lang/go114/PLIST
cvs rdiff -u -r1.7 -r1.8 pkgsrc/lang/go114/distinfo
Revision 1.92.2.1 / (download) - annotate - [select for diffs], Mon Jul 20 14:52:20 2020 UTC (3 years, 8 months ago) by spz
Branch: pkgsrc-2020Q2
Changes since 1.92: +2 -2 lines
Diff to previous 1.92 (colored) to selected 1.56 (colored)
Pullup ticket #6278 - requested by bsiegert
lang/go113: security update
Revisions pulled up:
- lang/go/version.mk 1.93
- lang/go113/PLIST 1.4
- lang/go113/distinfo 1.8
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: bsiegert
Date: Fri Jul 17 17:10:20 UTC 2020
Modified Files:
pkgsrc/lang/go: version.mk
pkgsrc/lang/go113: PLIST distinfo
Log Message:
Update go113 to 1.13.14.
go1.13.12 (released 2020/06/01) includes fixes to the runtime, and the go/types and math/big packages. See the Go 1.13.12 milestone on our issue tracker for details.
go1.13.13 (released 2020/07/14) includes security fixes to the crypto/x509 and net/http packages. See the Go 1.13.13 milestone on our issue tracker for details.
go1.13.14 (released 2020/07/16) includes fixes to the compiler, vet, and the database/sql, net/http, and reflect packages. See the Go 1.13.14 milestone on our issue tracker for details.
To generate a diff of this commit:
cvs rdiff -u -r1.92 -r1.93 pkgsrc/lang/go/version.mk
cvs rdiff -u -r1.3 -r1.4 pkgsrc/lang/go113/PLIST
cvs rdiff -u -r1.7 -r1.8 pkgsrc/lang/go113/distinfo
Revision 1.94 / (download) - annotate - [select for diffs], Fri Jul 17 17:20:05 2020 UTC (3 years, 8 months ago) by bsiegert
Branch: MAIN
Changes since 1.93: +2 -2 lines
Diff to previous 1.93 (colored) to selected 1.56 (colored)
Update go114 to 1.14.6. go1.14.5 (released 2020/07/14) includes security fixes to the crypto/x509 and net/http packages. See the Go 1.14.5 milestone on our issue tracker for details. go1.14.6 (released 2020/07/16) includes fixes to the go command, the compiler, the linker, vet, and the database/sql, encoding/json, net/http, reflect, and testing packages. See the Go 1.14.6 milestone on our issue tracker for details.
Revision 1.93 / (download) - annotate - [select for diffs], Fri Jul 17 17:10:20 2020 UTC (3 years, 8 months ago) by bsiegert
Branch: MAIN
Changes since 1.92: +2 -2 lines
Diff to previous 1.92 (colored) to selected 1.56 (colored)
Update go113 to 1.13.14. go1.13.12 (released 2020/06/01) includes fixes to the runtime, and the go/types and math/big packages. See the Go 1.13.12 milestone on our issue tracker for details. go1.13.13 (released 2020/07/14) includes security fixes to the crypto/x509 and net/http packages. See the Go 1.13.13 milestone on our issue tracker for details. go1.13.14 (released 2020/07/16) includes fixes to the compiler, vet, and the database/sql, net/http, and reflect packages. See the Go 1.13.14 milestone on our issue tracker for details.
Revision 1.92 / (download) - annotate - [select for diffs], Wed Jun 17 09:37:25 2020 UTC (3 years, 9 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2020Q2-base
Branch point for: pkgsrc-2020Q2
Changes since 1.91: +2 -2 lines
Diff to previous 1.91 (colored) to selected 1.56 (colored)
Update go114 to 1.14.4. go1.14.3 (released 2020/05/14) includes fixes to cgo, the compiler, the runtime, and the go/doc and math/big packages. See the Go 1.14.3 milestone on our issue tracker for details. go1.14.4 (released 2020/06/01) includes fixes to the go doc command, the runtime, and the encoding/json and os packages. See the Go 1.14.4 milestone on our issue tracker for details.
Revision 1.91 / (download) - annotate - [select for diffs], Sat May 16 08:33:07 2020 UTC (3 years, 10 months ago) by bsiegert
Branch: MAIN
Changes since 1.90: +2 -2 lines
Diff to previous 1.90 (colored) to selected 1.56 (colored)
Update go113 to 1.13.11. go1.13.11 (released 2020/05/14) includes fixes to the compiler. See the Go 1.13.11 milestone on our issue tracker for details.
Revision 1.90, Fri May 1 16:39:59 2020 UTC (3 years, 10 months ago) by tnn
Branch: MAIN
Changes since 1.89: +7 -2 lines
go/version.mk: now supports aarch64
Revision 1.89, Sun Apr 12 11:09:03 2020 UTC (3 years, 11 months ago) by bsiegert
Branch: MAIN
Changes since 1.88: +2 -3 lines
Update go113 to 1.13.10. go1.13.10 (released 2020/04/08) includes fixes to the go command, the runtime, os/exec, and time packages. See the Go 1.13.10 milestone on our issue tracker for details.
Revision 1.88, Sun Apr 12 09:41:18 2020 UTC (3 years, 11 months ago) by bsiegert
Branch: MAIN
Changes since 1.87: +2 -2 lines
Set 1.14 as default Go version. 1.14.2 is good now :)
Revision 1.87, Thu Apr 9 13:28:38 2020 UTC (3 years, 11 months ago) by bsiegert
Branch: MAIN
Changes since 1.86: +2 -2 lines
Update go114 to 1.14.2. go1.14.2 (released 2020/04/08) includes fixes to cgo, the go command, the runtime, os/exec, and testing packages. See the Go 1.14.2 milestone on our issue tracker for details. From what I know from work, 1.14.1 had a nasty runtime bug that is now fixed.
Revision 1.86, Sat Mar 21 16:51:10 2020 UTC (4 years ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2020Q1-base, pkgsrc-2020Q1
Changes since 1.85: +2 -2 lines
Update go113 to 1.13.9. This release includes fixes to the go command, tools, the runtime, the toolchain, and to the crypto/cipher package. View the release notes for more information: https://golang.org/doc/devel/release.html#go1.13.minor
Revision 1.85, Sat Mar 21 10:07:48 2020 UTC (4 years ago) by bsiegert
Branch: MAIN
Changes since 1.84: +1 -3 lines
Remove GO112_VERSION and GO111_VERSION.
Revision 1.84, Fri Mar 20 19:50:48 2020 UTC (4 years ago) by bsiegert
Branch: MAIN
Changes since 1.83: +2 -2 lines
Update go114 to 1.14.1. This release includes fixes to the go command, tools, the runtime, the toolchain, and to the crypto/cipher package. View the release notes for more information: https://golang.org/doc/devel/release.html#go1.14.minor
Revision 1.83, Thu Feb 27 16:34:31 2020 UTC (4 years, 1 month ago) by bsiegert
Branch: MAIN
Changes since 1.82: +2 -2 lines
Update go113 to 1.13.8. This release includes fixes to the runtime, the crypto/x509, and net/http packages.
Revision 1.82, Thu Feb 27 14:32:57 2020 UTC (4 years, 1 month ago) by bsiegert
Branch: MAIN
Changes since 1.81: +2 -1 lines
Add a package for Go 1.14. The default will remain at 1.13 for the next branch. The latest Go release, version 1.14, arrives six months after Go 1.13. Most of its changes are in the implementation of the toolchain, runtime, and libraries. As always, the release maintains the Go 1 promise of compatibility. We expect almost all Go programs to continue to compile and run as before. See the release notes at https://golang.org/doc/go1.14.
Revision 1.81, Sun Feb 23 19:21:27 2020 UTC (4 years, 1 month ago) by bsiegert
Branch: MAIN
Changes since 1.80: +2 -2 lines
Update go112 to 1.12.7. These releases include fixes to the runtime, the crypto/x509, and net/http packages.
Revision 1.80, Sun Feb 2 09:36:40 2020 UTC (4 years, 1 month ago) by bsiegert
Branch: MAIN
Changes since 1.79: +2 -2 lines
Update go113 to 1.13.7 (security release).

Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte

On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic. The malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected.

Thanks to Project Wycheproof for providing the test cases that led to the discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837. This is also fixed in version v0.0.0-20200124225646-8b5121be2f68 of golang.org/x/crypto/cryptobyte.
Revision 1.79, Sun Feb 2 09:26:39 2020 UTC (4 years, 1 month ago) by bsiegert
Branch: MAIN
Changes since 1.78: +2 -2 lines
Update go112 to 1.12.16 (security release).

Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte

On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic. The malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected.

Thanks to Project Wycheproof for providing the test cases that led to the discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837. This is also fixed in version v0.0.0-20200124225646-8b5121be2f68 of golang.org/x/crypto/cryptobyte.
Revision 1.78, Fri Jan 10 12:56:35 2020 UTC (4 years, 2 months ago) by bsiegert
Branch: MAIN
Changes since 1.77: +2 -2 lines
go: use go113 as the default for building packages. I did a preliminary bulk build to find build failures resulting from this change and fixed the fallout in www/grafana. Everything else seemed to be ok.
Revision 1.77, Fri Jan 10 12:53:01 2020 UTC (4 years, 2 months ago) by bsiegert
Branch: MAIN
Changes since 1.76: +2 -2 lines
Update go112 to 1.12.15. These releases include fixes to the runtime and to the net/http package. The macOS releases enable the Hardened Runtime. See https://golang.org/issue/34986 for details. View the release notes for more information: https://golang.org/doc/devel/release.html#go1.13.minor
Revision 1.76, Fri Jan 10 12:40:43 2020 UTC (4 years, 2 months ago) by bsiegert
Branch: MAIN
Changes since 1.75: +2 -2 lines
Update go113 to 1.13.6. These releases include fixes to the runtime and to the net/http package. The macOS releases enable the Hardened Runtime. See https://golang.org/issue/34986 for details. View the release notes for more information: https://golang.org/doc/devel/release.html#go1.13.minor
Revision 1.75, Fri Dec 13 07:39:33 2019 UTC (4 years, 3 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2019Q4-base, pkgsrc-2019Q4
Changes since 1.74: +2 -2 lines
Update go112 to 1.12.14. go1.12.13 (released 2019/10/31) fixes an issue on macOS 10.15 Catalina where the non-notarized installer and binaries were being rejected by Gatekeeper. Only macOS users who hit this issue need to update. go1.12.14 (released 2019/12/04) includes a fix to the runtime. See the Go 1.12.14 milestone on our issue tracker for details.
Revision 1.74, Mon Dec 9 09:59:31 2019 UTC (4 years, 3 months ago) by jperkin
Branch: MAIN
Changes since 1.73: +8 -6 lines
go: Split *_SUPPORTED variables out into new go-vars.mk. It's not always possible to include go-package.mk earlier than bsd.prefs.mk in a package, for example if the package defines its own do-install target, so move out the *_SUPPORTED variables that need to be included first.
Revision 1.73, Sun Dec 8 14:42:02 2019 UTC (4 years, 3 months ago) by bsiegert
Branch: MAIN
Changes since 1.72: +2 -1 lines
Add go113. I forgot to include this file in the go113 commit, thanks wiz@ for notifying me!
Revision 1.72, Sat Dec 7 18:15:13 2019 UTC (4 years, 3 months ago) by rillig
Branch: MAIN
Changes since 1.71: +4 -1 lines
lang/go: add go to the tools directory

This makes it easier to run the Go compiler from within the build environment created by "bmake build-env".
Revision 1.69.2.1, Sun Nov 17 08:30:02 2019 UTC (4 years, 4 months ago) by spz
Branch: pkgsrc-2019Q3
Changes since 1.69: +2 -2 lines
Pullup ticket #6083 - requested by leot lang/go112: security update lang/go: update available version Revisions pulled up: - lang/go/version.mk 1.70 - lang/go112/PLIST 1.8 - lang/go112/distinfo 1.8 Revision bump for: - archivers/go-xz/Makefile - chat/coyim/Makefile - chat/matterircd/Makefile - databases/go-etcd/Makefile - databases/go-ldap/Makefile - databases/influxdb/Makefile - databases/postgres_exporter/Makefile - databases/prometheus/Makefile - devel/git-lfs/Makefile - devel/go-afero/Makefile - devel/go-amber/Makefile - devel/go-appengine/Makefile - devel/go-assert/Makefile - devel/go-blackfriday/Makefile - devel/go-buffruneio/Makefile - devel/go-cast/Makefile - devel/go-check/Makefile - devel/go-cli/Makefile - devel/go-cobra/Makefile - devel/go-colorable/Makefile - devel/go-colortext/Makefile - devel/go-colour/Makefile - devel/go-consul-api/Makefile - devel/go-debounce/Makefile - devel/go-ed25519/Makefile - devel/go-emoji/Makefile - devel/go-errors/Makefile - devel/go-flags-svent/Makefile - devel/go-fnmatch/Makefile - devel/go-fs/Makefile - devel/go-fsnotify/Makefile - devel/go-fsync/Makefile - devel/go-gitmap/Makefile - devel/go-glog/Makefile - devel/go-gls/Makefile - devel/go-gocode/Makefile - devel/go-godef/Makefile - devel/go-godirwalk/Makefile - devel/go-godotenv/Makefile - devel/go-golang-lru/Makefile - devel/go-goorgeous/Makefile - devel/go-gopkgs/Makefile - devel/go-goptlib/Makefile - devel/go-goreturns/Makefile - devel/go-gox/Makefile - devel/go-hashstructure/Makefile - devel/go-homedir/Makefile - devel/go-humanize/Makefile - devel/go-i18n/Makefile - devel/go-immutable-radix/Makefile - devel/go-ini/Makefile - devel/go-iochan/Makefile - devel/go-isatty/Makefile - devel/go-jwalterweatherman/Makefile - devel/go-kingpin.v3-unstable/Makefile - devel/go-locker/Makefile - devel/go-logrus/Makefile - devel/go-mapstructure/Makefile - devel/go-mapstructure-bep/Makefile - devel/go-mow-cli/Makefile - devel/go-nbreader/Makefile - devel/go-nitro/Makefile - 
devel/go-osext/Makefile - devel/go-pflag/Makefile - devel/go-properties/Makefile - devel/go-protobuf/Makefile - devel/go-purell/Makefile - devel/go-ratelimit/Makefile - devel/go-repr/Makefile - devel/go-review/Makefile - devel/go-sanitized_anchor_name/Makefile - devel/go-shellwords/Makefile - devel/go-shuffle/Makefile - devel/go-siphash/Makefile - devel/go-sync/Makefile - devel/go-sys/Makefile - devel/go-termbox/Makefile - devel/go-testify/Makefile - devel/go-thrift/Makefile - devel/go-tools/Makefile - devel/go-try/Makefile - devel/go-viper/Makefile - devel/go-yaml/Makefile - devel/golint/Makefile - devel/google-api-go-client/Makefile - graphics/go-image/Makefile - graphics/go-imaging/Makefile - graphics/go-resize/Makefile - graphics/go-smartcrop/Makefile - lang/go-hcl/Makefile - mail/postforward/Makefile - math/go-stats/Makefile - math/go-units/Makefile - misc/go-genproto/Makefile - misc/go-genproto-googleapis-rpc/Makefile - net/aws-sdk-go/Makefile - net/dnscrypt-proxy2/Makefile - net/gcloud-golang-metadata/Makefile - net/go-dns/Makefile - net/go-dnstap/Makefile - net/go-framestream/Makefile - net/go-grpc/Makefile - net/go-net/Makefile - net/go-ovh/Makefile - net/go-websocket/Makefile - net/hub/Makefile - net/obfs4proxy/Makefile - net/syncthing/Makefile - pkgtools/pkglint/Makefile - security/2fa/Makefile - security/go-asn1-ber/Makefile - security/go-crypt/Makefile - security/go-crypto/Makefile - security/go-mkcert/Makefile - security/go-oauth2/Makefile - security/go-sftp/Makefile - security/vault/Makefile - sysutils/beats/Makefile - sysutils/consul/Makefile - sysutils/fzf/Makefile - sysutils/goreman/Makefile - sysutils/lf/Makefile - sysutils/node_exporter/Makefile - sysutils/vultr/Makefile - textproc/go-chroma/Makefile - textproc/go-diff/Makefile - textproc/go-glob/Makefile - textproc/go-inflect/Makefile - textproc/go-md2man/Makefile - textproc/go-mmark/Makefile - textproc/go-prose/Makefile - textproc/go-regexp2/Makefile - textproc/go-runewidth/Makefile - 
textproc/go-sentences/Makefile - textproc/go-tablewriter/Makefile - textproc/go-text/Makefile - textproc/sift/Makefile - www/caddy/Makefile - www/gitea/Makefile - www/go-ace/Makefile - www/go-cssmin/Makefile - www/go-gogs-client/Makefile - www/go-gohtml/Makefile - www/go-libsass/Makefile - www/go-minify/Makefile - www/go-parse/Makefile - www/go-spritewell/Makefile - www/go-tocss/Makefile - www/go-toml-burntsushi/Makefile - www/go-toml-pelletier/Makefile - www/go-urlesc/Makefile - www/go-webhooks/Makefile - www/grafana/Makefile - www/hugo/Makefile - www/pup/Makefile

-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: bsiegert
Date: Fri Oct 18 14:48:29 UTC 2019

Modified Files:
pkgsrc/lang/go: version.mk
pkgsrc/lang/go112: PLIST distinfo

Log Message:
Update go112 to 1.12.12. go1.12.11 (released 2019/10/17) includes security fixes to the crypto/dsa package. See the Go 1.12.11 milestone on our issue tracker for details. go1.12.12 (released 2019/10/17) includes fixes to the go command, runtime, syscall and net packages. See the Go 1.12.12 milestone on our issue tracker for details.

To generate a diff of this commit:
cvs rdiff -u -r1.69 -r1.70 pkgsrc/lang/go/version.mk
cvs rdiff -u -r1.7 -r1.8 pkgsrc/lang/go112/PLIST pkgsrc/lang/go112/distinfo
Revision 1.71, Sun Nov 3 19:04:01 2019 UTC (4 years, 4 months ago) by rillig
Branch: MAIN
Changes since 1.70: +12 -12 lines
lang: align variable assignments

pkglint -Wall -F --only aligned --only indent -r

No manual corrections.
Revision 1.70, Fri Oct 18 14:48:29 2019 UTC (4 years, 5 months ago) by bsiegert
Branch: MAIN
Changes since 1.69: +2 -2 lines
Update go112 to 1.12.12. go1.12.11 (released 2019/10/17) includes security fixes to the crypto/dsa package. See the Go 1.12.11 milestone on our issue tracker for details. go1.12.12 (released 2019/10/17) includes fixes to the go command, runtime, syscall and net packages. See the Go 1.12.12 milestone on our issue tracker for details.
Revision 1.69, Thu Sep 26 18:36:46 2019 UTC (4 years, 6 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2019Q3-base
Branch point for: pkgsrc-2019Q3
Changes since 1.68: +2 -2 lines
Update go112 to 1.12.10. Commit ok'd by wiz@ for PMC.

Go 1.12.10:

net/http (through net/textproto) used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If a Go server is used behind an uncommon reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse proxy and the server can interpret the headers differently. This can lead to filter bypasses or request smuggling, the latter if requests from separate clients are multiplexed onto the same upstream connection by the proxy. Such invalid headers are now rejected by Go servers, and passed without normalization to Go client applications.

The issue is CVE-2019-16276 and Go issue golang.org/issue/34540.

Go 1.12.9:

go1.12.9 (released 2019/08/15) includes fixes to the linker, and the os and math/big packages. See the Go 1.12.9 milestone on our issue tracker for details.
Revision 1.68, Tue Sep 17 04:39:20 2019 UTC (4 years, 6 months ago) by dbj
Branch: MAIN
Changes since 1.67: +6 -1 lines
lang/go: on osx 10.9 and earlier, use go110

go 1.11 removed support for osx 10.8 and 10.9
https://github.com/golang/go/issues/23122
Revision 1.67, Wed Aug 14 15:42:52 2019 UTC (4 years, 7 months ago) by bsiegert
Branch: MAIN
Changes since 1.66: +2 -2 lines
go112: update to 1.12.8 (security release).

net/http: Denial of Service vulnerabilities in the HTTP/2 implementation

net/http and golang.org/x/net/http2 servers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes. Servers will now close connections if the send queue accumulates too many control messages. The issues are CVE-2019-9512 and CVE-2019-9514, and Go issue golang.org/issue/33606. Thanks to Jonathan Looney from Netflix for discovering and reporting these issues. This is also fixed in version v0.0.0-20190813141303-74dc4d7220e7 of golang.org/x/net/http2.

net/url: parsing validation issue

url.Parse would accept URLs with malformed hosts, such that the Host field could have arbitrary suffixes that would appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications. Note that URLs with invalid, not numeric ports will now return an error from url.Parse. The issue is CVE-2019-14809 and Go issue golang.org/issue/29098. Thanks to Julian Hector and Nikolai Krein from Cure53, and Adi Cohen (adico.me) for discovering and reporting this issue.
Revision 1.66, Wed Aug 14 15:17:41 2019 UTC (4 years, 7 months ago) by bsiegert
Branch: MAIN
Changes since 1.65: +2 -2 lines
go111: update to 1.11.13 (security release).

net/http: Denial of Service vulnerabilities in the HTTP/2 implementation

net/http and golang.org/x/net/http2 servers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes. Servers will now close connections if the send queue accumulates too many control messages. The issues are CVE-2019-9512 and CVE-2019-9514, and Go issue golang.org/issue/33606. Thanks to Jonathan Looney from Netflix for discovering and reporting these issues. This is also fixed in version v0.0.0-20190813141303-74dc4d7220e7 of golang.org/x/net/http2.

net/url: parsing validation issue

url.Parse would accept URLs with malformed hosts, such that the Host field could have arbitrary suffixes that would appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications. Note that URLs with invalid, not numeric ports will now return an error from url.Parse. The issue is CVE-2019-14809 and Go issue golang.org/issue/29098. Thanks to Julian Hector and Nikolai Krein from Cure53, and Adi Cohen (adico.me) for discovering and reporting this issue.
Revision 1.65, Sun Jul 14 15:19:55 2019 UTC (4 years, 8 months ago) by bsiegert
Branch: MAIN
Changes since 1.64: +2 -2 lines
Update go112 to 1.12.7. This fixes a nasty code-generation bug, among other things: go1.12.6 (released 2019/06/11) includes fixes to the compiler, the linker, the go command, and the crypto/x509, net/http, and os packages. See the Go 1.12.6 milestone on our issue tracker for details. go1.12.7 (released 2019/07/08) includes fixes to cgo, the compiler, and the linker. See the Go 1.12.7 milestone on our issue tracker for details.
Revision 1.64, Sun Jul 14 12:25:18 2019 UTC (4 years, 8 months ago) by bsiegert
Branch: MAIN
Changes since 1.63: +2 -2 lines
Update go111 to 1.11.12. go1.11.11 (released 2019/06/11) includes a fix to the crypto/x509 package. See the Go 1.11.11 milestone on our issue tracker for details. go1.11.12 (released 2019/07/08) includes fixes to the compiler and the linker. See the Go 1.11.12 milestone on our issue tracker for details.
Revision 1.63, Mon May 27 15:16:38 2019 UTC (4 years, 10 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2019Q2-base, pkgsrc-2019Q2
Changes since 1.62: +2 -2 lines
Update go112 to 1.12.5. This release includes fixes to the compiler, the linker, the go command, the runtime, and the os package. Same as for go111, remove the pkg/bootstrap tree from the package.
Revision 1.62, Mon May 27 14:33:10 2019 UTC (4 years, 10 months ago) by bsiegert
Branch: MAIN
Changes since 1.61: +2 -2 lines
Update go111 to 1.11.10. This release includes fixes to the compiler, the linker, the go command, the runtime, and the os package. While here, remove pkg/bootstrap from the package, as it is only used for bootstrapping.
Revision 1.61, Tue Apr 16 18:30:27 2019 UTC (4 years, 11 months ago) by bsiegert
Branch: MAIN
Changes since 1.60: +2 -2 lines
Update go112 to 1.12.4. go1.12.2 (released 2019/04/05) includes fixes to the compiler, the go command, the runtime, and the doc, net, net/http/httputil, and os packages. See the Go 1.12.2 milestone on our issue tracker for details. go1.12.3 (released 2019/04/08) was accidentally released without its intended fix. It is identical to go1.12.2, except for its version number. The intended fix is in go1.12.4. go1.12.4 (released 2019/04/11) fixes an issue where using the prebuilt binary releases on older versions of GNU/Linux led to failures when linking programs that used cgo. Only Linux users who hit this issue need to update.
Revision 1.60, Tue Apr 16 18:13:49 2019 UTC (4 years, 11 months ago) by bsiegert
Branch: MAIN
Changes since 1.59: +2 -2 lines
Update go111 to 1.11.9. go1.11.7 (released 2019/04/05) includes fixes to the runtime and the net packages. See the Go 1.11.7 milestone on our issue tracker for details. go1.11.8 (released 2019/04/08) was accidentally released without its intended fix. It is identical to go1.11.7, except for its version number. The intended fix is in go1.11.9. go1.11.9 (released 2019/04/11) fixes an issue where using the prebuilt binary releases on older versions of GNU/Linux led to failures when linking programs that used cgo. Only Linux users who hit this issue need to update.
Revision 1.59, Sat Mar 16 08:27:56 2019 UTC (5 years ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2019Q1-base, pkgsrc-2019Q1
Changes since 1.58: +2 -2 lines
Update go112 to 1.12.1. go1.12.1 (released 2019/03/14) includes fixes to cgo, the compiler, the go command, and the fmt, net/smtp, os, path/filepath, sync, and text/template packages. See the Go 1.12.1 milestone on our issue tracker for details.
Revision 1.58, Sat Mar 16 08:19:00 2019 UTC (5 years ago) by bsiegert
Branch: MAIN
Changes since 1.57: +2 -2 lines
Update go111 to 1.11.6. go1.11.6 (released 2019/03/14) includes fixes to cgo, the compiler, linker, runtime, go command, and the crypto/x509, encoding/json, net, and net/url packages. See the Go 1.11.6 milestone on our issue tracker for details.
Revision 1.57, Sat Mar 9 10:00:44 2019 UTC (5 years ago) by bsiegert
Branch: MAIN
Changes since 1.56: +2 -2 lines
go: switch default version to 1.12. This means all builds of packages written in Go use 1.12.
Revision 1.56, Sat Mar 9 09:29:30 2019 UTC (5 years ago) by bsiegert
Branch: MAIN
Changes since 1.55: +2 -1 lines
Add a package for Go 1.12. Some of the highlights include opt-in support for TLS 1.3, improved modules support (in preparation for being the default in Go 1.13), support for windows/arm, and improved macOS & iOS forwards compatibility. See https://blog.golang.org/go1.12. In pkgsrc, this is _not_ the default version for Go package builds just yet.
Revision 1.53.2.2, Fri Feb 8 11:31:19 2019 UTC (5 years, 1 month ago) by spz
Branch: pkgsrc-2018Q4
Changes since 1.53.2.1: +2 -2 lines
Pullup ticket #5906 - requested by bsiegert
lang/go111: security update

Revisions pulled up:
- lang/go/version.mk 1.54
- lang/go111/distinfo 1.5

-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: bsiegert
Date: Thu Jan 24 09:26:21 UTC 2019

Modified Files:
pkgsrc/lang/go: version.mk
pkgsrc/lang/go111: distinfo

Log Message:
Update go111 to 1.11.5 (security). This release addresses a recently supported security issue. This DoS vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves may let an attacker craft inputs that consume excessive amounts of CPU. These inputs might be delivered via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private key is reused more than once, the attack can also lead to key recovery. The issue is CVE-2019-6486 and Go issue golang.org/issue/29903. See the Go issue for more details.

To generate a diff of this commit:
cvs rdiff -u -r1.53 -r1.54 pkgsrc/lang/go/version.mk
cvs rdiff -u -r1.4 -r1.5 pkgsrc/lang/go111/distinfo
Revision 1.53.2.1, Fri Feb 8 11:30:52 2019 UTC (5 years, 1 month ago) by spz
Branch: pkgsrc-2018Q4
Changes since 1.53: +2 -2 lines
Pullup ticket #5905 - requested by bsiegert
lang/go110: security update

Revisions pulled up:
- lang/go/version.mk 1.55
- lang/go110/distinfo 1.4

-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: bsiegert
Date: Thu Jan 24 09:33:08 UTC 2019

Modified Files:
pkgsrc/lang/go: version.mk
pkgsrc/lang/go110: distinfo

Log Message:
Update go110 to 1.10.8 (security). This release addresses a recently supported security issue. This DoS vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves may let an attacker craft inputs that consume excessive amounts of CPU. These inputs might be delivered via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private key is reused more than once, the attack can also lead to key recovery. The issue is CVE-2019-6486 and Go issue golang.org/issue/29903. See the Go issue for more details.

To generate a diff of this commit:
cvs rdiff -u -r1.54 -r1.55 pkgsrc/lang/go/version.mk
cvs rdiff -u -r1.3 -r1.4 pkgsrc/lang/go110/distinfo
Revision 1.55, Thu Jan 24 09:33:08 2019 UTC (5 years, 2 months ago) by bsiegert
Branch: MAIN
Changes since 1.54: +2 -2 lines
Update go110 to 1.10.8 (security). This release addresses a recently supported security issue. This DoS vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves may let an attacker craft inputs that consume excessive amounts of CPU. These inputs might be delivered via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private key is reused more than once, the attack can also lead to key recovery. The issue is CVE-2019-6486 and Go issue golang.org/issue/29903. See the Go issue for more details.
Revision 1.54, Thu Jan 24 09:26:21 2019 UTC (5 years, 2 months ago) by bsiegert
Branch: MAIN
Changes since 1.53: +2 -2 lines
Update go111 to 1.11.5 (security). This release addresses a recently supported security issue. This DoS vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves may let an attacker craft inputs that consume excessive amounts of CPU. These inputs might be delivered via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private key is reused more than once, the attack can also lead to key recovery. The issue is CVE-2019-6486 and Go issue golang.org/issue/29903. See the Go issue for more details.
Revision 1.53, Thu Dec 20 17:38:23 2018 UTC (5 years, 3 months ago) by jperkin
Branch: MAIN
CVS Tags: pkgsrc-2018Q4-base
Branch point for: pkgsrc-2018Q4
Changes since 1.52: +2 -2 lines
go: Actually bump to 1.11.4. Unbreaks build.
Revision 1.52, Sat Dec 15 10:23:32 2018 UTC (5 years, 3 months ago) by bsiegert
Branch: MAIN
Changes since 1.51: +2 -2 lines
Update go110 to 1.10.7 (security fix). These releases include fixes to cgo, the compiler, linker, runtime, documentation, go command, and the net/http and go/types packages. They include a fix to a bug introduced in Go 1.11.3 and Go 1.10.6 that broke "go get" for import path patterns containing "...". View the release notes for more information: https://golang.org/doc/devel/release.html#go1.10.minor
Revision 1.51, Mon Nov 12 14:40:21 2018 UTC (5 years, 4 months ago) by jperkin
Branch: MAIN
Changes since 1.50: +2 -1 lines
*: Add CTF_SUPPORTED/CTF_FILES_SKIP where necessary.
Revision 1.50, Mon Nov 12 13:48:45 2018 UTC (5 years, 4 months ago) by jperkin
Branch: MAIN
Changes since 1.49: +3 -2 lines
go: Set STRIP_DEBUG_SUPPORTED=no

Stripping golang binaries renders them useless.
Revision 1.49, Sun Nov 4 18:22:47 2018 UTC (5 years, 4 months ago) by bsiegert
Branch: MAIN
Changes since 1.48: +2 -2 lines
This file was missing from the previous commit. go111-1.11.2.
Revision 1.48 / (download) - annotate - [select for diffs], Sun Nov 4 12:36:09 2018 UTC (5 years, 4 months ago) by bsiegert
Branch: MAIN
Changes since 1.47: +2 -2
lines
Diff to previous 1.47 (colored) to selected 1.56 (colored)
Update go110 to 1.10.5. go1.10.5 (released 2018/11/02) includes fixes to the go command, linker, runtime and the database/sql package. See the Go 1.10.5 milestone on our issue tracker for details.
Revision 1.47 / (download) - annotate - [select for diffs], Fri Oct 26 13:49:23 2018 UTC (5 years, 5 months ago) by leot
Branch: MAIN
Changes since 1.46: +5 -2
lines
Diff to previous 1.46 (colored) to selected 1.56 (colored)
go: Improve PRINT_PLIST_AWK patterns and avoid possible double definition - Move GO_PLATFORM definition in lang/go/version.mk in order that also lang/go* packages can (re)use it - Change PRINT_PLIST_AWK pattern that replaces all ${GO_PLATFORM} and apply it only when ${GO_PLATFORM} is a directory (between two "/"). There are only 3 exceptions to that in lang/go14. Move it to version.mk so lang/go* PLIST can be mostly automatically generated. These changes should help to avoid (most) manual editing of lang/go*/PLIST. Discussed with and thanks to <bsiegert>!
Revision 1.46 / (download) - annotate - [select for diffs], Tue Oct 2 18:19:56 2018 UTC (5 years, 5 months ago) by bsiegert
Branch: MAIN
Changes since 1.45: +2 -2
lines
Diff to previous 1.45 (colored) to selected 1.56 (colored)
Update go111 to 1.11.1. go1.11.1 (released 2018/10/01) includes fixes to the compiler, documentation, go command, runtime, and the crypto/x509, encoding/json, go/types, net, net/http, and reflect packages. See the Go 1.11.1 milestone on our issue tracker for details. Also correct the PLIST and use ln -sf instead of ln -s.
Revision 1.45 / (download) - annotate - [select for diffs], Sat Sep 22 19:44:21 2018 UTC (5 years, 6 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2018Q3-base,
pkgsrc-2018Q3
Changes since 1.44: +15 -2
lines
Diff to previous 1.44 (colored) to selected 1.56 (colored)
Move most of the version selection logic into version.mk. Provide a new variable, GO_PACKAGE_DEP, with the correct dependency on the user-selected Go version, to be used for fixing syncthing and friends.
Revision 1.44 / (download) - annotate - [select for diffs], Tue Sep 18 20:52:11 2018 UTC (5 years, 6 months ago) by bsiegert
Branch: MAIN
Changes since 1.43: +3 -2
lines
Diff to previous 1.43 (colored) to selected 1.56 (colored)
Add a versioned Go 1.10 package as lang/go110. This uses a similar approach as go111. Its revision is one higher than the existing lang/go. Next steps: - make builds use this for dependent packages - delete lang/go to complete the move
Revision 1.43 / (download) - annotate - [select for diffs], Tue Sep 18 16:22:14 2018 UTC (5 years, 6 months ago) by bsiegert
Branch: MAIN
Changes since 1.42: +2 -1
lines
Diff to previous 1.42 (colored) to selected 1.56 (colored)
Add Go 1.11 as lang/go111. This installs the go tool as go111; all the supporting files go under $PREFIX/go111, so it does not conflict with other Go versions. Go packages in pkgsrc do not use it to build yet. Changes: There are many changes and improvements to the toolchain, runtime, and libraries, but two features stand out as being especially exciting: modules and WebAssembly support. This release adds preliminary support for a new concept called "modules," an alternative to GOPATH with integrated support for versioning and package distribution. Module support is considered experimental, and there are still a few rough edges to smooth out, so please make liberal use of the issue tracker. Go 1.11 also adds an experimental port to WebAssembly (js/wasm). This allows programmers to compile Go programs to a binary format compatible with four major web browsers.
Revision 1.42 / (download) - annotate - [select for diffs], Mon Aug 27 15:01:09 2018 UTC (5 years, 7 months ago) by bsiegert
Branch: MAIN
Changes since 1.41: +2 -2
lines
Diff to previous 1.41 (colored) to selected 1.56 (colored)
Update Go to 1.10.4. go1.10.4 (released 2018/08/24) includes fixes to the go command, linker, and the net/http, mime/multipart, ld/macho, bytes, and strings packages. See the Go 1.10.4 milestone on our issue tracker for details. pkgsrc note: After the import of Go 1.11, this package will be renamed to lang/go110.
Revision 1.41 / (download) - annotate - [select for diffs], Sun Jul 8 18:40:40 2018 UTC (5 years, 8 months ago) by bsiegert
Branch: MAIN
Changes since 1.40: +2 -2
lines
Diff to previous 1.40 (colored) to selected 1.56 (colored)
Update go19 to 1.9.7, latest on that branch. go1.9.5 (released 2018/03/28) includes fixes to the compiler, go command, and net/http/pprof package. See the Go 1.9.5 milestone on our issue tracker for details. go1.9.6 (released 2018/05/01) includes fixes to the compiler and go command. See the Go 1.9.6 milestone on our issue tracker for details. go1.9.7 (released 2018/06/05) includes fixes to the go command, and the crypto/x509, and strings packages. In particular, it adds minimal support to the go command for the vgo transition. See the Go 1.9.7 milestone on our issue tracker for details.
Revision 1.40 / (download) - annotate - [select for diffs], Sun Jul 8 18:00:56 2018 UTC (5 years, 8 months ago) by bsiegert
Branch: MAIN
Changes since 1.39: +2 -1
lines
Diff to previous 1.39 (colored) to selected 1.56 (colored)
Forgot this in the last commit. Add GO19_VERSION.
Revision 1.39 / (download) - annotate - [select for diffs], Sun Jul 8 13:53:42 2018 UTC (5 years, 8 months ago) by bsiegert
Branch: MAIN
Changes since 1.38: +5 -1
lines
Diff to previous 1.38 (colored) to selected 1.56 (colored)
Move definition of $GO to version.mk. We have some packages, like mongodb-tools, that cannot include go-package.mk but need to call the go tool.
Revision 1.38 / (download) - annotate - [select for diffs], Tue Jun 12 17:37:59 2018 UTC (5 years, 9 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2018Q2-base,
pkgsrc-2018Q2
Changes since 1.37: +2 -2
lines
Diff to previous 1.37 (colored) to selected 1.56 (colored)
Update Go to 1.10.3. go1.10.3 (released 2018/06/05) includes fixes to the go command, and the crypto/tls, crypto/x509, and strings packages. In particular, it adds minimal support to the go command for the vgo transition. See the Go 1.10.3 milestone on our issue tracker for details.
Revision 1.37 / (download) - annotate - [select for diffs], Fri May 4 18:07:40 2018 UTC (5 years, 10 months ago) by bsiegert
Branch: MAIN
Changes since 1.36: +2 -2
lines
Diff to previous 1.36 (colored) to selected 1.56 (colored)
Update Go to 1.10.2. As far as I can see, only non-security-relevant bugfixes. go1.10.2 (released 2018/05/01) includes fixes to the compiler, linker, and go command. See the Go 1.10.2 milestone on our issue tracker for details.
Revision 1.36 / (download) - annotate - [select for diffs], Fri Mar 30 11:52:18 2018 UTC (6 years ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2018Q1-base,
pkgsrc-2018Q1
Changes since 1.35: +2 -2
lines
Diff to previous 1.35 (colored) to selected 1.56 (colored)
Update Go to 1.10.1. This fixes a security issue (https://github.com/golang/go/issues/23867). Also: These releases include fixes to the compiler, runtime, go command, and the archive/zip, crypto/tls, crypto/x509, encoding/json, net, net/http, and net/http/pprof packages. ok wiz@ for committing during freeze
Revision 1.35 / (download) - annotate - [select for diffs], Sun Mar 4 12:54:06 2018 UTC (6 years ago) by bsiegert
Branch: MAIN
Changes since 1.34: +2 -2
lines
Diff to previous 1.34 (colored) to selected 1.56 (colored)
Update Go to 1.10. Via wip. Full release notes at https://golang.org/doc/go1.10. The latest Go release, version 1.10, arrives six months after Go 1.9. Most of its changes are in the implementation of the toolchain, runtime, and libraries. As always, the release maintains the Go 1 promise of compatibility. We expect almost all Go programs to continue to compile and run as before. This release improves caching of built packages, adds caching of successful test results, runs vet automatically during tests, and permits passing string values directly between Go and C using cgo. A new compiler option whitelist may cause unexpected invalid flag errors in code that built successfully with older releases. As announced in the Go 1.9 release notes, Go 1.10 now requires FreeBSD 10.3 or later; support for FreeBSD 9.3 has been removed. Go now runs on NetBSD again but requires the unreleased NetBSD 8. Only GOARCH amd64 and 386 have been fixed. The arm port is still broken. On 32-bit MIPS systems, the new environment variable settings GOMIPS=hardfloat (the default) and GOMIPS=softfloat select whether to use hardware instructions or software emulation for floating-point computations. Go 1.10 is the last release that will run on OpenBSD 6.0. Go 1.11 will require OpenBSD 6.2. Go 1.10 is the last release that will run on OS X 10.8 Mountain Lion or OS X 10.9 Mavericks. Go 1.11 will require OS X 10.10 Yosemite or later. Go 1.10 is the last release that will run on Windows XP or Windows Vista. Go 1.11 will require Windows 7 or later.
Revision 1.30.2.1 / (download) - annotate - [select for diffs], Sat Feb 24 11:16:59 2018 UTC (6 years, 1 month ago) by spz
Branch: pkgsrc-2017Q4
Changes since 1.30: +9 -4
lines
Diff to previous 1.30 (colored) next main 1.31 (colored) to selected 1.56 (colored)
Pullup ticket #5703 - requested by bsiegert lang/go: security update Revisions pulled up: - lang/go/Makefile 1.59-1.60 - lang/go/PLIST 1.35-1.38 - lang/go/distinfo 1.54-1.57 - lang/go/patches/patch-src_cmd_dist_util.go 1.1 - lang/go/patches/patch-src_cmd_link_internal_ld_elf.go 1.1-1.2 - lang/go/patches/patch-src_runtime_os__netbsd.go 1.3 - lang/go/patches/patch-src_runtime_rt0__netbsd__arm.s 1.1 - lang/go/version.mk 1.31-1.32,1.34 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: christos Date: Sat Jan 20 16:55:06 UTC 2018 Modified Files: pkgsrc/lang/go: Makefile PLIST distinfo version.mk Added Files: pkgsrc/lang/go/patches: patch-src_cmd_dist_util.go patch-src_cmd_link_internal_ld_elf.go patch-src_runtime_os__netbsd.go patch-src_runtime_rt0__netbsd__arm.s Log Message: Add Yasushi Oshima patches for arm from: https://github.com/oshimaya/pkgsrc/tree/master/lang/go To generate a diff of this commit: cvs rdiff -u -r1.58 -r1.59 pkgsrc/lang/go/Makefile cvs rdiff -u -r1.34 -r1.35 pkgsrc/lang/go/PLIST cvs rdiff -u -r1.53 -r1.54 pkgsrc/lang/go/distinfo cvs rdiff -u -r1.30 -r1.31 pkgsrc/lang/go/version.mk cvs rdiff -u -r0 -r1.1 pkgsrc/lang/go/patches/patch-src_cmd_dist_util.go \ pkgsrc/lang/go/patches/patch-src_cmd_link_internal_ld_elf.go \ pkgsrc/lang/go/patches/patch-src_runtime_rt0__netbsd__arm.s cvs rdiff -u -r0 -r1.3 pkgsrc/lang/go/patches/patch-src_runtime_os__netbsd.go ------------------------------------------------------------------- Module Name: pkgsrc Committed By: ryoon Date: Sun Jan 21 01:28:39 UTC 2018 Modified Files: pkgsrc/lang/go: PLIST Log Message: Fix packaging To generate a diff of this commit: cvs rdiff -u -r1.35 -r1.36 pkgsrc/lang/go/PLIST ------------------------------------------------------------------- Module Name: pkgsrc Committed By: christos Date: Sat Jan 20 18:13:25 UTC 2018 Modified Files: pkgsrc/lang/go: distinfo pkgsrc/lang/go/patches: patch-src_cmd_link_internal_ld_elf.go Log Message: fix 
the path To generate a diff of this commit: cvs rdiff -u -r1.54 -r1.55 pkgsrc/lang/go/distinfo cvs rdiff -u -r1.1 -r1.2 \ pkgsrc/lang/go/patches/patch-src_cmd_link_internal_ld_elf.go ------------------------------------------------------------------- Module Name: pkgsrc Committed By: bsiegert Date: Sun Jan 28 11:31:03 UTC 2018 Modified Files: pkgsrc/lang/go: Makefile PLIST distinfo version.mk Log Message: Update Go to 1.9.3. This release includes fixes to the compiler, runtime, and the database/sql, math/big, net/http, and net/url packages. View the release notes for more information: https://golang.org/doc/devel/release.html#go1.9.minor To generate a diff of this commit: cvs rdiff -u -r1.59 -r1.60 pkgsrc/lang/go/Makefile cvs rdiff -u -r1.36 -r1.37 pkgsrc/lang/go/PLIST cvs rdiff -u -r1.55 -r1.56 pkgsrc/lang/go/distinfo cvs rdiff -u -r1.31 -r1.32 pkgsrc/lang/go/version.mk ------------------------------------------------------------------- Module Name: pkgsrc Committed By: bsiegert Date: Thu Feb 8 19:32:17 UTC 2018 Modified Files: pkgsrc/lang/go: PLIST distinfo version.mk Log Message: Update Go to 1.9.4. By using the clang or gcc plugin mechanism, it was possible for an attacker to trick the "go get" command into executing arbitrary code. The go command now restricts the set of allowed host compiler and linker arguments in cgo source files to a list of allowed flags, in particular disallowing -fplugin= and -plugin=. The issue is CVE-2018-6574 and Go issue golang.org/issue/23672. See the Go issue for details. Thanks to Christopher Brown of Mattermost for reporting this problem. To generate a diff of this commit: cvs rdiff -u -r1.37 -r1.38 pkgsrc/lang/go/PLIST cvs rdiff -u -r1.56 -r1.57 pkgsrc/lang/go/distinfo cvs rdiff -u -r1.33 -r1.34 pkgsrc/lang/go/version.mk
Revision 1.34 / (download) - annotate - [select for diffs], Thu Feb 8 19:32:17 2018 UTC (6 years, 1 month ago) by bsiegert
Branch: MAIN
Changes since 1.33: +2 -2
lines
Diff to previous 1.33 (colored) to selected 1.56 (colored)
Update Go to 1.9.4. By using the clang or gcc plugin mechanism, it was possible for an attacker to trick the "go get" command into executing arbitrary code. The go command now restricts the set of allowed host compiler and linker arguments in cgo source files to a list of allowed flags, in particular disallowing -fplugin= and -plugin=. The issue is CVE-2018-6574 and Go issue golang.org/issue/23672. See the Go issue for details. Thanks to Christopher Brown of Mattermost for reporting this problem.
Revision 1.33 / (download) - annotate - [select for diffs], Tue Jan 30 17:05:21 2018 UTC (6 years, 1 month ago) by jperkin
Branch: MAIN
Changes since 1.32: +3 -1
lines
Diff to previous 1.32 (colored) to selected 1.56 (colored)
go*: Disable SSP support completely. It's not supported by the go linker, and can cause issues when building third-party modules if the SSP libraries are handled by pkgsrc.
Revision 1.32 / (download) - annotate - [select for diffs], Sun Jan 28 11:31:03 2018 UTC (6 years, 2 months ago) by bsiegert
Branch: MAIN
Changes since 1.31: +2 -2
lines
Diff to previous 1.31 (colored) to selected 1.56 (colored)
Update Go to 1.9.3. This release includes fixes to the compiler, runtime, and the database/sql, math/big, net/http, and net/url packages. View the release notes for more information: https://golang.org/doc/devel/release.html#go1.9.minor
Revision 1.31 / (download) - annotate - [select for diffs], Sat Jan 20 16:55:05 2018 UTC (6 years, 2 months ago) by christos
Branch: MAIN
Changes since 1.30: +8 -3
lines
Diff to previous 1.30 (colored) to selected 1.56 (colored)
Add Yasushi Oshima patches for arm from: https://github.com/oshimaya/pkgsrc/tree/master/lang/go
Revision 1.30 / (download) - annotate - [select for diffs], Sat Oct 28 18:20:14 2017 UTC (6 years, 5 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2017Q4-base
Branch point for: pkgsrc-2017Q4
Changes since 1.29: +2 -2
lines
Diff to previous 1.29 (colored) to selected 1.56 (colored)
Update Go to 1.9.2. This release includes fixes to the compiler, linker, runtime, documentation, go command, and the crypto/x509, database/sql, log, and net/smtp packages. It includes a fix to a bug introduced in Go 1.9.1 that broke "go get" of non-Git repositories under certain conditions.
Revision 1.28.4.1 / (download) - annotate - [select for diffs], Mon Oct 9 12:30:42 2017 UTC (6 years, 5 months ago) by spz
Branch: pkgsrc-2017Q3
Changes since 1.28: +2 -2
lines
Diff to previous 1.28 (colored) next main 1.29 (colored) to selected 1.56 (colored)
Pullup ticket #5565 - requested by sevan lang/go: security update Revisions pulled up: - lang/go/distinfo 1.52 - lang/go/version.mk 1.29 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: bsiegert Date: Fri Oct 6 18:38:25 UTC 2017 Modified Files: pkgsrc/lang/go: distinfo version.mk Log Message: Update Go to 1.9.1 (security fix). Two security-related issues were recently reported. To address this issue, we have just released Go 1.8.4 and Go 1.9.1. We recommend that all users update to one of these releases (if you're not sure which, choose Go 1.9.1). The issues addressed by these releases are: By nesting a git checkout inside another version control repository, it was possible for an attacker to trick the "go get" command into executing arbitrary code. The go command now refuses to use version control checkouts found inside other version control systems, with an exception for git submodules (git inside git). The issue is tracked as https://golang.org/issue/22125 (Go 1.8.4) and https://golang.org/issue/22131 (Go 1.9.1). Fixes are linked from the issues. Thanks to Simon Rawet for the report. In the smtp package, PlainAuth is documented as sending credentials only over authenticated, encrypted TLS connections, but it was changed in Go 1.1 to also send credentials on non-TLS connections when the remote server advertises that PLAIN authentication is supported. The change was meant to allow use of PLAIN authentication on localhost, but it has the effect of allowing a man-in-the-middle attacker to harvest credentials. PlainAuth now requires either TLS or a localhost connection before sending credentials, regardless of what the remote server claims. This issue is tracked as https://golang.org/issue/22134 (Go 1.8.4) and https://golang.org/issue/22133 (Go 1.9.1). Fixes are linked from the issues. Thanks to Stevie Johnstone for the report. 
To generate a diff of this commit: cvs rdiff -u -r1.51 -r1.52 pkgsrc/lang/go/distinfo cvs rdiff -u -r1.28 -r1.29 pkgsrc/lang/go/version.mk
Revision 1.29 / (download) - annotate - [select for diffs], Fri Oct 6 18:38:25 2017 UTC (6 years, 5 months ago) by bsiegert
Branch: MAIN
Changes since 1.28: +2 -2
lines
Diff to previous 1.28 (colored) to selected 1.56 (colored)
Update Go to 1.9.1 (security fix). Two security-related issues were recently reported. To address this issue, we have just released Go 1.8.4 and Go 1.9.1. We recommend that all users update to one of these releases (if you're not sure which, choose Go 1.9.1). The issues addressed by these releases are: By nesting a git checkout inside another version control repository, it was possible for an attacker to trick the "go get" command into executing arbitrary code. The go command now refuses to use version control checkouts found inside other version control systems, with an exception for git submodules (git inside git). The issue is tracked as https://golang.org/issue/22125 (Go 1.8.4) and https://golang.org/issue/22131 (Go 1.9.1). Fixes are linked from the issues. Thanks to Simon Rawet for the report. In the smtp package, PlainAuth is documented as sending credentials only over authenticated, encrypted TLS connections, but it was changed in Go 1.1 to also send credentials on non-TLS connections when the remote server advertises that PLAIN authentication is supported. The change was meant to allow use of PLAIN authentication on localhost, but it has the effect of allowing a man-in-the-middle attacker to harvest credentials. PlainAuth now requires either TLS or a localhost connection before sending credentials, regardless of what the remote server claims. This issue is tracked as https://golang.org/issue/22134 (Go 1.8.4) and https://golang.org/issue/22133 (Go 1.9.1). Fixes are linked from the issues. Thanks to Stevie Johnstone for the report.
Revision 1.28 / (download) - annotate - [select for diffs], Sun Sep 3 07:12:07 2017 UTC (6 years, 6 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2017Q3-base
Branch point for: pkgsrc-2017Q3
Changes since 1.27: +2 -2
lines
Diff to previous 1.27 (colored) to selected 1.56 (colored)
Update Go to 1.9. The latest Go release, version 1.9, arrives six months after Go 1.8 and is the tenth release in the Go 1.x series. There are two changes to the language: adding support for type aliases and defining when implementations may fuse floating point operations. Most of the changes are in the implementation of the toolchain, runtime, and libraries. As always, the release maintains the Go 1 promise of compatibility. We expect almost all Go programs to continue to compile and run as before. The release adds transparent monotonic time support, parallelizes compilation of functions within a package, better supports test helper functions, includes a new bit manipulation package, and has a new concurrent map type. There are some instabilities on FreeBSD that are known but not understood. These can lead to program crashes in rare cases. See issue 15658. Any help in solving this FreeBSD-specific issue would be appreciated. Go stopped running NetBSD builders during the Go 1.9 development cycle due to NetBSD kernel crashes, up to and including NetBSD 7.1. As Go 1.9 is being released, NetBSD 7.1.1 is being released with a fix. However, at this time we have no NetBSD builders passing our test suite. Any help investigating the various NetBSD issues would be appreciated.
Revision 1.23.2.2 / (download) - annotate - [select for diffs], Thu May 25 21:11:03 2017 UTC (6 years, 10 months ago) by spz
Branch: pkgsrc-2017Q1
Changes since 1.23.2.1: +1 -1
lines
Diff to previous 1.23.2.1 (colored) to branchpoint 1.23 (colored) next main 1.24 (colored) to selected 1.56 (colored)
Pullup ticket #5433 - requested by bsiegert lang/go: security update Revisions pulled up: - lang/go/Makefile 1.52 - lang/go/distinfo 1.49 - lang/go/version.mk 1.26 - lang/go/PLIST 1.31 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: bsiegert Date: Thu May 25 09:06:43 UTC 2017 Modified Files: pkgsrc/lang/go: Makefile distinfo version.mk Log Message: SECURITY: Update Go to 1.8.2, fixing CVE-2017-8932, carry bug in x86-64 P-256. A security-related issue was recently reported in Go's crypto/elliptic package. To address this issue, we have just released Go 1.7.6 and Go 1.8.2. The Go team would like to thank Vlad Krasnov and Filippo Valsorda at Cloudflare for reporting the issue and providing a fix. The issue affects Go's P-256 implementation on the 64-bit x86 architecture. This is CVE-2017-8932 and was addressed by this change: https://golang.org/cl/41070, tracked in this issue: https://golang.org/issue/20040 To generate a diff of this commit: cvs rdiff -u -r1.51 -r1.52 pkgsrc/lang/go/Makefile cvs rdiff -u -r1.48 -r1.49 pkgsrc/lang/go/distinfo cvs rdiff -u -r1.25 -r1.26 pkgsrc/lang/go/version.mk ------------------------------------------------------------------- Module Name: pkgsrc Committed By: wen Date: Sun Apr 9 08:23:43 UTC 2017 Modified Files: pkgsrc/lang/go: PLIST distinfo version.mk Log Message: Update to 1.8.1 Upstream changes: go1.8.1 (released 2017/04/07) includes fixes to the compiler, linker, runtime, documentation, go command and the crypto/tls, encoding/xml, image/png, net, net/http, reflect, text/template, and time packages. See the Go 1.8.1 milestone on our issue tracker for details. To generate a diff of this commit: cvs rdiff -u -r1.30 -r1.31 pkgsrc/lang/go/PLIST cvs rdiff -u -r1.44 -r1.45 pkgsrc/lang/go/distinfo cvs rdiff -u -r1.23 -r1.24 pkgsrc/lang/go/version.mk
Revision 1.27 / (download) - annotate - [select for diffs], Thu May 25 09:24:21 2017 UTC (6 years, 10 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2017Q2-base,
pkgsrc-2017Q2
Changes since 1.26: +2 -2
lines
Diff to previous 1.26 (colored) to selected 1.56 (colored)
Update Go to 1.8.3, a non-security release. This release includes fixes to the compiler, runtime, documentation, and the database/sql package. https://golang.org/doc/devel/release.html#go1.8.minor It also includes the security fix to the crypto/elliptic package from Go 1.8.2.
Revision 1.26 / (download) - annotate - [select for diffs], Thu May 25 09:06:43 2017 UTC (6 years, 10 months ago) by bsiegert
Branch: MAIN
Changes since 1.25: +2 -2
lines
Diff to previous 1.25 (colored) to selected 1.56 (colored)
SECURITY: Update Go to 1.8.2, fixing CVE-2017-8932, carry bug in x86-64 P-256. A security-related issue was recently reported in Go's crypto/elliptic package. To address this issue, we have just released Go 1.7.6 and Go 1.8.2. The Go team would like to thank Vlad Krasnov and Filippo Valsorda at Cloudflare for reporting the issue and providing a fix. The issue affects Go's P-256 implementation on the 64-bit x86 architecture. This is CVE-2017-8932 and was addressed by this change: https://golang.org/cl/41070, tracked in this issue: https://golang.org/issue/20040
Revision 1.23.2.1 / (download) - annotate - [select for diffs], Mon May 1 09:55:46 2017 UTC (6 years, 10 months ago) by bsiegert
Branch: pkgsrc-2017Q1
Changes since 1.23: +2 -2
lines
Diff to previous 1.23 (colored) to selected 1.56 (colored)
Pullup ticket #5392 - requested by sevan lang/go: build fix Revisions pulled up: - lang/go/version.mk 1.25 --- Module Name: pkgsrc Committed By: maya Date: Sun Apr 30 23:02:09 UTC 2017 Modified Files: pkgsrc/lang/go: version.mk Log Message: go: match even more ARM with wildcards part 1 of PR pkg/52178 from aikchar
Revision 1.25 / (download) - annotate - [select for diffs], Sun Apr 30 23:02:09 2017 UTC (6 years, 10 months ago) by maya
Branch: MAIN
Changes since 1.24: +2 -2
lines
Diff to previous 1.24 (colored) to selected 1.56 (colored)
go: match even more ARM with wildcards part 1 of PR pkg/52178 from aikchar
Revision 1.24 / (download) - annotate - [select for diffs], Sun Apr 9 08:23:43 2017 UTC (6 years, 11 months ago) by wen
Branch: MAIN
Changes since 1.23: +2 -2
lines
Diff to previous 1.23 (colored) to selected 1.56 (colored)
Update to 1.8.1 Upstream changes: go1.8.1 (released 2017/04/07) includes fixes to the compiler, linker, runtime, documentation, go command and the crypto/tls, encoding/xml, image/png, net, net/http, reflect, text/template, and time packages. See the Go 1.8.1 milestone on our issue tracker for details.
Revision 1.23 / (download) - annotate - [select for diffs], Wed Mar 15 19:38:09 2017 UTC (7 years ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2017Q1-base
Branch point for: pkgsrc-2017Q1
Changes since 1.22: +2 -2
lines
Diff to previous 1.22 (colored) to selected 1.56 (colored)
Update Go to 1.8. The compiler back end introduced in Go 1.7 for 64-bit x86 is now used on all architectures, and those architectures should see significant performance improvements. For instance, the CPU time required by our benchmark programs was reduced by 20-30% on 32-bit ARM systems. There are also some modest performance improvements in this release for 64-bit x86 systems. The compiler and linker have been made faster. Compile times should be improved by about 15% over Go 1.7. There is still more work to be done in this area: expect faster compilation speeds in future releases. Garbage collection pauses should be significantly shorter, usually under 100 microseconds and often as low as 10 microseconds. The HTTP server adds support for HTTP/2 Push, allowing servers to preemptively send responses to a client. This is useful for minimizing network latency by eliminating roundtrips. The HTTP server also adds support for graceful shutdown, allowing servers to minimize downtime by shutting down only after serving all requests that are in flight. Contexts (added to the standard library in Go 1.7) provide a cancelation and timeout mechanism. Go 1.8 adds support for contexts in more parts of the standard library, including the database/sql and net packages and Server.Shutdown in the net/http package. Go 1.8 includes many more additions, improvements, and fixes. Find the complete set of changes, and more information about the improvements listed above, in the Go 1.8 release notes: https://golang.org/doc/go1.8
Revision 1.22 / (download) - annotate - [select for diffs], Mon Jan 30 03:04:53 2017 UTC (7 years, 1 month ago) by wen
Branch: MAIN
Changes since 1.21: +2 -2
lines
Diff to previous 1.21 (colored) to selected 1.56 (colored)
Update to 1.7.5 Upstream changes: go1.7.5 (released 2017/01/26) includes fixes to the compiler, runtime, and the crypto/x509 and time packages. See the Go 1.7.5 milestone on our issue tracker for details.
Revision 1.17.2.1 / (download) - annotate - [select for diffs], Mon Dec 12 06:50:02 2016 UTC (7 years, 3 months ago) by spz
Branch: pkgsrc-2016Q3
Changes since 1.17: +2 -2
lines
Diff to previous 1.17 (colored) next main 1.18 (colored) to selected 1.56 (colored)
Pullup ticket #5170 - requested by bsiegert lang/go: security update Revisions pulled up: - lang/go/Makefile 1.48 - lang/go/PLIST 1.28 - lang/go/distinfo 1.42,1.41 - lang/go/patches/patch-src_net_http_h2__bundle.go deleted - lang/go/version.mk 1.21,1.18 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: bsiegert Date: Sun Dec 4 16:08:55 UTC 2016 Modified Files: pkgsrc/lang/go: distinfo version.mk Log Message: Update Go to 1.7.4. Two security-related issues were recently reported, and to address these issues we have just released Go 1.6.4 and Go 1.7.4. We recommend that all users update to one of these releases (if you're not sure which, choose Go 1.7.4). The issues addressed by these releases are: On Darwin, user's trust preferences for root certificates were not honored. If the user had a root certificate loaded in their Keychain that was explicitly not trusted, a Go program would still verify a connection using that root certificate. This is addressed by https://golang.org/cl/33721, tracked in https://golang.org/issue/18141. Thanks to Xy Ziemba for identifying and reporting this issue. The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors. This is addressed by https://golang.org/cl/30410, tracked in https://golang.org/issue/17965. Thanks to Simon Rawet for the report. 
To generate a diff of this commit: cvs rdiff -u -r1.41 -r1.42 pkgsrc/lang/go/distinfo cvs rdiff -u -r1.20 -r1.21 pkgsrc/lang/go/version.mk ------------------------------------------------------------------- Module Name: pkgsrc Committed By: bsiegert Date: Thu Oct 27 18:58:00 UTC 2016 Modified Files: pkgsrc/lang/go: Makefile PLIST distinfo version.mk Removed Files: pkgsrc/lang/go/patches: patch-src_net_http_h2__bundle.go Log Message: Update Go to 1.7.3. go1.7.2 should not be used. It was tagged but not fully released. The release was deferred due to a last minute bug report. Use go1.7.3 instead, and refer to the summary of changes below. go1.7.3 (released 2016/10/19) includes fixes to the compiler, runtime, and the crypto/cipher, crypto/tls, net/http, and strings packages. See the Go 1.7.3 milestone on our issue tracker for details. To generate a diff of this commit: cvs rdiff -u -r1.47 -r1.48 pkgsrc/lang/go/Makefile cvs rdiff -u -r1.27 -r1.28 pkgsrc/lang/go/PLIST cvs rdiff -u -r1.40 -r1.41 pkgsrc/lang/go/distinfo cvs rdiff -u -r1.17 -r1.18 pkgsrc/lang/go/version.mk cvs rdiff -u -r1.1 -r0 \ pkgsrc/lang/go/patches/patch-src_net_http_h2__bundle.go
Revision 1.21 / (download) - annotate - [select for diffs], Sun Dec 4 16:08:55 2016 UTC (7 years, 3 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2016Q4-base,
pkgsrc-2016Q4
Changes since 1.20: +2 -2
lines
Diff to previous 1.20 (colored) to selected 1.56 (colored)
Update Go to 1.7.4. Two security-related issues were recently reported, and to address these issues we have just released Go 1.6.4 and Go 1.7.4. We recommend that all users update to one of these releases (if you're not sure which, choose Go 1.7.4). The issues addressed by these releases are: On Darwin, user's trust preferences for root certificates were not honored. If the user had a root certificate loaded in their Keychain that was explicitly not trusted, a Go program would still verify a connection using that root certificate. This is addressed by https://golang.org/cl/33721, tracked in https://golang.org/issue/18141. Thanks to Xy Ziemba for identifying and reporting this issue. The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors. This is addressed by https://golang.org/cl/30410, tracked in https://golang.org/issue/17965. Thanks to Simon Rawet for the report.
Revision 1.20 / (download) - annotate - [select for diffs], Fri Dec 2 20:26:01 2016 UTC (7 years, 3 months ago) by maya
Branch: MAIN
Changes since 1.19: +2 -2
lines
Diff to previous 1.19 (colored) to selected 1.56 (colored)
go: more wildcards for arm my rpi1's machine_platform is ..-earmv6hf and needs this to match
Revision 1.19 / (download) - annotate - [select for diffs], Sun Nov 27 21:07:21 2016 UTC (7 years, 4 months ago) by maya
Branch: MAIN
Changes since 1.18: +3 -3
lines
Diff to previous 1.18 (colored) to selected 1.56 (colored)
go: match more netbsd/arm, which can be machine arch earm, and not just evbarm. PR pkg/51653 Note that this does not resolve the PR, as the build hangs.
Revision 1.18 / (download) - annotate - [select for diffs], Thu Oct 27 18:58:00 2016 UTC (7 years, 5 months ago) by bsiegert
Branch: MAIN
Changes since 1.17: +2 -2
lines
Diff to previous 1.17 (colored) to selected 1.56 (colored)
Update Go to 1.7.3. go1.7.2 should not be used. It was tagged but not fully released. The release was deferred due to a last minute bug report. Use go1.7.3 instead, and refer to the summary of changes below. go1.7.3 (released 2016/10/19) includes fixes to the compiler, runtime, and the crypto/cipher, crypto/tls, net/http, and strings packages. See the Go 1.7.3 milestone on our issue tracker for details.
Revision 1.17 / (download) - annotate - [select for diffs], Sat Sep 10 09:09:23 2016 UTC (7 years, 6 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2016Q3-base
Branch point for: pkgsrc-2016Q3
Changes since 1.16: +2 -2
lines
Diff to previous 1.16 (colored) to selected 1.56 (colored)
Update go to 1.7.1. go1.7.1 (released 2016/09/07) includes fixes to the compiler, runtime, documentation, and the compress/flate, hash/crc32, io, net, net/http, path/filepath, reflect, and syscall packages. See the Go 1.7.1 milestone on our issue tracker for details.
Revision 1.16 / (download) - annotate - [select for diffs], Fri Aug 19 09:38:06 2016 UTC (7 years, 7 months ago) by bsiegert
Branch: MAIN
Changes since 1.15: +2 -2
lines
Diff to previous 1.15 (colored) to selected 1.56 (colored)
Update Go to 1.7. The latest Go release, version 1.7, arrives six months after 1.6. Most of its changes are in the implementation of the toolchain, runtime, and libraries. There is one minor change to the language specification. As always, the release maintains the Go 1 promise of compatibility. We expect almost all Go programs to continue to compile and run as before. There is one tiny language change in this release. The section on terminating statements clarifies that to determine whether a statement list ends in a terminating statement, the "final non-empty statement" is considered the end, matching the existing behavior of the gc and gccgo compiler toolchains. In earlier releases the definition referred only to the "final statement," leaving the effect of trailing empty statements at the least unclear. The go/types package has been updated to match the gc and gccgo compiler toolchains in this respect. This change has no effect on the correctness of existing programs. Go 1.7 adds support for macOS 10.12 Sierra. This support was backported to Go 1.6.3. Binaries built with versions of Go before 1.6.3 will not work correctly on Sierra.
Revision 1.14.2.1 / (download) - annotate - [select for diffs], Wed Jul 20 03:02:31 2016 UTC (7 years, 8 months ago) by spz
Branch: pkgsrc-2016Q2
Changes since 1.14: +2 -2
lines
Diff to previous 1.14 (colored) next main 1.15 (colored) to selected 1.56 (colored)
Pullup ticket #5064 - requested by bsiegert lang/go: security update Revisions pulled up: - lang/go/Makefile 1.43 - lang/go/distinfo 1.37 - lang/go/version.mk 1.15 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: bsiegert Date: Mon Jul 18 20:37:40 UTC 2016 Modified Files: pkgsrc/lang/go: Makefile distinfo version.mk Log Message: Update Go to 1.6.3. A security-related issue was recently reported in Go's net/http/cgi package and net/http package when used in a CGI environment. Go 1.6.3 and Go 1.7rc2 contain a fix for this issue. Go versions 1.0-1.6.2 and 1.7rc1 are vulnerable to an input validation flaw in the CGI components resulting in the HTTP_PROXY environment variable being set by the incoming Proxy header. This environment variable was also used to set the outgoing proxy, enabling an attacker to insert a proxy into outgoing requests of a CGI program. This is CVE-2016-5386 and was addressed by this change: https://golang.org/cl/25010, tracked in this issue: https://golang.org/issue/16405 The Go team would like to thank Dominic Scheirlinck for coordinating disclosure of this issue across multiple languages and CGI environments. Read more about "httpoxy" here: https://httpoxy.org/ Go 1.6.3 also adds support for macOS Sierra. See https://golang.org/issue/16354 for details. To generate a diff of this commit: cvs rdiff -u -r1.42 -r1.43 pkgsrc/lang/go/Makefile cvs rdiff -u -r1.36 -r1.37 pkgsrc/lang/go/distinfo cvs rdiff -u -r1.14 -r1.15 pkgsrc/lang/go/version.mk
Revision 1.15 / (download) - annotate - [select for diffs], Mon Jul 18 20:37:40 2016 UTC (7 years, 8 months ago) by bsiegert
Branch: MAIN
Changes since 1.14: +2 -2
lines
Diff to previous 1.14 (colored) to selected 1.56 (colored)
Update Go to 1.6.3. A security-related issue was recently reported in Go's net/http/cgi package and net/http package when used in a CGI environment. Go 1.6.3 and Go 1.7rc2 contain a fix for this issue. Go versions 1.0-1.6.2 and 1.7rc1 are vulnerable to an input validation flaw in the CGI components resulting in the HTTP_PROXY environment variable being set by the incoming Proxy header. This environment variable was also used to set the outgoing proxy, enabling an attacker to insert a proxy into outgoing requests of a CGI program. This is CVE-2016-5386 and was addressed by this change: https://golang.org/cl/25010, tracked in this issue: https://golang.org/issue/16405 The Go team would like to thank Dominic Scheirlinck for coordinating disclosure of this issue across multiple languages and CGI environments. Read more about "httpoxy" here: https://httpoxy.org/ Go 1.6.3 also adds support for macOS Sierra. See https://golang.org/issue/16354 for details.
Revision 1.14 / (download) - annotate - [select for diffs], Sat Apr 30 11:22:28 2016 UTC (7 years, 10 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2016Q2-base
Branch point for: pkgsrc-2016Q2
Changes since 1.13: +2 -2
lines
Diff to previous 1.13 (colored) to selected 1.56 (colored)
Update Go to 1.6.2. This release includes fixes to the compiler, runtime, tools, documentation, and the mime/multipart, net/http, and sort packages. https://golang.org/doc/devel/release.html#go1.6.minor
Revision 1.13 / (download) - annotate - [select for diffs], Wed Apr 13 07:12:00 2016 UTC (7 years, 11 months ago) by bsiegert
Branch: MAIN
Changes since 1.12: +2 -2
lines
Diff to previous 1.12 (colored) to selected 1.56 (colored)
Update Go to 1.6.1. Two security-related issues were recently reported, and to address these issues we have just released Go 1.6.1 and Go 1.5.4. We recommend that all users update to one of these releases (if you're not sure which, choose Go 1.6.1). The issues addressed by these releases are: On Windows, Go loads system DLLs by name with LoadLibrary, making it vulnerable to DLL preloading attacks. For instance, if a user runs a Go executable from a Downloads folder, malicious DLL files also downloaded to that folder could be loaded into that executable. This is CVE-2016-3958 and was addressed by this change: https://golang.org/cl/21428 Thanks to Taru Karttunen for identifying this issue. Go's crypto libraries passed certain parameters unchecked to the underlying big integer library, possibly leading to extremely long-running computations, which in turn makes Go programs vulnerable to remote denial of service attacks. Programs using HTTPS client certificates or the Go SSH server libraries are both exposed to this vulnerability. This is CVE-2016-3959 and was addressed by this change: https://golang.org/cl/21533 Thanks to David Wong for identifying this issue.
Revision 1.12 / (download) - annotate - [select for diffs], Tue Feb 23 20:12:25 2016 UTC (8 years, 1 month ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2016Q1-base,
pkgsrc-2016Q1
Changes since 1.11: +2 -2
lines
Diff to previous 1.11 (colored) to selected 1.56 (colored)
Update Go to 1.6. The latest Go release, version 1.6, arrives six months after 1.5. Most of its changes are in the implementation of the language, runtime, and libraries. There are no changes to the language specification. As always, the release maintains the Go 1 promise of compatibility. We expect almost all Go programs to continue to compile and run as before. The release adds new ports to Linux on 64-bit MIPS and Android on 32-bit x86; defined and enforced rules for sharing Go pointers with C; transparent, automatic support for HTTP/2; and a new mechanism for template reuse. Full changelog at https://golang.org/doc/go1.6.
Revision 1.11 / (download) - annotate - [select for diffs], Sat Jan 16 09:43:44 2016 UTC (8 years, 2 months ago) by fhajny
Branch: MAIN
Changes since 1.10: +2 -2
lines
Diff to previous 1.10 (colored) to selected 1.56 (colored)
Update lang/go to 1.5.3. This is a security-related release, it fixes CVE-2015-8618 that was partially patched in 1.5.2nb1. See full release notes for a description: https://groups.google.com/d/msg/golang-announce/MEATuOi_ei4/JsndUuZwEAAJ
Revision 1.10 / (download) - annotate - [select for diffs], Thu Dec 10 20:04:54 2015 UTC (8 years, 3 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2015Q4-base,
pkgsrc-2015Q4
Changes since 1.9: +2 -2
lines
Diff to previous 1.9 (colored) to selected 1.56 (colored)
Update Go to 1.5.2, original patch from Kamel Derouiche in PR pkg/50498. go1.5.2 (released 2015/12/02) includes bug fixes to the compiler, linker, and the mime/multipart, net, and runtime packages. See the Go 1.5.2 milestone on our issue tracker for details. https://github.com/golang/go/issues?q=milestone%3AGo1.5.2
Revision 1.8.2.1 / (download) - annotate - [select for diffs], Tue Oct 6 16:37:05 2015 UTC (8 years, 5 months ago) by spz
Branch: pkgsrc-2015Q3
Changes since 1.8: +2 -2
lines
Diff to previous 1.8 (colored) next main 1.9 (colored) to selected 1.56 (colored)
Pullup ticket #4819 - requested by bsiegert lang/go14: security update Revisions pulled up: - lang/go/version.mk 1.9 - lang/go14/Makefile 1.5 - lang/go14/PLIST 1.2 - lang/go14/distinfo 1.3 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: tnn Date: Sun Sep 27 00:36:02 UTC 2015 Modified Files: pkgsrc/lang/go14: Makefile Log Message: more REPLACE_BASH To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 pkgsrc/lang/go14/Makefile ------------------------------------------------------------------- Module Name: pkgsrc Committed By: bsiegert Date: Sat Sep 26 17:37:01 UTC 2015 Modified Files: pkgsrc/lang/go: version.mk pkgsrc/lang/go14: Makefile PLIST distinfo Log Message: Update go14 to 1.4.3. It fixes four security-related issues. The issues were reported in Go's net/http package. They affect programs using that package to proxy HTTP requests. We recommend that all users upgrade to Go 1.5, which fixes these issues. For users unable to upgrade to Go 1.5, we have released version 1.4.3, which is based on Go 1.4.2 plus fixes for these issues. Affected Go programs—those that use the net/http package as a proxy server—must be recompiled with Go 1.5 or Go 1.4.3 to receive the fixes. The CVE issue descriptions and fixes are linked below. CVE-2015-5739 "Content Length" treated as valid header: https://go-review.googlesource.com/#/c/11772/ CVE-2015-5740 Double content-length headers does not return 400 error: https://go-review.googlesource.com/#/c/11810/ CVE-2015-5741 Additional hardening, not sending Content-Length w/Transfer-Encoding, Closing connections: https://go-review.googlesource.com/#/c/11810/ https://go-review.googlesource.com/#/c/12865/ https://go-review.googlesource.com/#/c/13148/ The Go team would like to thank Jed Denlea and Régis Leroy for their contributions to this release. They have been awarded 1337 USD under the Google Security Bounty program.
To generate a diff of this commit: cvs rdiff -u -r1.8 -r1.9 pkgsrc/lang/go/version.mk cvs rdiff -u -r1.3 -r1.4 pkgsrc/lang/go14/Makefile cvs rdiff -u -r1.1 -r1.2 pkgsrc/lang/go14/PLIST cvs rdiff -u -r1.2 -r1.3 pkgsrc/lang/go14/distinfo
Revision 1.9 / (download) - annotate - [select for diffs], Sat Sep 26 17:37:01 2015 UTC (8 years, 6 months ago) by bsiegert
Branch: MAIN
Changes since 1.8: +2 -2
lines
Diff to previous 1.8 (colored) to selected 1.56 (colored)
Update go14 to 1.4.3. It fixes four security-related issues. The issues were reported in Go's net/http package. They affect programs using that package to proxy HTTP requests. We recommend that all users upgrade to Go 1.5, which fixes these issues. For users unable to upgrade to Go 1.5, we have released version 1.4.3, which is based on Go 1.4.2 plus fixes for these issues. Affected Go programs—those that use the net/http package as a proxy server—must be recompiled with Go 1.5 or Go 1.4.3 to receive the fixes. The CVE issue descriptions and fixes are linked below. CVE-2015-5739 "Content Length" treated as valid header: https://go-review.googlesource.com/#/c/11772/ CVE-2015-5740 Double content-length headers does not return 400 error: https://go-review.googlesource.com/#/c/11810/ CVE-2015-5741 Additional hardening, not sending Content-Length w/Transfer-Encoding, Closing connections: https://go-review.googlesource.com/#/c/11810/ https://go-review.googlesource.com/#/c/12865/ https://go-review.googlesource.com/#/c/13148/ The Go team would like to thank Jed Denlea and Régis Leroy for their contributions to this release. They have been awarded 1337 USD under the Google Security Bounty program.
Revision 1.8 / (download) - annotate - [select for diffs], Sun Sep 13 14:24:58 2015 UTC (8 years, 6 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2015Q3-base
Branch point for: pkgsrc-2015Q3
Changes since 1.7: +2 -2
lines
Diff to previous 1.7 (colored) to selected 1.56 (colored)
Update Go to 1.5.1. go1.5.1 (released 2015/09/08) includes bug fixes to the compiler, assembler, and the fmt, net/textproto, net/http, and runtime packages. See the Go 1.5.1 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.5.1
Revision 1.7 / (download) - annotate - [select for diffs], Sat Aug 22 10:51:20 2015 UTC (8 years, 7 months ago) by bsiegert
Branch: MAIN
Changes since 1.6: +2 -2
lines
Diff to previous 1.6 (colored) to selected 1.56 (colored)
Update go to 1.5. This release now needs the previous one (lang/go14) to build. The biggest developments in the implementation are: * The compiler and runtime are now written entirely in Go (with a little assembler). C is no longer involved in the implementation, and so the C compiler that was once necessary for building the distribution is gone. * The garbage collector is now concurrent and provides dramatically lower pause times by running, when possible, in parallel with other goroutines. * By default, Go programs run with GOMAXPROCS set to the number of cores available; in prior releases it defaulted to 1. * Support for internal packages is now provided for all repositories, not just the Go core. * The go command now provides experimental support for "vendoring" external dependencies. * A new go tool trace command supports fine-grained tracing of program execution. * A new go doc command (distinct from godoc) is customized for command-line use. Full release notes are at https://golang.org/doc/go1.5.
Revision 1.6 / (download) - annotate - [select for diffs], Fri Jul 31 14:46:25 2015 UTC (8 years, 7 months ago) by bsiegert
Branch: MAIN
Changes since 1.5: +2 -1
lines
Diff to previous 1.5 (colored) to selected 1.56 (colored)
Create lang/go14 as a copy of lang/go but which installs under $PREFIX/go14. Go 1.5 is going to be released soon, and it will depend on an existing installation of Go 1.4 to compile. So let's provide one.
Revision 1.5 / (download) - annotate - [select for diffs], Sun Feb 22 13:14:09 2015 UTC (9 years, 1 month ago) by mspo
Branch: MAIN
CVS Tags: pkgsrc-2015Q2-base,
pkgsrc-2015Q2,
pkgsrc-2015Q1-base,
pkgsrc-2015Q1
Changes since 1.4: +2 -2
lines
Diff to previous 1.4 (colored) to selected 1.56 (colored)
go1.4.2 (released 2015/02/17) includes bug fixes to the go command, the compiler and linker, and the runtime, syscall, reflect, and math/big packages.
Revision 1.4 / (download) - annotate - [select for diffs], Fri Jan 16 11:27:03 2015 UTC (9 years, 2 months ago) by wiz
Branch: MAIN
Changes since 1.3: +2 -2
lines
Diff to previous 1.3 (colored) to selected 1.56 (colored)
Update to 1.4.1: We've just released Go version 1.4.1, a minor point release. This release fixes bugs in linker and the log, runtime, and syscall packages.
Revision 1.3 / (download) - annotate - [select for diffs], Wed Dec 31 11:40:14 2014 UTC (9 years, 2 months ago) by bsiegert
Branch: MAIN
Changes since 1.2: +5 -5
lines
Diff to previous 1.2 (colored) to selected 1.56 (colored)
Remove special case for golang.org/x/tools from the go command. We handle it differently in the go-tools package. While here, rename GO_COMPILER to GOCHAR, which is the name upstream uses. Bump PKGREVISION.
Revision 1.2 / (download) - annotate - [select for diffs], Fri Dec 12 09:41:40 2014 UTC (9 years, 3 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2014Q4-base,
pkgsrc-2014Q4
Changes since 1.1: +2 -2
lines
Diff to previous 1.1 (colored) to selected 1.56 (colored)
Update to 1.4, ok bsiegert: Today we announce Go 1.4, the fifth major stable release of Go, arriving six months after our previous major release Go 1.3. It contains a small language change, support for more operating systems and processor architectures, and improvements to the tool chain and libraries. As always, Go 1.4 keeps the promise of compatibility, and almost everything will continue to compile and run without change when moved to 1.4. For the full details, see the Go 1.4 release notes. The most notable new feature in this release is official support for Android. Using the support in the core and the libraries in the golang.org/x/mobile repository, it is now possible to write simple Android apps using only Go code. At this stage, the support libraries are still nascent and under heavy development. Early adopters should expect a bumpy ride, but we welcome the community to get involved. The language change is a tweak to the syntax of for-range loops. You may now write "for range s {" to loop over each item from s, without having to assign the value, loop index, or map key. See the release notes for details. The go command has a new subcommand, go generate, to automate the running of tools to generate source code before compilation. For example, it can be used to automate the generation of String methods for typed constants using the new stringer tool. For more information, see the design document. Most programs will run about the same speed or slightly faster in 1.4 than in 1.3; some will be slightly slower. There are many changes, making it hard to be precise about what to expect. See the release notes for more discussion. And, of course, there are many more improvements and bug fixes. In case you missed it, a few weeks ago the sub-repositories were moved to new locations. For example, the go.tools packages are now imported from "golang.org/x/tools". See the announcement post for details. 
This release also coincides with the project's move from Mercurial to Git (for source control), Rietveld to Gerrit (for code review), and Google Code to Github (for issue tracking and wiki). The move affects the core Go repository and its sub-repositories. You can find the canonical Git repositories at go.googlesource.com, and the issue tracker and wiki at the golang/go GitHub repo.
Revision 1.1 / (download) - annotate - [select for diffs], Tue Nov 18 20:39:11 2014 UTC (9 years, 4 months ago) by bsiegert
Branch: MAIN
Diff to selected 1.56 (colored)
Add a separate Makefile for the version string plus GOARCH. To be used by Go packages.