The NetBSD Project

CVS log for pkgsrc/lang/go114/distinfo

[BACK] Up to [cvs.NetBSD.org] / pkgsrc / lang / go114

Request diff between arbitrary revisions


Default branch: MAIN


Revision 1.13 / (download) - annotate - [select for diffs], Fri Nov 13 18:27:35 2020 UTC (2 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2020Q4-base, pkgsrc-2020Q4, HEAD
Changes since 1.12: +5 -5 lines
Diff to previous 1.12 (colored)

Update go114 to 1.14.12 (security fix).

   - math/big: panic during recursive division of very large numbers

A number of math/big.Int methods (Div, Exp, DivMod, Quo, Rem, QuoRem, Mod,
ModInverse, ModSqrt, Jacobi, and GCD) can panic when provided crafted large
inputs. For the panic to happen, the divisor or modulo argument must be larger
than 3168 bits (on 32-bit architectures) or 6336 bits (on 64-bit
architectures). Multiple math/big.Rat <https://pkg.go.dev/math/big#Rat> methods
are similarly affected.

crypto/rsa.VerifyPSS <https://pkg.go.dev/crypto/rsa#VerifyPSS>,
crypto/rsa.VerifyPKCS1v15 <https://pkg.go.dev/crypto/rsa#VerifyPKCS1v15>,
and crypto/dsa.Verify <https://pkg.go.dev/crypto/dsa#Verify> may panic when
provided crafted public keys and signatures. crypto/ecdsa and
crypto/elliptic operations may only be affected if custom CurveParams
<https://pkg.go.dev/crypto/elliptic#CurveParams> with unusually large field
sizes (several times larger than the largest supported curve, P-521) are in
use. Using crypto/x509.Verify on a crafted X.509 certificate chain can lead
to a panic, even if the certificates don chain to a trusted root. The
chain can be delivered via a crypto/tls connection to a client, or to a
server that accepts and verifies client certificates. net/http clients can
be made to crash by an HTTPS server, while net/http servers that accept
client certificates will recover the panic and are unaffected.

Moreover, an application might crash invoking
crypto/x509.(*CertificateRequest).CheckSignature on an X.509 certificate
request or during a golang.org/x/crypto/otr conversation. Parsing a
golang.org/x/crypto/openpgp Entity or verifying a signature may crash.
Finally, a golang.org/x/crypto/ssh client can panic due to a malformed host
key, while a server could panic if either PublicKeyCallback accepts a
malformed public key, or if IsUserAuthority accepts a certificate with a
malformed public key.

Thanks to the Go Ethereum team and the OSS-Fuzz project for reporting this.
Thanks to Rémy Oudompheng and Robert Griesemer for their help developing
and validating the fix.

This issue is CVE-2020-28362 and Go issue golang.org/issue/42552.


   - cmd/go: arbitrary code execution at build time through cgo

The go command may execute arbitrary code at build time when cgo is in use.
This may occur when running go get on a malicious package, or any other
command that builds untrusted code.

This can be caused by malicious gcc flags specified via a #cgo directive,
or by a malicious symbol name in a linked object file.

These issues are CVE-2020-28367 and CVE-2020-28366, and Go issues
golang.org/issue/42556 and golang.org/issue/42559 respectively.

Revision 1.12 / (download) - annotate - [select for diffs], Sun Nov 8 20:12:31 2020 UTC (2 months, 1 week ago) by bsiegert
Branch: MAIN
Changes since 1.11: +5 -5 lines
Diff to previous 1.11 (colored)

Update go114 to 1.14.11

go1.14.11 (released 2020/11/05) includes fixes to the runtime, and the net/http
and time packages. See the Go 1.14.11 milestone on our issue tracker for
details.

Revision 1.11 / (download) - annotate - [select for diffs], Thu Oct 15 12:01:14 2020 UTC (3 months ago) by bsiegert
Branch: MAIN
Changes since 1.10: +5 -5 lines
Diff to previous 1.10 (colored)

Update go114 to 1.14.10.

go1.14.9 (released 2020/09/09) includes fixes to the compiler, linker, runtime,
documentation, and the net/http and testing packages. See the Go 1.14.9
milestone on our issue tracker for details.

go1.14.10 (released 2020/10/14) includes fixes to the compiler, runtime, and
the plugin and testing packages. See the Go 1.14.10 milestone on our issue
tracker for details.

Revision 1.10 / (download) - annotate - [select for diffs], Thu Sep 3 07:03:27 2020 UTC (4 months, 2 weeks ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2020Q3-base, pkgsrc-2020Q3
Changes since 1.9: +5 -5 lines
Diff to previous 1.9 (colored)

Update go114 to 1.14.8.

go1.14.8 (released 2020/09/01) includes security fixes to the net/http/cgi and
net/http/fcgi packages. See the Go 1.14.8 milestone on our issue tracker for
details.

Revision 1.9 / (download) - annotate - [select for diffs], Fri Aug 14 18:45:56 2020 UTC (5 months ago) by bsiegert
Branch: MAIN
Changes since 1.8: +5 -5 lines
Diff to previous 1.8 (colored)

Update go114 to 1.14.7.

go1.14.7 (released 2020/08/06) includes security fixes to the encoding/binary
package. See the Go 1.14.7 milestone on our issue tracker for details.

Revision 1.7.2.1 / (download) - annotate - [select for diffs], Mon Jul 20 14:59:01 2020 UTC (5 months, 4 weeks ago) by spz
Branch: pkgsrc-2020Q2
Changes since 1.7: +5 -5 lines
Diff to previous 1.7 (colored) next main 1.8 (colored)

Pullup ticket #6279 - requested by bsiegert
lang/go114: security update

Revisions pulled up:
- lang/go/version.mk                                            1.94
- lang/go114/PLIST                                              1.5
- lang/go114/distinfo                                           1.8

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   bsiegert
   Date:           Fri Jul 17 17:20:06 UTC 2020

   Modified Files:
           pkgsrc/lang/go: version.mk
           pkgsrc/lang/go114: PLIST distinfo

   Log Message:
   Update go114 to 1.14.6.

   go1.14.5 (released 2020/07/14) includes security fixes to the crypto/x509
   and
   net/http packages. See the Go 1.14.5 milestone on our issue tracker for
   details.

   go1.14.6 (released 2020/07/16) includes fixes to the go command, the
   compiler,
   the linker, vet, and the database/sql, encoding/json, net/http, reflect, and
   testing packages. See the Go 1.14.6 milestone on our issue tracker for
   details.


   To generate a diff of this commit:
   cvs rdiff -u -r1.93 -r1.94 pkgsrc/lang/go/version.mk
   cvs rdiff -u -r1.4 -r1.5 pkgsrc/lang/go114/PLIST
   cvs rdiff -u -r1.7 -r1.8 pkgsrc/lang/go114/distinfo

Revision 1.8 / (download) - annotate - [select for diffs], Fri Jul 17 17:20:05 2020 UTC (6 months ago) by bsiegert
Branch: MAIN
Changes since 1.7: +5 -5 lines
Diff to previous 1.7 (colored)

Update go114 to 1.14.6.

go1.14.5 (released 2020/07/14) includes security fixes to the crypto/x509 and
net/http packages. See the Go 1.14.5 milestone on our issue tracker for
details.

go1.14.6 (released 2020/07/16) includes fixes to the go command, the compiler,
the linker, vet, and the database/sql, encoding/json, net/http, reflect, and
testing packages. See the Go 1.14.6 milestone on our issue tracker for details.

Revision 1.7 / (download) - annotate - [select for diffs], Wed Jun 17 09:37:25 2020 UTC (7 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2020Q2-base
Branch point for: pkgsrc-2020Q2
Changes since 1.6: +5 -5 lines
Diff to previous 1.6 (colored)

Update go114 to 1.14.4.

go1.14.3 (released 2020/05/14) includes fixes to cgo, the compiler, the
runtime, and the go/doc and math/big packages. See the Go 1.14.3
milestone on our issue tracker for details.

go1.14.4 (released 2020/06/01) includes fixes to the go doc command, the
runtime, and the encoding/json and os packages. See the Go 1.14.4
milestone on our issue tracker for details.

Revision 1.6 / (download) - annotate - [select for diffs], Fri May 1 15:58:00 2020 UTC (8 months, 2 weeks ago) by tnn
Branch: MAIN
Changes since 1.5: +2 -1 lines
Diff to previous 1.5 (colored)

go114: netbsd/arm64: provide declaration of crosscall1

Revision 1.5 / (download) - annotate - [select for diffs], Mon Apr 27 18:42:12 2020 UTC (8 months, 3 weeks ago) by tnn
Branch: MAIN
Changes since 1.4: +2 -2 lines
Diff to previous 1.4 (colored)

go114: fix stack alignment for runtime.pipe2 return value on NetBSD/aarch64

from maya@

Revision 1.4 / (download) - annotate - [select for diffs], Mon Apr 27 03:21:35 2020 UTC (8 months, 3 weeks ago) by tnn
Branch: MAIN
Changes since 1.3: +2 -1 lines
Diff to previous 1.3 (colored)

go114: work around aarch64 signal handler issue

Revision 1.3 / (download) - annotate - [select for diffs], Thu Apr 9 13:28:38 2020 UTC (9 months, 1 week ago) by bsiegert
Branch: MAIN
Changes since 1.2: +5 -5 lines
Diff to previous 1.2 (colored)

Update go114 to 1.14.2.

go1.14.2 (released 2020/04/08) includes fixes to cgo, the go command, the
runtime, os/exec, and testing packages. See the Go 1.14.2 milestone on our
issue tracker for details.

From what I know from work, 1.14.1 had a nasty runtime bug that is now
fixed.

Revision 1.2 / (download) - annotate - [select for diffs], Fri Mar 20 19:50:48 2020 UTC (9 months, 4 weeks ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2020Q1-base, pkgsrc-2020Q1
Changes since 1.1: +5 -5 lines
Diff to previous 1.1 (colored)

Update go114 to 1.14.1.

This release include fixes to the go command, tools, the runtime,
the toolchain, and to the crypto/cypher package.

View the release notes for more information:
    https://golang.org/doc/devel/release.html#go1.14.minor

Revision 1.1 / (download) - annotate - [select for diffs], Thu Feb 27 14:32:57 2020 UTC (10 months, 3 weeks ago) by bsiegert
Branch: MAIN

Add a package for Go 1.14.

The default will remain at 1.13 for the next branch.

The latest Go release, version 1.14, arrives six months after Go 1.13. Most of
its changes are in the implementation of the toolchain, runtime, and libraries.
As always, the release maintains the Go 1 promise of compatibility. We expect
almost all Go programs to continue to compile and run as before.

See the release notes at https://golang.org/doc/go1.14.

This form allows you to request diff's between any two revisions of a file. You may select a symbolic revision name using the selection box or you may type in a numeric name using the type-in text box.




CVSweb <webmaster@jp.NetBSD.org>