Up to [cvs.NetBSD.org] / pkgsrc / lang / go115
Request diff between arbitrary revisions
Default branch: MAIN
Revision 1.5 / (download) - annotate - [select for diffs], Fri Nov 13 18:45:50 2020 UTC (2 months, 1 week ago) by bsiegert
CVS Tags: pkgsrc-2020Q4-base, pkgsrc-2020Q4, HEAD
Changes since 1.4: +5 -5 lines
Diff to previous 1.4 (colored)
Update go115 to 1.15.5 (security fix). - math/big: panic during recursive division of very large numbers A number of math/big.Int <https://pkg.go.dev/math/big#Int> methods (Div, Exp, DivMod, Quo, Rem, QuoRem, Mod, ModInverse, ModSqrt, Jacobi, and GCD) can panic when provided crafted large inputs. For the panic to happen, the divisor or modulo argument must be larger than 3168 bits (on 32-bit architectures) or 6336 bits (on 64-bit architectures). Multiple math/big.Rat <https://pkg.go.dev/math/big#Rat> methods are similarly affected. crypto/rsa.VerifyPSS <https://pkg.go.dev/crypto/rsa#VerifyPSS>, crypto/rsa.VerifyPKCS1v15 <https://pkg.go.dev/crypto/rsa#VerifyPKCS1v15>, and crypto/dsa.Verify <https://pkg.go.dev/crypto/dsa#Verify> may panic when provided crafted public keys and signatures. crypto/ecdsa and crypto/elliptic operations may only be affected if custom CurveParams <https://pkg.go.dev/crypto/elliptic#CurveParams> with unusually large field sizes (several times larger than the largest supported curve, P-521) are in use. Using crypto/x509.Verify on a crafted X.509 certificate chain can lead to a panic, even if the certificates donãàÑÕ chain to a trusted root. The chain can be delivered via a crypto/tls connection to a client, or to a server that accepts and verifies client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected. Moreover, an application might crash invoking crypto/x509.(*CertificateRequest).CheckSignature on an X.509 certificate request or during a golang.org/x/crypto/otr conversation. Parsing a golang.org/x/crypto/openpgp Entity or verifying a signature may crash. Finally, a golang.org/x/crypto/ssh client can panic due to a malformed host key, while a server could panic if either PublicKeyCallback accepts a malformed public key, or if IsUserAuthority accepts a certificate with a malformed public key. This issue is CVE-2020-28362 and Go issue golang.org/issue/42552. - cmd/go: arbitrary code execution at build time through cgo The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code. This can be caused by malicious gcc flags specified via a #cgo directive, or by a malicious symbol name in a linked object file. These issues are CVE-2020-28367 and CVE-2020-28366, and Go issues golang.org/issue/42556 and golang.org/issue/42559 respectively.
Revision 1.4 / (download) - annotate - [select for diffs], Sun Nov 8 20:38:10 2020 UTC (2 months, 1 week ago) by bsiegert
Changes since 1.3: +5 -5 lines
Diff to previous 1.3 (colored)
Update go115 to 1.15.4 go1.15.4 (released 2020/11/05) includes fixes to cgo, the compiler, linker, runtime, and the compress/flate, net/http, reflect, and time packages. See the Go 1.15.4 milestone on our issue tracker for details.
Revision 1.3 / (download) - annotate - [select for diffs], Thu Oct 15 12:43:33 2020 UTC (3 months ago) by bsiegert
Changes since 1.2: +5 -5 lines
Diff to previous 1.2 (colored)
Update go115 to 1.15.3. go1.15.2 (released 2020/09/09) includes fixes to the compiler, runtime, documentation, the go command, and the net/mail, os, sync, and testing packages. See the Go 1.15.2 milestone on our issue tracker for details. go1.15.3 (released 2020/10/14) includes fixes to cgo, the compiler, runtime, the go command, and the bytes, plugin, and testing packages. See the Go 1.15.3 milestone on our issue tracker for details.
Revision 1.2 / (download) - annotate - [select for diffs], Thu Sep 3 06:47:21 2020 UTC (4 months, 2 weeks ago) by bsiegert
CVS Tags: pkgsrc-2020Q3-base, pkgsrc-2020Q3
Changes since 1.1: +5 -5 lines
Diff to previous 1.1 (colored)
Update go115 to 1.15.1. go1.15.1 (released 2020/09/01) includes security fixes to the net/http/cgi and net/http/fcgi packages. See the Go 1.15.1 milestone on our issue tracker for details.
Revision 1.1 / (download) - annotate - [select for diffs], Fri Aug 21 19:50:22 2020 UTC (5 months ago) by bsiegert
Add a package for Go 1.15. The latest Go release, version 1.15, arrives six months after Go 1.14. Most of its changes are in the implementation of the toolchain, runtime, and libraries. As always, the release maintains the Go 1 promise of compatibility. We expect almost all Go programs to continue to compile and run as before. Go 1.15 includes substantial improvements to the linker, improves allocation for small objects at high core counts, and deprecates X.509 CommonName. GOPROXY now supports skipping proxies that return errors and a new embedded tzdata package has been added. There are no changes to the language.
This form allows you to request diff's between any two revisions of a file. You may select a symbolic revision name using the selection box or you may type in a numeric name using the type-in text box.