File: [cvs.NetBSD.org] / pkgsrc / lang / go116 / Attic / distinfo (download)
Revision 1.9, Tue Jul 13 10:12:00 2021 UTC (2 years, 8 months ago) by bsiegert
Branch: MAIN
Changes since 1.8: +5 -5
lines
Update go116 to 1.16.6.
This minor release includes a security fix according to the new security policy.
crypto/tls clients can panic when provided a certificate of the wrong type for
the negotiated parameters. net/http clients performing HTTPS requests are also
affected. The panic can be triggered by an attacker in a privileged network
position without access to the server certificate's private key, as long as a
trusted ECDSA or Ed25519 certificate for the server exists (or can be issued),
or the client is configured with Config.InsecureSkipVerify. Clients that
disable all TLS_RSA cipher suites (that is, TLS 1.0ур.2 cipher
suites without ECDHE), as well as TLS 1.3-only clients, are unaffected.
This is issue 47143 and CVE-2021-34558. Thanks to Imre Rad for reporting this
issue.
|