pkgsrc-Changes-HG archive
[pkgsrc/trunk]: pkgsrc/lang go117: update to 1.17.12 (security update)
details: https://anonhg.NetBSD.org/pkgsrc/rev/1b4e23662576
branches: trunk
changeset: 381787:1b4e23662576
user: bsiegert <bsiegert%pkgsrc.org@localhost>
date: Wed Jul 13 14:14:18 2022 +0000
description:
go117: update to 1.17.12 (security update)

This minor release includes 9 security fixes following the security policy:

net/http: improper sanitization of Transfer-Encoding header
The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating
a "chunked" encoding. This could potentially allow for request smuggling, but
only if combined with an intermediate server that also improperly failed to
reject the header as invalid.
This is CVE-2022-1705 and https://go.dev/issue/53188.

When httputil.ReverseProxy.ServeHTTP was called with a Request.Header map
containing a nil value for the X-Forwarded-For header, ReverseProxy would set
the client IP as the value of the X-Forwarded-For header, contrary to its
documentation. In the more usual case where a Director function set the
X-Forwarded-For header value to nil, ReverseProxy would leave the header
unmodified as expected.
This is https://go.dev/issue/53423 and CVE-2022-32148.
Thanks to Christian Mehlmauer for reporting this issue.

compress/gzip: stack exhaustion in Reader.Read
Calling Reader.Read on an archive containing a large number of concatenated
0-length compressed files can cause a panic due to stack exhaustion.
This is CVE-2022-30631 and Go issue https://go.dev/issue/53168.

encoding/xml: stack exhaustion in Unmarshal
Calling Unmarshal on an XML document into a Go struct which has a nested field
that uses the any field tag can cause a panic due to stack exhaustion.
This is CVE-2022-30633 and Go issue https://go.dev/issue/53611.

encoding/xml: stack exhaustion in Decoder.Skip
Calling Decoder.Skip when parsing a deeply nested XML document can cause a
panic due to stack exhaustion.
The Go Security team discovered this issue, and it was independently reported
by Juho Nurminen of Mattermost.
This is CVE-2022-28131 and Go issue https://go.dev/issue/53614.

encoding/gob: stack exhaustion in Decoder.Decode
Calling Decoder.Decode on a message which contains deeply nested structures can
cause a panic due to stack exhaustion.
This is CVE-2022-30635 and Go issue https://go.dev/issue/53615.

path/filepath: stack exhaustion in Glob
Calling Glob on a path which contains a large number of path separators can
cause a panic due to stack exhaustion.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2022-30632 and Go issue https://go.dev/issue/53416.

io/fs: stack exhaustion in Glob
Calling Glob on a path which contains a large number of path separators can
cause a panic due to stack exhaustion.
This is CVE-2022-30630 and Go issue https://go.dev/issue/53415.

go/parser: stack exhaustion in all Parse* functions
Calling any of the Parse functions on Go source code which contains deeply
nested types or declarations can cause a panic due to stack exhaustion.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2022-1962 and Go issue https://go.dev/issue/53616.
diffstat:
lang/go/version.mk | 4 ++--
lang/go117/Makefile | 8 ++++++--
lang/go117/PLIST | 8 +++++---
lang/go117/distinfo | 8 ++++----
4 files changed, 17 insertions(+), 11 deletions(-)
diffs (86 lines):
diff -r 44a7e67ced71 -r 1b4e23662576 lang/go/version.mk
--- a/lang/go/version.mk Wed Jul 13 12:16:37 2022 +0000
+++ b/lang/go/version.mk Wed Jul 13 14:14:18 2022 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: version.mk,v 1.151 2022/06/02 18:50:40 bsiegert Exp $
+# $NetBSD: version.mk,v 1.152 2022/07/13 14:14:18 bsiegert Exp $
#
# If bsd.prefs.mk is included before go-package.mk in a package, then this
@@ -7,7 +7,7 @@
.include "go-vars.mk"
GO118_VERSION= 1.18.3
-GO117_VERSION= 1.17.11
+GO117_VERSION= 1.17.12
GO116_VERSION= 1.16.15
GO110_VERSION= 1.10.8
GO19_VERSION= 1.9.7
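Review bot: GO118_VERSION stays at 1.18.3 in the context lines of this hunk while only GO117_VERSION moves to 1.17.12. The fixes listed in the commit message are all in standard-library packages (net/http, compress/gzip, encoding/xml and others), so the log should say whether go118 gets its matching update in a separate commit. GO116_VERSION, GO110_VERSION and GO19_VERSION are likewise unchanged here.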
diff -r 44a7e67ced71 -r 1b4e23662576 lang/go117/Makefile
--- a/lang/go117/Makefile Wed Jul 13 12:16:37 2022 +0000
+++ b/lang/go117/Makefile Wed Jul 13 14:14:18 2022 +0000
@@ -1,6 +1,5 @@
-# $NetBSD: Makefile,v 1.6 2022/06/28 11:34:12 wiz Exp $
+# $NetBSD: Makefile,v 1.7 2022/07/13 14:14:18 bsiegert Exp $
-PKGREVISION= 1
.include "../../lang/go/version.mk"
.include "../../lang/go/bootstrap.mk"
@@ -93,6 +92,11 @@
PLIST.route= yes
.endif
+PRINT_PLIST_AWK+= /^bin\/go${GOVERSSUFFIX}/ { print "bin/go$${GOVERSSUFFIX}"; next; }
+PRINT_PLIST_AWK+= /^bin\/gofmt${GOVERSSUFFIX}/ { print "bin/gofmt$${GOVERSSUFFIX}"; next; }
+PRINT_PLIST_AWK+= /internal\/pty\.a/ { printf "%s", "$${PLIST.pty}"; }
+PRINT_PLIST_AWK+= /x\/net\/route\.a/ { printf "%s", "$${PLIST.route}"; }
+
post-extract:
${RM} -r -f ${WRKSRC}/test/fixedbugs/issue27836*
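Review bot: the four PRINT_PLIST_AWK additions are not mentioned in the commit message, which describes only the 1.17.12 security update. Add a line to the log, or commit the PLIST-generation change separately, so that the security bump stays easy to audit and to pull up to a stable branch. The two bin patterns (/^bin\/go${GOVERSSUFFIX}/ and the gofmt one) are also not anchored at the end of the line, so they would rewrite any longer file name that shares the prefix; anchoring them would make the match exact.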
diff -r 44a7e67ced71 -r 1b4e23662576 lang/go117/PLIST
--- a/lang/go117/PLIST Wed Jul 13 12:16:37 2022 +0000
+++ b/lang/go117/PLIST Wed Jul 13 14:14:18 2022 +0000
@@ -1,6 +1,6 @@
-@comment $NetBSD: PLIST,v 1.10 2022/06/02 18:19:26 bsiegert Exp $
-bin/go117
-bin/gofmt117
+@comment $NetBSD: PLIST,v 1.11 2022/07/13 14:14:18 bsiegert Exp $
+bin/go${GOVERSSUFFIX}
+bin/gofmt${GOVERSSUFFIX}
go117/AUTHORS
go117/CONTRIBUTING.md
go117/CONTRIBUTORS
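Review bot: bin/go${GOVERSSUFFIX} and bin/gofmt${GOVERSSUFFIX} are only expanded if GOVERSSUFFIX is passed to the PLIST through PLIST_SUBST, and no hunk in this diff adds that. Confirm it is already set in a file not shown here (or add a PLIST_SUBST entry for GOVERSSUFFIX in the Makefile); otherwise these two entries will not resolve to the installed bin/go117 and bin/gofmt117 that the removed lines listed.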
@@ -2402,6 +2402,7 @@
go117/src/cmd/go/testdata/script/mod_dot.txt
go117/src/cmd/go/testdata/script/mod_download.txt
go117/src/cmd/go/testdata/script/mod_download_concurrent_read.txt
+go117/src/cmd/go/testdata/script/mod_download_git_decorate_full.txt
go117/src/cmd/go/testdata/script/mod_download_hash.txt
go117/src/cmd/go/testdata/script/mod_download_json.txt
go117/src/cmd/go/testdata/script/mod_download_partial.txt
@@ -10065,6 +10066,7 @@
go117/test/fixedbugs/issue5291.dir/pkg1.go
go117/test/fixedbugs/issue5291.dir/prog.go
go117/test/fixedbugs/issue5291.go
+go117/test/fixedbugs/issue53454.go
go117/test/fixedbugs/issue5358.go
go117/test/fixedbugs/issue5373.go
go117/test/fixedbugs/issue5470.dir/a.go
diff -r 44a7e67ced71 -r 1b4e23662576 lang/go117/distinfo
--- a/lang/go117/distinfo Wed Jul 13 12:16:37 2022 +0000
+++ b/lang/go117/distinfo Wed Jul 13 14:14:18 2022 +0000
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.17 2022/06/02 18:19:26 bsiegert Exp $
+$NetBSD: distinfo,v 1.18 2022/07/13 14:14:18 bsiegert Exp $
-BLAKE2s (go1.17.11.src.tar.gz) = 56f12ee3395f5ccec66790391e18f7c4e6462531f75c5ae007637472086fe374
-SHA512 (go1.17.11.src.tar.gz) = cd08062e3357e8e73ad05572ac575b9d8b15599bdb3ea0ca743b04936fa5cca438886e6a06d6453334b8bb5fbe1ab3512657d11651f9199d2254736a6554e71d
-Size (go1.17.11.src.tar.gz) = 22197784 bytes
+BLAKE2s (go1.17.12.src.tar.gz) = 061cbbc13a599a2bba01fccd6c6686c5174f4f4f6cbac8cb515ffd233ef6ad2a
+SHA512 (go1.17.12.src.tar.gz) = d2bcea2a33723af5c2ae871f5c44694c69d37c74c62e81eddeaf4bfedf124feea2752997d3a359990071bf01f88942fc66b21cb092385946ad4ae9410854c8b9
+Size (go1.17.12.src.tar.gz) = 22205674 bytes
SHA1 (patch-misc_ios_clangwrap.sh) = 0a06403609cb7bce2e6f65444fd322f486761afe
SHA1 (patch-src_cmd_dist_util.go) = 2d9c2f59e27672d56f5f1a0e3f9d5101a05546a7
SHA1 (patch-src_crypto_x509_root__bsd.go) = 27636e0d8c121ccec6c46a3a82cd0e0469473a6e