pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/lang go118: update to 1.18.4 (security update)



details:   https://anonhg.NetBSD.org/pkgsrc/rev/c55b38f89bdf
branches:  trunk
changeset: 381797:c55b38f89bdf
user:      bsiegert <bsiegert%pkgsrc.org@localhost>
date:      Wed Jul 13 15:02:02 2022 +0000

description:
go118: update to 1.18.4 (security update)

This minor release includes 9 security fixes following the security policy:

net/http: improper sanitization of Transfer-Encoding header

The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating
a "chunked" encoding. This could potentially allow for request smuggling, but
only if combined with an intermediate server that also improperly failed to
reject the header as invalid.

This is CVE-2022-1705 and https://go.dev/issue/53188.

When httputil.ReverseProxy.ServeHTTP was called with a Request.Header map
containing a nil value for the X-Forwarded-For header, ReverseProxy would set
the client IP as the value of the X-Forwarded-For header, contrary to its
documentation. In the more usual case where a Director function set the
X-Forwarded-For header value to nil, ReverseProxy would leave the header
unmodified as expected.

This is https://go.dev/issue/53423 and CVE-2022-32148.

Thanks to Christian Mehlmauer for reporting this issue.

compress/gzip: stack exhaustion in Reader.Read

Calling Reader.Read on an archive containing a large number of concatenated
0-length compressed files can cause a panic due to stack exhaustion.

This is CVE-2022-30631 and Go issue https://go.dev/issue/53168.

encoding/xml: stack exhaustion in Unmarshal

Calling Unmarshal on an XML document into a Go struct which has a nested field
that uses the any field tag can cause a panic due to stack exhaustion.

This is CVE-2022-30633 and Go issue https://go.dev/issue/53611.

encoding/xml: stack exhaustion in Decoder.Skip

Calling Decoder.Skip when parsing a deeply nested XML document can cause a
panic due to stack exhaustion.

The Go Security team discovered this issue, and it was independently reported
by Juho Nurminen of Mattermost.

This is CVE-2022-28131 and Go issue https://go.dev/issue/53614.

encoding/gob: stack exhaustion in Decoder.Decode

Calling Decoder.Decode on a message which contains deeply nested structures can
cause a panic due to stack exhaustion.

This is CVE-2022-30635 and Go issue https://go.dev/issue/53615.

path/filepath: stack exhaustion in Glob

Calling Glob on a path which contains a large number of path separators can
cause a panic due to stack exhaustion.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

This is CVE-2022-30632 and Go issue https://go.dev/issue/53416.

io/fs: stack exhaustion in Glob

Calling Glob on a path which contains a large number of path separators can
cause a panic due to stack exhaustion.

This is CVE-2022-30630 and Go issue https://go.dev/issue/53415.

go/parser: stack exhaustion in all Parse* functions

Calling any of the Parse functions on Go source code which contains deeply
nested types or declarations can cause a panic due to stack exhaustion.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

This is CVE-2022-1962 and Go issue https://go.dev/issue/53616.
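
The X-Forwarded-For opt-out described in the httputil item above, shown end to end with an added example (not code from the Go project or from this commit): a request is proxied to an in-process backend once with the stock Director and once with a Director that assigns nil to the header. The function name forwardedForSeen, the backend, and the client address 203.0.113.7 are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// forwardedForSeen proxies one request through httputil.ReverseProxy to an
// in-process backend and returns the X-Forwarded-For values the backend
// received. With omit set, the Director assigns nil to the header, which is
// the documented way to stop ReverseProxy from appending the client IP
// (calling Header.Del instead would not opt out: the proxy sets it anyway).
func forwardedForSeen(omit bool) []string {
	var seen []string
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen = r.Header.Values("X-Forwarded-For")
		w.WriteHeader(http.StatusNoContent)
	}))
	defer backend.Close()

	target, err := url.Parse(backend.URL)
	if err != nil {
		panic(err)
	}
	proxy := httputil.NewSingleHostReverseProxy(target)
	if omit {
		rewrite := proxy.Director
		proxy.Director = func(req *http.Request) {
			rewrite(req)
			req.Header["X-Forwarded-For"] = nil // nil value, not Del
		}
	}

	req := httptest.NewRequest(http.MethodGet, "http://example.invalid/", nil)
	req.RemoteAddr = "203.0.113.7:4242" // constructed client address (TEST-NET-3)
	proxy.ServeHTTP(httptest.NewRecorder(), req)
	return seen
}

func main() {
	fmt.Println("default:", forwardedForSeen(false)) // [203.0.113.7]
	fmt.Println("opt-out:", forwardedForSeen(true))  // []
}
```

On a Go release with the fix, an incoming request whose Header map already carries a nil X-Forwarded-For entry is treated the same way as the Director case, which is the documented behaviour.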

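For the stack-exhaustion class of bug listed above (encoding/xml, encoding/gob, go/parser), the defensive pattern is to bound nesting before untrusted input reaches a recursive decoder. This added example (not from the Go release or from this commit) does that for XML with a non-recursive token walk; checkDepth, unmarshalBounded, the limit of 50 and the constructed input are assumptions of the example.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"strings"
)

var ErrTooDeep = errors.New("xml: element nesting exceeds limit")

// checkDepth walks the token stream iteratively (Decoder.Token never recurses)
// and returns ErrTooDeep as soon as element nesting exceeds limit.
func checkDepth(r io.Reader, limit int) error {
	dec, depth := xml.NewDecoder(r), 0
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err
		}
		switch tok.(type) {
		case xml.StartElement:
			if depth++; depth > limit {
				return ErrTooDeep
			}
		case xml.EndElement:
			depth--
		}
	}
}

// unmarshalBounded runs the guard before xml.Unmarshal, so a recursively
// decoded target (e.g. a struct with an ",any" field) never sees deeper input.
func unmarshalBounded(doc string, limit int, v interface{}) error {
	if err := checkDepth(strings.NewReader(doc), limit); err != nil {
		return err
	}
	return xml.Unmarshal([]byte(doc), v)
}

func main() {
	var v struct{}
	deep := strings.Repeat("<a>", 100) + "x" + strings.Repeat("</a>", 100) // constructed input
	fmt.Println(unmarshalBounded(deep, 50, &v)) // xml: element nesting exceeds limit
}
```

The document is tokenized twice (once to count, once to decode), so for large inputs wrap the raw reader with io.LimitReader as well.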
diffstat:

 lang/go/version.mk  |   4 ++--
 lang/go118/Makefile |   3 +--
 lang/go118/PLIST    |  11 ++++++++++-
 lang/go118/distinfo |   8 ++++----
 4 files changed, 17 insertions(+), 9 deletions(-)

diffs (85 lines):

diff -r dc49490c1c3b -r c55b38f89bdf lang/go/version.mk
--- a/lang/go/version.mk        Wed Jul 13 14:50:03 2022 +0000
+++ b/lang/go/version.mk        Wed Jul 13 15:02:02 2022 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: version.mk,v 1.152 2022/07/13 14:14:18 bsiegert Exp $
+# $NetBSD: version.mk,v 1.153 2022/07/13 15:02:02 bsiegert Exp $
 
 #
 # If bsd.prefs.mk is included before go-package.mk in a package, then this
@@ -6,7 +6,7 @@
 #
 .include "go-vars.mk"
 
-GO118_VERSION= 1.18.3
+GO118_VERSION= 1.18.4
 GO117_VERSION= 1.17.12
 GO116_VERSION= 1.16.15
 GO110_VERSION= 1.10.8
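Review bot: the GO118_VERSION bump to 1.18.4 is the only functional change in this file and matches the distinfo update in the same changeset. The neighbouring GO117_VERSION= 1.17.12 line is left alone; since go117 is built from this same version.mk, it is worth confirming in the commit message that 1.17.12 already carries the same nine fixes so that both supported branches are covered by this update.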
diff -r dc49490c1c3b -r c55b38f89bdf lang/go118/Makefile
--- a/lang/go118/Makefile       Wed Jul 13 14:50:03 2022 +0000
+++ b/lang/go118/Makefile       Wed Jul 13 15:02:02 2022 +0000
@@ -1,6 +1,5 @@
-# $NetBSD: Makefile,v 1.3 2022/06/28 11:34:13 wiz Exp $
+# $NetBSD: Makefile,v 1.4 2022/07/13 15:02:02 bsiegert Exp $
 
-PKGREVISION= 1
 .include "../../lang/go/version.mk"
 .include "../../lang/go/bootstrap.mk"
 
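Review bot: removing PKGREVISION= 1 is correct here: the package version now comes from GO118_VERSION through the included ../../lang/go/version.mk, and pkgsrc resets the revision on a new upstream release, so leaving the line in would have produced 1.18.4nb1 for no reason.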
diff -r dc49490c1c3b -r c55b38f89bdf lang/go118/PLIST
--- a/lang/go118/PLIST  Wed Jul 13 14:50:03 2022 +0000
+++ b/lang/go118/PLIST  Wed Jul 13 15:02:02 2022 +0000
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.4 2022/06/02 18:50:40 bsiegert Exp $
+@comment $NetBSD: PLIST,v 1.5 2022/07/13 15:02:02 bsiegert Exp $
 bin/go${GOVERSSUFFIX}
 bin/gofmt${GOVERSSUFFIX}
 go118/AUTHORS
@@ -2651,6 +2651,7 @@
 go118/src/cmd/go/testdata/script/mod_dot.txt
 go118/src/cmd/go/testdata/script/mod_download.txt
 go118/src/cmd/go/testdata/script/mod_download_concurrent_read.txt
+go118/src/cmd/go/testdata/script/mod_download_git_decorate_full.txt
 go118/src/cmd/go/testdata/script/mod_download_hash.txt
 go118/src/cmd/go/testdata/script/mod_download_insecure_redirect.txt
 go118/src/cmd/go/testdata/script/mod_download_json.txt
@@ -10788,7 +10789,12 @@
 go118/test/fixedbugs/issue5291.dir/pkg1.go
 go118/test/fixedbugs/issue5291.dir/prog.go
 go118/test/fixedbugs/issue5291.go
+go118/test/fixedbugs/issue53137.dir/main.go
+go118/test/fixedbugs/issue53137.go
+go118/test/fixedbugs/issue53454.go
 go118/test/fixedbugs/issue5358.go
+go118/test/fixedbugs/issue53600.go
+go118/test/fixedbugs/issue53600.out
 go118/test/fixedbugs/issue5373.go
 go118/test/fixedbugs/issue5470.dir/a.go
 go118/test/fixedbugs/issue5470.dir/b.go
@@ -11635,6 +11641,9 @@
 go118/test/typeparam/issue52117.go
 go118/test/typeparam/issue52228.go
 go118/test/typeparam/issue52241.go
+go118/test/typeparam/issue53309.go
+go118/test/typeparam/issue53419.go
+go118/test/typeparam/issue53477.go
 go118/test/typeparam/list.go
 go118/test/typeparam/list2.go
 go118/test/typeparam/listimp.dir/a.go
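Review bot: every entry added in this hunk and the two before it is a regression-test fixture under go118/test/ or go118/src/cmd/go/testdata/, so each point release will keep churning PLIST. Nothing wrong with the listing itself, but it raises the question of whether the test/ tree needs to be installed at all; if it stays, regenerating with `make print-PLIST` on each update is the quick way to keep the list in sync.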
diff -r dc49490c1c3b -r c55b38f89bdf lang/go118/distinfo
--- a/lang/go118/distinfo       Wed Jul 13 14:50:03 2022 +0000
+++ b/lang/go118/distinfo       Wed Jul 13 15:02:02 2022 +0000
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.4 2022/06/02 18:50:40 bsiegert Exp $
+$NetBSD: distinfo,v 1.5 2022/07/13 15:02:02 bsiegert Exp $
 
-BLAKE2s (go1.18.3.src.tar.gz) = dd58b076e151844b12c939a8bcc9077b520504553c004622a0631ab04669fd4e
-SHA512 (go1.18.3.src.tar.gz) = bacbc74ab8fa4c8de46847cadbd245124491f960c087d6892e2231a73f689d597b9a992c2948c54c0ab4b6476d86d3a6a9a64e1714cb7b2cdfd0a7bcfcd7b5fe
-Size (go1.18.3.src.tar.gz) = 22838104 bytes
+BLAKE2s (go1.18.4.src.tar.gz) = dd125a9933268dec6298dd40e64ac08906a2bbebdd827bf75a0b8884c3734fa1
+SHA512 (go1.18.4.src.tar.gz) = 4872956e31fa5d681021db12e876bc60a1815cf45203e75db83d6c54e9b7138766ae44bf1659db5333eba0b6097aea1990519795fffd2f124e7a78b78df1339b
+Size (go1.18.4.src.tar.gz) = 22845866 bytes
 SHA1 (patch-misc_ios_clangwrap.sh) = 0a06403609cb7bce2e6f65444fd322f486761afe
 SHA1 (patch-src_cmd_dist_util.go) = 2d9c2f59e27672d56f5f1a0e3f9d5101a05546a7
 SHA1 (patch-src_crypto_x509_root__bsd.go) = 0b5dead901450967109303f873a2696c65ccac35
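Review bot: the three unchanged SHA1 (patch-*) lines only show that the patch files themselves did not change, not that they still apply cleanly to the 1.18.4 tree; a `make patch` against the new distfile is the check to record. The regenerated BLAKE2s/SHA512/Size triple for go1.18.4.src.tar.gz should also be cross-checked against the SHA256 published on the Go download page before `make distinfo` output is trusted, since a bad download would otherwise be hashed in as authoritative.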
