pkgsrc-Changes archive
CVS commit: pkgsrc/lang/go
Module Name: pkgsrc
Committed By: bsiegert
Date: Wed Apr 13 07:12:00 UTC 2016
Modified Files:
pkgsrc/lang/go: Makefile PLIST distinfo version.mk
Removed Files:
pkgsrc/lang/go/patches: patch-src_crypto_dsa_dsa.go
Log Message:
Update Go to 1.6.1.

Two security-related issues were recently reported, and to address these issues
we have just released Go 1.6.1 and Go 1.5.4.
We recommend that all users update to one of these releases (if you're not sure
which, choose Go 1.6.1).

The issues addressed by these releases are:

On Windows, Go loads system DLLs by name with LoadLibrary, making it vulnerable
to DLL preloading attacks. For instance, if a user runs a Go executable from a
Downloads folder, malicious DLL files also downloaded to that folder could be
loaded into that executable.
This is CVE-2016-3958 and was addressed by this change: https://golang.org/cl/21428
Thanks to Taru Karttunen for identifying this issue.

Go's crypto libraries passed certain parameters unchecked to the underlying big
integer library, possibly leading to extremely long-running computations, which
in turn makes Go programs vulnerable to remote denial of service attacks.
Programs using HTTPS client certificates or the Go SSH server libraries are
both exposed to this vulnerability.
This is CVE-2016-3959 and was addressed by this change: https://golang.org/cl/21533
Thanks to David Wong for identifying this issue.
To generate a diff of this commit:
cvs rdiff -u -r1.40 -r1.41 pkgsrc/lang/go/Makefile
cvs rdiff -u -r1.22 -r1.23 pkgsrc/lang/go/PLIST
cvs rdiff -u -r1.34 -r1.35 pkgsrc/lang/go/distinfo
cvs rdiff -u -r1.12 -r1.13 pkgsrc/lang/go/version.mk
cvs rdiff -u -r1.1 -r0 pkgsrc/lang/go/patches/patch-src_crypto_dsa_dsa.go
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
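
The class of bug described under CVE-2016-3959 (peer-supplied parameters reaching big-integer arithmetic unchecked) can be illustrated with a pre-verification check on a DSA public key. This is an added example, not part of this commit or of the Go change it packages, and it goes beyond the specific fix by validating sizes and ranges in general; CheckDSAPublicKey and constructedKey are hypothetical names, and the accepted size list is an assumption about what an application would allow.

```go
package main

import (
	"crypto/dsa"
	"errors"
	"fmt"
	"math/big"
)

// allowedSizes: the (L, N) bit-length pairs defined by crypto/dsa's ParameterSizes.
var allowedSizes = map[[2]int]bool{{1024, 160}: true, {2048, 224}: true, {2048, 256}: true, {3072, 256}: true}

// CheckDSAPublicKey (hypothetical helper) rejects a peer-supplied key whose
// parameters are missing, zero or oversized before any big.Int arithmetic runs.
func CheckDSAPublicKey(pub *dsa.PublicKey) error {
	if pub == nil || pub.P == nil || pub.Q == nil || pub.G == nil || pub.Y == nil {
		return errors.New("dsa: missing parameter")
	}
	if pub.P.Sign() <= 0 || pub.Q.Sign() <= 0 {
		return errors.New("dsa: non-positive modulus")
	}
	if l, n := pub.P.BitLen(), pub.Q.BitLen(); !allowedSizes[[2]int{l, n}] {
		return fmt.Errorf("dsa: unsupported sizes L=%d N=%d", l, n)
	}
	for _, v := range []*big.Int{pub.G, pub.Y} {
		if v.Cmp(big.NewInt(1)) <= 0 || v.Cmp(pub.P) >= 0 { // require 1 < v < P
			return errors.New("dsa: G or Y out of range")
		}
	}
	return nil
}

// constructedKey builds sample input from powers of two. These are
// constructed values for the demo, not valid DSA domain parameters.
func constructedKey(pBits, qBits uint) *dsa.PublicKey {
	pow := func(b uint) *big.Int { // 2^(b-1), or 0 when b == 0
		return new(big.Int).Rsh(new(big.Int).Lsh(big.NewInt(1), b), 1)
	}
	k := &dsa.PublicKey{Y: big.NewInt(3)}
	k.P, k.Q, k.G = pow(pBits), pow(qBits), big.NewInt(2)
	return k
}

func main() {
	// Well-sized key, zero modulus, and an oversized modulus.
	for _, s := range [][2]uint{{1024, 160}, {0, 160}, {65536, 160}} {
		fmt.Println(s, CheckDSAPublicKey(constructedKey(s[0], s[1])))
	}
}
```

The check bounds the cost of later arithmetic by size only; it does not test primality or subgroup membership.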