pkgsrc-Changes archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
CVS commit: pkgsrc/lang
Module Name: pkgsrc
Committed By: bsiegert
Date: Tue Dec 5 19:28:27 UTC 2023
Modified Files:
pkgsrc/lang/go: version.mk
pkgsrc/lang/go121: PLIST distinfo
Log Message:
go121: update to 1.21.5 (security)
This minor release includes 3 security fixes following the security policy:
- net/http: limit chunked data overhead
A malicious HTTP sender can use chunk extensions to cause a receiver reading
from a request or response body to read many more bytes from the network than
are in the body.
A malicious HTTP client can further exploit this to cause a server to
automatically read a large amount of data (up to about 1GiB) when a handler
fails to read the entire body of a request.
Chunk extensions are a little-used HTTP feature which permit including
additional metadata in a request or response body sent using the chunked
encoding. The net/http chunked encoding reader discards this metadata. A
sender can exploit this by inserting a large metadata segment with each byte
transferred. The chunk reader now produces an error if the ratio of real body
to encoded bytes grows too small.
Thanks to Bartek Nowotarski for reporting this issue.
This is CVE-2023-39326 and Go issue https://go.dev/issue/64433.
- cmd/go: go get may unexpectedly fallback to insecure git
Using go get to fetch a module with the ".git" suffix may unexpectedly
fallback to the insecure "git://" protocol if the module is unavailable via
the secure "https://"; and "git+ssh://" protocols, even if GOINSECURE is not
set for said module. This only affects users who are not using the module
proxy and are fetching modules directly (i.e. GOPROXY=off).
Thanks to David Leadbeater for reporting this issue.
This is CVE-2023-45285 and Go issue https://go.dev/issue/63845.
- path/filepath: retain trailing \ when cleaning paths like \\?\c:\
Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume
name in Windows paths starting with \\?\, resulting in
filepath.Clean(\\?\c:\) returning \\?\c: rather than \\?\c:\ (among other
effects). The previous behavior has been restored.
This is an update to CVE-2023-45283 and Go issue https://go.dev/issue/64028.
To generate a diff of this commit:
cvs rdiff -u -r1.196 -r1.197 pkgsrc/lang/go/version.mk
cvs rdiff -u -r1.4 -r1.5 pkgsrc/lang/go121/PLIST pkgsrc/lang/go121/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/lang/go/version.mk
diff -u pkgsrc/lang/go/version.mk:1.196 pkgsrc/lang/go/version.mk:1.197
--- pkgsrc/lang/go/version.mk:1.196 Tue Dec 5 19:17:57 2023
+++ pkgsrc/lang/go/version.mk Tue Dec 5 19:28:26 2023
@@ -1,4 +1,4 @@
-# $NetBSD: version.mk,v 1.196 2023/12/05 19:17:57 bsiegert Exp $
+# $NetBSD: version.mk,v 1.197 2023/12/05 19:28:26 bsiegert Exp $
#
# If bsd.prefs.mk is included before go-package.mk in a package, then this
@@ -6,7 +6,7 @@
#
.include "go-vars.mk"
-GO121_VERSION= 1.21.4
+GO121_VERSION= 1.21.5
GO120_VERSION= 1.20.12
GO119_VERSION= 1.19.13
GO118_VERSION= 1.18.10
Index: pkgsrc/lang/go121/PLIST
diff -u pkgsrc/lang/go121/PLIST:1.4 pkgsrc/lang/go121/PLIST:1.5
--- pkgsrc/lang/go121/PLIST:1.4 Fri Nov 10 15:39:34 2023
+++ pkgsrc/lang/go121/PLIST Tue Dec 5 19:28:27 2023
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.4 2023/11/10 15:39:34 bsiegert Exp $
+@comment $NetBSD: PLIST,v 1.5 2023/12/05 19:28:27 bsiegert Exp $
bin/go${GOVERSSUFFIX}
bin/gofmt${GOVERSSUFFIX}
go121/CONTRIBUTING.md
@@ -2318,6 +2318,7 @@ go121/src/cmd/go/testdata/script/mod_dom
go121/src/cmd/go/testdata/script/mod_dot.txt
go121/src/cmd/go/testdata/script/mod_download.txt
go121/src/cmd/go/testdata/script/mod_download_concurrent_read.txt
+go121/src/cmd/go/testdata/script/mod_download_exec_toolchain.txt
go121/src/cmd/go/testdata/script/mod_download_git_bareRepository.txt
go121/src/cmd/go/testdata/script/mod_download_git_decorate_full.txt
go121/src/cmd/go/testdata/script/mod_download_hash.txt
@@ -2445,6 +2446,7 @@ go121/src/cmd/go/testdata/script/mod_ini
go121/src/cmd/go/testdata/script/mod_init_invalid_major.txt
go121/src/cmd/go/testdata/script/mod_init_path.txt
go121/src/cmd/go/testdata/script/mod_init_tidy.txt
+go121/src/cmd/go/testdata/script/mod_insecure_issue63845.txt
go121/src/cmd/go/testdata/script/mod_install_hint.txt
go121/src/cmd/go/testdata/script/mod_install_pkg_version.txt
go121/src/cmd/go/testdata/script/mod_install_versioned.txt
@@ -11589,6 +11591,8 @@ go121/test/fixedbugs/issue6295.dir/p1.go
go121/test/fixedbugs/issue6295.dir/p2.go
go121/test/fixedbugs/issue6295.go
go121/test/fixedbugs/issue6298.go
+go121/test/fixedbugs/issue63657.go
+go121/test/fixedbugs/issue63955.go
go121/test/fixedbugs/issue6399.go
go121/test/fixedbugs/issue6402.go
go121/test/fixedbugs/issue6403.go
Index: pkgsrc/lang/go121/distinfo
diff -u pkgsrc/lang/go121/distinfo:1.4 pkgsrc/lang/go121/distinfo:1.5
--- pkgsrc/lang/go121/distinfo:1.4 Fri Nov 10 15:39:34 2023
+++ pkgsrc/lang/go121/distinfo Tue Dec 5 19:28:27 2023
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.4 2023/11/10 15:39:34 bsiegert Exp $
+$NetBSD: distinfo,v 1.5 2023/12/05 19:28:27 bsiegert Exp $
-BLAKE2s (go1.21.4.src.tar.gz) = ee8cdd84e28c4106b2eb5181308a6912e24689382553d19b0d365ac4a66b7364
-SHA512 (go1.21.4.src.tar.gz) = a6019d51876d7705f7737cddae748f9df3b4e1b40d678094465d2e81b18a4a99b93c3979d318d6c0c6d314e44554894105d07665b7d81acbbfd80203d3ed95bc
-Size (go1.21.4.src.tar.gz) = 26979154 bytes
+BLAKE2s (go1.21.5.src.tar.gz) = 135b193ba58f49e8e66530da5b7618dbf06a66f66b4436e76faaa9eac5b8d67e
+SHA512 (go1.21.5.src.tar.gz) = c064b7cb3c47d8fb99fc181a3cddf327a4b7a8c6af39a8ac568e9d74cd44903141680903ca48673bb02a7a159cce4f32a94f3b37fc65a9549d3518ad7c731fa3
+Size (go1.21.5.src.tar.gz) = 26986890 bytes
SHA1 (patch-misc_ios_clangwrap.sh) = 0a06403609cb7bce2e6f65444fd322f486761afe
SHA1 (patch-src_crypto_x509_root__bsd.go) = 0b5dead901450967109303f873a2696c65ccac35
SHA1 (patch-src_crypto_x509_root__solaris.go) = d636a1599ede225ac339388fba2b6e253112d461
Home |
Main Index |
Thread Index |
Old Index