pkgsrc-Changes archive

CVS commit: pkgsrc/lang



Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Fri Sep  6 18:42:18 UTC 2024

Modified Files:
        pkgsrc/lang/go: version.mk
        pkgsrc/lang/go122: distinfo

Log Message:
go122: update to 1.22.7

This minor release includes 3 security fixes following the security policy:

go/parser: stack exhaustion in all Parse* functions

Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.

This is CVE-2024-34155 and Go issue https://go.dev/issue/69138.

encoding/gob: stack exhaustion in Decoder.Decode

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.

This is a follow-up to CVE-2022-30635.

Thanks to Md Sakib Anwar of The Ohio State University (anwar.40%osu.edu@localhost) for reporting this issue.

This is CVE-2024-34156 and Go issue https://go.dev/issue/69139.

go/build/constraint: stack exhaustion in Parse

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

This is CVE-2024-34158 and Go issue https://go.dev/issue/69141.


To generate a diff of this commit:
cvs rdiff -u -r1.214 -r1.215 pkgsrc/lang/go/version.mk
cvs rdiff -u -r1.9 -r1.10 pkgsrc/lang/go122/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/lang/go/version.mk
diff -u pkgsrc/lang/go/version.mk:1.214 pkgsrc/lang/go/version.mk:1.215
--- pkgsrc/lang/go/version.mk:1.214     Fri Sep  6 18:38:22 2024
+++ pkgsrc/lang/go/version.mk   Fri Sep  6 18:42:18 2024
@@ -1,4 +1,4 @@
-# $NetBSD: version.mk,v 1.214 2024/09/06 18:38:22 bsiegert Exp $
+# $NetBSD: version.mk,v 1.215 2024/09/06 18:42:18 bsiegert Exp $
 
 #
 # If bsd.prefs.mk is included before go-package.mk in a package, then this
@@ -7,7 +7,7 @@
 .include "go-vars.mk"
 
 GO123_VERSION= 1.23.1
-GO122_VERSION= 1.22.6
+GO122_VERSION= 1.22.7
 GO121_VERSION= 1.21.13
 GO120_VERSION= 1.20.14
 GO119_VERSION= 1.19.13
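
Review bot: on the context lines below the bump, GO121_VERSION (1.21.13), GO120_VERSION (1.20.14) and GO119_VERSION (1.19.13) stay where they were, so within this hunk only the 1.22 branch moves to a release carrying the go/parser, encoding/gob and go/build/constraint fixes named in the log message (GO123_VERSION is already at 1.23.1 on the line above). Suggest stating in the log whether the older branches are affected by CVE-2024-34155, CVE-2024-34156 and CVE-2024-34158 and, if so, which packages still build with them, so that users of those branches know they do not get the fixes from this commit.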

Index: pkgsrc/lang/go122/distinfo
diff -u pkgsrc/lang/go122/distinfo:1.9 pkgsrc/lang/go122/distinfo:1.10
--- pkgsrc/lang/go122/distinfo:1.9      Sun Aug 11 15:44:26 2024
+++ pkgsrc/lang/go122/distinfo  Fri Sep  6 18:42:18 2024
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.9 2024/08/11 15:44:26 bsiegert Exp $
+$NetBSD: distinfo,v 1.10 2024/09/06 18:42:18 bsiegert Exp $
 
-BLAKE2s (go1.22.6.src.tar.gz) = 48dc497e2ccd4343475cbbc119daf24b031cadbbeced81dfb27f85236155c75a
-SHA512 (go1.22.6.src.tar.gz) = 59f84ba390203271d9fe2d3f04624449d54d3bb73c2b6e54b5f7dc9e9e2dce2192bae07ef56a2afee871cff84d457b90f8a00f4433e072028b97af987f3799e1
-Size (go1.22.6.src.tar.gz) = 27561569 bytes
+BLAKE2s (go1.22.7.src.tar.gz) = 8bec5dc1aa82ae1784195f9f2c7345c161a72167ed7869e57576403509665719
+SHA512 (go1.22.7.src.tar.gz) = 60b37916e31c3482e8395580a29757971df5e1783dc13a9914261007e07aa8b1b9c1a0b874883e297903e16c7831117b8f814aeff0a0d4398948c97c9d73b73a
+Size (go1.22.7.src.tar.gz) = 27562038 bytes
 SHA1 (patch-misc_ios_clangwrap.sh) = 0a06403609cb7bce2e6f65444fd322f486761afe
 SHA1 (patch-src_cmd_dist_build.go) = cbb9576f832806b0cbef121ea38ba6a54db95bc3
 SHA1 (patch-src_crypto_x509_root__bsd.go) = 0b5dead901450967109303f873a2696c65ccac35
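
Review bot: the three replaced entries for go1.22.7.src.tar.gz (BLAKE2s, SHA512, Size) are the only integrity anchor pkgsrc users get for a security release, and the log message does not say how the fetched tarball was checked against upstream before these digests were recorded. Suggest adding a line to the log noting that the tarball was compared with the checksum published by the Go project. The three patch-* SHA1 context lines are unchanged, which means the local patches are carried over as is; worth confirming that patch-src_cmd_dist_build.go and patch-src_crypto_x509_root__bsd.go still apply without fuzz against the 1.22.7 sources.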


