pkgsrc-Changes-HG archive


[pkgsrc/pkgsrc-2017Q3]: pkgsrc/lang/go Pullup ticket #5565 - requested by sevan



details:   https://anonhg.NetBSD.org/pkgsrc/rev/cc1fc2d3ff38
branches:  pkgsrc-2017Q3
changeset: 408521:cc1fc2d3ff38
user:      spz <spz%pkgsrc.org@localhost>
date:      Mon Oct 09 12:30:42 2017 +0000

description:
Pullup ticket #5565 - requested by sevan
lang/go: security update

Revisions pulled up:
- lang/go/distinfo                                              1.52
- lang/go/version.mk                                            1.29

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   bsiegert
   Date:           Fri Oct  6 18:38:25 UTC 2017

   Modified Files:
           pkgsrc/lang/go: distinfo version.mk

   Log Message:
   Update Go to 1.9.1 (security fix).

   Two security-related issues were recently reported.
   To address this issue, we have just released Go 1.8.4 and Go 1.9.1.

   We recommend that all users update to one of these releases (if you're
   not sure which, choose Go 1.9.1).

   The issues addressed by these releases are:

   By nesting a git checkout inside another version control repository, it was
   possible for an attacker to trick the "go get" command into executing
   arbitrary code. The go command now refuses to use version control checkouts
   found inside other version control systems, with an exception for git
   submodules (git inside git).
   The issue is tracked as https://golang.org/issue/22125 (Go 1.8.4) and
   https://golang.org/issue/22131 (Go 1.9.1). Fixes are linked from the issues.
   Thanks to Simon Rawet for the report.

   In the smtp package, PlainAuth is documented as sending credentials only
   over authenticated, encrypted TLS connections, but it was changed in Go 1.1
   to also send credentials on non-TLS connections when the remote server
   advertises that PLAIN authentication is supported. The change was meant to
   allow use of PLAIN authentication on localhost, but it has the effect of
   allowing a man-in-the-middle attacker to harvest credentials. PlainAuth now
   requires either TLS or a localhost connection before sending credentials,
   regardless of what the remote server claims.
   This issue is tracked as https://golang.org/issue/22134 (Go 1.8.4) and
   https://golang.org/issue/22133 (Go 1.9.1). Fixes are linked from the issues.
   Thanks to Stevie Johnstone for the report.


   To generate a diff of this commit:
   cvs rdiff -u -r1.51 -r1.52 pkgsrc/lang/go/distinfo
   cvs rdiff -u -r1.28 -r1.29 pkgsrc/lang/go/version.mk

diffstat:

 lang/go/distinfo   |  10 +++++-----
 lang/go/version.mk |   4 ++--
 2 files changed, 7 insertions(+), 7 deletions(-)

diffs (31 lines):

diff -r d296bcd46ee4 -r cc1fc2d3ff38 lang/go/distinfo
--- a/lang/go/distinfo  Mon Oct 09 12:23:07 2017 +0000
+++ b/lang/go/distinfo  Mon Oct 09 12:30:42 2017 +0000
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.51 2017/09/03 07:12:07 bsiegert Exp $
+$NetBSD: distinfo,v 1.51.4.1 2017/10/09 12:30:42 spz Exp $
 
-SHA1 (go1.9.src.tar.gz) = 76f7a3db86defe65510607df2db0b065db003ed6
-RMD160 (go1.9.src.tar.gz) = cdf174a39b339bac08bc04e5d461972ec2d0c337
-SHA512 (go1.9.src.tar.gz) = 70c4b892b6883fb21fc1a547a2b8d174df8c7aca282a3906e3816b4442b16c5da578b69c19443122a4a45e66fc95d170528d826b70932af09f4afd2a46615d74
-Size (go1.9.src.tar.gz) = 16377363 bytes
+SHA1 (go1.9.1.src.tar.gz) = 87cf0af3820834faeb6e63b035a1abae1f5b60b3
+RMD160 (go1.9.1.src.tar.gz) = eaff2b7bdd386e6e36175a0fb5f9fb019c7fd3b8
+SHA512 (go1.9.1.src.tar.gz) = 3c5d11089a54c61acd1a4fad9618ddb2058cc783a54564407ee50e37c864deaadfd5effeab623080c136a599096f448aae091ef41d0afca1abfcdb98adf4a793
+Size (go1.9.1.src.tar.gz) = 16377700 bytes
 SHA1 (patch-misc_io_clangwrap.sh) = cd91c47ba0fe7b6eb8009dd261c0c26c7d581c29
 SHA1 (patch-src_crypto_x509_root__bsd.go) = 93a2de7c685a0919fe93f5bc99f156e105dace4d
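Review bot: the new go1.9.1.src.tar.gz digest lines in this hunk cannot be checked from the commit itself, because the log message links the issues but names no upstream checksum. For a security pullup it would help to state in the log that the SHA512 value was compared against the upstream release before committing. The trailing context lines also show the two local patches recorded with SHA1 only, a weaker integrity guarantee than the SHA512 kept for the distfile.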
diff -r d296bcd46ee4 -r cc1fc2d3ff38 lang/go/version.mk
--- a/lang/go/version.mk        Mon Oct 09 12:23:07 2017 +0000
+++ b/lang/go/version.mk        Mon Oct 09 12:30:42 2017 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: version.mk,v 1.28 2017/09/03 07:12:07 bsiegert Exp $
+# $NetBSD: version.mk,v 1.28.4.1 2017/10/09 12:30:42 spz Exp $
 
 .include "../../mk/bsd.prefs.mk"
 
-GO_VERSION=    1.9
+GO_VERSION=    1.9.1
 GO14_VERSION=  1.4.3
 
 ONLY_FOR_PLATFORM=     *-*-i386 *-*-x86_64 *-*-*arm*
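Review bot: GO14_VERSION stays at 1.4.3 in the context right below the GO_VERSION bump, and the log message dates the PlainAuth behaviour to Go 1.1, so that toolchain does not receive this fix. If 1.4.3 is kept only as a bootstrap compiler, a short comment next to GO14_VERSION saying so would keep readers from assuming the 1.9.1 update covers everything version.mk defines.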

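The PlainAuth behaviour described in the log message above can be checked against an installed Go toolchain without any network traffic. This is an added example, not code from the commit or from the Go project; the host names and credentials are constructed, and it calls only `smtp.PlainAuth` and `Auth.Start` from the standard library.

```go
package main

import (
	"fmt"
	"net/smtp"
)

// probe is one constructed connection scenario; the host names are
// illustrative and nothing is sent over the network.
type probe struct {
	host string // server name the client believes it is talking to
	tls  bool   // whether the connection is TLS-protected
}

// credentialsReleased asks net/smtp's PlainAuth whether it would hand out
// the username and password in the given scenario. The server always
// advertises PLAIN, which is exactly what a man-in-the-middle could claim.
func credentialsReleased(p probe) (bool, error) {
	auth := smtp.PlainAuth("", "user@example.com", "constructed-password", p.host)
	info := &smtp.ServerInfo{Name: p.host, TLS: p.tls, Auth: []string{"PLAIN"}}
	mech, resp, err := auth.Start(info)
	if err != nil {
		return false, err
	}
	return mech == "PLAIN" && len(resp) > 0, nil
}

// toolchainHasFix reports whether the running standard library refuses to
// send PLAIN credentials to a remote host over a non-TLS connection.
func toolchainHasFix() bool {
	released, _ := credentialsReleased(probe{host: "mail.example.com", tls: false})
	return !released
}

func main() {
	for _, p := range []probe{
		{"mail.example.com", false}, // remote, cleartext: must be refused
		{"mail.example.com", true},  // remote, TLS: allowed
		{"localhost", false},        // localhost exception from the log message
	} {
		ok, err := credentialsReleased(p)
		fmt.Printf("host=%-17s tls=%-5v released=%-5v err=%v\n", p.host, p.tls, ok, err)
	}
	fmt.Println("toolchain has PlainAuth fix:", toolchainHasFix())
}
```

Running this with the `go` binary a package build produced shows whether that toolchain's net/smtp carries the fix.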

