Next | Query returned 307 messages, browsing 1 to 10 | Previous

History of commit frequency

CVS Commit History:


   2024-03-05 20:37:52 by Benny Siegert | Files touched by this commit (3) | Package updated
Log message:
go122: update to 1.22.1 (security)

This minor release includes 5 security fixes following the security policy:

- crypto/x509: Verify panics on certificates with an unknown public key
  algorithm

  Verifying a certificate chain which contains a certificate with an unknown
  public key algorithm will cause Certificate.Verify to panic.

  This affects all crypto/tls clients, and servers that set Config.ClientAuth
  to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default
  behavior is for TLS servers to not verify client certificates.

  Thanks to John Howard (Google) for reporting this issue.

  This is CVE-2024-24783 and Go issue https://go.dev/issue/65390.

- net/http: memory exhaustion in Request.ParseMultipartForm

  When parsing a multipart form (either explicitly with
  Request.ParseMultipartForm or implicitly with Request.FormValue,
  Request.PostFormValue, or Request.FormFile), limits on the total size of the
  parsed form were not applied to the memory consumed while reading a single
  form line. This permitted a maliciously crafted input containing very long
  lines to cause allocation of arbitrarily large amounts of memory, potentially
  leading to memory exhaustion.

  ParseMultipartForm now correctly limits the maximum size of form lines.

  Thanks to Bartek Nowotarski for reporting this issue.

  This is CVE-2023-45290 and Go issue https://go.dev/issue/65383.

- net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and
  cookies on HTTP redirect

  When following an HTTP redirect to a domain which is not a subdomain match or
  exact match of the initial domain, an http.Client does not forward sensitive
  headers such as "Authorization" or "Cookie". For example, \ 
a redirect from
  foo.com to www.foo.com will forward the Authorization header, but a redirect
  to bar.com will not.

  A maliciously crafted HTTP redirect could cause sensitive headers to be
  unexpectedly forwarded.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-45289 and Go issue https://go.dev/issue/65065.

- html/template: errors returned from MarshalJSON methods may break template
  escaping

  If errors returned from MarshalJSON methods contain user controlled data,
  they may be used to break the contextual auto-escaping behavior of the
  html/template package, allowing for subsequent actions to inject unexpected
  content into templates.

  Thanks to RyotaK (https://ryotak.net) for reporting this issue.

  This is CVE-2024-24785 and Go issue https://go.dev/issue/65697.

- net/mail: comments in display names are incorrectly handled

  The ParseAddressList function incorrectly handles comments (text within
  parentheses) within display names. Since this is a misalignment with
  conforming address parsers, it can result in different trust decisions being
  made by programs using different parsers.

  Thanks to Juho Nurminen of Mattermost and Slonser
  (https://github.com/Slonser) for reporting this issue.

  This is CVE-2024-24784 and Go issue https://go.dev/issue/65083.
   2024-03-05 20:27:59 by Benny Siegert | Files touched by this commit (3) | Package updated
Log message:
go121: update to 1.21.8 (security)

This minor release includes 5 security fixes following the security policy:

- crypto/x509: Verify panics on certificates with an unknown public key
  algorithm

  Verifying a certificate chain which contains a certificate with an unknown
  public key algorithm will cause Certificate.Verify to panic.

  This affects all crypto/tls clients, and servers that set Config.ClientAuth
  to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default
  behavior is for TLS servers to not verify client certificates.

  Thanks to John Howard (Google) for reporting this issue.

  This is CVE-2024-24783 and Go issue https://go.dev/issue/65390.

- net/http: memory exhaustion in Request.ParseMultipartForm

  When parsing a multipart form (either explicitly with
  Request.ParseMultipartForm or implicitly with Request.FormValue,
  Request.PostFormValue, or Request.FormFile), limits on the total size of the
  parsed form were not applied to the memory consumed while reading a single
  form line. This permitted a maliciously crafted input containing very long
  lines to cause allocation of arbitrarily large amounts of memory, potentially
  leading to memory exhaustion.

  ParseMultipartForm now correctly limits the maximum size of form lines.

  Thanks to Bartek Nowotarski for reporting this issue.

  This is CVE-2023-45290 and Go issue https://go.dev/issue/65383.

- net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and
  cookies on HTTP redirect

  When following an HTTP redirect to a domain which is not a subdomain match or
  exact match of the initial domain, an http.Client does not forward sensitive
  headers such as "Authorization" or "Cookie". For example, \ 
a redirect from
  foo.com to www.foo.com will forward the Authorization header, but a redirect
  to bar.com will not.

  A maliciously crafted HTTP redirect could cause sensitive headers to be
  unexpectedly forwarded.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-45289 and Go issue https://go.dev/issue/65065.

- html/template: errors returned from MarshalJSON methods may break template
  escaping

  If errors returned from MarshalJSON methods contain user controlled data,
  they may be used to break the contextual auto-escaping behavior of the
  html/template package, allowing for subsequent actions to inject unexpected
  content into templates.

  Thanks to RyotaK (https://ryotak.net) for reporting this issue.

  This is CVE-2024-24785 and Go issue https://go.dev/issue/65697.

- net/mail: comments in display names are incorrectly handled

  The ParseAddressList function incorrectly handles comments (text within
  parentheses) within display names. Since this is a misalignment with
  conforming address parsers, it can result in different trust decisions being
  made by programs using different parsers.

  Thanks to Juho Nurminen of Mattermost and Slonser
  (https://github.com/Slonser) for reporting this issue.

  This is CVE-2024-24784 and Go issue https://go.dev/issue/65083.
   2024-02-13 19:06:05 by Thomas Klausner | Files touched by this commit (1)
Log message:
go-module.mk: document print-go-modules
   2024-02-13 18:59:42 by Thomas Klausner | Files touched by this commit (1)
Log message:
go: go-modules.mk: add print-go-modules alias for show-go-modules

I always get confused between Rust and Go packages because it's
print-cargo-depends for the one but
show-go-modules for the other.

Adding an alias costs very little and makes lives easier.
   2024-02-11 20:28:18 by Benny Siegert | Files touched by this commit (2)
Log message:
go-module, go-package: set GOTOOLCHAIN=local

From version 1.21 on, Go has built-in support for additional toolchains.
If the installed Go version is too old, it can download and use a newer
version on the fly during the build.

See https://tip.golang.org/doc/toolchain for details.

Needless to say, we don't want this to happen during a pkgsrc build.
This setting disables the behavior and always uses the bundled toolchain.
   2024-02-09 21:34:11 by Benny Siegert | Files touched by this commit (1)
Log message:
Add a new package for go122-1.22.0

The latest Go release, version 1.22, arrives six months after Go 1.21. Most of \ 
its changes
are in the implementation of the toolchain, runtime, and libraries. As always, \ 
the release
maintains the Go 1 promise of compatibility. We expect almost all Go programs to \ 
continue
to compile and run as before.

Release notes: https://go.dev/doc/go1.22
   2024-02-07 15:44:17 by Benny Siegert | Files touched by this commit (3) | Package updated
Log message:
go121: update 1.21.7

go1.21.7 (released 2024-02-06) includes fixes to the compiler, the go command,
the runtime, and the crypto/x509 package. See the Go 1.21.7 milestone on the Go
issue tracker for details.
   2024-02-07 15:37:50 by Benny Siegert | Files touched by this commit (2) | Package updated
Log message:
go120: update to 1.20.14

go1.20.14 (released 2024-02-06) includes fixes to the crypto/x509 package.
See the Go 1.20.14 milestone on the issue tracker for details.
   2024-01-10 17:49:30 by Benny Siegert | Files touched by this commit (4) | Package updated
Log message:
go121: update to 1.21.6

go1.21.6 (released 2024-01-09) includes fixes to the compiler, the runtime, and
the crypto/tls, maps, and runtime/pprof packages.

It also includes a fix for a slow memory leak on Linux.
   2024-01-10 17:41:22 by Benny Siegert | Files touched by this commit (2) | Package updated
Log message:
go120: update to 1.20.13

go1.20.13 (released 2024-01-09) includes fixes to the runtime and the
crypto/tls package.

Next | Query returned 307 messages, browsing 1 to 10 | Previous