The Go programming language
Branch: pkgsrc-2017Q3
Version: 1.9.1
Package name: go-1.9.1
Maintainer: bsiegert

The Go programming language is an open source project to make
programmers more productive.
Go is expressive, concise, clean, and efficient. Its concurrency
mechanisms make it easy to write programs that get the most out of
multicore and networked machines, while its novel type system enables
flexible and modular program construction. Go compiles quickly to
machine code yet has the convenience of garbage collection and the power
of run-time reflection. It's a fast, statically typed, compiled language
that feels like a dynamically typed, interpreted language.
Required to run: [lang/perl5] [shells/bash]
Required to build: [lang/go14] [pkgtools/cwrappers]
Master sites:
SHA1: 87cf0af3820834faeb6e63b035a1abae1f5b60b3
RMD160: eaff2b7bdd386e6e36175a0fb5f9fb019c7fd3b8
Filesize: 15993.848 KB
Version history:
- (2017-10-09) Updated to version: go-1.9.1
- (2017-09-29) Package added to pkgsrc.se, version go-1.9 (created)
CVS history:
2017-10-09 14:30:42 by S.P.Zeidler | Files touched by this commit (2)
Log message:
Pullup ticket #5565 - requested by sevan
lang/go: security update
Revisions pulled up:
- lang/go/distinfo 1.52
- lang/go/version.mk 1.29
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: bsiegert
Date: Fri Oct 6 18:38:25 UTC 2017
Modified Files:
pkgsrc/lang/go: distinfo version.mk
Log message:
Update Go to 1.9.1 (security fix).
Two security-related issues were recently reported.
To address this issue, we have just released Go 1.8.4 and Go 1.9.1.
We recommend that all users update to one of these releases (if you're
not sure which, choose Go 1.9.1).

The issues addressed by these releases are:

By nesting a git checkout inside another version control repository, it was
possible for an attacker to trick the "go get" command into executing
arbitrary code. The go command now refuses to use version control checkouts
found inside other version control systems, with an exception for git
submodules (git inside git).
The issue is tracked as https://golang.org/issue/22125 (Go 1.8.4) and
https://golang.org/issue/22131 (Go 1.9.1). Fixes are linked from the issues.
Thanks to Simon Rawet for the report.

In the smtp package, PlainAuth is documented as sending credentials only
over authenticated, encrypted TLS connections, but it was changed in Go 1.1
to also send credentials on non-TLS connections when the remote server
advertises that PLAIN authentication is supported. The change was meant to
allow use of PLAIN authentication on localhost, but it has the effect of
allowing a man-in-the-middle attacker to harvest credentials. PlainAuth now
requires either TLS or a localhost connection before sending credentials,
regardless of what the remote server claims.
This issue is tracked as https://golang.org/issue/22134 (Go 1.8.4) and
https://golang.org/issue/22133 (Go 1.9.1). Fixes are linked from the issues.
Thanks to Stevie Johnstone for the report.
To generate a diff of this commit:
cvs rdiff -u -r1.51 -r1.52 pkgsrc/lang/go/distinfo
cvs rdiff -u -r1.28 -r1.29 pkgsrc/lang/go/version.mk
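
The PlainAuth behaviour described in the log message can be checked against an installed toolchain without any network traffic. The following is an added example, not part of the commit or of the Go project's code; the account values and the host name mail.example.com are constructed placeholders, and the helper names releasesCredentials and toolchainHasFix are hypothetical.

```go
package main

import (
	"fmt"
	"net/smtp"
)

// releasesCredentials reports whether net/smtp's PlainAuth agrees to send the
// username and password for a connection in the given state. The server is
// described as advertising PLAIN, as in the scenario from the log message.
func releasesCredentials(host string, tls bool) bool {
	// Constructed account values. The host passed to PlainAuth must match
	// the server name, otherwise the exchange is rejected for another reason.
	auth := smtp.PlainAuth("", "user@example.com", "placeholder-password", host)
	info := &smtp.ServerInfo{Name: host, TLS: tls, Auth: []string{"PLAIN"}}
	_, resp, err := auth.Start(info)
	return err == nil && len(resp) > 0
}

// toolchainHasFix is true when a plaintext, non-localhost server that
// advertises PLAIN does not receive credentials.
func toolchainHasFix() bool {
	return !releasesCredentials("mail.example.com", false)
}

func main() {
	cases := []struct {
		host string
		tls  bool
	}{
		{"mail.example.com", true},  // remote server over TLS
		{"mail.example.com", false}, // remote server, plaintext
		{"localhost", false},        // local relay, plaintext
		{"127.0.0.1", false},        // local relay by address, plaintext
	}
	for _, c := range cases {
		fmt.Printf("host=%-17s tls=%-5v credentials sent=%v\n",
			c.host, c.tls, releasesCredentials(c.host, c.tls))
	}
	fmt.Println("toolchain has the PlainAuth fix:", toolchainHasFix())
}
```
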