Navigation:
Browse pkgsrc
(this page) 2023-10-07 20:09:35 by Benny Siegert | Files touched by this commit (3) |  |
Log message: go120: update to 1.20.9 (security). cmd/go: line directives allows arbitrary execution during build "//line" directives can be used to bypass the restrictions on \ "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compliation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of \ the file in which the directive lives, which makes exploting this issue significantly more complex. This is CVE-2023-39323 and Go issue https://go.dev/issue/63211. View the release notes for more information: https://go.dev/doc/devel/release#go1.20.9 |
| 2023-09-08 21:02:04 by Benny Siegert | Files touched by this commit (2) | |
Log message: go119: update to 1.19.13 go1.19.13 (released 2023-09-06) includes fixes to the go command, and the crypto/tls and net/http packages. See the Go 1.19.13 milestone on our issue tracker for details. |
| 2023-09-08 20:49:46 by Benny Siegert | Files touched by this commit (3) | |
Log message: go120: update to 1.20.8 (security) This minor releases includes 4 security fixes following the security policy: - cmd/go: go.mod toolchain directive allows arbitrary execution The go.mod toolchain directive, introduced in Go 1.21, could be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as \ modules downloaded directly using VCS software. Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2023-39320 and Go issue https://go.dev/issue/62198. - html/template: improper handling of HTML-like comments within script contexts The html/template package did not properly handle HMTL-like \ "<!--" and "-->" comment tokens, nor hashbang "#!" comment tokens, in <script> \ contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack. Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue. This is CVE-2023-39318 and Go issue https://go.dev/issue/62196. - html/template: improper handling of special tags within script contexts The html/template package did not apply the proper rules for handling occurrences of "<script", "<!--", and \ "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack. Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue. This is CVE-2023-39319 and Go issue https://go.dev/issue/62197. - crypto/tls: panic when processing post-handshake message on QUIC connections Processing an incomplete post-handshake message for a QUIC connection caused a panic. Thanks to Marten Seemann for reporting this issue. This is CVE-2023-39321 and CVE-2023-39322 and Go issue https://go.dev/issue/62266. |
| 2023-09-08 15:06:29 by Benny Siegert | Files touched by this commit (3) | |
Log message: go121: update to 1.21.1 (security) This minor releases includes 4 security fixes following the security policy: - cmd/go: go.mod toolchain directive allows arbitrary execution The go.mod toolchain directive, introduced in Go 1.21, could be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as \ modules downloaded directly using VCS software. Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2023-39320 and Go issue https://go.dev/issue/62198. - html/template: improper handling of HTML-like comments within script contexts The html/template package did not properly handle HMTL-like \ "<!--" and "-->" comment tokens, nor hashbang "#!" comment tokens, in <script> \ contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack. Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue. This is CVE-2023-39318 and Go issue https://go.dev/issue/62196. - html/template: improper handling of special tags within script contexts The html/template package did not apply the proper rules for handling occurrences of "<script", "<!--", and \ "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack. Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue. This is CVE-2023-39319 and Go issue https://go.dev/issue/62197. - crypto/tls: panic when processing post-handshake message on QUIC connections Processing an incomplete post-handshake message for a QUIC connection caused a panic. Thanks to Marten Seemann for reporting this issue. This is CVE-2023-39321 and CVE-2023-39322 and Go issue https://go.dev/issue/62266. View the release notes for more information: https://go.dev/doc/devel/release#go1.21.1 |
| 2023-08-26 18:35:30 by Benny Siegert | Files touched by this commit (1) |
Log message: New package, go121-1.21.0. This will not be the default Go version in the next branch, since the freeze date is close. |
| 2023-08-25 20:29:24 by Benny Siegert | Files touched by this commit (3) | |
Log message: go120: update to 1.20.7 (security) go1.20.7 (released 2023-08-01) includes a security fix to the crypto/tls package, as well as bug fixes to the assembler and the compiler. See the Go 1.20.7 milestone on our issue tracker for details. |
| 2023-08-12 15:02:54 by Benny Siegert | Files touched by this commit (3) |
Log message: Update go119 to 1.19.12 (security). crypto/tls: restrict RSA keys in certificates to <= 8192 bits Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. Limit this by restricting the size of RSA keys transmitted during handshakes to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable. Thanks to Mateusz Poliwczak for reporting this issue. |
| 2023-07-15 12:40:37 by Benny Siegert | Files touched by this commit (3) | |
Log message: go120: update to 1.20.6 (security) This minor release includes 1 security fix following the security policy: net/http: insufficient sanitization of Host header The HTTP/1 client did not fully validate the contents of the Host header. A maliciously crafted Host header could inject additional headers or entire requests. The HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value. Thanks to Bartek Nowotarski for reporting this issue. Includes security fixes for CVE-2023-29406 and Go issue https://go.dev/issue/60374 |
| 2023-07-15 12:35:14 by Benny Siegert | Files touched by this commit (3) | |
Log message: go119: update to 1.19.11 (security) This minor release includes 1 security fix following the security policy: net/http: insufficient sanitization of Host header The HTTP/1 client did not fully validate the contents of the Host header. A maliciously crafted Host header could inject additional headers or entire requests. The HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value. Thanks to Bartek Nowotarski for reporting this issue. Includes security fixes for CVE-2023-29406 and Go issue https://go.dev/issue/60374 |
| 2023-06-10 13:41:31 by Benny Siegert | Files touched by this commit (3) | |
Log message: go120: update to 1.20.5 (security) This minor release includes 3 security fixes following the security policy: - cmd/go: cgo code injection The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected). Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2023-29402 and Go issue https://go.dev/issue/60167. - runtime: unexpected behavior of setuid/setgid binaries The Go runtime didn't act any differently when a binary had the setuid/setgid bit set. On Unix platforms, if a setuid/setgid binary was executed with standard I/O file descriptors closed, opening any files could result in unexpected content being read/written with elevated prilieges. Similarly if a setuid/setgid program was terminated, either via panic or signal, it could leak the contents of its registers. Thanks to Vincent Dehors from Synacktiv for reporting this issue. This is CVE-2023-29403 and Go issue https://go.dev/issue/60272. - cmd/go: improper sanitization of LDFLAGS The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when \ running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2023-29404 and CVE-2023-29405 and Go issues https://go.dev/issue/60305 and https://go.dev/issue/60306. |
New packages: