Path to this page:
Subject: CVS commit: [pkgsrc-2016Q3] pkgsrc/lang/go
From: S.P.Zeidler
Date: 2016-12-12 07:50:03
Message id: 20161212065003.40C31FBA6@cvs.NetBSD.org
Log Message:
Pullup ticket #5170 - requested by bsiegert
lang/go: security update
Revisions pulled up:
- lang/go/Makefile 1.48
- lang/go/PLIST 1.28
- lang/go/distinfo 1.42,1.41
- lang/go/patches/patch-src_net_http_h2__bundle.go deleted
- lang/go/version.mk 1.21,1.18
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: bsiegert
Date: Sun Dec 4 16:08:55 UTC 2016
Modified Files:
pkgsrc/lang/go: distinfo version.mk
Log Message:
Update Go to 1.7.4.
Two security-related issues were recently reported, and to address these issues
we have just released Go 1.6.4 and Go 1.7.4.
We recommend that all users update to one of these releases (if you're not sure
which, choose Go 1.7.4).
The issues addressed by these releases are:
On Darwin, user's trust preferences for root certificates were not honored. If
the user had a root certificate loaded in their Keychain that was explicitly
not trusted, a Go program would still verify a connection using that root
certificate. This is addressed by https://golang.org/cl/33721, tracked in
https://golang.org/issue/18141.
Thanks to Xy Ziemba for identifying and reporting this issue.
The net/http package's Request.ParseMultipartForm method starts writing to
temporary files once the request body size surpasses the given \
"maxMemory"
limit. It was possible for an attacker to generate a multipart request crafted
such that the server ran out of file descriptors. This is addressed by
https://golang.org/cl/30410, tracked in https://golang.org/issue/17965.
Thanks to Simon Rawet for the report.
To generate a diff of this commit:
cvs rdiff -u -r1.41 -r1.42 pkgsrc/lang/go/distinfo
cvs rdiff -u -r1.20 -r1.21 pkgsrc/lang/go/version.mk
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: bsiegert
Date: Thu Oct 27 18:58:00 UTC 2016
Modified Files:
pkgsrc/lang/go: Makefile PLIST distinfo version.mk
Removed Files:
pkgsrc/lang/go/patches: patch-src_net_http_h2__bundle.go
Log Message:
Update Go to 1.7.3.
go1.7.2 should not be used. It was tagged but not fully released. The release
was deferred due to a last minute bug report. Use go1.7.3 instead, and refer to
the summary of changes below.
go1.7.3 (released 2016/10/19) includes fixes to the compiler, runtime, and the
crypto/cipher, crypto/tls, net/http, and strings packages. See the Go 1.7.3
milestone on our issue tracker for details.
To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.48 pkgsrc/lang/go/Makefile
cvs rdiff -u -r1.27 -r1.28 pkgsrc/lang/go/PLIST
cvs rdiff -u -r1.40 -r1.41 pkgsrc/lang/go/distinfo
cvs rdiff -u -r1.17 -r1.18 pkgsrc/lang/go/version.mk
cvs rdiff -u -r1.1 -r0 \
pkgsrc/lang/go/patches/patch-src_net_http_h2__bundle.go
Files: