Subject: CVS commit: [pkgsrc-2016Q2] pkgsrc/lang/go
From: S.P.Zeidler
Date: 2016-07-20 05:02:31
Message id: 20160720030231.B0EABFBB5@cvs.NetBSD.org

Log Message:
Pullup ticket #5064 - requested by bsiegert
lang/go: security update

Revisions pulled up:
- lang/go/Makefile                                              1.43
- lang/go/distinfo                                              1.37
- lang/go/version.mk                                            1.15

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   bsiegert
   Date:           Mon Jul 18 20:37:40 UTC 2016

   Modified Files:
           pkgsrc/lang/go: Makefile distinfo version.mk

   Log Message:
   Update Go to 1.6.3.

   A security-related issue was recently reported in Go's net/http/cgi
   package and net/http package when used in a CGI environment. Go 1.6.3
   and Go 1.7rc2 contain a fix for this issue.

   Go versions 1.0-1.6.2 and 1.7rc1 are vulnerable to an input validation
   flaw in the CGI components resulting in the HTTP_PROXY environment
   variable being set by the incoming Proxy header. This environment
   variable was also used to set the outgoing proxy, enabling an attacker
   to insert a proxy into outgoing requests of a CGI program.

   This is CVE-2016-5386 and was addressed by this change:
   https://golang.org/cl/25010, tracked in this issue:
   https://golang.org/issue/16405

   The Go team would like to thank Dominic Scheirlinck for coordinating
   disclosure of this issue across multiple languages and CGI environments.
   Read more about "httpoxy" here: https://httpoxy.org/

   Go 1.6.3 also adds support for macOS Sierra. See
   https://golang.org/issue/16354 for details.

   To generate a diff of this commit:
   cvs rdiff -u -r1.42 -r1.43 pkgsrc/lang/go/Makefile
   cvs rdiff -u -r1.36 -r1.37 pkgsrc/lang/go/distinfo
   cvs rdiff -u -r1.14 -r1.15 pkgsrc/lang/go/version.mk

Files:
Revision    Action    file
1.36.2.1    modify    pkgsrc/lang/go/distinfo
1.14.2.1    modify    pkgsrc/lang/go/version.mk