Subject: CVS commit: pkgsrc/lang
From: Benny Siegert
Date: 2019-09-26 20:36:46
Message id:

Log Message:
Update go112 to 1.12.10.

Commit ok'd by wiz@ for PMC.

Go 1.12.10:

net/http (through net/textproto) used to accept and normalize invalid
HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If
a Go server is used behind an uncommon reverse proxy that accepts and
forwards but doesn't normalize such invalid headers, the reverse proxy and
the server can interpret the headers differently. This can lead to filter
bypasses or request smuggling, the latter if requests from separate clients
are multiplexed onto the same upstream connection by the proxy. Such invalid
headers are now rejected by Go servers, and passed without normalization to
Go client applications.

The issue is CVE-2019-16276 and Go issue

Go 1.12.9:

go1.12.9 (released 2019/08/15) includes fixes to the linker, and the os and
math/big packages. See the Go 1.12.9 milestone on our issue tracker for