Subject: CVS commit: pkgsrc/lang
From: Benny Siegert
Date: 2021-12-09 18:13:49
Message id:

Log Message:
Update go116 to 1.16.12.

go1.16.12 (released 2021-12-09) includes security fixes to the syscall and
net/http packages. See the Go 1.16.12 milestone on our issue tracker for

When a Go program running on a Unix system is out of file descriptors and calls
syscall.ForkExec (including indirectly by using the os/exec package),
syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or
can be provoked) repeatedly, it can result in misdirected I/O such as writing
network traffic intended for one connection to a different connection, or
content intended for one file to a different one.

This is CVE-2021-44717 and is fixed in Go 1.17.5 and Go 1.16.12.

An attacker can cause unbounded memory growth in a Go server accepting HTTP/2

This is CVE-2021-44716 and is fixed in Go 1.17.5 and Go 1.16.12.