Subject: CVS commit: pkgsrc/lang
From: Benny Siegert
Date: 2022-04-13 09:46:56
Message id: 20220413074656.9D0E3FB24@cvs.NetBSD.org

Log Message:
go118: update to 1.18.1

This minor release includes three security fixes following the security policy:

- encoding/pem: fix stack overflow in Decode

  A large (more than 5 MB) PEM input can cause a stack overflow in Decode,
  leading the program to crash.

  Thanks to Juho Nurminen of Mattermost who reported the error.

  This is CVE-2022-24675 and https://go.dev/issue/51853.

- crypto/elliptic: tolerate all oversized scalars in generic P-256

  A crafted scalar input longer than 32 bytes can cause P256().ScalarMult or
  P256().ScalarBaseMult to panic. Indirect uses through crypto/ecdsa and
  crypto/tls are unaffected. amd64, arm64, ppc64le, and s390x are unaffected.

  This was discovered thanks to a Project Wycheproof test vector.

  This is CVE-2022-28327 and https://go.dev/issue/52075.

- crypto/x509: non-compliant certificates can cause a panic in Verify on macOS \ 
in Go 1.18

  Verifying certificate chains containing certificates which are not compliant
  with RFC 5280 causes Certificate.Verify to panic on macOS.

  These chains can be delivered through TLS and can cause a crypto/tls or
  net/http client to crash.

  Thanks to Tailscale for doing weird things and finding this.

  This is CVE-2022-27536 and https://go.dev/issue/51759.

Files:
RevisionActionfile
1.146modifypkgsrc/lang/go/version.mk
1.2modifypkgsrc/lang/go118/PLIST
1.2modifypkgsrc/lang/go118/distinfo