Subject: CVS commit: pkgsrc/lang
From: Benny Siegert
Date: 2022-09-07 08:36:33
Message id: 20220907063633.59CD2FA90@cvs.NetBSD.org

Log Message:
go118: update to 1.18.6 (security)

This minor release includes 2 security fixes following the security policy:

net/http: handle server errors after sending GOAWAY

A closing HTTP/2 server connection could hang forever waiting for a clean
shutdown that was preempted by a subsequent fatal error. This failure mode
could be exploited to cause a denial of service.

Thanks to Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher,
and Kaan Onarlioglu for reporting this.

This is CVE-2022-27664 and Go issue https://go.dev/issue/54658.

net/url: JoinPath does not strip relative path components in all circumstances

JoinPath and URL.JoinPath would not remove ../ path components appended to a
relative path. For example, JoinPath("https://go.dev", "../go") returned the
URL https://go.dev/../go, despite the JoinPath documentation stating that ../
path elements are cleaned from the result.

Thanks to q0jt for reporting this issue.

This is CVE-2022-32190 and Go issue https://go.dev/issue/54385.

Files:
Revision  Action  file
1.158     modify  pkgsrc/lang/go/version.mk
1.7       modify  pkgsrc/lang/go118/PLIST
1.7       modify  pkgsrc/lang/go118/distinfo
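
The JoinPath case from the log message above, as an added Go example that is not part of the commit or of the Go project's code. SafeJoin and HasDotDot are hypothetical helpers and example.test is a placeholder host; the code checks the joined path itself instead of relying on net/url to clean ../ elements.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// ErrEscapesBase reports that the joined path left the base URL's path.
var ErrEscapesBase = errors.New("joined path escapes base path")

// SafeJoin (hypothetical helper) joins elems onto base and checks the result
// itself, so the outcome does not depend on how the installed net/url
// treats "../" elements.
func SafeJoin(base string, elems ...string) (string, error) {
	u, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	root := path.Clean("/" + u.Path) // an empty base path becomes "/"
	joined := path.Join(append([]string{root}, elems...)...)
	if joined != root && !strings.HasPrefix(joined, strings.TrimSuffix(root, "/")+"/") {
		return "", ErrEscapesBase
	}
	u.Path, u.RawPath = joined, ""
	return u.String(), nil
}

// HasDotDot reports whether a URL's path still contains a ".." segment.
func HasDotDot(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return true // treat unparseable input as unsafe
	}
	for _, seg := range strings.Split(u.Path, "/") {
		if seg == ".." {
			return true
		}
	}
	return false
}

func main() {
	// Constructed inputs; example.test is a placeholder host.
	for _, e := range []string{"users/42", "../go", "../../etc"} {
		out, err := SafeJoin("https://example.test/api/v1", e)
		fmt.Printf("%-12q -> %q err=%v\n", e, out, err)
	}
	out, _ := url.JoinPath("https://go.dev", "../go") // case from the log message
	fmt.Println(out, "contains ..:", HasDotDot(out))
}
```

HasDotDot can also be run over URLs that were built earlier and stored, to find any that still carry an uncleaned ../ segment.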