Navigation:
Browse pkgsrc
(this page)
lang go
CVSweb ] [ 
Homepage ] [ 
RSS ] [ 
Required by ] [ 
Add to tracker ]| 2024-04-05 21:07:55 by Benny Siegert | Files touched by this commit (3) |
Log message: go121: Update to 1.21.9. This minor release includes 1 security fix following the security policy: http2: close connections when receiving too many headers Maintaining HPACK state requires that we parse and process all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, we don't allocate memory to store the excess headers but we do parse them. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. Set a limit on the amount of excess header frames we will process before closing a connection. Thanks to Bartek Nowotarski (https://nowotarski.info/) for reporting this issue. This is CVE-2023-45288 and Go issue https://go.dev/issue/65051. |
| 2024-04-05 20:51:52 by Benny Siegert | Files touched by this commit (3) |
Log message: This minor release includes 1 security fix following the security policy: http2: close connections when receiving too many headers Maintaining HPACK state requires that we parse and process all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, we don't allocate memory to store the excess headers but we do parse them. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. Set a limit on the amount of excess header frames we will process before closing a connection. Thanks to Bartek Nowotarski (https://nowotarski.info/) for reporting this issue. This is CVE-2023-45288 and Go issue https://go.dev/issue/65051. |
2024-03-05 20:37:52 by Benny Siegert | Files touched by this commit (3) |  |
Log message: go122: update to 1.22.1 (security) This minor release includes 5 security fixes following the security policy: - crypto/x509: Verify panics on certificates with an unknown public key algorithm Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates. Thanks to John Howard (Google) for reporting this issue. This is CVE-2024-24783 and Go issue https://go.dev/issue/65390. - net/http: memory exhaustion in Request.ParseMultipartForm When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permitted a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. ParseMultipartForm now correctly limits the maximum size of form lines. Thanks to Bartek Nowotarski for reporting this issue. This is CVE-2023-45290 and Go issue https://go.dev/issue/65383. - net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, \ a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded. Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2023-45289 and Go issue https://go.dev/issue/65065. - html/template: errors returned from MarshalJSON methods may break template escaping If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates. Thanks to RyotaK (https://ryotak.net) for reporting this issue. This is CVE-2024-24785 and Go issue https://go.dev/issue/65697. - net/mail: comments in display names are incorrectly handled The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers. Thanks to Juho Nurminen of Mattermost and Slonser (https://github.com/Slonser) for reporting this issue. This is CVE-2024-24784 and Go issue https://go.dev/issue/65083. |
| 2024-03-05 20:27:59 by Benny Siegert | Files touched by this commit (3) | |
Log message: go121: update to 1.21.8 (security) This minor release includes 5 security fixes following the security policy: - crypto/x509: Verify panics on certificates with an unknown public key algorithm Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates. Thanks to John Howard (Google) for reporting this issue. This is CVE-2024-24783 and Go issue https://go.dev/issue/65390. - net/http: memory exhaustion in Request.ParseMultipartForm When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permitted a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. ParseMultipartForm now correctly limits the maximum size of form lines. Thanks to Bartek Nowotarski for reporting this issue. This is CVE-2023-45290 and Go issue https://go.dev/issue/65383. - net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, \ a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded. Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2023-45289 and Go issue https://go.dev/issue/65065. - html/template: errors returned from MarshalJSON methods may break template escaping If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates. Thanks to RyotaK (https://ryotak.net) for reporting this issue. This is CVE-2024-24785 and Go issue https://go.dev/issue/65697. - net/mail: comments in display names are incorrectly handled The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers. Thanks to Juho Nurminen of Mattermost and Slonser (https://github.com/Slonser) for reporting this issue. This is CVE-2024-24784 and Go issue https://go.dev/issue/65083. |
| 2024-02-13 19:06:05 by Thomas Klausner | Files touched by this commit (1) |
Log message: go-module.mk: document print-go-modules |
| 2024-02-13 18:59:42 by Thomas Klausner | Files touched by this commit (1) |
Log message: go: go-modules.mk: add print-go-modules alias for show-go-modules I always get confused between Rust and Go packages because it's print-cargo-depends for the one but show-go-modules for the other. Adding an alias costs very little and makes lives easier. |
| 2024-02-11 20:28:18 by Benny Siegert | Files touched by this commit (2) |
Log message: go-module, go-package: set GOTOOLCHAIN=local From version 1.21 on, Go has built-in support for additional toolchains. If the installed Go version is too old, it can download and use a newer version on the fly during the build. See https://tip.golang.org/doc/toolchain for details. Needless to say, we don't want this to happen during a pkgsrc build. This setting disables the behavior and always uses the bundled toolchain. |
| 2024-02-09 21:34:11 by Benny Siegert | Files touched by this commit (1) |
Log message: Add a new package for go122-1.22.0 The latest Go release, version 1.22, arrives six months after Go 1.21. Most of \ its changes are in the implementation of the toolchain, runtime, and libraries. As always, \ the release maintains the Go 1 promise of compatibility. We expect almost all Go programs to \ continue to compile and run as before. Release notes: https://go.dev/doc/go1.22 |
New packages: