./lang/go, Meta package providing the current release of the Go language

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 1.16.2, Package name: go-1.16.2, Maintainer: pkgsrc-users

This is a meta package providing the latest release of the Go
programming language that is available for the host system.

The actual Go programming language is provided by packages such as
lang/go111, lang/go110, etc. This package merely allows users to
install "go" instead of having to figure out the exact package name.

No package should depend on this package directly.


Required to run:
[lang/go114]

Required to build:
[pkgtools/cwrappers]

Master sites:


Version history: (Expand)


CVS history: (Expand)


   2021-03-20 10:28:34 by Benny Siegert | Files touched by this commit (15)
Log message:
We say goodbye to Go 1.14.

The policy of the Go project is to support the last two stable branches,
so 1.14 is end of life.
   2021-03-20 10:26:11 by Benny Siegert | Files touched by this commit (1)
Log message:
Use Go 1.16 as the default version.

macOS on ARM has had 1.16 as the default already for a while. The next
branch should have it for all OSes. Some build breakage has been fixed
already in separate commits.

ok before freeze wiz@
   2021-03-19 18:22:55 by Benny Siegert | Files touched by this commit (3) | Package updated
Log message:
Update go115 to 1.15.10.

go1.15.8 (released 2021/02/04) includes fixes to the compiler, linker, runtime,
the go command, and the net/http package. See the Go 1.15.8 milestone on our
issue tracker for details.

go1.15.9 (released 2021/03/10) includes security fixes to the encoding/xml
package. See the Go 1.15.9 milestone on our issue tracker for details.

go1.15.10 (released 2021/03/11) includes fixes to the compiler, the go command,
and the net/http, os, syscall, and time packages. See the Go 1.15.10 milestone
on our issue tracker for details.
   2021-03-14 19:15:16 by Benny Siegert | Files touched by this commit (3) | Package updated
Log message:
Update go116 to 1.16.2.

go1.16.2 (released 2021/03/11) includes fixes to cgo, the compiler, linker,
the go command, and the syscall and time packages. See the Go 1.16.2 milestone
on our issue tracker for details.
   2021-03-10 20:55:17 by Benny Siegert | Files touched by this commit (2) | Package updated
Log message:
Update go116 to 1.16.1, fixing two security issues:

   - encoding/xml: infinite loop when using xml.NewTokenDecoder with a
   custom TokenReader

The Decode, DecodeElement, and Skip methods of an xml.Decoder provided by
xml.NewTokenDecoder may enter an infinite loop when operating on a custom
xml.TokenReader which returns an EOF in the middle of an open XML element.

Thanks to Sam Whited for reporting this issue.

This issue is CVE-2021-27918 and Go issue golang.org/issue/44913.

   - archive/zip: panic when calling Reader.Open

The Reader.Open API, new in Go 1.16, will panic when used on a ZIP archive
containing files that start with "../".

This issue is CVE-2021-27919 and Go issue golang.org/issue/44916.
   2021-02-17 09:07:03 by Benny Siegert | Files touched by this commit (3) | Package updated
Log message:
go116: update to the final 1.16 release

I did not find a detailed changelog from rc1.
   2021-01-29 18:22:30 by Benny Siegert | Files touched by this commit (3) | Package updated
Log message:
Update go116 to 1.16 RC1.

This RC contains the recent security updates for Go and fixes a number
of bugs.
   2021-01-23 15:07:38 by Benny Siegert | Files touched by this commit (3) | Package updated
Log message:
Update go115 to 1.15.7.

* cmd/go: packages using cgo can cause arbitrary code execution at build time

The go command may execute arbitrary code at build time when cgo is in use on
Windows. This may occur when running “go get”, or any other command that builds
code. Only users who build untrusted code (and don’t execute it) are affected.

In addition to Windows users, this can also affect Unix users who have “.”
listed explicitly in their PATH and are running “go get” or build commands
outside of a module or with module mode disabled.

Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.

This issue is CVE-2021-3115 and Go issue golang.org/issue/43783.

For more background on the cmd/go change and help deciding whether your own
programs might have similar issues, see our blog post at
https://blog.golang.org/path-security.

* crypto/elliptic: incorrect operations on the P-224 curve

The P224() Curve implementation can in rare circumstances generate incorrect
outputs, including returning invalid points from ScalarMult.

The crypto/x509 and golang.org/x/crypto/ocsp (but not crypto/tls) packages
support P-224 ECDSA keys, but they are not supported by publicly trusted
certificate authorities. No other standard library or golang.org/x/crypto
package supports or uses the P-224 curve.

The incorrect output was found by the elliptic-curve-differential-fuzzer
project running on OSS-Fuzz and reported by Philippe Antoine (Catena cyber).

This issue is CVE-2021-3114 and Go issue golang.org/issue/43786.