lang/go
Meta package providing the current release of the Go language
Branch: CURRENT
Version: 1.15.7
Package name: go-1.15.7
Maintainer: pkgsrc-users

This is a meta package providing the latest release of the Go
programming language that is available for the host system.
The actual Go programming language is provided by packages such as
lang/go111, lang/go110, etc. This package merely allows users to
install "go" instead of having to figure out the exact package name.
No package should depend on this package directly.
Required to run: [lang/go114]
Required to build: [pkgtools/cwrappers]
Master sites:
Version history:
- (2021-01-23) Updated to version: go-1.15.7
- (2020-11-13) Updated to version: go-1.15.5
- (2020-11-09) Updated to version: go-1.15.4
- (2020-10-15) Updated to version: go-1.15.3
- (2020-09-03) Updated to version: go-1.15.1
- (2020-08-14) Updated to version: go-1.14.7
CVS history:
2021-03-10 20:55:17 by Benny Siegert | Files touched by this commit (2)
Log message:
Update go116 to 1.16.1, fixing two security issues:
- encoding/xml: infinite loop when using xml.NewTokenDecoder with a
custom TokenReader
The Decode, DecodeElement, and Skip methods of an xml.Decoder provided by
xml.NewTokenDecoder may enter an infinite loop when operating on a custom
xml.TokenReader which returns an EOF in the middle of an open XML element.
Thanks to Sam Whited for reporting this issue.
This issue is CVE-2021-27918 and Go issue golang.org/issue/44913.
- archive/zip: panic when calling Reader.Open
The Reader.Open API, new in Go 1.16, will panic when used on a ZIP archive
containing files that start with "../".
This issue is CVE-2021-27919 and Go issue golang.org/issue/44916.
2021-02-17 09:07:03 by Benny Siegert | Files touched by this commit (3)
Log message:
go116: update to the final 1.16 release
I did not find a detailed changelog from rc1.
2021-01-29 18:22:30 by Benny Siegert | Files touched by this commit (3)
Log message:
Update go116 to 1.16 RC1.
This RC contains the recent security updates for Go and fixes a number
of bugs.
2021-01-23 15:07:38 by Benny Siegert | Files touched by this commit (3)
Log message:
Update go115 to 1.15.7.
* cmd/go: packages using cgo can cause arbitrary code execution at build time
The go command may execute arbitrary code at build time when cgo is in use on
Windows. This may occur when running “go get”, or any other command that builds
code. Only users who build untrusted code (and don’t execute it) are affected.
In addition to Windows users, this can also affect Unix users who have “.”
listed explicitly in their PATH and are running “go get” or build commands
outside of a module or with module mode disabled.
Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.
This issue is CVE-2021-3115 and Go issue golang.org/issue/43783.
For more background on the cmd/go change and help deciding whether your own
programs might have similar issues, see our blog post at
https://blog.golang.org/path-security.
* crypto/elliptic: incorrect operations on the P-224 curve
The P224() Curve implementation can in rare circumstances generate incorrect
outputs, including returning invalid points from ScalarMult.
The crypto/x509 and golang.org/x/crypto/ocsp (but not crypto/tls) packages
support P-224 ECDSA keys, but they are not supported by publicly trusted
certificate authorities. No other standard library or golang.org/x/crypto
package supports or uses the P-224 curve.
The incorrect output was found by the elliptic-curve-differential-fuzzer
project running on OSS-Fuzz and reported by Philippe Antoine (Catena cyber).
This issue is CVE-2021-3114 and Go issue golang.org/issue/43786.
2021-01-22 21:08:32 by Benny Siegert | Files touched by this commit (3)
Log message:
Update go114 to 1.14.14.
* cmd/go: packages using cgo can cause arbitrary code execution at build time
The go command may execute arbitrary code at build time when cgo is in use on
Windows. This may occur when running “go get”, or any other command that builds
code. Only users who build untrusted code (and don’t execute it) are affected.
In addition to Windows users, this can also affect Unix users who have “.”
listed explicitly in their PATH and are running “go get” or build commands
outside of a module or with module mode disabled.
Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.
This issue is CVE-2021-3115 and Go issue golang.org/issue/43783.
For more background on the cmd/go change and help deciding whether your own
programs might have similar issues, see our blog post at
https://blog.golang.org/path-security.
* crypto/elliptic: incorrect operations on the P-224 curve
The P224() Curve implementation can in rare circumstances generate incorrect
outputs, including returning invalid points from ScalarMult.
The crypto/x509 and golang.org/x/crypto/ocsp (but not crypto/tls) packages
support P-224 ECDSA keys, but they are not supported by publicly trusted
certificate authorities. No other standard library or golang.org/x/crypto
package supports or uses the P-224 curve.
The incorrect output was found by the elliptic-curve-differential-fuzzer
project running on OSS-Fuzz and reported by Philippe Antoine (Catena cyber).
This issue is CVE-2021-3114 and Go issue golang.org/issue/43786.
2020-12-19 19:03:52 by Benny Siegert | Files touched by this commit (1)
Log message:
Default to go116 on Darwin-*-aarch64
2020-12-19 18:58:07 by Benny Siegert | Files touched by this commit (1)
Log message:
Add a package for go116-1.16.beta1.
Normally, we would not package beta versions, except maybe in pkgsrc-wip.
This is different though, since 1.16.beta1 is the first Go version supporting
macOS on Apple Silicon.
Discussion about this was on tech-pkg@.
2020-12-12 12:08:26 by Maya Rashish | Files touched by this commit (1)
Log message:
go: clarify that go14 had no aarch64 support on all OSes, so we need go-bin
there.
Hopefully clarifies the acceptable solution for people running into this
problem for darwin/arm64.