./lang/go115, The Go programming language

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 1.15.10, Package name: go115-1.15.10, Maintainer: bsiegert

The Go programming language is an open source project to make
programmers more productive.

Go is expressive, concise, clean, and efficient. Its concurrency
mechanisms make it easy to write programs that get the most out of
multicore and networked machines, while its novel type system enables
flexible and modular program construction. Go compiles quickly to
machine code yet has the convenience of garbage collection and the power
of run-time reflection. It's a fast, statically typed, compiled language
that feels like a dynamically typed, interpreted language.


Master sites:

SHA1: 4c9ecfbe1e1aace59de5d8a5e9945a3c6e6b4bc1
RMD160: 55bb5bdfdd80f075ca2777fccc3288ed40269b8f
Filesize: 22482.415 KB

Version history: (Expand)


CVS history: (Expand)


   2021-03-30 16:53:35 by Jonathan Perkin | Files touched by this commit (3)
Log message:
go115: Find pkgsrc SSL certificates on SunOS.
   2021-03-19 18:22:55 by Benny Siegert | Files touched by this commit (3) | Package updated
Log message:
Update go115 to 1.15.10.

go1.15.8 (released 2021/02/04) includes fixes to the compiler, linker, runtime,
the go command, and the net/http package. See the Go 1.15.8 milestone on our
issue tracker for details.

go1.15.9 (released 2021/03/10) includes security fixes to the encoding/xml
package. See the Go 1.15.9 milestone on our issue tracker for details.

go1.15.10 (released 2021/03/11) includes fixes to the compiler, the go command,
and the net/http, os, syscall, and time packages. See the Go 1.15.10 milestone
on our issue tracker for details.
   2021-02-18 12:05:42 by Thomas Klausner | Files touched by this commit (3)
Log message:
go11*: switch from gtar to using bsdtar

Tested on NetBSD current.

Ok bsiegert
   2021-01-23 15:07:38 by Benny Siegert | Files touched by this commit (3) | Package updated
Log message:
Update go115 to 1.15.7.

* cmd/go: packages using cgo can cause arbitrary code execution at build time

The go command may execute arbitrary code at build time when cgo is in use on
Windows. This may occur when running “go get”, or any other command that builds
code. Only users who build untrusted code (and don’t execute it) are affected.

In addition to Windows users, this can also affect Unix users who have “.”
listed explicitly in their PATH and are running “go get” or build commands
outside of a module or with module mode disabled.

Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.

This issue is CVE-2021-3115 and Go issue golang.org/issue/43783.

For more background on the cmd/go change and help deciding whether your own
programs might have similar issues, see our blog post at
https://blog.golang.org/path-security.

* crypto/elliptic: incorrect operations on the P-224 curve

The P224() Curve implementation can in rare circumstances generate incorrect
outputs, including returning invalid points from ScalarMult.

The crypto/x509 and golang.org/x/crypto/ocsp (but not crypto/tls) packages
support P-224 ECDSA keys, but they are not supported by publicly trusted
certificate authorities. No other standard library or golang.org/x/crypto
package supports or uses the P-224 curve.

The incorrect output was found by the elliptic-curve-differential-fuzzer
project running on OSS-Fuzz and reported by Philippe Antoine (Catena cyber).

This issue is CVE-2021-3114 and Go issue golang.org/issue/43786.
   2020-11-13 19:45:50 by Benny Siegert | Files touched by this commit (3) | Package updated
Log message:
Update go115 to 1.15.5 (security fix).

   - math/big: panic during recursive division of very large numbers

A number of math/big.Int <https://pkg.go.dev/math/big#Int> methods (Div,
Exp, DivMod, Quo, Rem, QuoRem, Mod, ModInverse, ModSqrt, Jacobi, and GCD)
can panic when provided crafted large inputs. For the panic to happen, the
divisor or modulo argument must be larger than 3168 bits (on 32-bit
architectures) or 6336 bits (on 64-bit architectures). Multiple math/big.Rat
<https://pkg.go.dev/math/big#Rat> methods are similarly affected.

crypto/rsa.VerifyPSS <https://pkg.go.dev/crypto/rsa#VerifyPSS>,
crypto/rsa.VerifyPKCS1v15 <https://pkg.go.dev/crypto/rsa#VerifyPKCS1v15>,
and crypto/dsa.Verify <https://pkg.go.dev/crypto/dsa#Verify> may panic when
provided crafted public keys and signatures. crypto/ecdsa and
crypto/elliptic operations may only be affected if custom CurveParams
<https://pkg.go.dev/crypto/elliptic#CurveParams> with unusually large field
sizes (several times larger than the largest supported curve, P-521) are in
use. Using crypto/x509.Verify on a crafted X.509 certificate chain can lead
to a panic, even if the certificates don’t chain to a trusted root. The
chain can be delivered via a crypto/tls connection to a client, or to a
server that accepts and verifies client certificates. net/http clients can
be made to crash by an HTTPS server, while net/http servers that accept
client certificates will recover the panic and are unaffected.

Moreover, an application might crash invoking
crypto/x509.(*CertificateRequest).CheckSignature on an X.509 certificate
request or during a golang.org/x/crypto/otr conversation. Parsing a
golang.org/x/crypto/openpgp Entity or verifying a signature may crash.
Finally, a golang.org/x/crypto/ssh client can panic due to a malformed host
key, while a server could panic if either PublicKeyCallback accepts a
malformed public key, or if IsUserAuthority accepts a certificate with a
malformed public key.

This issue is CVE-2020-28362 and Go issue golang.org/issue/42552.

   - cmd/go: arbitrary code execution at build time through cgo

The go command may execute arbitrary code at build time when cgo is in use.
This may occur when running go get on a malicious package, or any other
command that builds untrusted code.

This can be caused by malicious gcc flags specified via a #cgo directive,
or by a malicious symbol name in a linked object file.

These issues are CVE-2020-28367 and CVE-2020-28366, and Go issues
golang.org/issue/42556 and golang.org/issue/42559 respectively.
   2020-11-08 21:38:10 by Benny Siegert | Files touched by this commit (3) | Package updated
Log message:
Update go115 to 1.15.4

go1.15.4 (released 2020/11/05) includes fixes to cgo, the compiler, linker,
runtime, and the compress/flate, net/http, reflect, and time packages. See the
Go 1.15.4 milestone on our issue tracker for details.
   2020-10-15 14:43:34 by Benny Siegert | Files touched by this commit (3) | Package updated
Log message:
Update go115 to 1.15.3.

go1.15.2 (released 2020/09/09) includes fixes to the compiler, runtime,
documentation, the go command, and the net/mail, os, sync, and testing
packages. See the Go 1.15.2 milestone on our issue tracker for details.

go1.15.3 (released 2020/10/14) includes fixes to cgo, the compiler, runtime,
the go command, and the bytes, plugin, and testing packages. See the Go 1.15.3
milestone on our issue tracker for details.
   2020-09-07 10:15:42 by Amitai Schleier | Files touched by this commit (1)
Log message:
go115/pkg/${GO_PLATFORM}/crypto/x509/internal/macos.a gets built and
installed on macOS, so put it in PLIST.Darwin. bsiegert@ ok