Navigation:
Browse pkgsrc
(this page)
lang go119
CVSweb ] [ 
Homepage ] [ 
RSS ] [ 
Required by ] 2025-04-01 19:47:20 by Benny Siegert | Files touched by this commit (26) |  |
Log message: go119, go121: remove go124 is the current version. go123 is still supported. To build go124 from source, the chain is go14 - go118 - go120 - go122 - go124 Thus, nothing needs go119 and go121. agreed by maya@ on tech-pkg |
| 2023-09-25 01:45:39 by Thomas Klausner | Files touched by this commit (1) |
Log message: go119: add missing file to PLIST |
2023-09-08 21:02:04 by Benny Siegert | Files touched by this commit (2) |  |
Log message: go119: update to 1.19.13 go1.19.13 (released 2023-09-06) includes fixes to the go command, and the crypto/tls and net/http packages. See the Go 1.19.13 milestone on our issue tracker for details. |
| 2023-08-12 15:02:54 by Benny Siegert | Files touched by this commit (3) |
Log message: Update go119 to 1.19.12 (security). crypto/tls: restrict RSA keys in certificates to <= 8192 bits Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. Limit this by restricting the size of RSA keys transmitted during handshakes to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable. Thanks to Mateusz Poliwczak for reporting this issue. |
| 2023-07-15 12:53:10 by Benny Siegert | Files touched by this commit (151) | |
Log message: Revbump all Go packages after go120 update |
| 2023-07-15 12:35:14 by Benny Siegert | Files touched by this commit (3) | |
Log message: go119: update to 1.19.11 (security) This minor release includes 1 security fix following the security policy: net/http: insufficient sanitization of Host header The HTTP/1 client did not fully validate the contents of the Host header. A maliciously crafted Host header could inject additional headers or entire requests. The HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value. Thanks to Bartek Nowotarski for reporting this issue. Includes security fixes for CVE-2023-29406 and Go issue https://go.dev/issue/60374 |
| 2023-06-06 20:49:04 by Benny Siegert | Files touched by this commit (3) | |
Log message: go119: update to 1.19.10 (security) This minor release includes 3 security fixes following the security policy: - cmd/go: cgo code injection The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected). Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2023-29402 and Go issue https://go.dev/issue/60167. - runtime: unexpected behavior of setuid/setgid binaries The Go runtime didn't act any differently when a binary had the setuid/setgid bit set. On Unix platforms, if a setuid/setgid binary was executed with standard I/O file descriptors closed, opening any files could result in unexpected content being read/written with elevated prilieges. Similarly if a setuid/setgid program was terminated, either via panic or signal, it could leak the contents of its registers. Thanks to Vincent Dehors from Synacktiv for reporting this issue. This is CVE-2023-29403 and Go issue https://go.dev/issue/60272. - cmd/go: improper sanitization of LDFLAGS The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when \ running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2023-29404 and CVE-2023-29405 and Go issues https://go.dev/issue/60305 and https://go.dev/issue/60306. |
| 2023-05-03 21:24:54 by Benny Siegert | Files touched by this commit (3) | |
Log message:
go119: update to 1.19.9 (security)
This minor release includes 3 security fixes following the security policy:
* html/template: improper sanitization of CSS values
Angle brackets (<>) were not considered dangerous characters when inserted
into CSS contexts. Templates containing multiple actions separated by a '/'
character could result in unexpectedly closing the CSS context and allowing
for injection of unexpected HMTL, if executed with untrusted input.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2023-24539 and Go issue https://go.dev/issue/59720.
* html/template: improper handling of JavaScript whitespace
Not all valid JavaScript whitespace characters were considered to be
whitespace. Templates containing whitespace characters outside of the
character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts \
that also
contain actions may not be properly sanitized during execution.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2023-24540 and Go issue https://go.dev/issue/59721.
* html/template: improper handling of empty HTML attributes
Templates containing actions in unquoted HTML attributes (e.g. \
"attr={{.}}")
executed with empty input could result in output that would have unexpected
results when parsed due to HTML normalization rules. This may allow injection
of arbitrary attributes into tags.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2023-29400 and Go issue https://go.dev/issue/59722.
|
New packages: