Log message:
go119: add missing file to PLIST

Log message:
go119: update to 1.19.13

go1.19.13 (released 2023-09-06) includes fixes to the go command, and the
crypto/tls and net/http packages. See the Go 1.19.13 milestone on our issue
tracker for details.

Log message:
Update go119 to 1.19.12 (security).

crypto/tls: restrict RSA keys in certificates to <= 8192 bits

Extremely large RSA keys in certificate chains can cause a client/server
to expend significant CPU time verifying signatures. Limit this by
restricting the size of RSA keys transmitted during handshakes to <=
8192 bits.

Based on a survey of publicly trusted RSA keys, there are currently only
three certificates in circulation with keys larger than this, and all
three appear to be test certificates that are not actively deployed. It
is possible there are larger keys in use in private PKIs, but we target
the web PKI, so causing breakage here in the interests of increasing the
default safety of users of crypto/tls seems reasonable.

Thanks to Mateusz Poliwczak for reporting this issue.

Log message:
Revbump all Go packages after go120 update

Log message:
go119: update to 1.19.11 (security)

This minor release includes 1 security fix following the security policy:

net/http: insufficient sanitization of Host header

The HTTP/1 client did not fully validate the contents of the Host header. A
maliciously crafted Host header could inject additional headers or entire
requests. The HTTP/1 client now refuses to send requests containing an invalid
Request.Host or Request.URL.Host value.

Thanks to Bartek Nowotarski for reporting this issue.

Includes security fixes for CVE-2023-29406 and Go issue
https://go.dev/issue/60374

Log message:
go119: update to 1.19.10 (security)

This minor release includes 3 security fixes following the security policy:

- cmd/go: cgo code injection

  The go command may generate unexpected code at build time when using cgo. This
  may result in unexpected behavior when running a go program which uses cgo.

  This may occur when running an untrusted module which contains directories
  with newline characters in their names. Modules which are retrieved using the
  go command, i.e. via "go get", are not affected (modules retrieved using
  GOPATH-mode, i.e.  GO111MODULE=off, may be affected).

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29402 and Go issue https://go.dev/issue/60167.

- runtime: unexpected behavior of setuid/setgid binaries

  The Go runtime didn't act any differently when a binary had the setuid/setgid
  bit set. On Unix platforms, if a setuid/setgid binary was executed with
  standard I/O file descriptors closed, opening any files could result in
  unexpected content being read/written with elevated prilieges. Similarly if a
  setuid/setgid program was terminated, either via panic or signal, it could
  leak the contents of its registers.

  Thanks to Vincent Dehors from Synacktiv for reporting this issue.

  This is CVE-2023-29403 and Go issue https://go.dev/issue/60272.

- cmd/go: improper sanitization of LDFLAGS

  The go command may execute arbitrary code at build time when using cgo. This
  may occur when running "go get" on a malicious module, or when \ 
running any
  other command which builds untrusted code. This is can by triggered by linker
  flags, specified via a "#cgo LDFLAGS" directive.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29404 and CVE-2023-29405 and Go issues
  https://go.dev/issue/60305 and https://go.dev/issue/60306.

Log message:
go119: update to 1.19.9 (security)

This minor release includes 3 security fixes following the security policy:

* html/template: improper sanitization of CSS values

  Angle brackets (<>) were not considered dangerous characters when inserted
  into CSS contexts. Templates containing multiple actions separated by a '/'
  character could result in unexpectedly closing the CSS context and allowing
  for injection of unexpected HMTL, if executed with untrusted input.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-24539 and Go issue https://go.dev/issue/59720.

* html/template: improper handling of JavaScript whitespace

  Not all valid JavaScript whitespace characters were considered to be
  whitespace. Templates containing whitespace characters outside of the
  character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts \ 
that also
  contain actions may not be properly sanitized during execution.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-24540 and Go issue https://go.dev/issue/59721.

* html/template: improper handling of empty HTML attributes

  Templates containing actions in unquoted HTML attributes (e.g. \ 
"attr={{.}}")
  executed with empty input could result in output that would have unexpected
  results when parsed due to HTML normalization rules. This may allow injection
  of arbitrary attributes into tags.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29400 and Go issue https://go.dev/issue/59722.

Log message:
go119: update to 1.19.8 (security)

This minor release includes 4 security fixes following the security policy:

- go/parser: infinite loop in parsing

  Calling any of the Parse functions on Go source code which contains //line
  directives with very large line numbers can cause an infinite loop due to
  integer overflow.

  Thanks to Philippe Antoine (Catena cyber) for reporting this issue.

  This is CVE-2023-24537 and Go issue https://go.dev/issue/59180.

- html/template: backticks not treated as string delimiters

  Templates did not properly consider backticks (`) as Javascript string
  delimiters, and as such did not escape them as expected. Backticks are used,
  since ES6, for JS template literals. If a template contained a Go template
  action within a Javascript template literal, the contents of the action could
  be used to terminate the literal, injecting arbitrary Javascript code into
  the Go template.

  As ES6 template literals are rather complex, and themselves can do string
  interpolation, we've decided to simply disallow Go template actions from
  being used inside of them (e.g. "var a = {{.}}"), since there is no \ 
obviously
  safe way to allow this behavior. This takes the same approach as
  github.com/google/safehtml.  Template.Parse will now return an Error when it
  encounters templates like this, with a currently unexported ErrorCode with a
  value of 12. This ErrorCode will be exported in the next major release.

  Users who rely on this behavior can re-enable it using the GODEBUG flag
  jstmpllitinterp=1, with the caveat that backticks will now be escaped. This
  should be used with caution.

  Thanks to Sohom Datta, Manipal Institute of Technology, for reporting this
  issue.

  This is CVE-2023-24538 and Go issue https://go.dev/issue/59234.

- net/http, net/textproto: denial of service from excessive memory allocation

  HTTP and MIME header parsing could allocate large amounts of memory, even
  when parsing small inputs.

  Certain unusual patterns of input data could cause the common function used
  to parse HTTP and MIME headers to allocate substantially more memory than
  required to hold the parsed headers. An attacker can exploit this behavior to
  cause an HTTP server to allocate large amounts of memory from a small
  request, potentially leading to memory exhaustion and a denial of service.

  Header parsing now correctly allocates only the memory required to hold
  parsed headers.

  Thanks to Jakob Ackermann (@das7pad) for discovering this issue.

  This is CVE-2023-24534 and Go issue https://go.dev/issue/58975.

- net/http, net/textproto, mime/multipart: denial of service from excessive \ 
resource consumption

  Multipart form parsing can consume large amounts of CPU and memory when
  processing form inputs containing very large numbers of parts. This stems
  from several causes:

  mime/multipart.Reader.ReadForm limits the total memory a parsed multipart
  form can consume. ReadForm could undercount the amount of memory consumed,
  leading it to accept larger inputs than intended.  Limiting total memory does
  not account for increased pressure on the garbage collector from large
  numbers of small allocations in forms with many parts.  ReadForm could
  allocate a large number of short-lived buffers, further increasing pressure
  on the garbage collector.  The combination of these factors can permit an
  attacker to cause an program that parses multipart forms to consume large
  amounts of CPU and memory, potentially resulting in a denial of service. This
  affects programs that use mime/multipart.Reader.ReadForm, as well as form
  parsing in the net/http package with the Request methods FormFile, FormValue,
  ParseMultipartForm, and PostFormValue.

  ReadForm now does a better job of estimating the memory consumption of parsed
  forms, and performs many fewer short-lived allocations.

  In addition, mime/multipart.Reader now imposes the following limits on the
  size of parsed forms:

  Forms parsed with ReadForm may contain no more than 1000 parts. This limit
  may be adjusted with the environment variable GODEBUG=multipartmaxparts=.
  Form parts parsed with NextPart and NextRawPart may contain no more than
  10,000 header fields. In addition, forms parsed with ReadForm may contain no
  more than 10,000 header fields across all parts. This limit may be adjusted
  with the environment variable GODEBUG=multipartmaxheaders=.  Thanks to Jakob
  Ackermann (@das7pad) for discovering this issue.

  This is CVE-2023-24536 and Go issue https://go.dev/issue/59153.