Log message:
Update go116 to 1.16.15.

This minor release includes a security fix following the security policy:

regexp: stack exhaustion compiling deeply nested expressions

On 64-bit platforms, an extremely deeply nested expression can cause
regexp.Compile to cause goroutine stack exhaustion, forcing the program to
exit. Note this applies to very large expressions, on the order of 2MB.

Thanks to Juho Nurminen of Mattermost for reporting this.

This is CVE-2022-24921 and https://go.dev/issue/51112.

Log message:
Update go117 to 1.17.7 (security update).

crypto/elliptic: fix IsOnCurve for big.Int values that are not valid coordinates

Some big.Int values that are not valid field elements (negative or overflowing)
might cause Curve.IsOnCurve to incorrectly return true. Operating on those values
may cause a panic or an invalid curve operation. Note that Unmarshal will never
return such values.

Thanks to Guido Vranken for reporting this.

This is CVE-2022-23806 and https://go.dev/issue/50974.

math/big: prevent large memory consumption in Rat.SetString

An attacker can cause unbounded memory growth in a program using (*Rat).SetString
due to an unhandled overflow.

Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke
(@odeke_et) for reporting it.

This is CVE-2022-23772 and Go issue https://go.dev/issue/50699.

cmd/go: prevent branches from materializing into versions

A branch whose name resembles a version tag (such as "v1.0.0" or \ 
"subdir/v2.0.0-dev")
can be considered a valid version by the go command. Materializing versions from
branches might be unexpected and bypass ACLs that limit the creation of tags but not
branches.

This is CVE-2022-23773 and Go issue https://go.dev/issue/35671.

Log message:
Update go116 to 1.16.14 (security update).

crypto/elliptic: fix IsOnCurve for big.Int values that are not valid coordinates

Some big.Int values that are not valid field elements (negative or overflowing)
might cause Curve.IsOnCurve to incorrectly return true. Operating on those values
may cause a panic or an invalid curve operation. Note that Unmarshal will never
return such values.

Thanks to Guido Vranken for reporting this.

This is CVE-2022-23806 and https://go.dev/issue/50974.

math/big: prevent large memory consumption in Rat.SetString

An attacker can cause unbounded memory growth in a program using (*Rat).SetString
due to an unhandled overflow.

Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke
(@odeke_et) for reporting it.

This is CVE-2022-23772 and Go issue https://go.dev/issue/50699.

cmd/go: prevent branches from materializing into versions

A branch whose name resembles a version tag (such as "v1.0.0" or \ 
"subdir/v2.0.0-dev")
can be considered a valid version by the go command. Materializing versions from
branches might be unexpected and bypass ACLs that limit the creation of tags but not
branches.

This is CVE-2022-23773 and Go issue https://go.dev/issue/35671.

Log message:
go-module.mk: allow packages that use this to have post-extract & pre-clean

Log message:
Update go117 to 1.17.6.

go1.17.6 (released 2022-01-06) includes fixes to the compiler, linker,
runtime, and the crypto/x509, net/http, and reflect packages. See the Go 1.17.6
milestone on our issue tracker for details.

Log message:
Update go116 to 1.16.13.

go1.16.13 (released 2022-01-06) includes fixes to the compiler, linker,
runtime, and the net/http package. See the Go 1.16.13 milestone on our issue
tracker for details.

Log message:
Update go117 to 1.17.5.

go1.17.4 (released 2021-12-02) includes fixes to the compiler, linker, runtime,
and the go/types, net/http, and time packages. See the Go 1.17.4 milestone on
our issue tracker for details.

go1.17.5 (released 2021-12-09) includes security fixes to the syscall and
net/http packages. See the Go 1.17.5 milestone on our issue tracker for
details.

When a Go program running on a Unix system is out of file descriptors and calls
syscall.ForkExec (including indirectly by using the os/exec package),
syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or
can be provoked) repeatedly, it can result in misdirected I/O such as writing
network traffic intended for one connection to a different connection, or
content intended for one file to a different one.

This is CVE-2021-44717 and is fixed in Go 1.17.5 and Go 1.16.12.

An attacker can cause unbounded memory growth in a Go server accepting HTTP/2
requests.

This is CVE-2021-44716 and is fixed in Go 1.17.5 and Go 1.16.12.

Log message:
Update go116 to 1.16.12.

go1.16.12 (released 2021-12-09) includes security fixes to the syscall and
net/http packages. See the Go 1.16.12 milestone on our issue tracker for
details.

When a Go program running on a Unix system is out of file descriptors and calls
syscall.ForkExec (including indirectly by using the os/exec package),
syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or
can be provoked) repeatedly, it can result in misdirected I/O such as writing
network traffic intended for one connection to a different connection, or
content intended for one file to a different one.

This is CVE-2021-44717 and is fixed in Go 1.17.5 and Go 1.16.12.

An attacker can cause unbounded memory growth in a Go server accepting HTTP/2
requests.

This is CVE-2021-44716 and is fixed in Go 1.17.5 and Go 1.16.12.

Log message:
Update go116 to 1.16.11.

go1.16.11 (released 2021-12-02) includes fixes to the compiler, runtime, and
the net/http, net/http/httptest, and time packages. See the Go 1.16.11
milestone on our issue tracker for details.

Log message:
go: Use OPSYS_VERSION.