Path to this page:
Subject: CVS commit: pkgsrc/lang
From: Benny Siegert
Date: 2024-09-06 20:38:23
Message id: 20240906183823.3CD76FC74@cvs.NetBSD.org
Log Message:
go123: update to 1.23.1
This minor release includes 3 security fixes following the security policy:
go/parser: stack exhaustion in all Parse* functions
Calling any of the Parse functions on Go source code which contains deeply \
nested literals can cause a panic due to stack exhaustion.
This is CVE-2024-34155 and Go issue https://go.dev/issue/69138.
encoding/gob: stack exhaustion in Decoder.Decode
Calling Decoder.Decode on a message which contains deeply nested structures can \
cause a panic due to stack exhaustion.
This is a follow-up to CVE-2022-30635.
Thanks to Md Sakib Anwar of The Ohio State University (anwar.40@osu.edu) for \
reporting this issue.
This is CVE-2024-34156 and Go issue https://go.dev/issue/69139.
go/build/constraint: stack exhaustion in Parse
Calling Parse on a "// +build" build tag line with deeply nested \
expressions can cause a panic due to stack exhaustion.
This is CVE-2024-34158 and Go issue https://go.dev/issue/69141.
Files: