Log message:
go119: add missing file to PLIST

Log message:
go119: update to 1.19.13

go1.19.13 (released 2023-09-06) includes fixes to the go command, and the
crypto/tls and net/http packages. See the Go 1.19.13 milestone on our issue
tracker for details.

Log message:
Update go119 to 1.19.12 (security).

crypto/tls: restrict RSA keys in certificates to <= 8192 bits

Extremely large RSA keys in certificate chains can cause a client/server
to expend significant CPU time verifying signatures. Limit this by
restricting the size of RSA keys transmitted during handshakes to <=
8192 bits.

Based on a survey of publicly trusted RSA keys, there are currently only
three certificates in circulation with keys larger than this, and all
three appear to be test certificates that are not actively deployed. It
is possible there are larger keys in use in private PKIs, but we target
the web PKI, so causing breakage here in the interests of increasing the
default safety of users of crypto/tls seems reasonable.

Thanks to Mateusz Poliwczak for reporting this issue.

Log message:
Revbump all Go packages after go120 update

Log message:
go119: update to 1.19.11 (security)

This minor release includes 1 security fix following the security policy:

net/http: insufficient sanitization of Host header

The HTTP/1 client did not fully validate the contents of the Host header. A
maliciously crafted Host header could inject additional headers or entire
requests. The HTTP/1 client now refuses to send requests containing an invalid
Request.Host or Request.URL.Host value.

Thanks to Bartek Nowotarski for reporting this issue.

Includes security fixes for CVE-2023-29406 and Go issue
https://go.dev/issue/60374

Log message:
go119: update to 1.19.10 (security)

This minor release includes 3 security fixes following the security policy:

- cmd/go: cgo code injection

  The go command may generate unexpected code at build time when using cgo. This
  may result in unexpected behavior when running a go program which uses cgo.

  This may occur when running an untrusted module which contains directories
  with newline characters in their names. Modules which are retrieved using the
  go command, i.e. via "go get", are not affected (modules retrieved using
  GOPATH-mode, i.e.  GO111MODULE=off, may be affected).

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29402 and Go issue https://go.dev/issue/60167.

- runtime: unexpected behavior of setuid/setgid binaries

  The Go runtime didn't act any differently when a binary had the setuid/setgid
  bit set. On Unix platforms, if a setuid/setgid binary was executed with
  standard I/O file descriptors closed, opening any files could result in
  unexpected content being read/written with elevated prilieges. Similarly if a
  setuid/setgid program was terminated, either via panic or signal, it could
  leak the contents of its registers.

  Thanks to Vincent Dehors from Synacktiv for reporting this issue.

  This is CVE-2023-29403 and Go issue https://go.dev/issue/60272.

- cmd/go: improper sanitization of LDFLAGS

  The go command may execute arbitrary code at build time when using cgo. This
  may occur when running "go get" on a malicious module, or when \ 
running any
  other command which builds untrusted code. This is can by triggered by linker
  flags, specified via a "#cgo LDFLAGS" directive.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29404 and CVE-2023-29405 and Go issues
  https://go.dev/issue/60305 and https://go.dev/issue/60306.

Log message:
go119: update to 1.19.9 (security)

This minor release includes 3 security fixes following the security policy:

* html/template: improper sanitization of CSS values

  Angle brackets (<>) were not considered dangerous characters when inserted
  into CSS contexts. Templates containing multiple actions separated by a '/'
  character could result in unexpectedly closing the CSS context and allowing
  for injection of unexpected HMTL, if executed with untrusted input.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-24539 and Go issue https://go.dev/issue/59720.

* html/template: improper handling of JavaScript whitespace

  Not all valid JavaScript whitespace characters were considered to be
  whitespace. Templates containing whitespace characters outside of the
  character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts \ 
that also
  contain actions may not be properly sanitized during execution.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-24540 and Go issue https://go.dev/issue/59721.

* html/template: improper handling of empty HTML attributes

  Templates containing actions in unquoted HTML attributes (e.g. \ 
"attr={{.}}")
  executed with empty input could result in output that would have unexpected
  results when parsed due to HTML normalization rules. This may allow injection
  of arbitrary attributes into tags.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29400 and Go issue https://go.dev/issue/59722.

Log message:
go119: update to 1.19.8 (security)

This minor release includes 4 security fixes following the security policy:

- go/parser: infinite loop in parsing

  Calling any of the Parse functions on Go source code which contains //line
  directives with very large line numbers can cause an infinite loop due to
  integer overflow.

  Thanks to Philippe Antoine (Catena cyber) for reporting this issue.

  This is CVE-2023-24537 and Go issue https://go.dev/issue/59180.

- html/template: backticks not treated as string delimiters

  Templates did not properly consider backticks (`) as Javascript string
  delimiters, and as such did not escape them as expected. Backticks are used,
  since ES6, for JS template literals. If a template contained a Go template
  action within a Javascript template literal, the contents of the action could
  be used to terminate the literal, injecting arbitrary Javascript code into
  the Go template.

  As ES6 template literals are rather complex, and themselves can do string
  interpolation, we've decided to simply disallow Go template actions from
  being used inside of them (e.g. "var a = {{.}}"), since there is no \ 
obviously
  safe way to allow this behavior. This takes the same approach as
  github.com/google/safehtml.  Template.Parse will now return an Error when it
  encounters templates like this, with a currently unexported ErrorCode with a
  value of 12. This ErrorCode will be exported in the next major release.

  Users who rely on this behavior can re-enable it using the GODEBUG flag
  jstmpllitinterp=1, with the caveat that backticks will now be escaped. This
  should be used with caution.

  Thanks to Sohom Datta, Manipal Institute of Technology, for reporting this
  issue.

  This is CVE-2023-24538 and Go issue https://go.dev/issue/59234.

- net/http, net/textproto: denial of service from excessive memory allocation

  HTTP and MIME header parsing could allocate large amounts of memory, even
  when parsing small inputs.

  Certain unusual patterns of input data could cause the common function used
  to parse HTTP and MIME headers to allocate substantially more memory than
  required to hold the parsed headers. An attacker can exploit this behavior to
  cause an HTTP server to allocate large amounts of memory from a small
  request, potentially leading to memory exhaustion and a denial of service.

  Header parsing now correctly allocates only the memory required to hold
  parsed headers.

  Thanks to Jakob Ackermann (@das7pad) for discovering this issue.

  This is CVE-2023-24534 and Go issue https://go.dev/issue/58975.

- net/http, net/textproto, mime/multipart: denial of service from excessive \ 
resource consumption

  Multipart form parsing can consume large amounts of CPU and memory when
  processing form inputs containing very large numbers of parts. This stems
  from several causes:

  mime/multipart.Reader.ReadForm limits the total memory a parsed multipart
  form can consume. ReadForm could undercount the amount of memory consumed,
  leading it to accept larger inputs than intended.  Limiting total memory does
  not account for increased pressure on the garbage collector from large
  numbers of small allocations in forms with many parts.  ReadForm could
  allocate a large number of short-lived buffers, further increasing pressure
  on the garbage collector.  The combination of these factors can permit an
  attacker to cause an program that parses multipart forms to consume large
  amounts of CPU and memory, potentially resulting in a denial of service. This
  affects programs that use mime/multipart.Reader.ReadForm, as well as form
  parsing in the net/http package with the Request methods FormFile, FormValue,
  ParseMultipartForm, and PostFormValue.

  ReadForm now does a better job of estimating the memory consumption of parsed
  forms, and performs many fewer short-lived allocations.

  In addition, mime/multipart.Reader now imposes the following limits on the
  size of parsed forms:

  Forms parsed with ReadForm may contain no more than 1000 parts. This limit
  may be adjusted with the environment variable GODEBUG=multipartmaxparts=.
  Form parts parsed with NextPart and NextRawPart may contain no more than
  10,000 header fields. In addition, forms parsed with ReadForm may contain no
  more than 10,000 header fields across all parts. This limit may be adjusted
  with the environment variable GODEBUG=multipartmaxheaders=.  Thanks to Jakob
  Ackermann (@das7pad) for discovering this issue.

  This is CVE-2023-24536 and Go issue https://go.dev/issue/59153.

Log message:
go119: update to 1.19.7

This minor release includes 1 security fix following the security policy:

crypto/elliptic: incorrect P-256 ScalarMult and ScalarBaseMult results

The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an
incorrect result if called with some specific unreduced scalars (a scalar larger
than the order of the curve).

This does not impact usages of crypto/ecdsa or crypto/ecdh.

Thanks to Guido Vranken for repoting this issue via the Ethereum Foundation bug
bounty program.

This is CVE-2023-24532 and Go issue https://go.dev/issue/58647.

Log message:
go119: update to 1.19.6 (security)

This minor release includes 4 security fixes following the security policy:

- path/filepath: path traversal in filepath.Clean on Windows

  On Windows, the filepath.Clean function could transform an invalid path such
  as a/../c:/b into the valid path c:\b. This transformation of a relative (if
  invalid) path into an absolute path could enable a directory traversal
  attack.  The filepath.Clean function will now transform this path into the
  relative (but still invalid) path .\c:\b.

  Thanks to RyotaK (https://ryotak.net) for reporting this issue.

  This is CVE-2022-41722 and Go issue https://go.dev/issue/57274.

- net/http, mime/multipart: denial of service from excessive resource
  consumption

  Multipart form parsing with mime/multipart.Reader.ReadForm can consume
  largely unlimited amounts of memory and disk files. This also affects form
  parsing in the net/http package with the Request methods FormFile, FormValue,
  ParseMultipartForm, and PostFormValue.

  ReadForm takes a maxMemory parameter, and is documented as storing "up to
  maxMemory bytes +10MB (reserved for non-file parts) in memory". File parts
  which cannot be stored in memory are stored on disk in temporary files. The
  unconfigurable 10MB reserved for non-file parts is excessively large and can
  potentially open a denial of service vector on its own. However, ReadForm did
  not properly account for all memory consumed by a parsed form, such as map
  entry overhead, part names, and MIME headers, permitting a maliciously
  crafted form to consume well over 10MB. In addition, ReadForm contained no
  limit on the number of disk files created, permitting a relatively small
  request body to create a large number of disk temporary files.

  ReadForm now properly accounts for various forms of memory overhead, and
  should now stay within its documented limit of 10MB + maxMemory bytes of
  memory consumption. Users should still be aware that this limit is high and
  may still be hazardous.

  ReadForm now creates at most one on-disk temporary file, combining multiple
  form parts into a single temporary file. The mime/multipart.File interface
  type's documentation states, "If stored on disk, the File's underlying
  concrete type will be an *os.File.". This is no longer the case when a form
  contains more than one file part, due to this coalescing of parts into a
  single file. The previous behavior of using distinct files for each form part
  may be reenabled with the environment variable
  GODEBUG=multipartfiles=distinct.

  Users should be aware that multipart.ReadForm and the http.Request methods
  that call it do not limit the amount of disk consumed by temporary files.
  Callers can limit the size of form data with http.MaxBytesReader.

  Thanks to Arpad Ryszka and Jakob Ackermann (@das7pad) for reporting this
  issue.

  This is CVE-2022-41725 and Go issue https://go.dev/issue/58006.

- crypto/tls: large handshake records may cause panics

  Both clients and servers may send large TLS handshake records which cause
  servers and clients, respectively, to panic when attempting to construct
  responses.

  This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable
  session resumption (by setting Config.ClientSessionCache to a non-nil value),
  and TLS 1.3 servers which request client certificates (by setting
  Config.ClientAuth >= RequestClientCert).

  Thanks to Marten Seemann for reporting this issue.

  This is CVE-2022-41724 and Go issue https://go.dev/issue/58001.

- net/http: avoid quadratic complexity in HPACK decoding

  A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in
  the HPACK decoder, sufficient to cause a denial of service from a small
  number of small requests.

  This issue is also fixed in golang.org/x/net/http2 v0.7.0, for users manually
  configuring HTTP/2.

  Thanks to Philippe Antoine (Catena cyber) for reporting this issue.

  This is CVE-2022-41723 and Go issue https://go.dev/issue/57855.