Commit Graph

87 Commits

Author SHA1 Message Date
Christian Stewart
7af6659cb2 package/go: bump version to 1.17.6
View the release notes for more information:

https://go.dev/doc/devel/release.html#go1.17.minor

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2022-01-07 18:51:44 +01:00
Christian Stewart
eb92bb01b3 package/go: security bump to 1.17.5
go1.17.4 (released 2021-12-02) includes fixes to the compiler, linker, runtime,
and the go/types, net/http, and time packages.

go1.17.5 (released 2021-12-09) includes security fixes to the syscall and
net/http packages:

 - CVE-2021-44716
 - CVE-2021-44717

https://go.dev/doc/devel/release#go1.17

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-12-12 16:51:58 +01:00
Christian Stewart
700ecefcc5 package/go: security bump to 1.17.3
go1.17.3 (released 2021-11-04) includes security fixes to the archive/zip and
debug/macho packages, as well as bug fixes to the compiler, linker, runtime, the
go command, the misc/wasm directory, and to the net/http and syscall packages.

https://golang.org/doc/devel/release#go1.17.minor

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-11-05 14:41:10 +01:00
Christian Stewart via buildroot
3ae98bed0a package/go: security bump to 1.17.2
go1.17.2 (released 2021-10-07) includes a security fix to the linker and
misc/wasm directory, as well as bug fixes to the compiler, the runtime, the go
command, and to the time and text/template packages.

https://golang.org/doc/devel/release#go1.17.minor

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-10-09 09:18:24 +02:00
Christian Stewart
280719ba7f package/go: security bump to 1.17.1
The fix for CVE-2021-33196 can be bypassed by crafted inputs. As a result, the
NewReader and OpenReader functions in archive/zip can still cause a panic or an
unrecoverable fatal error when reading an archive that claims to contain a large
number of files, regardless of its actual size.

This is CVE-2021-39293.

https://golang.org/doc/devel/release.html#go1.16.minor

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-09-10 15:17:04 +02:00
Christian Stewart
6b408a4d80 package/go: bump to version 1.17
The latest Go release, version 1.17, arrives six months after Go 1.16.
Most of its changes are in the implementation of the toolchain,
runtime, and libraries.

https://golang.org/doc/go1.17

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-08-19 22:35:15 +02:00
Christian Stewart
806b26950d package/go: security bump version to 1.16.6
These minor releases include a security fix according to the new security policy (#44918).

crypto/tls clients can panic when provided a certificate of the wrong type for the negotiated parameters.
net/http clients performing HTTPS requests are also affected. The panic can be triggered by an attacker
in a privileged network position without access to the server certificate's private key, as long as a trusted
ECDSA or Ed25519 certificate for the server exists (or can be issued), or the client is configured with
Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher suites (that is, TLS 1.0–1.2 cipher
suites without ECDHE), as well as TLS 1.3-only clients, are unaffected.

This is CVE-2021-34558.

View the release notes for more information:

https://golang.org/doc/devel/release.html#go1.16.minor

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-07-30 23:36:52 +02:00
Peter Korsgaard
0c60007419 package/go: security bump to version 1.16.5
Fixes the following security issues:

- CVE-2021-33195: The LookupCNAME, LookupSRV, LookupMX, LookupNS, and
  LookupAddr functions in net, and their respective methods on the Resolver
  type may return arbitrary values retrieved from DNS which do not follow
  the established RFC 1035 rules for domain names.  If these names are used
  without further sanitization, for instance unsafely included in HTML, they
  may allow for injection of unexpected content.  Note that LookupTXT may
  still return arbitrary values that could require sanitization before
  further use

- CVE-2021-33196: The NewReader and OpenReader functions in archive/zip can
  cause a panic or an unrecoverable fatal error when reading an archive that
  claims to contain a large number of files, regardless of its actual size

- CVE-2021-33197: ReverseProxy in net/http/httputil could be made to forward
  certain hop-by-hop headers, including Connection.  In case the target of
  the ReverseProxy was itself a reverse proxy, this would let an attacker
  drop arbitrary headers, including those set by the ReverseProxy.Director

- CVE-2021-33198: The SetString and UnmarshalText methods of math/big.Rat
  may cause a panic or an unrecoverable fatal error if passed inputs with
  very large exponents

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-06-06 17:14:22 +02:00
Peter Korsgaard
1cfc01a008 package/go: security bump to version 1.16.4
Fixes the following security issues:

- CVE-2021-31525: ReadRequest and ReadResponse in net/http can hit an
  unrecoverable panic when reading a very large header (over 7MB on 64-bit
  architectures, or over 4MB on 32-bit ones).  Transport and Client are
  vulnerable and the program can be made to crash by a malicious server.
  Server is not vulnerable by default, but can be if the default max header
  of 1MB is overridden by setting Server.MaxHeaderBytes to a higher value,
  in which case the program can be made to crash by a malicious client.

  https://github.com/golang/go/issues/45710

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-05-08 10:58:40 +02:00
Christian Stewart
16123616d3 package/go: bump version to 1.16.3
go1.16.3 (released 2021/04/01) includes fixes to the compiler, linker, runtime,
the go command, and the testing and time packages.

https://golang.org/doc/go1.16

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-04-03 09:03:24 +02:00
Thomas Petazzoni
a7143fb316 toolchain: drop old BR2_TOOLCHAIN_HAS_BINUTILS_BUG_* options
The BR2_TOOLCHAIN_HAS_BINUTILS_BUG_19615 and
BR2_TOOLCHAIN_HAS_BINUTILS_BUG_20006 options were last selected by the
BR2_TOOLCHAIN_EXTERNAL_CODESOURCERY_AMD64 toolchain, but this
toolchain has been removed as part of commit
d87e114a8f in August 2020.

It's time to get rid of those two options that are never enabled.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-03-15 20:43:30 +01:00
Christian Stewart
9b36b4aa28 package/go: security bump to 1.16.2
go1.16.1 (released 2021/03/10) includes security fixes to the archive/zip and
encoding/xml packages.

go1.16.2 (released 2021/03/11) includes fixes to cgo, the compiler, linker, the
go command, and the syscall and time packages.

https://golang.org/doc/devel/release.html#go1.16

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-03-12 22:45:19 +01:00
Christian Stewart
9c035502bf package/go: bump version to 1.16
Release notes: https://golang.org/doc/go1.16

The latest Go release, version 1.16, arrives six months after Go 1.15. Most of
its changes are in the implementation of the toolchain, runtime, and libraries.

The linker changes in 1.16 extend the 1.15 improvements to all supported
architecture/OS combinations (the 1.15 performance improvements were primarily
focused on ELF-based OSes and amd64 architectures). For a representative set of
large Go programs, linking is 20-25% faster than 1.15 and requires 5-15% less
memory on average for linux/amd64, with larger improvements for other
architectures and OSes. Most binaries are also smaller as a result of more
aggressive symbol pruning.

According to the release notes, Go 1.16 drops support for x87 mode
compilation (GO386=387).  Support for non-SSE2 processors is now available
using soft float mode.  Buildroot will automatically set GO386=softfloat on
non-SSE2 processors.

Signed-off-by: Christian Stewart <christian@paral.in>

v1 -> v2:

 - added 386=softfloat handling re: Peter's review

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-23 13:48:27 +01:00
Christian Stewart
e92ec59450 package/go: bump to version 1.15.8
go1.15.8 (released 2021/02/04) includes fixes to the compiler, linker, runtime,
the go command, and the net/http package.

https://golang.org/doc/go1.15

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-23 13:47:04 +01:00
Peter Korsgaard
0e1b5aa572 packago/go: security bump to version 1.15.7
Fixes the following security issues:

- cmd/go: packages using cgo can cause arbitrary code execution at build time

  The go command may execute arbitrary code at build time when cgo is in use
  on Windows.  This may occur when running “go get”, or any other command
  that builds code.  Only users who build untrusted code (and don’t execute
  it) are affected.

  In addition to Windows users, this can also affect Unix users who have “.”
  listed explicitly in their PATH and are running “go get” or build commands
  outside of a module or with module mode disabled.

  Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.

  This issue is CVE-2021-3115 and Go issue golang.org/issue/43783.

- crypto/elliptic: incorrect operations on the P-224 curve

  The P224() Curve implementation can in rare circumstances generate
  incorrect outputs, including returning invalid points from ScalarMult.

  The crypto/x509 and golang.org/x/crypto/ocsp (but not crypto/tls) packages
  support P-224 ECDSA keys, but they are not supported by publicly trusted
  certificate authorities.  No other standard library or golang.org/x/crypto
  package supports or uses the P-224 curve.

  The incorrect output was found by the elliptic-curve-differential-fuzzer
  project running on OSS-Fuzz and reported by Philippe Antoine (Catena cyber).

  This issue is CVE-2021-3114 and Go issue golang.org/issue/43786.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-01-21 17:02:19 +01:00
Fabrice Fontaine
d4eefdbed0 package/go: add GO_CPE_ID_VENDOR
golang is the correct CPE ID vendor for the go package, see:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Agolang%3Ago

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-01-11 21:38:47 +01:00
Peter Korsgaard
f470ce5f0d package/go: fix s/amrv7/armv7/ typo in comment
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-23 22:35:03 +01:00
Michael Baudino
c59409afd9 package/go: enable ARMv7 optimizations for 32-bit ARMv8
When building for an ARMv8 in 32-bit, Go does not yet support ARMv8
optimizations (see issue: https://github.com/golang/go/issues/29373)
but can still benefit from ARMv7 optimizations.

Signed-off-by: Michael Baudino <michael@baudi.no>
[yann.morin.1998@free.fr:
  - move the comment to its own line, expand and reword it a bit
  - reword the commit log
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-12-19 12:17:12 +01:00
Michael Baudino
4e81152078 package/go: fix a typo in CC and CXX env values
This commit fixes a typo in variable names that caused CC and CXX
environment variables to be empty.

Signed-off-by: Michael Baudino <michael@baudi.no>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-12-19 12:02:52 +01:00
Christian Stewart
267dd8b427 package/go: bump to version 1.15.6
go1.15.6 (released 2020/12/03) includes fixes to the compiler, linker, runtime,
the go command, and the io package.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-16 12:16:59 +01:00
Peter Korsgaard
7269a73102 package/go: security bump to 1.15.5
Fixes the following security issues:

- math/big: panic during recursive division of very large numbers

  A number of math/big.Int methods (Div, Exp, DivMod, Quo, Rem, QuoRem, Mod,
  ModInverse, ModSqrt, Jacobi, and GCD) can panic when provided crafted
  large inputs.  For the panic to happen, the divisor or modulo argument
  must be larger than 3168 bits (on 32-bit architectures) or 6336 bits (on
  64-bit architectures).  Multiple math/big.Rat methods are similarly affected.

  crypto/rsa.VerifyPSS, crypto/rsa.VerifyPKCS1v15, and crypto/dsa.Verify may
  panic when provided crafted public keys and signatures.  crypto/ecdsa and
  crypto/elliptic operations may only be affected if custom CurveParams with
  unusually large field sizes (several times larger than the largest
  supported curve, P-521) are in use.  Using crypto/x509.Verify on a crafted
  X.509 certificate chain can lead to a panic, even if the certificates
  don’t chain to a trusted root.  The chain can be delivered via a
  crypto/tls connection to a client, or to a server that accepts and
  verifies client certificates.  net/http clients can be made to crash by an
  HTTPS server, while net/http servers that accept client certificates will
  recover the panic and are unaffected.

  Moreover, an application might crash invoking
  crypto/x509.(*CertificateRequest).CheckSignature on an X.509 certificate
  request or during a golang.org/x/crypto/otr conversation.  Parsing a
  golang.org/x/crypto/openpgp Entity or verifying a signature may crash.
  Finally, a golang.org/x/crypto/ssh client can panic due to a malformed
  host key, while a server could panic if either PublicKeyCallback accepts a
  malformed public key, or if IsUserAuthority accepts a certificate with a
  malformed public key.

  Thanks to the Go Ethereum team and the OSS-Fuzz project for reporting
  this.  Thanks to Rémy Oudompheng and Robert Griesemer for their help
  developing and validating the fix.

  This issue is CVE-2020-28362 and Go issue golang.org/issue/42552.

- cmd/go: arbitrary code execution at build time through cgo

  The go command may execute arbitrary code at build time when cgo is in
  use.  This may occur when running go get on a malicious package, or any
  other command that builds untrusted code.

  This can be caused by malicious gcc flags specified via a #cgo directive,
  or by a malicious symbol name in a linked object file.

  Thanks to Imre Rad and to Chris Brown and Tempus Ex respectively for
  reporting these issues.

  These issues are CVE-2020-28367 and CVE-2020-28366, and Go issues
  golang.org/issue/42556 and golang.org/issue/42559 respectively.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-13 14:48:20 +01:00
Christian Stewart
6ba64976d3 package/go: bump to 1.15.4
Bugfix release. From the release notes:

go1.15.4 (released 2020/11/05) includes fixes to cgo, the compiler, linker,
runtime, and the compress/flate, net/http, reflect, and time packages.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-09 21:06:20 +01:00
Christian Stewart
ce0d25ffc7 package/go: bump to version 1.15.3
go1.15.3 (released 2020/10/14) includes fixes to cgo, the compiler, runtime, the
go command, and the bytes, plugin, and testing packages.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-10-25 10:22:44 +01:00
Alexander Egorenkov
e013029b17 package/go: fix GO_ARCH for s390x arch
Fixes:
- http://autobuild.buildroot.net/results/82c440825290804c2fd6a92d916c93d2934e0a95
- http://autobuild.buildroot.net/results/e8f8e232fb6bf6167f25c82026f4e2321cca9c26
- http://autobuild.buildroot.net/results/7d4137c439ade81ab7bf141ad6504a69746d6dbc

Signed-off-by: Alexander Egorenkov <egorenar@linux.ibm.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-03 08:56:01 +02:00
Alexander Egorenkov
9eaab4e2c5 package/go: add support for IBM s390x and Z arch
Signed-off-by: Alexander Egorenkov <egorenar@linux.ibm.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-09-24 22:57:57 +02:00
Christian Stewart
ddaba441d4 package/go: bump to 1.15.2
go1.15.2 (released 2020/09/09) includes fixes to the compiler, runtime,
documentation, the go command, and the net/mail, os, sync, and testing packages.

https://golang.org/doc/devel/release.html#go1.15

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-13 15:48:56 +02:00
Christian Stewart
9400e8a4c3 package/go: bump to go 1.15.1
Go 1.14, 1.15 are major releases of Go.

Read the Release Notes for more information:

 - https://golang.org/doc/go1.14
 - https://golang.org/doc/go1.15

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-06 14:31:35 +02:00
Christian Stewart
7afd262da0 package/go: implement go modules integration
The Go compiler needs to know the "import path" to the root of package
source repositories. Previously, this was done by creating a fake
_gopath in the build directory and symlinking the package source into
that path.

Go has deprecated the GOPATH mechanism in favor of a new approach -
Modules - which specifies the root import path (and dependencies) in a
"go.mod" file. This commit moves Buildroot to use the new go.mod
approach, which requires:

 - Passing GO111MODULE=on when building host or target Go packages.

 - Passing GOPROXY=off and -mod=vendor to prevent the Go module system
   from downloading by itself sources from the Internet. We currently
   only support Go packages that have all their dependencies in their
   source tree in "vendor" directories.

 - Specifying a <pkg>_GOMOD variable, which is used both to create a
   minimal go.mod file in the package source tree if it exists, and to
   invoke the right build targets. Indeed, all elements in
   <pkg>_BUILD_TARGETS are now relative to <pkg>_GOMOD.

Reference: https://github.com/golang/go/wiki/Modules

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 14:49:06 +02:00
Thomas Petazzoni
1a17e4ae99 package/go: re-integrate GO_COMMON_ENV into HOST_GO_COMMON_ENV
There is no point in having some common Go env variables defined in
pkg-golang.mk:GO_COMMON_ENV, and some in
package/go/go.mk:HOST_GO_COMMON_ENV. Let's move all of them to
package/go/go.mk:HOST_GO_COMMON_ENV.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 14:35:49 +02:00
Thomas Petazzoni
7a89fa07ee package/go: pass CFLAGS/CXXFLAGS/LDFLAGS in HOST_GO_TARGET_ENV
HOST_GO_HOST_ENV is explicitly specifying
HOST_CGO_{CFLAGS,CXXFLAGS,LDFLAGS}, so let's do the same for target
packages.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 14:35:49 +02:00
Thomas Petazzoni
557282a9c0 package/go: introduce HOST_GO_COMMON_ENV
A few variables are common between HOST_GO_TARGET_ENV and
HOST_GO_HOST_ENV, so let's introduce a HOST_GO_COMMON_ENV variable for
those few common ones (which will increase in follow-up commits).

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 14:35:49 +02:00
Thomas Petazzoni
7c3e3cbcf2 package/go: add a HOST_GO_HOST_ENV variable
package/go/go.mk provides a HOST_GO_TARGET_ENV which provides a useful
set of environment variables needed to build target Go packages.

For host packages, we simply have package/pkg-golang.mk defining
GO_HOST_ENV to specify CFLAGS/LDFLAGS, but that's it: we don't pass an
explicit path to the compiler, we don't pass GO111MODULE, GOCACHE,
GOROOT, etc.

This commit introduces a HOST_GO_HOST_ENV variable that provides the
appropriate set of environment variables to use when building host
golang packages.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 14:35:48 +02:00
Christian Stewart
593254c6f9 package/go: bump version to 1.13.14
go1.13.14 (released 2020/07/16) includes fixes to the compiler, vet, and
the database/sql, net/http, and reflect packages.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-07-18 15:20:46 +02:00
Christian Stewart
e31919878d package/go: bump version to 1.13.13
go1.13.13 (released 2020/07/14) includes security fixes to the
crypto/x509 and net/http packages.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-07-16 21:54:34 +02:00
Christian Stewart
7cbb3dd94e package/go: bump version to 1.13.12
go1.13.9 (released 2020/03/19) includes fixes to the go command, tools, the
runtime, the toolchain, and the crypto/cypher package.

go1.13.10 (released 2020/04/08) includes fixes to the go command, the runtime,
and the os/exec and time packages.

go1.13.11 (released 2020/05/14) includes fixes to the compiler.

go1.13.12 (released 2020/06/01) includes fixes to the runtime, and the go/types
and math/big packages.

Release notes: https://golang.org/doc/go1.13

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-06-07 11:12:29 +02:00
Peter Korsgaard
9b15ef3505 package/go: bump version to 1.13.8
Includes fixes to the runtime, the crypto/x509, and net/http
packages.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-15 11:53:19 +01:00
Peter Korsgaard
f40acb4684 package/go: security bump to version 1.13.7
Fixes the following security issue:

- Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte

On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1
parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic.
The malformed certificate can be delivered via a crypto/tls connection to a
client, or to a server that accepts client certificates.  net/http clients
can be made to crash by an HTTPS server, while net/http servers that accept
client certificates will recover the panic and are unaffected.  Thanks to
Project Wycheproof for providing the test cases that led to the discovery of
this issue.  The issue is CVE-2020-7919 and Go issue golang.org/issue/36837.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-01-29 20:47:32 +01:00
Christian Stewart
17aea508c7 package/go: bump to 1.13.6
go1.13.6 (released 2020/01/09) includes fixes to the runtime and the net/http
package.

https://github.com/golang/go/issues?q=milestone=Go1.13.6

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-01-10 09:07:43 +01:00
Christian Stewart
bdc395db0d package/go: bump to 1.13.5
go1.13.5 (released 2019/12/04) includes fixes to the go command, the runtime,
the linker, and the net/http package.

https://github.com/golang/go/issues?q=milestone%3AGo1.13.5

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-12-08 08:33:26 +01:00
Christian Stewart
aa4218f73f package/go: bump to 1.13.4
go1.13.4 (released 2019/10/31) with fixes to the net/http and syscall packages.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-11-30 22:41:43 +01:00
Peter Korsgaard
2580a12e5a package/go: security bump to version 1.13.3
Fixes the following security issues (1.33.2):

- CVE-2019-17596: Invalid DSA public keys can cause a panic in dsa.Verify.
  In particular, using crypto/x509.Verify on a crafted X.509 certificate
  chain can lead to a panic, even if the certificates don’t chain to a
  trusted root.  The chain can be delivered via a crypto/tls connection to a
  client, or to a server that accepts and verifies client certificates.
  net/http clients can be made to crash by an HTTPS server, while net/http
  servers that accept client certificates will recover the panic and are
  unaffected.

Additionally, 1.13.3 fixes a number of issues. From the release notes:

Fixes to the go command, the toolchain, the runtime, syscall, net, net/http,
and crypto/ecdsa packages

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-28 08:43:17 +01:00
Christian Stewart
f9d2bd24ca package/go: bump to 1.13.1
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-09 22:51:26 +02:00
Peter Korsgaard
bd574c445c package/go: security bump to version 1.12.10
Fixes the following security vulnerabilities:

- CVE-2019-16276: Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP
  Request Smuggling.
  https://github.com/golang/go/issues/34540

>From the release notes:

go1.12.10 (released 2019/09/25) includes security fixes to the net/http and
net/textproto packages

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-02 08:07:49 +02:00
Peter Korsgaard
b84261e5ca package/go: bump version to 1.12.9
For post-1.12.8 fixes. From the release notes:

go1.12.9 (released 2019/08/15) includes fixes to the linker, and the os and
math/big packages.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-20 13:22:33 +02:00
Christian Stewart
81b164c537 package/go: bump version to 1.12.8
go1.12.6 (released 2019/06/11) includes fixes to the compiler, the linker, the
go command, and the crypto/x509, net/http, and os packages.

go1.12.7 (released 2019/07/08) includes fixes to cgo, the compiler, and the
linker.

go1.12.8 (released 2019/08/13) includes security fixes to the net/http and
net/url packages.

https://golang.org/doc/devel/release.html

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-08-15 15:07:16 +02:00
Peter Korsgaard
ce32fa6cc1 package/go: bump version to 1.12.5
Fixes a number of issues discovered since 1.12.4.  From the release notes:

go1.12.5 (released 2019/05/06) includes fixes to the compiler, the linker,
the go command, the runtime, and the os package.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-05-07 22:30:13 +02:00
Peter Korsgaard
4f5584af06 package/go: bump version to 1.12.4
Fixes a number of issues discovered since 1.12.1.  From the release notes:

go1.12.2 (released 2019/04/05) includes fixes to the compiler, the go
command, the runtime, and the doc, net, net/http/httputil, and os packages.
See the Go 1.12.2 milestone on our issue tracker for details.

go1.12.3 (released 2019/04/08) was accidentally released without its
intended fix.  It is identical to go1.12.2, except for its version number.
The intended fix is in go1.12.4.

go1.12.4 (released 2019/04/11) fixes an issue where using the prebuilt
binary releases on older versions of GNU/Linux led to failures when linking
programs that used cgo.  Only Linux users who hit this issue need to update.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-30 13:17:21 +02:00
Anisse Astier
ed36d20daa package/go: fix building host go toolchain when target isn't supported
The go toolchain can cross-compile by default. So most of the time,
building a toolchain that supports a target, allows us to also build go
binaries for the host. This is how support for host go packages was
added: we use the same toolchain that was initially built only for
target.

But we might want to build a go binary for the host, when compiling a
target for which go isn't supported. Then, building host-go will fail:
by default, we build go for a specific target, and give the toolchain
bootstrap scripts the cross compiler we'll use.

This change modifies this behaviour: we only assume the go toolchain is
cross-capable if we know the current target is supported. Otherwise this
is a simple host go tool. We don't need to set any of the options needed
for cross-compilation in that case.

Thus, only set all the target-specific go options under a condition that
the target arch is supported. The only option we still set is
HOST_GO_CGO_ENABLED, and we always set it to enabled.

It was also considered to create a separate package to build the
go-for-host compiler which would be used for host-go-packages, but that
would lead to a lot of duplication and is completely unnecessary.

Fixes:
http://autobuild.buildroot.net/results/98b9c7aaff2af4d19adfedac00b768d92530ce94
http://autobuild.buildroot.net/results/bed228995ce3778720f991df9b41345a7c724a46
http://autobuild.buildroot.net/results/3b3ea148165b96513ea511ee0d4adb334a6afac8

Signed-off-by: Anisse Astier <anisse@astier.eu>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Reviewed-by: Anisse Astier <anisse@astier.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-04-17 09:00:19 +02:00
Mirza Krak
aba08cd218 package/pkg-golang: add support for building host packages
With this you can add:

    $(eval $(host-golang-package))

to a package .mk file to build for host.

Signed-off-by: Mirza Krak <mirza.krak@northern.tech>
Acked-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Tested-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Tested-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-03-17 17:21:10 +01:00
Angelo Compagnucci
8291bc7793 package/go: rename BR2_PACKAGE_HOST_GO_{ARCH_SUPPORTS,CGO_LINKING_SUPPORTS}
The hidden Config.in option BR2_PACKAGE_HOST_GO_ARCH_SUPPORTS name is
not very clear as to whether it says whether Go is available for the
target architecture or the host architecture.

Until now, this was fine since there was support for host Go
packages. But as we are about to introduce support for building host
Go packages, we need to clarify the meaning of
BR2_PACKAGE_HOST_GO_ARCH_SUPPORTS. Since it says whether the target
architecture has support for Go or not, we rename it to
BR2_PACKAGE_HOST_GO_TARGET_ARCH_SUPPORTS.

And since BR2_PACKAGE_HOST_GO_CGO_LINKING_SUPPORTS is tightly related,
we rename it to BR2_PACKAGE_HOST_GO_TARGET_CGO_LINKING_SUPPORTS.

Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Tested-by: Adam Duskett <aduskett@gmail.com>
[Thomas: entirely rewrite commit log]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-03-17 17:20:53 +01:00