Commit Graph

23 Commits

Author SHA1 Message Date
Christian Stewart
bdc395db0d package/go: bump to 1.13.5
go1.13.5 (released 2019/12/04) includes fixes to the go command, the runtime,
the linker, and the net/http package.

https://github.com/golang/go/issues?q=milestone%3AGo1.13.5

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-12-08 08:33:26 +01:00
Christian Stewart
aa4218f73f package/go: bump to 1.13.4
go1.13.4 (released 2019/10/31) with fixes to the net/http and syscall packages.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-11-30 22:41:43 +01:00
Peter Korsgaard
2580a12e5a package/go: security bump to version 1.13.3
Fixes the following security issues (1.33.2):

- CVE-2019-17596: Invalid DSA public keys can cause a panic in dsa.Verify.
  In particular, using crypto/x509.Verify on a crafted X.509 certificate
  chain can lead to a panic, even if the certificates don’t chain to a
  trusted root.  The chain can be delivered via a crypto/tls connection to a
  client, or to a server that accepts and verifies client certificates.
  net/http clients can be made to crash by an HTTPS server, while net/http
  servers that accept client certificates will recover the panic and are
  unaffected.

Additionally, 1.13.3 fixes a number of issues. From the release notes:

Fixes to the go command, the toolchain, the runtime, syscall, net, net/http,
and crypto/ecdsa packages

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-28 08:43:17 +01:00
Christian Stewart
f9d2bd24ca package/go: bump to 1.13.1
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-09 22:51:26 +02:00
Peter Korsgaard
bd574c445c package/go: security bump to version 1.12.10
Fixes the following security vulnerabilities:

- CVE-2019-16276: Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP
  Request Smuggling.
  https://github.com/golang/go/issues/34540

>From the release notes:

go1.12.10 (released 2019/09/25) includes security fixes to the net/http and
net/textproto packages

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-10-02 08:07:49 +02:00
Peter Korsgaard
b84261e5ca package/go: bump version to 1.12.9
For post-1.12.8 fixes. From the release notes:

go1.12.9 (released 2019/08/15) includes fixes to the linker, and the os and
math/big packages.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-20 13:22:33 +02:00
Christian Stewart
81b164c537 package/go: bump version to 1.12.8
go1.12.6 (released 2019/06/11) includes fixes to the compiler, the linker, the
go command, and the crypto/x509, net/http, and os packages.

go1.12.7 (released 2019/07/08) includes fixes to cgo, the compiler, and the
linker.

go1.12.8 (released 2019/08/13) includes security fixes to the net/http and
net/url packages.

https://golang.org/doc/devel/release.html

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-08-15 15:07:16 +02:00
Peter Korsgaard
ce32fa6cc1 package/go: bump version to 1.12.5
Fixes a number of issues discovered since 1.12.4.  From the release notes:

go1.12.5 (released 2019/05/06) includes fixes to the compiler, the linker,
the go command, the runtime, and the os package.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-05-07 22:30:13 +02:00
Peter Korsgaard
4f5584af06 package/go: bump version to 1.12.4
Fixes a number of issues discovered since 1.12.1.  From the release notes:

go1.12.2 (released 2019/04/05) includes fixes to the compiler, the go
command, the runtime, and the doc, net, net/http/httputil, and os packages.
See the Go 1.12.2 milestone on our issue tracker for details.

go1.12.3 (released 2019/04/08) was accidentally released without its
intended fix.  It is identical to go1.12.2, except for its version number.
The intended fix is in go1.12.4.

go1.12.4 (released 2019/04/11) fixes an issue where using the prebuilt
binary releases on older versions of GNU/Linux led to failures when linking
programs that used cgo.  Only Linux users who hit this issue need to update.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-30 13:17:21 +02:00
Christian Stewart
1af9d9dd25 package/go: bump to version 1.12.1
Go 1.12 was released on 2/25/2019: https://blog.golang.org/go1.12

Go 1.12.1 was released on 3/14/2019:
https://golang.org/doc/devel/release.html#go1.12.minor

Additional notes on how Go modules will evolve in 2019 are here:
https://blog.golang.org/modules2019

In Go 1.12, module support remains the same as in Go 1.11. GOPATH is scheduled
for deprecation in 1.13, however. The Buildroot Go package infrastructure should
therefore aim to migrate to a new, currently undefined, Go module friendly
compilation approach before Go 1.13 is released.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-03-17 11:07:41 +01:00
Christian Stewart
0ab3cb7a97 go: security bump to 1.11.5
Go 1.11.5 addresses a reported security issue, CVE-2019-6486.

Signed-off-by: Christian Stewart <christian@paral.in>
Acked-by: Anisse Astier <anisse@astier.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-01-24 10:46:22 +01:00
Peter Korsgaard
d810fee306 package/go: security bump to version 1.11.4
go 1.11.3 fixes the following security issues:

cmd/go: remote command execution during "go get -u"
The issue is CVE-2018-16873 and Go issue golang.org/issue/29230. See the Go issue for details.
Thanks to Etienne Stalmans from the Heroku platform security team for discovering and reporting this issue.

cmd/go: directory traversal in "go get" via curly braces in import paths
The issue is CVE-2018-16874 and Go issue golang.org/issue/29231. See the Go issue for details.
Thanks to ztz of Tencent Security Platform for discovering and reporting this issue.

crypto/x509: CPU denial of service in chain validation
The issue is CVE-2018-16875 and Go issue golang.org/issue/29233. See the Go issue for details.
Thanks to Netflix for discovering and reporting this issue.

go 1.11.4 fixes issues, including regressions introduced by 1.11.3:

1.11.4 includes fixes to cgo, the compiler, linker, runtime, documentation, go
command, and the net/http and go/types packages.  It includes a fix to a bug
introduced in Go 1.11.3 that broke go get for import path patterns
containing "...".

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-12-16 12:17:47 +01:00
Christian Stewart
b869212d0c go: bump to v1.11.2
Bumps Golang host-go compiler to 1.11.2 release.

Add hash for LICENSE.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-11-08 21:02:06 +01:00
Christian Stewart
67190f7635 go: bump to v1.11.1
Bumps Golang host-go compiler to 1.11.1 release.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-10-31 10:25:35 +01:00
Christian Stewart
f99efd731c go: bump to v1.11
Signed-off-by: Christian Stewart <christian@paral.in>
Reviewed-by: Anisse Astier <anisse@astier.eu>
Tested-by: Anisse Astier <anisse@astier.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-09-13 20:49:41 +02:00
Anisse Astier
81815b85a2 go: security bump to version 1.10.2
This bump contains many bug fixes, as well as the following security
issue, patched in Go 1.10.1:

CVE-2018-7187: The "go get" implementation in Go 1.9.4, when the
-insecure command-line option is used, does not validate the import path
(get/vcs.go only checks for "://" anywhere in the string), which allows
remote attackers to execute arbitrary OS commands via a crafted web
site.

Signed-off-by: Anisse Astier <anisse@astier.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-05-11 23:10:27 +02:00
Christian Stewart
576437cdb1 go: bump to 1.10
This commit bumps the Go programming language to the 1.10 release.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-02-19 20:55:27 +01:00
Christian Stewart
b3c2acba9b go: bump version to 1.9
Go 1.9 is required for docker-engine and other Go packages in Buildroot.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-10-22 09:10:32 +02:00
Christian Stewart
0ccc3395ca go: bump version to 1.8.3
Bumping Go to 1.8.3 from 1.7.

Go 1.8 comes with significant performance improvements, particularly
around ARM: "CPU time required by our benchmark programs was reduced by
20-30% on 32-bit ARM systems."

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-05-30 23:18:56 +02:00
Peter Korsgaard
5c9db62171 go: security bump to version 1.7.4
On Darwin, user's trust preferences for root certificates were not honored.
If the user had a root certificate loaded in their Keychain that was
explicitly not trusted, a Go program would still verify a connection using
that root certificate.  This is addressed by https://golang.org/cl/33721,
tracked in https://golang.org/issue/18141.  Thanks to Xy Ziemba for
identifying and reporting this issue.

The net/http package's Request.ParseMultipartForm method starts writing to
temporary files once the request body size surpasses the given "maxMemory"
limit.  It was possible for an attacker to generate a multipart request
crafted such that the server ran out of file descriptors.  This is addressed
by https://golang.org/cl/30410, tracked in https://golang.org/issue/17965.
Thanks to Simon Rawet for the report.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-01-23 23:01:27 +01:00
Christian Stewart
244ab37fbc go: bump to 1.7.2
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-10-19 11:24:33 +02:00
Christian Stewart
abfaf47e4c package/go: bump version to 1.6.2
Golang has significant improvements to support for multiarch in later
versions. This bump is required to make many go programs functional
under arm64, for example.

Signed-off-by: Christian Stewart <christian@paral.in>
Acked-by: Geoff Levand <geoff@infradead.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-05-07 14:31:04 +02:00
Geoff Levand
ec50eb3e42 go: new host package
Add a new package 'go' which builds the host cross compiler and
libraries for the go programming language.

Signed-off-by: Geoff Levand <geoff@infradead.org>
[Thomas:
 - Put the computation of GO_GOARM inside the ifeq ($(BR2_arm),y)
   condition rather than duplicating this condition.
 - Remove the GO_GOARCH=unknown case, since there is no way to fall in
   this case as only supported architectures can use host-go.
 - Remove the GO_GOARM=unknown case, since we are sure that only
   ARMv5/6/7 will use host-go.
 - Rename HOST_GO_FINAL to HOST_GO_ROOT, since it's really the "root"
   of the Go installation.
 - Remove visible Config.in.host option.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-04-20 22:29:34 +02:00