Fixes the following CVEs:
CVE-2024-24783: crypto/x509: Verify panics on certificates with an unknown public key algorithm
CVE-2023-45290: net/http: memory exhaustion in Request.ParseMultipartForm
CVE-2023-45289: net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect
CVE-2024-24785: html/template: errors returned from MarshalJSON methods may break template escaping
CVE-2024-24784: net/mail: comments in display names are incorrectly handled
https://go.dev/doc/devel/release#go1.21.8
Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
go1.21.7 (released 2024-02-06) includes fixes to the compiler, the go command,
the runtime, and the crypto/x509 package.
https://go.dev/doc/devel/release#go1.21.7
Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
go1.21.6 (released 2024-01-09) includes fixes to the compiler, the runtime, and
the crypto/tls, maps, and runtime/pprof packages.
https://go.dev/doc/devel/release#go1.21.6
Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following CVEs:
CVE-2023-39326: net/http: limit chunked data overhead
CVE-2023-45285: cmd/go: go get may unexpectedly fallback to insecure git
https://go.dev/doc/devel/release#go1.21.5
Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Go version 1.21.4 includes the following security fixes:
CVE-2023-45283: path/filepath: recognize \??\ as a Root Local Device path prefix.
CVE-2023-45284: path/filepath: recognize device names with trailing spaces and superscripts
https://go.dev/doc/devel/release#go1.21.4
Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2023-39325: rapid stream resets can cause excessive work
A malicious HTTP/2 client which rapidly creates requests and immediately
resets them can cause excessive server resource consumption. While the
total number of requests is bounded to the http2.Server.MaxConcurrentStreams
setting, resetting an in-progress request allows the attacker to create a
new request while the existing one is still executing.
go1.21.3 (released 2023-10-10) includes a security fix to the net/http
package.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2023-39323: Line directives ("//line") can be used to bypass the
restrictions on "//go:cgo_" directives, allowing blocked linker and compiler
flags to be passed during compilation. This can result in unexpected
execution of arbitrary code when running "go build".
go1.21.2 (released 2023-10-05) includes one security fixes to the cmd/go
package, as well as bug fixes to the compiler, the go command, the linker,
the runtime, and the runtime/metrics package.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When building for a target architecture that go does not support, the
installation fails with:
$ make host-go
[...]
ln -sf ../lib/go/bin/go /home/nyma7486/dev/work/5GCroCo/O/pouet/per-package/host-go/host/bin/
ln: failed to create symbolic link '/home/nyma7486/dev/work/5GCroCo/O/pouet/per-package/host-go/host/bin/': No such file or directory
Indeed, the HOST_DIR/bin is not guaranteed to exist when we install a
host package, so it needs to be explicitly created before we can create
entries in there.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Christian Stewart <christian@aperture.us>
Cc: Anisse Astier <anisse@astier.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Building go with cgo support needs to build some .c files to generate target
support code, and thus calls the cross C compiler, which is failing when the
toolchain is not built before host-go:
>>> host-go 1.21.1 Building
cd .../build/host-go-1.21.1/src && GO111MODULE=off GOCACHE=.../per-package/host-go/host/share/host-go-cache GOROOT_BOOTSTRAP=.../per-package/host-go/host/lib/go-1.19.11 GOROOT_FINAL=.../per-package/host-go/host/lib/go GOROOT=".../build/host-go-1.21.1" GOBIN=".../build/host-go-1.21.1/bin" GOOS=linux CC=/usr/bin/gcc CXX=/usr/bin/g++ CGO_ENABLED=1 CC_FOR_TARGET=".../per-package/host-go/host/bin/arm-linux-gcc" CXX_FOR_TARGET=".../per-package/host-go/host/bin/arm-linux-g++" GOOS="linux" GOARCH=arm GOARM=6 GO_ASSUME_CROSSCOMPILING=1 ./make.bash
Building Go cmd/dist using .../per-package/host-go/host/lib/go-1.19.11. (go1.19.11 linux/amd64)
go tool dist: cannot invoke C compiler [".../per-package/host-go/host/bin/arm-linux-gcc"]: fork/exec .../per-package/host-go/host/bin/arm-linux-gcc: no such file or directory
Go needs a system C compiler for use with cgo.
To set a C compiler, set CC=the-compiler.
To disable cgo, set CGO_ENABLED=0.
This happens systematically with PPD, and happens without PPD when
host-go is explicitly built (by running: "make host-go").
Since only CGO support needs to compile C files, only add the toolchain
dependency in that case.
When the target is not supported by go, then there is obviously no need
to depend on the toolchain (even if we unconditionally enable cgo
support in only-for-the-host host-go).
Signed-off-by: Christian Stewart <christian@aperture.us>
[yann.morin@orange.com:
- only add the toolchain dependency for target cgo
- reword commit log
]
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Anisse Astier <anisse@astier.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
go1.21.1 (released 2023-09-06) includes four security fixes to the cmd/go,
crypto/tls, and html/template packages, as well as bug fixes to the compiler,
the go command, the linker, the runtime, and the context, crypto/tls,
encoding/gob, encoding/xml, go/types, net/http, os, and path/filepath packages.
Security fixes:
CVE-2023-39320: cmd/go: go.mod toolchain directive allows arbitrary execution
CVE-2023-39318: html/template: improper handling of HTML-like comments within script contexts
CVE-2023-39319: html/template: improper handling of special tags within script contexts
CVE-2023-39321: crypto/tls: panic when processing post-handshake message on QUIC connections
https://go.dev/doc/devel/release#go1.21.0
Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Go 1.21.0 is a major release of Go.
https://go.dev/doc/devel/release#go1.21.0
Set GOTOOLCHAIN=local to disable the new toolchain download feature. This
feature, introduced in Go 1.21.x, will automatically download pre-built compiler
binaries from Google for the toolchain version specified in go.mod. We do not
want this in Buildroot as we build from source instead: set GOTOOLCHAIN=local to
disable the feature and use the locally built toolchain.
https://go.dev/doc/toolchain
Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
go1.20.7 (released 2023-08-01) includes a security fix to the crypto/tls
package, as well as bug fixes to the assembler and the compiler.
Fixes CVE-2023-29409: restrict RSA keys in certificates to <= 8192 bits
Extremely large RSA keys in certificate chains can cause a client/server to
expend significant CPU time verifying signatures. Limit this by restricting the
size of RSA keys transmitted during handshakes to <= 8192 bits.
Based on a survey of publicly trusted RSA keys, there are currently only three
certificates in circulation with keys larger than this, and all three appear to
be test certificates that are not actively deployed. It is possible there are
larger keys in use in private PKIs, but we target the web PKI, so causing
breakage here in the interests of increasing the default safety of users of
crypto/tls seems reasonable.
https://go.dev/doc/devel/release#go1.20.7
Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Building host-go within docker fails:
error obtaining VCS status: exit status 128
Use -buildvcs=false to disable VCS stamping.
Reproduction of the issue:
mkdir go-issue-61620
cd ./go-issue-61620
wget https://go.dev/dl/go1.19.11.src.tar.gz
mkdir go-bootstrap
tar -xf go1.19.11.src.tar.gz -C ./go-bootstrap --strip-components=1
cd ./go-bootstrap/src/
bash make.bash
cd ../../
wget https://go.dev/dl/go1.20.6.src.tar.gz
mkdir go
tar -xf go1.20.6.src.tar.gz -C ./go/ --strip-components=1
printf "gitdir: ../../does/not/exist/.git" > ./.git
cd ./go/src/
GOROOT_BOOTSTRAP=$(pwd)/../../go-bootstrap/ bash make.bash
The error only occurs when the .git that git detects in the parent directory of
the GOROOT_BOOTSTRAP is invalid or not present causing errors when running `git`
commands within GOROOT_BOOTSTRAP.
Report: https://lists.buildroot.org/pipermail/buildroot/2023-July/671344.html
Fixes: https://gitlab.com/buildroot.org/buildroot/-/jobs/4725186525
Upstream issue: https://github.com/golang/go/issues/61620
Upstream PR: https://github.com/golang/go/pull/61621
Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Adjust comments in the Go package to improve clarity:
Config.in.host:
- Add comment mentioning list of supported architectures.
go.mk:
- Reword comment re: copying src/ to host/
- the previously linked issue is not relevant.
- instead: mention that src/ is needed for stdlib.
- Adjust comment re: adjusting file timestamps.
- mention this is needed to avoid rebuilding stdlib
Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Go 1.20 requires a minimum version of go 1.17.13 to bootstrap.
https://go.dev/doc/go1.20#bootstrap
As Go 1.4 was the previous version that could be compiled with C, there is now
no way to bootstrap go with a C compiler, unless we use a two-stage bootstrap:
- build host-go-bootstrap-1.4-20170531
- build host-go-bootstrap-1.19.10 with host-go-bootstrap-1.4-20170531
- build host-go-1.20 with host-go-bootstrap-1.19.9
This is implemented in this commit first, before upgrading host-go to 1.20.
Note: the .patch files from package/go version 1.19.x are not necessary for
package/go-bootstrap-stage2 and have not been included there.
Previous discussion of possible alternatives:
https://lore.kernel.org/all/CA+h8R2rtcynkCBsz=_9yANOEguyPCOcQDj8_ns+cv8RS8+8t9A@mail.gmail.com/https://lore.kernel.org/all/20220525234312.643dfc03@windsurf/T/
Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
go1.19.11 (released 2023-07-11) includes a security fix to the net/http package,
as well as bug fixes to cgo, the cover tool, the go command, the runtime, and
the go/printer package.
CVE-2023-29406 and Go issue https://go.dev/issue/60374
Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following security issues:
- cmd/go: cgo code injection
The go command may generate unexpected code at build time when using cgo.
This may result in unexpected behavior when running a go program which
uses cgo.
This may occur when running an untrusted module which contains directories
with newline characters in their names. Modules which are retrieved using
the go command, i.e. via "go get", are not affected (modules retrieved
using GOPATH-mode, i.e. GO111MODULE=off, may be affected).
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2023-29402 and Go issue https://go.dev/issue/60167.
- runtime: unexpected behavior of setuid/setgid binaries
The Go runtime didn't act any differently when a binary had the
setuid/setgid bit set. On Unix platforms, if a setuid/setgid binary was
executed with standard I/O file descriptors closed, opening any files
could result in unexpected content being read/written with elevated
prilieges. Similarly if a setuid/setgid program was terminated, either
via panic or signal, it could leak the contents of its registers.
Thanks to Vincent Dehors from Synacktiv for reporting this issue.
This is CVE-2023-29403 and Go issue https://go.dev/issue/60272.
- cmd/go: improper sanitization of LDFLAGS
The go command may execute arbitrary code at build time when using cgo.
This may occur when running "go get" on a malicious module, or when
running any other command which builds untrusted code. This is can by
triggered by linker flags, specified via a "#cgo LDFLAGS" directive.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2023-29404 and CVE-2023-29405 and Go issues
https://go.dev/issue/60305 and https://go.dev/issue/60306.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
go1.19.9 (released 2023-05-02) includes three security fixes to the
html/template package, as well as bug fixes to the compiler, the runtime, and
the crypto/subtle, crypto/tls, net/http, and syscall packages.
CVE-2023-24539: html/template: improper sanitization of CSS values
CVE-2023-24540: html/template: improper handling of JavaScript whitespace
CVE-2023-29400: html/template: improper handling of empty HTML attributes
https://go.dev/doc/devel/release#go1.19.9https://github.com/golang/go/issues?q=milestone%3AGo1.19.9+label%3ACherryPickApproved
Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
go1.19.8 (released 2023-04-04) includes security fixes to the go/parser,
html/template, mime/multipart, net/http, and net/textproto packages, as well as
bug fixes to the compiler, the linker, the runtime, and the time package.
Fixes security vulnerabilities:
go/parser: infinite loop in parsing (CVE-2023-24537)
html/template: backticks not treated as string delimiters (CVE-2023-24538)
net/http, net/textproto: denial of service from excessive memory
allocation (CVE-2023-24534)
net/http, net/textproto, mime/multipart: denial of service from excessive
resource consumption (CVE-2023-24536)
https://go.dev/doc/devel/release#go1.19.8https://github.com/golang/go/issues?q=milestone%3AGo1.19.8+label%3ACherryPickApproved
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
go1.19.7 (released 2023-03-07) includes a security fix to the
crypto/elliptic package, as well as bug fixes to the linker, the runtime,
and the crypto/x509 and syscall packages.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
go1.19.6 (released 2023-02-14) includes security fixes to the crypto/tls,
mime/multipart, net/http, and path/filepath packages, as well as bug fixes to
the go command, the linker, the runtime, and the crypto/x509, net/http, and time
packages. See the Go 1.19.6 milestone on the Go issue tracker for details.
CVE-2022-41725: net/http, mime/multipart: denial of service from excessive resource consumption
CVE-2022-41724: crypto/tls: large handshake records may cause panics
CVE-2022-41723: net/http: avoid quadratic complexity in HPACK decoding
https://go.dev/doc/devel/release#go1.19.minor
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
go mod vendor caches downloaded modules to the Go module cache, which
defaults to $GOPATH/pkg/mod - But can be overridden with the GOMODCACHE
environment variable:
https://go.dev/ref/mod#module-cache
So explicitly set GOMODCACHE= for reproducibility.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The go mod vendor call in support/download/go-post-process accesses the go
cache, so pass GOCACHE= in the environment to ensure our cache directory is
used.
The go cache defaults to ~/.cache/go-build if not set, so this fixes builds
where that location (or GOCACHE if set in the environment) is not writable:
rm -rf ~/.cache/go-build
chmod -w ~/.cache
make docker-compose-source
..
failed to initialize build cache at /home/peko/.cache/go-build: mkdir /home/peko/.cache/go-build: permission denied
make[1]: *** [package/pkg-generic.mk:189: /home/peko/source/buildroot/output/build/docker-compose-2.14.0/.stamp_downloaded] Error 1
We use two different cache directories for target and host builds, but the
download/vendoring should be independent of the architecture, so use the
target variant even for host-only packages for simplicity.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
go1.19.1 includes security fixes to the net/http and net/url packages, as well
as bug fixes to the compiler, the go command, the pprof command, the linker, the
runtime, and the crypto/tls and crypto/x509 packages.
https://github.com/golang/go/issues?q=milestone%3AGo1.19.1+label%3ACherryPickApproved
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Go 1.19 is a major release with changes to the implementation of the toolchain,
runtime, and libraries.
Dropped patch 0002-cmd-dist-use-gohostarch... as it was merged upstream.
https://go.dev/doc/go1.19
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
On machines supporting Riscv SV57 mode like Qemu, Go programs currently crash
with the following type of error:
runtime: lfstack.push invalid packing: node=0xffffff5908a940 cnt=0x1
packed=0xffff5908a9400001 -> node=0xffff5908a940
The upstream PR fixes this error, but has not yet been merged.
Upstream: https://go-review.googlesource.com/c/go/+/409055/4
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
go1.18.4 includes security fixes to the compress/gzip, encoding/gob,
encoding/xml, go/parser, io/fs, net/http, and path/filepath packages, as well as
bug fixes to the compiler, the go command, the linker, the runtime, and the
runtime/metrics package.
go1.18.5 includes security fixes to the encoding/gob and math/big packages, as
well as bug fixes to the compiler, the go command, the runtime, and the testing
package.
https://go.dev/doc/devel/release#go1.18.minor
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
It's been ages (5 years at the next release) that we've not installed
host packages in $(HOST_DIR)/usr, but we still have a few packages that
reference it or install things in there.
Drop all of those in one fell swoop.
The run-time test still succeeds, and the following defconfig, which
should exercise all touched packages [*], does build:
BR2_x86_i686=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_INIT_NONE=y
BR2_SYSTEM_BIN_SH_NONE=y
# BR2_PACKAGE_BUSYBOX is not set
BR2_PACKAGE_GAWK=y
BR2_PACKAGE_GETTEXT=y
BR2_PACKAGE_ABOOTIMG=y
BR2_PACKAGE_DBUS_PYTHON=y
BR2_PACKAGE_OLA=y
BR2_PACKAGE_JIMTCL=y
BR2_PACKAGE_LUA=y
# BR2_PACKAGE_LUA_32BITS is not set
BR2_PACKAGE_ARGPARSE=y
BR2_PACKAGE_PERL=y
BR2_PACKAGE_PHP=y
BR2_PACKAGE_PHP_APCU=y
BR2_PACKAGE_PHP_LUA=y
BR2_PACKAGE_PHP_PAM=y
BR2_PACKAGE_PHP_PECL_DBUS=y
BR2_PACKAGE_PYTHON3=y
BR2_PACKAGE_PYTHON_CRYPTOGRAPHY=y
BR2_PACKAGE_PYTHON_PLY=y
BR2_PACKAGE_PYTHON_PYBIND=y
BR2_PACKAGE_LIBVA=y
BR2_PACKAGE_BIND=y
BR2_PACKAGE_BIND_SERVER=y
BR2_PACKAGE_BIND_TOOLS=y
BR2_PACKAGE_APPARMOR=y
BR2_PACKAGE_APPARMOR_BINUTILS=y
BR2_PACKAGE_APPARMOR_UTILS=y
BR2_PACKAGE_APPARMOR_UTILS_EXTRA=y
BR2_PACKAGE_APPARMOR_PROFILES=y
BR2_PACKAGE_REFPOLICY=y
BR2_PACKAGE_URANDOM_SCRIPTS=y
BR2_PACKAGE_BASH=y
# embiggen-disk to exercise go
BR2_PACKAGE_EMBIGGEN_DISK=y
BR2_TARGET_GRUB2=y
BR2_TARGET_GRUB2_I386_PC=y
BR2_TARGET_GRUB2_I386_EFI=y
[*] exceptions:
- zfs was not tested: it needs a kernel to be built;
- compiler-rt was not tsted: it needs llvm to be built, that takes
ages, and other packages already reference the correct location for
llvm-config, so it was assumed that is OK.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Angelo Compagnucci <angelo.compagnucci@gmail.com>
Cc: Anisse Astier <anisse@astier.eu>
Cc: Antoine Tenart <atenart@kernel.org>
Cc: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Cc: Asaf Kahlon <asafka7@gmail.com>
Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
Cc: Christian Stewart <christian@paral.in>
Cc: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
Cc: Francois Perrad <francois.perrad@gadz.org>
Cc: Guillaume William Brs <guillaume.bressaix@gmail.com>
Cc: Hervé Codina <herve.codina@bootlin.com>
Cc: James Hilliard <james.hilliard1@gmail.com>
Cc: José Luis Salvador Rufo <salvador.joseluis@gmail.com>
Cc: Julien Boibessot <julien.boibessot@armadeus.com>
Cc: Julien Olivain <ju.o@free.fr>
Cc: Matt Weber <matthew.weber@collins.com>
Cc: Nicolas Carrier <nicolas.carrier@orolia.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Vadim Kochan <vadim4j@gmail.com>
Cc: Yegor Yefremov <yegorslists@googlemail.com>
Reviewed-by: Romain Naour <romain.naour@smile.fr>
---
Changes v1 -> v2:
- fix new instance that have crept in (Romain)
go1.18.3 includes security fixes to the crypto/rand, crypto/tls, os/exec,
and path/filepath packages, as well as bug fixes to the compiler, and the
crypto/tls and text/template/parse packages.
https://go.dev/doc/devel/release#go1.18
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit fixes a build error when the host environment has GOOS set to
something other than "linux." For example,
cd ./buildroot
GOOS="js" make
This will cause a build failure. Override GOOS to be either empty for host
packages or set to "linux" for target packages.
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Add a patch to fix a build failure due to the target GOARCH being used while
bootstrapping the Go compiler with the go-bootstrap compiler.
Uses the host architecture variable instead.
This commit updates the patch with improvements from the upstream PR.
PR: https://github.com/golang/go/pull/52362
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Enable the supported "riscv64" GOARCH.
Add a patch to fix a build failure due to GOARCH leaking into the calls to the
go-bootstrap compiler. Unsets the GOARCH before calling go-bootstrap.
PR: https://github.com/golang/go/pull/52362
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Includes security fixes to the syscall package, as well as bug fixes to the
compiler, runtime, the go command, and the crypto/x509, go/types,
net/http/httptest, reflect, and sync/atomic packages.
Signed-off-by: Joel Stanley <joel@jms.id.au>
[Peter: mark as security fix]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The latest Go release, version 1.18, is a significant release, including changes
to the language, implementation of the toolchain, runtime, and libraries.
https://go.dev/doc/go1.18
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
go1.17.9 (released 2022-04-12) includes security fixes to the
crypto/elliptic and encoding/pem packages, as well as bug fixes to the
linker and runtime.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
go1.17.8 includes a security fix to the regexp/syntax package, as well as bug
fixes to the compiler, runtime, the go command, and the crypto/x509, and net
packages.
https://go.dev/doc/devel/release#go1.17.minor
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
go1.17.7 includes security fixes to the crypto/elliptic, math/big packages and
to the go command, as well as bug fixes to the compiler, linker, runtime, the go
command, and the debug/macho, debug/pe, and net/http/httptest packages.
https://github.com/golang/go/issues?q=milestone%3AGo1.17.7+label%3ACherryPickApproved
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
View the release notes for more information:
https://go.dev/doc/devel/release.html#go1.17.minor
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
go1.17.4 (released 2021-12-02) includes fixes to the compiler, linker, runtime,
and the go/types, net/http, and time packages.
go1.17.5 (released 2021-12-09) includes security fixes to the syscall and
net/http packages:
- CVE-2021-44716
- CVE-2021-44717
https://go.dev/doc/devel/release#go1.17
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
go1.17.3 (released 2021-11-04) includes security fixes to the archive/zip and
debug/macho packages, as well as bug fixes to the compiler, linker, runtime, the
go command, the misc/wasm directory, and to the net/http and syscall packages.
https://golang.org/doc/devel/release#go1.17.minor
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
go1.17.2 (released 2021-10-07) includes a security fix to the linker and
misc/wasm directory, as well as bug fixes to the compiler, the runtime, the go
command, and to the time and text/template packages.
https://golang.org/doc/devel/release#go1.17.minor
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The fix for CVE-2021-33196 can be bypassed by crafted inputs. As a result, the
NewReader and OpenReader functions in archive/zip can still cause a panic or an
unrecoverable fatal error when reading an archive that claims to contain a large
number of files, regardless of its actual size.
This is CVE-2021-39293.
https://golang.org/doc/devel/release.html#go1.16.minor
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The latest Go release, version 1.17, arrives six months after Go 1.16.
Most of its changes are in the implementation of the toolchain,
runtime, and libraries.
https://golang.org/doc/go1.17
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
These minor releases include a security fix according to the new security policy (#44918).
crypto/tls clients can panic when provided a certificate of the wrong type for the negotiated parameters.
net/http clients performing HTTPS requests are also affected. The panic can be triggered by an attacker
in a privileged network position without access to the server certificate's private key, as long as a trusted
ECDSA or Ed25519 certificate for the server exists (or can be issued), or the client is configured with
Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher suites (that is, TLS 1.0–1.2 cipher
suites without ECDHE), as well as TLS 1.3-only clients, are unaffected.
This is CVE-2021-34558.
View the release notes for more information:
https://golang.org/doc/devel/release.html#go1.16.minor
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
