---
- branch: pkgsrc-2015Q3
  date: Tue Oct  6 16:37:05 UTC 2015
  files:
  - new: 1.8.2.1
    old: '1.8'
    path: pkgsrc/lang/go/version.mk
    pathrev: pkgsrc/lang/go/version.mk@1.8.2.1
    type: modified
  - new: 1.3.2.1
    old: '1.3'
    path: pkgsrc/lang/go14/Makefile
    pathrev: pkgsrc/lang/go14/Makefile@1.3.2.1
    type: modified
  - new: 1.1.2.1
    old: '1.1'
    path: pkgsrc/lang/go14/PLIST
    pathrev: pkgsrc/lang/go14/PLIST@1.1.2.1
    type: modified
  - new: 1.2.2.1
    old: '1.2'
    path: pkgsrc/lang/go14/distinfo
    pathrev: pkgsrc/lang/go14/distinfo@1.2.2.1
    type: modified
  id: 20151006T163705Z.d785c5f8271ed7baccb51c9f548468a1dd6feab3
  log: |
    Pullup ticket #4819 - requested by bsiegert
    lang/go14: security update

    Revisions pulled up:
    - lang/go/version.mk                                            1.9
    - lang/go14/Makefile                                            1.5
    - lang/go14/PLIST                                               1.2
    - lang/go14/distinfo                                            1.3

    -------------------------------------------------------------------
       Module Name:    pkgsrc
       Committed By:   tnn
       Date:           Sun Sep 27 00:36:02 UTC 2015

       Modified Files:
               pkgsrc/lang/go14: Makefile

       Log Message:
       more REPLACE_BASH

       To generate a diff of this commit:
       cvs rdiff -u -r1.4 -r1.5 pkgsrc/lang/go14/Makefile

    -------------------------------------------------------------------
       Module Name:    pkgsrc
       Committed By:   bsiegert
       Date:           Sat Sep 26 17:37:01 UTC 2015

       Modified Files:
               pkgsrc/lang/go: version.mk
               pkgsrc/lang/go14: Makefile PLIST distinfo

       Log Message:
       Update go14 to 1.4.3. It fixes four security-related issues.

       The issues were reported in Go's net/http package. They affect programs usi=
       ng
       that package to proxy HTTP requests. We recommend that all users upgrade to=
        Go
       1.5, which fixes these issues. For users unable to upgrade to Go 1.5, we ha=
       ve
       released version 1.4.3, which is based on Go 1.4.2 plus fixes for these iss=
       ues.
       Affected Go programs=E2=80=94those that use the net/http package as a proxy=
        server=E2=80=94must
       be recompiled with Go 1.5 or Go 1.4.3 to receive the fixes.

       The CVE issue descriptions and fixes are linked below.

       CVE-2015-5739
       "Content Length" treated as valid header:
       https://go-review.googlesource.com/#/c/11772/

       CVE-2015-5740
       Double content-length headers does not return 400 error:
       https://go-review.googlesource.com/#/c/11810/

       CVE-2015-5741
       Additional hardening, not sending Content-Length w/Transfer-Encoding,
       Closing connections:
       https://go-review.googlesource.com/#/c/11810/
       https://go-review.googlesource.com/#/c/12865/
       https://go-review.googlesource.com/#/c/13148/

       The Go team would like to thank Jed Denlea and R=C3=A9gis Leroy for their
       contributions to this release. They have been awarded 1337 USD under the Go=
       ogle
       Security Bounty program.

       To generate a diff of this commit:
       cvs rdiff -u -r1.8 -r1.9 pkgsrc/lang/go/version.mk
       cvs rdiff -u -r1.3 -r1.4 pkgsrc/lang/go14/Makefile
       cvs rdiff -u -r1.1 -r1.2 pkgsrc/lang/go14/PLIST
       cvs rdiff -u -r1.2 -r1.3 pkgsrc/lang/go14/distinfo
  module: pkgsrc
  subject: 'CVS commit: [pkgsrc-2015Q3] pkgsrc/lang'
  unixtime: '1444149425'
  user: spz