---
- branch: MAIN
  date: Sun Dec  4 16:08:55 UTC 2016
  files:
  - new: '1.42'
    old: '1.41'
    path: pkgsrc/lang/go/distinfo
    pathrev: pkgsrc/lang/go/distinfo@1.42
    type: modified
  - new: '1.21'
    old: '1.20'
    path: pkgsrc/lang/go/version.mk
    pathrev: pkgsrc/lang/go/version.mk@1.21
    type: modified
  id: 20161204T160855Z.509aa2931bb6905c3ae7365721ccab092eb99d3f
  log: |
    Update Go to 1.7.4.

    Two security-related issues were recently reported, and to address these issues
    we have just released Go 1.6.4 and Go 1.7.4.

    We recommend that all users update to one of these releases (if you're not sure
    which, choose Go 1.7.4).

    The issues addressed by these releases are:

    On Darwin, user's trust preferences for root certificates were not honored. If
    the user had a root certificate loaded in their Keychain that was explicitly
    not trusted, a Go program would still verify a connection using that root
    certificate.  This is addressed by https://golang.org/cl/33721, tracked in
    https://golang.org/issue/18141.
    Thanks to Xy Ziemba for identifying and reporting this issue.

    The net/http package's Request.ParseMultipartForm method starts writing to
    temporary files once the request body size surpasses the given "maxMemory"
    limit. It was possible for an attacker to generate a multipart request crafted
    such that the server ran out of file descriptors.  This is addressed by
    https://golang.org/cl/30410, tracked in https://golang.org/issue/17965.
    Thanks to Simon Rawet for the report.
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/lang/go'
  unixtime: '1480867735'
  user: bsiegert