---
- branch: MAIN
  date: Fri Jan 22 20:08:32 UTC 2021
  files:
  - new: '1.108'
    old: '1.107'
    path: pkgsrc/lang/go/version.mk
    pathrev: pkgsrc/lang/go/version.mk@1.108
    type: modified
  - new: '1.8'
    old: '1.7'
    path: pkgsrc/lang/go114/PLIST
    pathrev: pkgsrc/lang/go114/PLIST@1.8
    type: modified
  - new: '1.14'
    old: '1.13'
    path: pkgsrc/lang/go114/distinfo
    pathrev: pkgsrc/lang/go114/distinfo@1.14
    type: modified
  id: 20210122T200832Z.dbefed21793f52b6153a9c9d0bb06daed50b77ec
  log: "Update go114 to 1.14.14.\n\n* cmd/go: packages using cgo can cause arbitrary code execution at build time\n\nThe go command may execute arbitrary code at build time when cgo is in use on\nWindows. This may occur when running “go get”, or any other command that builds\ncode. Only users who build untrusted code (and don’t execute it) are affected.\n\nIn addition to Windows users, this can also affect Unix users who have “.”\nlisted explicitly in their PATH and are running “go get” or build commands\noutside of a module or with module mode disabled.\n\nThanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.\n\nThis issue is CVE-2021-3115 and Go issue golang.org/issue/43783.\n\nFor more background on the cmd/go change and help deciding whether your own\nprograms might have similar issues, see our blog post at\nhttps://blog.golang.org/path-security.\n\n* crypto/elliptic: incorrect operations on the P-224 curve\n\nThe P224() Curve implementation can in rare circumstances generate incorrect\noutputs, including returning invalid points from ScalarMult.\n\nThe crypto/x509 and golang.org/x/crypto/ocsp (but not crypto/tls) packages\nsupport P-224 ECDSA keys, but they are not supported by publicly trusted\ncertificate authorities. No other standard library or golang.org/x/crypto\npackage supports or uses the P-224 curve.\n\nThe incorrect output was found by the elliptic-curve-differential-fuzzer\nproject running on OSS-Fuzz and reported by Philippe Antoine (Catena cyber).\n\nThis issue is CVE-2021-3114 and Go issue golang.org/issue/43786.\n"
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/lang'
  unixtime: '1611346112'
  user: bsiegert