---
- branch: MAIN
  date: Wed Mar 10 19:55:17 UTC 2021
  files:
  - new: '1.112'
    old: '1.111'
    path: pkgsrc/lang/go/version.mk
    pathrev: pkgsrc/lang/go/version.mk@1.112
    type: modified
  - new: '1.4'
    old: '1.3'
    path: pkgsrc/lang/go116/distinfo
    pathrev: pkgsrc/lang/go116/distinfo@1.4
    type: modified
  id: 20210310T195517Z.8ee83d2818c64911ed81801d38e7a578c2388972
  log: |
    Update go116 to 1.16.1, fixing two security issues:

    - encoding/xml: infinite loop when using xml.NewTokenDecoder with a
      custom TokenReader

      The Decode, DecodeElement, and Skip methods of an xml.Decoder
      provided by xml.NewTokenDecoder may enter an infinite loop when
      operating on a custom xml.TokenReader which returns an EOF in the
      middle of an open XML element.

      Thanks to Sam Whited for reporting this issue.

      This issue is CVE-2021-27918 and Go issue golang.org/issue/44913.

    - archive/zip: panic when calling Reader.Open

      The Reader.Open API, new in Go 1.16, will panic when used on a ZIP
      archive containing files that start with "../".

      This issue is CVE-2021-27919 and Go issue golang.org/issue/44916.
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/lang'
  unixtime: '1615406117'
  user: bsiegert