---
- branch: MAIN
  date: Thu Dec 9 17:13:49 UTC 2021
  files:
  - new: '1.136'
    old: '1.135'
    path: pkgsrc/lang/go/version.mk
    pathrev: pkgsrc/lang/go/version.mk@1.136
    type: modified
  - new: '1.18'
    old: '1.17'
    path: pkgsrc/lang/go116/distinfo
    pathrev: pkgsrc/lang/go116/distinfo@1.18
    type: modified
  id: 20211209T171349Z.337b0f11c91905338f7e663c8012bbb18e22ceab
  log: |
    Update go116 to 1.16.12.

    go1.16.12 (released 2021-12-09) includes security fixes to the syscall and
    net/http packages. See the Go 1.16.12 milestone on our issue tracker for
    details.

    When a Go program running on a Unix system is out of file descriptors and
    calls syscall.ForkExec (including indirectly by using the os/exec package),
    syscall.ForkExec can close file descriptor 0 as it fails. If this happens
    (or can be provoked) repeatedly, it can result in misdirected I/O such as
    writing network traffic intended for one connection to a different
    connection, or content intended for one file to a different one.

    This is CVE-2021-44717 and is fixed in Go 1.17.5 and Go 1.16.12.

    An attacker can cause unbounded memory growth in a Go server accepting
    HTTP/2 requests.

    This is CVE-2021-44716 and is fixed in Go 1.17.5 and Go 1.16.12.
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/lang'
  unixtime: '1639070029'
  user: bsiegert