---
- branch: MAIN
  date: Thu Dec  9 17:25:56 UTC 2021
  files:
  - new: '1.137'
    old: '1.136'
    path: pkgsrc/lang/go/version.mk
    pathrev: pkgsrc/lang/go/version.mk@1.137
    type: modified
  - new: '1.4'
    old: '1.3'
    path: pkgsrc/lang/go117/PLIST
    pathrev: pkgsrc/lang/go117/PLIST@1.4
    type: modified
  - new: '1.11'
    old: '1.10'
    path: pkgsrc/lang/go117/distinfo
    pathrev: pkgsrc/lang/go117/distinfo@1.11
    type: modified
  id: 20211209T172556Z.0fc984e2ce0216b57cf2620c2f016c2b60a75209
  log: |
    Update go117 to 1.17.5.

    go1.17.4 (released 2021-12-02) includes fixes to the compiler, linker, runtime,
    and the go/types, net/http, and time packages. See the Go 1.17.4 milestone on
    our issue tracker for details.

    go1.17.5 (released 2021-12-09) includes security fixes to the syscall and
    net/http packages. See the Go 1.17.5 milestone on our issue tracker for
    details.

    When a Go program running on a Unix system is out of file descriptors and calls
    syscall.ForkExec (including indirectly by using the os/exec package),
    syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or
    can be provoked) repeatedly, it can result in misdirected I/O such as writing
    network traffic intended for one connection to a different connection, or
    content intended for one file to a different one.

    This is CVE-2021-44717 and is fixed in Go 1.17.5 and Go 1.16.12.

    An attacker can cause unbounded memory growth in a Go server accepting HTTP/2
    requests.

    This is CVE-2021-44716 and is fixed in Go 1.17.5 and Go 1.16.12.
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/lang'
  unixtime: '1639070756'
  user: bsiegert