---
- branch: MAIN
  date: Thu Jun  2 18:19:26 UTC 2022
  files:
  - new: '1.150'
    old: '1.149'
    path: pkgsrc/lang/go/version.mk
    pathrev: pkgsrc/lang/go/version.mk@1.150
    type: modified
  - new: '1.10'
    old: '1.9'
    path: pkgsrc/lang/go117/PLIST
    pathrev: pkgsrc/lang/go117/PLIST@1.10
    type: modified
  - new: '1.17'
    old: '1.16'
    path: pkgsrc/lang/go117/distinfo
    pathrev: pkgsrc/lang/go117/distinfo@1.17
    type: modified
  id: 20220602T181926Z.bb8e0c63b1a1e2afaf8868bcdb5a7b39ea5d0a8f
  log: |
    Update go117 to 1.17.11

    This minor release includes 4 security fixes following the security policy
    <https://go.dev/security>:

       - crypto/rand: rand.Read hangs with extremely large buffers

       On Windows, rand.Read will hang indefinitely if passed a buffer larger
       than 1 << 32 - 1 bytes.

       Thanks to Davis Goodin and Quim Muntal, working at Microsoft on the Go
       toolset, for reporting this issue.

       This is CVE-2022-30634 and Go issue https://go.dev/issue/52561.

       - crypto/tls: session tickets lack random ticket_age_add

       Session tickets generated by crypto/tls did not contain a randomly
       generated ticket_age_add. This allows an attacker that can observe TLS
       handshakes to correlate successive connections by comparing ticket ages
       during session resumption.

       Thanks to GitHub user @nervuri for reporting this.

       This is CVE-2022-30629 and Go issue https://go.dev/issue/52814.

       - os/exec: empty Cmd.Path can result in running unintended binary on
       Windows

       If, on Windows, Cmd.Run, cmd.Start, cmd.Output, or cmd.CombinedOutput
       are executed when Cmd.Path is unset and, in the working directory, there
       are binaries named either "..com" or "..exe", they will be executed.

       Thanks to Chris Darroch (chrisd8088@github.com), brian m. carlson (
       bk2204@github.com), and Mikhail Shcherbakov (https://twitter.com/yu5k3)
       for reporting this.

       This is CVE-2022-30580 and Go issue https://go.dev/issue/52574.

       - path/filepath: Clean(`.\c:`) returns `c:` on Windows

       On Windows, the filepath.Clean function could convert an invalid path to
       a valid, absolute path. For example, Clean(`.\c:`) returned `c:`.

       Thanks to Unrud for reporting this issue.

       This is CVE-2022-29804 and Go issue https://go.dev/issue/52476.
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/lang'
  unixtime: '1654193966'
  user: bsiegert