---
- branch: pkgsrc-2023Q3
  date: Sat Nov 4 13:00:32 UTC 2023
  files:
  - new: 1.189.2.2
    old: 1.189.2.1
    path: pkgsrc/lang/go/version.mk
    pathrev: pkgsrc/lang/go/version.mk@1.189.2.2
    type: modified
  - new: 1.2.2.1
    old: '1.2'
    path: pkgsrc/lang/go121/PLIST
    pathrev: pkgsrc/lang/go121/PLIST@1.2.2.1
    type: modified
  - new: 1.2.2.1
    old: '1.2'
    path: pkgsrc/lang/go121/distinfo
    pathrev: pkgsrc/lang/go121/distinfo@1.2.2.1
    type: modified
  id: 20231104T130032Z.33653937e8c8b873af38c88276bb7611815213fc
  log: |
    Pullup ticket #6816 - requested by bsiegert
    lang/go121: security update
    lang/go: metadata update

    Revisions pulled up:
    - lang/go/version.mk 1.191
    - lang/go121/PLIST 1.3
    - lang/go121/distinfo 1.3

    -------------------------------------------------------------------
     Module Name:	pkgsrc
     Committed By:	bsiegert
     Date:		Sun Oct 15 09:26:35 UTC 2023

     Modified Files:
     	pkgsrc/lang/go: version.mk
     	pkgsrc/lang/go121: PLIST distinfo

     Log Message:
     go121: update to 1.21.3 (security)

     1.21.3

     net/http: rapid stream resets can cause excessive work

     A malicious HTTP/2 client which rapidly creates requests and
     immediately resets them can cause excessive server resource consumption.
     While the total number of requests is bounded to the
     http2.Server.MaxConcurrentStreams setting, resetting an in-progress
     request allows the attacker to create a new request while the existing
     one is still executing.

     HTTP/2 servers now bound the number of simultaneously executing
     handler goroutines to the stream concurrency limit. New requests
     arriving when at the limit (which can only happen after the client
     has reset an existing, in-flight request) will be queued until a
     handler exits. If the request queue grows too large, the server
     will terminate the connection.

     This issue is also fixed in golang.org/x/net/http2 v0.17.0,
     for users manually configuring HTTP/2.

     The default stream concurrency limit is 250 streams (requests)
     per HTTP/2 connection. This value may be adjusted using the
     golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams
     setting and the ConfigureServer function.

     This is CVE-2023-39325 and Go issue https://go.dev/issue/63417.
     This is also tracked by CVE-2023-44487.

     1.21.2

     cmd/go: line directives allow arbitrary execution during build

     "//line" directives can be used to bypass the restrictions on "//go:cgo_"
     directives, allowing blocked linker and compiler flags to be passed during
     compilation. This can result in unexpected execution of arbitrary code when
     running "go build". The line directive requires the absolute path of the file in
     which the directive lives, which makes exploiting this issue significantly more
     complex.

     This is CVE-2023-39323 and Go issue https://go.dev/issue/63211.

     To generate a diff of this commit:
     cvs rdiff -u -r1.190 -r1.191 pkgsrc/lang/go/version.mk
     cvs rdiff -u -r1.2 -r1.3 pkgsrc/lang/go121/PLIST pkgsrc/lang/go121/distinfo
  module: pkgsrc
  subject: 'CVS commit: [pkgsrc-2023Q3] pkgsrc/lang'
  unixtime: '1699102832'
  user: spz