Date: Wed, 13 Apr 2016 07:12:00 +0000
From: "Benny Siegert"
Subject: CVS commit: pkgsrc/lang/go
To: pkgsrc-changes@NetBSD.org
Reply-To: bsiegert@netbsd.org
Message-Id: <20160413071200.CA72DFBBA@cvs.NetBSD.org>

Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Wed Apr 13 07:12:00 UTC 2016

Modified Files:
        pkgsrc/lang/go: Makefile PLIST distinfo version.mk
Removed Files:
        pkgsrc/lang/go/patches: patch-src_crypto_dsa_dsa.go

Log Message:
Update Go to 1.6.1.

Two security-related issues were recently reported, and to address these issues we have just released Go 1.6.1 and Go 1.5.4.

We recommend that all users update to one of these releases (if you're not sure which, choose Go 1.6.1).

The issues addressed by these releases are:

On Windows, Go loads system DLLs by name with LoadLibrary, making it vulnerable to DLL preloading attacks. For instance, if a user runs a Go executable from a Downloads folder, malicious DLL files also downloaded to that folder could be loaded into that executable.

This is CVE-2016-3958 and was addressed by this change: https://golang.org/cl/21428

Thanks to Taru Karttunen for identifying this issue.

Go's crypto libraries passed certain parameters unchecked to the underlying big integer library, possibly leading to extremely long-running computations, which in turn makes Go programs vulnerable to remote denial of service attacks. Programs using HTTPS client certificates or the Go SSH server libraries are both exposed to this vulnerability.

This is CVE-2016-3959 and was addressed by this change: https://golang.org/cl/21533

Thanks to David Wong for identifying this issue.

To generate a diff of this commit:
        cvs rdiff -u -r1.40 -r1.41 pkgsrc/lang/go/Makefile
        cvs rdiff -u -r1.22 -r1.23 pkgsrc/lang/go/PLIST
        cvs rdiff -u -r1.34 -r1.35 pkgsrc/lang/go/distinfo
        cvs rdiff -u -r1.12 -r1.13 pkgsrc/lang/go/version.mk
        cvs rdiff -u -r1.1 -r0 pkgsrc/lang/go/patches/patch-src_crypto_dsa_dsa.go

Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
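
Added example, not part of this commit or of the Go change: a pre-check of the kind the CVE-2016-3959 description in the log message calls for, rejecting malformed public-key parameters before they reach big-integer arithmetic. The log message does not say which parameters were unchecked; DSA public keys are assumed here, and ValidateDSAPublicKey, ConstructedKey and allowedSizes are hypothetical names.

```go
package main

import (
	"crypto/dsa"
	"errors"
	"fmt"
	"math/big"
)

// allowedSizes: the (L, N) bit lengths of P and Q that crypto/dsa can generate.
var allowedSizes = map[[2]int]bool{{1024, 160}: true, {2048, 224}: true, {2048, 256}: true, {3072, 256}: true}

// ValidateDSAPublicKey rejects keys whose parameters are missing, zero, negative,
// oddly sized or out of range. Structure only; it does not test primality.
func ValidateDSAPublicKey(pub *dsa.PublicKey) error {
	if pub == nil || pub.P == nil || pub.Q == nil || pub.G == nil || pub.Y == nil {
		return errors.New("dsa: missing parameter")
	}
	for _, v := range []*big.Int{pub.P, pub.Q, pub.G, pub.Y} {
		if v.Sign() <= 0 {
			return errors.New("dsa: parameter is zero or negative")
		}
	}
	if l, n := pub.P.BitLen(), pub.Q.BitLen(); !allowedSizes[[2]int{l, n}] {
		return fmt.Errorf("dsa: unsupported sizes L=%d N=%d", l, n)
	}
	one := big.NewInt(1)
	for _, v := range []*big.Int{pub.G, pub.Y} { // both must lie in (1, P)
		if v.Cmp(one) <= 0 || v.Cmp(pub.P) >= 0 {
			return errors.New("dsa: G or Y outside (1, P)")
		}
	}
	return nil
}

// ConstructedKey builds a sample key (constructed, not a real key) with P and Q of the given bit lengths.
func ConstructedKey(pBits, qBits int) *dsa.PublicKey {
	top := func(bits int) *big.Int { return new(big.Int).SetBit(big.NewInt(1), bits-1, 1) }
	return &dsa.PublicKey{
		Parameters: dsa.Parameters{P: top(pBits), Q: top(qBits), G: big.NewInt(2)},
		Y:          big.NewInt(3),
	}
}

func main() {
	fmt.Println(ValidateDSAPublicKey(ConstructedKey(1024, 160))) // well-formed sizes and ranges
	fmt.Println(ValidateDSAPublicKey(ConstructedKey(4096, 160))) // oversized modulus is refused
}
```

A check like this belongs at the point where a key arrives from an untrusted peer, before any verification call.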