Date: Wed, 10 Mar 2021 19:55:17 +0000
From: "Benny Siegert"
Subject: CVS commit: pkgsrc/lang
To: pkgsrc-changes@NetBSD.org
Reply-To: bsiegert@netbsd.org
X-Mailer: log_accum
Message-Id: <20210310195517.761C7FA95@cvs.NetBSD.org>
Sender: pkgsrc-changes-owner@NetBSD.org
Precedence: bulk

Module Name: pkgsrc
Committed By: bsiegert
Date: Wed Mar 10 19:55:17 UTC 2021

Modified Files:
pkgsrc/lang/go: version.mk
pkgsrc/lang/go116: distinfo

Log Message:
Update go116 to 1.16.1, fixing two security issues:

- encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader

  The Decode, DecodeElement, and Skip methods of an xml.Decoder provided by xml.NewTokenDecoder may enter an infinite loop when operating on a custom xml.TokenReader which returns an EOF in the middle of an open XML element.

  Thanks to Sam Whited for reporting this issue.

  This issue is CVE-2021-27918 and Go issue golang.org/issue/44913.

- archive/zip: panic when calling Reader.Open

  The Reader.Open API, new in Go 1.16, will panic when used on a ZIP archive containing files that start with "../".

  This issue is CVE-2021-27919 and Go issue golang.org/issue/44916.

To generate a diff of this commit:
cvs rdiff -u -r1.111 -r1.112 pkgsrc/lang/go/version.mk
cvs rdiff -u -r1.3 -r1.4 pkgsrc/lang/go116/distinfo

Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.

Modified files:

Index: pkgsrc/lang/go/version.mk diff -u pkgsrc/lang/go/version.mk:1.111 pkgsrc/lang/go/version.mk:1.112 --- pkgsrc/lang/go/version.mk:1.111 Wed Feb 17 08:07:03 2021 +++ pkgsrc/lang/go/version.mk Wed Mar 10 19:55:17 2021
@@ -1,4 +1,4 @@ -# $NetBSD: version.mk,v 1.111 2021/02/17 08:07:03 bsiegert Exp $ +# $NetBSD: version.mk,v 1.112 2021/03/10 19:55:17 bsiegert Exp $ # # If bsd.prefs.mk is included before go-package.mk in a package, then this @@ -6,7 +6,7 @@ # .include "go-vars.mk" -GO116_VERSION= 1.16 +GO116_VERSION= 1.16.1 GO115_VERSION= 1.15.7 GO114_VERSION= 1.14.14 GO113_VERSION= 1.13.15 Index: pkgsrc/lang/go116/distinfo diff -u pkgsrc/lang/go116/distinfo:1.3 pkgsrc/lang/go116/distinfo:1.4 --- pkgsrc/lang/go116/distinfo:1.3 Wed Feb 17 08:07:03 2021 +++ pkgsrc/lang/go116/distinfo Wed Mar 10 19:55:17 2021 @@ -1,9 +1,9 @@ -$NetBSD: distinfo,v 1.3 2021/02/17 08:07:03 bsiegert Exp $ +$NetBSD: distinfo,v 1.4 2021/03/10 19:55:17 bsiegert Exp $ -SHA1 (go1.16.src.tar.gz) = 1d2b65415c9061eeb800c888a936511d6af0d6d5 -RMD160 (go1.16.src.tar.gz) = 1009890b7d4bbf6d8888a6f7adae8b0e42edb7ae -SHA512 (go1.16.src.tar.gz) = 9c43e0ebb2d35c694b652cae8d4040ce3f3c8c014abd9496c92c78cc015ecea5b5331e7c2acf098d0c24dec222454ea09d834df4b6bc90d46e9feeac0ac578bf -Size (go1.16.src.tar.gz) = 20895394 bytes +SHA1 (go1.16.1.src.tar.gz) = ab7746ed5ec54110f5fbf4f8615a640530990111 +RMD160 (go1.16.1.src.tar.gz) = cab008285e02e97ab3523239684f9ad0b102da6b +SHA512 (go1.16.1.src.tar.gz) = c7674be1a4a03c031d13a52e03a5e134bd2f499fe1bde3083885e363528252fce43b119974b804c8c46ec59e85337bb94e96b7a7183bdb78301898e222b3bba1 +Size (go1.16.1.src.tar.gz) = 20897580 bytes SHA1 (patch-misc_ios_clangwrap.sh) = 0a06403609cb7bce2e6f65444fd322f486761afe SHA1 (patch-src_cmd_dist_util.go) = 24e6f1b6ded842a8ce322a40e8766f7d344bc47e SHA1 (patch-src_crypto_x509_root__bsd.go) = 27636e0d8c121ccec6c46a3a82cd0e0469473a6e --_----------=_1615406117100800--
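Review bot: In the second version.mk hunk only GO116_VERSION moves (1.16 to 1.16.1) while the context line GO115_VERSION= 1.15.7 stays as it is, and the log message does not say whether the encoding/xml issue also applies to the 1.15 branch. Suggest stating in the log message that go115 is unaffected, or bumping GO115_VERSION in a matching commit if it is affected. The archive/zip item is described as new in Go 1.16, so only the encoding/xml item needs that check.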
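Review bot: In the distinfo hunk the four go1.16.1.src.tar.gz lines (SHA1, RMD160, SHA512, Size) are replaced, but nothing in the commit records that the new digests were compared with a checksum published by upstream rather than only regenerated from the tarball that was fetched. Suggest adding a line to the log message saying how the distfile was verified. The patch-* SHA1 context lines are unchanged, so the local patches are carried over as they were; a build against 1.16.1 should confirm they still apply.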