Date: Wed, 3 May 2023 19:24:54 +0000
From: "Benny Siegert"
Subject: CVS commit: pkgsrc/lang
To: pkgsrc-changes@NetBSD.org
Reply-To: bsiegert@netbsd.org
Message-Id: <20230503192454.F219FFA87@cvs.NetBSD.org>

Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Wed May 3 19:24:54 UTC 2023

Modified Files:
        pkgsrc/lang/go: version.mk
        pkgsrc/lang/go119: PLIST distinfo

Log Message:
go119: update to 1.19.9 (security)

This minor release includes 3 security fixes following the security policy:

* html/template: improper sanitization of CSS values

  Angle brackets (<>) were not considered dangerous characters when inserted
  into CSS contexts. Templates containing multiple actions separated by a '/'
  character could result in unexpectedly closing the CSS context and allowing
  for injection of unexpected HTML, if executed with untrusted input.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-24539 and Go issue https://go.dev/issue/59720.

* html/template: improper handling of JavaScript whitespace

  Not all valid JavaScript whitespace characters were considered to be
  whitespace. Templates containing whitespace characters outside of the
  character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also
  contain actions may not be properly sanitized during execution.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-24540 and Go issue https://go.dev/issue/59721.

* html/template: improper handling of empty HTML attributes

  Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}")
  executed with empty input could result in output that would have unexpected
  results when parsed due to HTML normalization rules. This may allow
  injection of arbitrary attributes into tags.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29400 and Go issue https://go.dev/issue/59722.

To generate a diff of this commit:

cvs rdiff -u -r1.177 -r1.178 pkgsrc/lang/go/version.mk
cvs rdiff -u -r1.8 -r1.9 pkgsrc/lang/go119/PLIST
cvs rdiff -u -r1.10 -r1.11 pkgsrc/lang/go119/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/lang/go/version.mk diff -u pkgsrc/lang/go/version.mk:1.177 pkgsrc/lang/go/version.mk:1.178 --- pkgsrc/lang/go/version.mk:1.177 Tue Apr 4 18:33:25 2023 +++ pkgsrc/lang/go/version.mk Wed May 3 19:24:54 2023 @@ -1,4 +1,4 @@ -# $NetBSD: version.mk,v 1.177 2023/04/04 18:33:25 bsiegert Exp $ +# $NetBSD: version.mk,v 1.178 2023/05/03 19:24:54 bsiegert Exp $ # # If bsd.prefs.mk is included before go-package.mk in a package, then this @@ -7,7 +7,7 @@ .include "go-vars.mk" GO120_VERSION= 1.20.3 -GO119_VERSION= 1.19.8 +GO119_VERSION= 1.19.9 GO118_VERSION= 1.18.10 GO14_VERSION= 1.4.3 Index: pkgsrc/lang/go119/PLIST diff -u pkgsrc/lang/go119/PLIST:1.8 pkgsrc/lang/go119/PLIST:1.9 --- pkgsrc/lang/go119/PLIST:1.8 Tue Apr 4 18:22:14 2023 +++ pkgsrc/lang/go119/PLIST Wed May 3 19:24:54 2023 @@ -1,4 +1,4 @@ -@comment $NetBSD: PLIST,v 1.8 2023/04/04 18:22:14 bsiegert Exp $ +@comment $NetBSD: PLIST,v 1.9 2023/05/03 19:24:54 bsiegert Exp $ bin/go${GOVERSSUFFIX} bin/gofmt${GOVERSSUFFIX} go119/CONTRIBUTING.md
@@ -7256,10 +7256,6 @@ go119/src/os/readfrom_stub.go go119/src/os/removeall_at.go go119/src/os/removeall_noat.go go119/src/os/removeall_test.go -go119/src/os/rlimit.go -go119/src/os/rlimit_darwin.go -go119/src/os/rlimit_stub.go -go119/src/os/rlimit_test.go go119/src/os/signal/doc.go go119/src/os/signal/example_test.go go119/src/os/signal/example_unix_test.go @@ -8538,6 +8534,7 @@ go119/src/syscall/exec_windows_test.go go119/src/syscall/export_darwin_test.go go119/src/syscall/export_freebsd_test.go go119/src/syscall/export_linux_test.go +go119/src/syscall/export_rlimit_test.go go119/src/syscall/export_unix_test.go go119/src/syscall/export_windows_test.go go119/src/syscall/flock.go @@ -8577,6 +8574,10 @@ go119/src/syscall/netlink_linux.go go119/src/syscall/ptrace_darwin.go go119/src/syscall/ptrace_ios.go go119/src/syscall/pwd_plan9.go +go119/src/syscall/rlimit.go +go119/src/syscall/rlimit_darwin.go +go119/src/syscall/rlimit_stub.go +go119/src/syscall/rlimit_test.go go119/src/syscall/route_bsd.go go119/src/syscall/route_darwin.go go119/src/syscall/route_dragonfly.go @@ -11234,6 +11235,7 @@ go119/test/fixedbugs/issue5373.go go119/test/fixedbugs/issue53982.go go119/test/fixedbugs/issue54220.go go119/test/fixedbugs/issue54467.go +go119/test/fixedbugs/issue54632.go go119/test/fixedbugs/issue54638.go go119/test/fixedbugs/issue5470.dir/a.go go119/test/fixedbugs/issue5470.dir/b.go 
@@ -11271,10 +11273,13 @@ go119/test/fixedbugs/issue5856.go go119/test/fixedbugs/issue5910.dir/a.go go119/test/fixedbugs/issue5910.dir/main.go go119/test/fixedbugs/issue5910.go +go119/test/fixedbugs/issue59367.go go119/test/fixedbugs/issue5957.dir/a.go go119/test/fixedbugs/issue5957.dir/b.go go119/test/fixedbugs/issue5957.dir/c.go go119/test/fixedbugs/issue5957.go +go119/test/fixedbugs/issue59572.go +go119/test/fixedbugs/issue59572.out go119/test/fixedbugs/issue5963.go go119/test/fixedbugs/issue6004.go go119/test/fixedbugs/issue6036.go Index: pkgsrc/lang/go119/distinfo diff -u pkgsrc/lang/go119/distinfo:1.10 pkgsrc/lang/go119/distinfo:1.11 --- pkgsrc/lang/go119/distinfo:1.10 Tue Apr 4 18:22:14 2023 +++ pkgsrc/lang/go119/distinfo Wed May 3 19:24:54 2023 @@ -1,8 +1,8 @@ -$NetBSD: distinfo,v 1.10 2023/04/04 18:22:14 bsiegert Exp $ +$NetBSD: distinfo,v 1.11 2023/05/03 19:24:54 bsiegert Exp $ -BLAKE2s (go1.19.8.src.tar.gz) = 80e7ca6822b2a04bf8837aca9ece2c1a15587aa2f6d859b4b2dc119b4f815a1c -SHA512 (go1.19.8.src.tar.gz) = d7ecbae3034211d7c64df4c0fce6894bae3e7e8de20bd2aa9f24b39cc040fa64d8a3bea311582cf4455a981dc3c8f319141f7f357db4eebd27d4451fee05727a -Size (go1.19.8.src.tar.gz) = 26553006 bytes +BLAKE2s (go1.19.9.src.tar.gz) = e2e97859cac2288f04d7bc458179fb5037024bd448e1efce408f2d03c3804c61 +SHA512 (go1.19.9.src.tar.gz) = 548525fc33b0d0c6e5e175190b3235a3bfe2046607a87e3b890735bae4f6279f77a15122cfd432c7971c829a631883a1ed2e39399e23c9b8fa96f86502a8c02e +Size (go1.19.9.src.tar.gz) = 26556330 bytes SHA1 (patch-misc_ios_clangwrap.sh) = 0a06403609cb7bce2e6f65444fd322f486761afe SHA1 (patch-src_cmd_dist_util.go) = 2d9c2f59e27672d56f5f1a0e3f9d5101a05546a7 SHA1 (patch-src_crypto_x509_root__bsd.go) = 0b5dead901450967109303f873a2696c65ccac35 --_----------=_1683141894200510--
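Review bot: The log does not say whether lang/go120 needs the same three html/template fixes: in the version.mk hunk at -7,7 only GO119_VERSION changes (1.19.8 to 1.19.9) and GO120_VERSION= 1.20.3 is untouched context. If the 1.20 branch is affected, bump it in the same change or note in the log that it is handled separately, so the shared version.mk does not leave one Go version behind on a security update.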
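Review bot: The log message lists only the three security fixes, but the PLIST hunks show further changes in this release that go unmentioned: rlimit.go, rlimit_darwin.go, rlimit_stub.go and rlimit_test.go are removed under go119/src/os/ (hunk at -7256) and added under go119/src/syscall/ (hunk at -8577, with export_rlimit_test.go at -8538), and new test/fixedbugs entries issue54632.go, issue59367.go and issue59572.go/.out appear. One line in the log noting the non-security changes would make it match the diff.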
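Review bot: Nothing in the log records how the new distfile was authenticated; the distinfo hunk replaces BLAKE2s, SHA512 and Size for go1.19.9.src.tar.gz with no reference to an upstream checksum. For a security update, state in the log that the tarball was checked against the checksum published for the release. The three SHA1 (patch-...) lines are unchanged context, so also confirm that the local patches still apply cleanly to 1.19.9.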
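The third item in the log message concerns actions used as unquoted attribute values ("attr={{.}}"). The following is an added example, not part of this commit, pkgsrc or Go: a heuristic scanner that flags such actions in template source so they can be reviewed or quoted. The names FindUnquotedAttrActions and Finding and the sample template are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one action used as an unquoted attribute value.
type Finding struct {
	Line int
	Attr string
}

// sample is a constructed template, not taken from any real project.
const sample = `<input name=q value={{.Query}}>
<a href="{{.URL}}" class={{.Class}}>{{.Label}}</a>
<p>a = {{.A}}</p>`

// FindUnquotedAttrActions flags attr={{...}} inside tags. It is a heuristic
// lexer (tracks "in tag" and "in quotes" only), not the html/template parser.
func FindUnquotedAttrActions(src string) []Finding {
	var out []Finding
	inTag, quote := false, byte(0)
	for i := 0; i < len(src); i++ {
		c := src[i]
		switch {
		case quote != 0: // inside a quoted attribute value
			if c == quote {
				quote = 0
			}
		case !inTag: // a tag opens with '<' followed by a letter
			inTag = c == '<' && i+1 < len(src) && (src[i+1]|0x20) >= 'a' && (src[i+1]|0x20) <= 'z'
		case c == '>':
			inTag = false
		case c == '"' || c == '\'':
			quote = c
		case c == '=' && strings.HasPrefix(strings.TrimLeft(src[i+1:], " \t\r\n"), "{{"):
			name := strings.TrimRight(src[:i], " \t\r\n")
			j := strings.LastIndexAny(name, " \t\r\n<\"'/")
			out = append(out, Finding{strings.Count(src[:i], "\n") + 1, name[j+1:]})
		}
	}
	return out
}

func main() {
	for _, f := range FindUnquotedAttrActions(sample) {
		fmt.Printf("line %d: attribute %q has an unquoted action value\n", f.Line, f.Attr)
	}
}
```

Quoted values such as href="{{.URL}}" and actions in text content are not reported; only actions that directly follow "=" inside a tag are.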