Wed Apr 13 07:12:00 2016 UTC ()
Update Go to 1.6.1.

Two security-related issues were recently reported, and to address these issues
we have just released Go 1.6.1 and Go 1.5.4.

We recommend that all users update to one of these releases (if you're not sure
which, choose Go 1.6.1).

The issues addressed by these releases are:

On Windows, Go loads system DLLs by name with LoadLibrary, making it vulnerable
to DLL preloading attacks. For instance, if a user runs a Go executable from a
Downloads folder, malicious DLL files also downloaded to that folder could be
loaded into that executable.
This is CVE-2016-3958 and was addressed by this change: https://golang.org/cl/21428
Thanks to Taru Karttunen for identifying this issue.

Go's crypto libraries passed certain parameters unchecked to the underlying big
integer library, possibly leading to extremely long-running computations, which
in turn makes Go programs vulnerable to remote denial of service attacks.
Programs using HTTPS client certificates or the Go SSH server libraries are
both exposed to this vulnerability.
This is CVE-2016-3959 and was addressed by this change: https://golang.org/cl/21533
Thanks to David Wong for identifying this issue.


(bsiegert)
diff -r1.40 -r1.41 pkgsrc/lang/go/Makefile
diff -r1.22 -r1.23 pkgsrc/lang/go/PLIST
diff -r1.34 -r1.35 pkgsrc/lang/go/distinfo
diff -r1.12 -r1.13 pkgsrc/lang/go/version.mk
diff -r1.1 -r0 pkgsrc/lang/go/patches/patch-src_crypto_dsa_dsa.go

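--- a/pkgsrc/lang/go/Makefile
+++ b/pkgsrc/lang/go/Makefile
@@ -1,20 +1,19 @@
-# $NetBSD: Makefile,v 1.40 2016/04/08 20:00:02 bsiegert Exp $
+# $NetBSD: Makefile,v 1.41 2016/04/13 07:12:00 bsiegert Exp $
 
 .include "version.mk"
 
 DISTNAME= go${GO_VERSION}.src
 PKGNAME= go-${GO_VERSION}
-PKGREVISION= 1
 CATEGORIES= lang
 MASTER_SITES= https://storage.googleapis.com/golang/
 
 MAINTAINER= bsiegert@NetBSD.org
 HOMEPAGE= http://golang.org/
 COMMENT= The Go programming language
 LICENSE= modified-bsd
 
 WRKSRC= ${WRKDIR}/go
 USE_TOOLS+= bash:run perl:run pax
 
 # uses ulimit -T
 # BUILD_DEPENDS+= bash>=4.2nb3:../../shells/bash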

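--- a/pkgsrc/lang/go/Attic/PLIST
+++ b/pkgsrc/lang/go/Attic/PLIST
@@ -1,14 +1,14 @@
-@comment $NetBSD: PLIST,v 1.22 2016/02/23 20:12:25 bsiegert Exp $
+@comment $NetBSD: PLIST,v 1.23 2016/04/13 07:12:00 bsiegert Exp $
 bin/go
 bin/gofmt
 go/AUTHORS
 go/CONTRIBUTING.md
 go/CONTRIBUTORS
 go/LICENSE
 go/PATENTS
 go/README.md
 go/VERSION
 go/api/README
 go/api/except.txt
 go/api/go1.1.txt
 go/api/go1.2.txt
@@ -805,26 +805,27 @@ go/pkg/${GO_PLATFORM}/html.a
 go/pkg/${GO_PLATFORM}/html/template.a
 go/pkg/${GO_PLATFORM}/image.a
 go/pkg/${GO_PLATFORM}/image/color.a
 go/pkg/${GO_PLATFORM}/image/color/palette.a
 go/pkg/${GO_PLATFORM}/image/draw.a
 go/pkg/${GO_PLATFORM}/image/gif.a
 go/pkg/${GO_PLATFORM}/image/internal/imageutil.a
 go/pkg/${GO_PLATFORM}/image/jpeg.a
 go/pkg/${GO_PLATFORM}/image/png.a
 go/pkg/${GO_PLATFORM}/index/suffixarray.a
 go/pkg/${GO_PLATFORM}/internal/golang.org/x/net/http2/hpack.a
 go/pkg/${GO_PLATFORM}/internal/race.a
 go/pkg/${GO_PLATFORM}/internal/singleflight.a
+go/pkg/${GO_PLATFORM}/internal/syscall/windows/sysdll.a
 go/pkg/${GO_PLATFORM}/internal/testenv.a
 go/pkg/${GO_PLATFORM}/internal/trace.a
 go/pkg/${GO_PLATFORM}/io.a
 go/pkg/${GO_PLATFORM}/io/ioutil.a
 go/pkg/${GO_PLATFORM}/log.a
 go/pkg/${GO_PLATFORM}/log/syslog.a
 go/pkg/${GO_PLATFORM}/math.a
 go/pkg/${GO_PLATFORM}/math/big.a
 go/pkg/${GO_PLATFORM}/math/cmplx.a
 go/pkg/${GO_PLATFORM}/math/rand.a
 go/pkg/${GO_PLATFORM}/mime.a
 go/pkg/${GO_PLATFORM}/mime/multipart.a
 go/pkg/${GO_PLATFORM}/mime/quotedprintable.a
@@ -2505,26 +2506,27 @@ go/src/internal/syscall/unix/getrandom_l
 go/src/internal/syscall/unix/getrandom_linux_386.go
 go/src/internal/syscall/unix/getrandom_linux_amd64.go
 go/src/internal/syscall/unix/getrandom_linux_arm.go
 go/src/internal/syscall/unix/getrandom_linux_generic.go
 go/src/internal/syscall/unix/getrandom_linux_mips64x.go
 go/src/internal/syscall/unix/getrandom_linux_ppc64x.go
 go/src/internal/syscall/windows/registry/export_test.go
 go/src/internal/syscall/windows/registry/key.go
 go/src/internal/syscall/windows/registry/registry_test.go
 go/src/internal/syscall/windows/registry/syscall.go
 go/src/internal/syscall/windows/registry/value.go
 go/src/internal/syscall/windows/registry/zsyscall_windows.go
 go/src/internal/syscall/windows/syscall_windows.go
+go/src/internal/syscall/windows/sysdll/sysdll.go
 go/src/internal/syscall/windows/zsyscall_windows.go
 go/src/internal/testenv/testenv.go
 go/src/internal/trace/goroutines.go
 go/src/internal/trace/parser.go
 go/src/internal/trace/parser_test.go
 go/src/io/example_test.go
 go/src/io/io.go
 go/src/io/io_test.go
 go/src/io/ioutil/example_test.go
 go/src/io/ioutil/ioutil.go
 go/src/io/ioutil/ioutil_test.go
 go/src/io/ioutil/tempfile.go
 go/src/io/ioutil/tempfile_test.go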

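--- a/pkgsrc/lang/go/Attic/distinfo
+++ b/pkgsrc/lang/go/Attic/distinfo
@@ -1,12 +1,11 @@
-$NetBSD: distinfo,v 1.34 2016/04/08 20:00:02 bsiegert Exp $
+$NetBSD: distinfo,v 1.35 2016/04/13 07:12:00 bsiegert Exp $
 
-SHA1 (go1.6.src.tar.gz) = 3282b6cb1e491662f7067544605d8cbf6f016553
-RMD160 (go1.6.src.tar.gz) = 9ed6feb79610d4ef0b9c2113dfddce72ff26ae7a
-SHA512 (go1.6.src.tar.gz) = 59e9d72a80558fd5e3f176e068897a45333b36e35f6c00393647941a70e741168e65941b6059397378020c3b78ec3471a48809682f7efd97cf33eec6325fc3e8
-Size (go1.6.src.tar.gz) = 12613308 bytes
+SHA1 (go1.6.1.src.tar.gz) = aa8f912f2534c8faa5c5b6d278e7cb3a4f4d238c
+RMD160 (go1.6.1.src.tar.gz) = cf261ac91523982d0d6980a297bccb3fdbcd718c
+SHA512 (go1.6.1.src.tar.gz) = 31ea2504f8ab0fd709005275d0c2129b6cdb4e5d34d6e2b435b23480674b135d1bff8de863b1e01201e757523f4dc28b6ebefeb87d7e855f2509a6837e436fab
+Size (go1.6.1.src.tar.gz) = 12615799 bytes
 SHA1 (patch-lib_time_update.bash) = bcf565b97ae7898a9e5cef7686fe42c69bc0bba1
 SHA1 (patch-misc_io_clangwrap.sh) = cd91c47ba0fe7b6eb8009dd261c0c26c7d581c29
 SHA1 (patch-src_cmd_go_pkg.go) = ccc470577951bd00741c39229599c0c06be52d0a
-SHA1 (patch-src_crypto_dsa_dsa.go) = ed2bdfeab0205f8fdddd7a765f150b0ce832d7a7
 SHA1 (patch-src_crypto_x509_root__bsd.go) = 0eca1eafa967268ae9b224be4aeda347ebc91901
 SHA1 (patch-src_syscall_syscall__solaris.go) = 436371947897dcba574a6dfecc6bbcd04f6e25b2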
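Review bot: The distinfo entry for patch-src_crypto_dsa_dsa.go is dropped (old line 10) and the patch file itself is deleted, but the log message never says why a local patch to a crypto package is going away. Revision 1.40 carried this patch together with `PKGREVISION= 1`, so it was presumably a backport that Go 1.6.1 now ships upstream; the page does not show the patch contents, so that should be confirmed against the 1.6.1 source tree before relying on it. If it holds, I would record it in the log with a line such as `Remove patch-src_crypto_dsa_dsa.go, the fix is included upstream in 1.6.1.` so that later audits of CVE-2016-3959 coverage in pkgsrc do not have to reconstruct the reasoning.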

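--- a/pkgsrc/lang/go/version.mk
+++ b/pkgsrc/lang/go/version.mk
@@ -1,18 +1,18 @@
-# $NetBSD: version.mk,v 1.12 2016/02/23 20:12:25 bsiegert Exp $
+# $NetBSD: version.mk,v 1.13 2016/04/13 07:12:00 bsiegert Exp $
 
 .include "../../mk/bsd.prefs.mk"
 
-GO_VERSION= 1.6
+GO_VERSION= 1.6.1
 GO14_VERSION= 1.4.3
 
 ONLY_FOR_PLATFORM= *-*-i386 *-*-x86_64 *-*-evbarm
 NOT_FOR_PLATFORM= SunOS-*-i386
 .if ${MACHINE_ARCH} == "i386"
 GOARCH= 386
 GOCHAR= 8
 .elif ${MACHINE_ARCH} == "x86_64"
 GOARCH= amd64
 GOCHAR= 6
 .elif ${MACHINE_ARCH} == "evbarm"
 GOARCH= arm
 GOCHAR= 5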

File Deleted: pkgsrc/lang/go/patches/Attic/patch-src_crypto_dsa_dsa.go