Wed Apr 13 07:12:00 2016 UTC
Update Go to 1.6.1.
Two security-related issues were recently reported, and to address these issues
we have just released Go 1.6.1 and Go 1.5.4.
We recommend that all users update to one of these releases (if you're not sure
which, choose Go 1.6.1).
The issues addressed by these releases are:
On Windows, Go loads system DLLs by name with LoadLibrary, making it vulnerable
to DLL preloading attacks. For instance, if a user runs a Go executable from a
Downloads folder, malicious DLL files also downloaded to that folder could be
loaded into that executable.
This is CVE-2016-3958 and was addressed by this change: https://golang.org/cl/21428
Thanks to Taru Karttunen for identifying this issue.
Go's crypto libraries passed certain parameters unchecked to the underlying big
integer library, possibly leading to extremely long-running computations, which
in turn makes Go programs vulnerable to remote denial of service attacks.
Programs using HTTPS client certificates or the Go SSH server libraries are
both exposed to this vulnerability.
This is CVE-2016-3959 and was addressed by this change: https://golang.org/cl/21533
Thanks to David Wong for identifying this issue.
(bsiegert)
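Added example, not part of this commit or of the upstream Go change: one way for a caller to bound the second issue described above, by checking peer-supplied DSA parameters before they reach crypto/dsa and math/big. The helper names checkDSAPublicKey and safeVerify and the sample key values are assumptions made for this example, and the checks cover more malformed inputs than the single case the message mentions.

```go
package main

import (
	"crypto/dsa"
	"errors"
	"fmt"
	"math/big"
)

// (L, N) bit-length pairs from FIPS 186-3, the sizes crypto/dsa itself can generate.
var allowedSizes = map[[2]int]bool{
	{1024, 160}: true, {2048, 224}: true, {2048, 256}: true, {3072, 256}: true,
}

// checkDSAPublicKey (hypothetical helper) rejects malformed peer-supplied
// parameters before any modular arithmetic is run on them.
func checkDSAPublicKey(pub *dsa.PublicKey) error {
	if pub == nil || pub.P == nil || pub.Q == nil || pub.G == nil || pub.Y == nil {
		return errors.New("dsa: missing parameter")
	}
	// A zero or negative modulus must never reach big.Int Exp or ModInverse.
	if pub.P.Sign() <= 0 || pub.Q.Sign() <= 0 {
		return errors.New("dsa: non-positive modulus")
	}
	// Bounding the sizes also bounds the cost of each exponentiation.
	if l, n := pub.P.BitLen(), pub.Q.BitLen(); !allowedSizes[[2]int{l, n}] {
		return fmt.Errorf("dsa: unsupported sizes L=%d N=%d", l, n)
	}
	one := big.NewInt(1)
	for _, v := range []*big.Int{pub.G, pub.Y} {
		if v.Cmp(one) <= 0 || v.Cmp(pub.P) >= 0 {
			return errors.New("dsa: G or Y outside (1, P)")
		}
	}
	return nil
}

// safeVerify (hypothetical) validates the key, then delegates to dsa.Verify.
func safeVerify(pub *dsa.PublicKey, digest []byte, r, s *big.Int) bool {
	return checkDSAPublicKey(pub) == nil && dsa.Verify(pub, digest, r, s)
}

func main() {
	// Constructed malformed key with P = 0, as an untrusted peer could send.
	bad := &dsa.PublicKey{Parameters: dsa.Parameters{P: new(big.Int), Q: big.NewInt(7), G: big.NewInt(2)}, Y: big.NewInt(3)}
	fmt.Println(checkDSAPublicKey(bad), safeVerify(bad, []byte("digest"), big.NewInt(1), big.NewInt(1)))
}
```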
diff -r1.40 -r1.41 pkgsrc/lang/go/Makefile
diff -r1.22 -r1.23 pkgsrc/lang/go/PLIST
diff -r1.34 -r1.35 pkgsrc/lang/go/distinfo
diff -r1.12 -r1.13 pkgsrc/lang/go/version.mk
diff -r1.1 -r0 pkgsrc/lang/go/patches/patch-src_crypto_dsa_dsa.go
--- pkgsrc/lang/go/Makefile 2016/04/08 20:00:02 1.40
+++ pkgsrc/lang/go/Makefile 2016/04/13 07:12:00 1.41
@@ -1,10 +1,9 @@
-# $NetBSD: Makefile,v 1.40 2016/04/08 20:00:02 bsiegert Exp $
+# $NetBSD: Makefile,v 1.41 2016/04/13 07:12:00 bsiegert Exp $
.include "version.mk"
DISTNAME= go${GO_VERSION}.src
PKGNAME= go-${GO_VERSION}
-PKGREVISION= 1
CATEGORIES= lang
MASTER_SITES= https://storage.googleapis.com/golang/
--- pkgsrc/lang/go/Attic/PLIST 2016/02/23 20:12:25 1.22
+++ pkgsrc/lang/go/Attic/PLIST 2016/04/13 07:12:00 1.23
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.22 2016/02/23 20:12:25 bsiegert Exp $
+@comment $NetBSD: PLIST,v 1.23 2016/04/13 07:12:00 bsiegert Exp $
bin/go
bin/gofmt
go/AUTHORS
@@ -815,6 +815,7 @@
go/pkg/${GO_PLATFORM}/internal/golang.org/x/net/http2/hpack.a
go/pkg/${GO_PLATFORM}/internal/race.a
go/pkg/${GO_PLATFORM}/internal/singleflight.a
+go/pkg/${GO_PLATFORM}/internal/syscall/windows/sysdll.a
go/pkg/${GO_PLATFORM}/internal/testenv.a
go/pkg/${GO_PLATFORM}/internal/trace.a
go/pkg/${GO_PLATFORM}/io.a
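Review bot: The added sysdll.a entry is the only archive under internal/syscall/windows/ in this part of the pkg list (the unchanged neighbours go straight from internal/singleflight.a to internal/testenv.a), so it needs a check that the archive is really produced on every target named in ONLY_FOR_PLATFORM and not only on the host where the PLIST was regenerated. If any supported platform does not build it, package installation there will fail on a missing file; a clean build on a second platform would settle it before this goes in unconditionally.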
@@ -2515,6 +2516,7 @@
go/src/internal/syscall/windows/registry/value.go
go/src/internal/syscall/windows/registry/zsyscall_windows.go
go/src/internal/syscall/windows/syscall_windows.go
+go/src/internal/syscall/windows/sysdll/sysdll.go
go/src/internal/syscall/windows/zsyscall_windows.go
go/src/internal/testenv/testenv.go
go/src/internal/trace/goroutines.go
--- pkgsrc/lang/go/Attic/distinfo 2016/04/08 20:00:02 1.34
+++ pkgsrc/lang/go/Attic/distinfo 2016/04/13 07:12:00 1.35
@@ -1,12 +1,11 @@
-$NetBSD: distinfo,v 1.34 2016/04/08 20:00:02 bsiegert Exp $
+$NetBSD: distinfo,v 1.35 2016/04/13 07:12:00 bsiegert Exp $
-SHA1 (go1.6.src.tar.gz) = 3282b6cb1e491662f7067544605d8cbf6f016553
-RMD160 (go1.6.src.tar.gz) = 9ed6feb79610d4ef0b9c2113dfddce72ff26ae7a
-SHA512 (go1.6.src.tar.gz) = 59e9d72a80558fd5e3f176e068897a45333b36e35f6c00393647941a70e741168e65941b6059397378020c3b78ec3471a48809682f7efd97cf33eec6325fc3e8
-Size (go1.6.src.tar.gz) = 12613308 bytes
+SHA1 (go1.6.1.src.tar.gz) = aa8f912f2534c8faa5c5b6d278e7cb3a4f4d238c
+RMD160 (go1.6.1.src.tar.gz) = cf261ac91523982d0d6980a297bccb3fdbcd718c
+SHA512 (go1.6.1.src.tar.gz) = 31ea2504f8ab0fd709005275d0c2129b6cdb4e5d34d6e2b435b23480674b135d1bff8de863b1e01201e757523f4dc28b6ebefeb87d7e855f2509a6837e436fab
+Size (go1.6.1.src.tar.gz) = 12615799 bytes
SHA1 (patch-lib_time_update.bash) = bcf565b97ae7898a9e5cef7686fe42c69bc0bba1
SHA1 (patch-misc_io_clangwrap.sh) = cd91c47ba0fe7b6eb8009dd261c0c26c7d581c29
SHA1 (patch-src_cmd_go_pkg.go) = ccc470577951bd00741c39229599c0c06be52d0a
-SHA1 (patch-src_crypto_dsa_dsa.go) = ed2bdfeab0205f8fdddd7a765f150b0ce832d7a7
SHA1 (patch-src_crypto_x509_root__bsd.go) = 0eca1eafa967268ae9b224be4aeda347ebc91901
SHA1 (patch-src_syscall_syscall__solaris.go) = 436371947897dcba574a6dfecc6bbcd04f6e25b2
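Review bot: The removed patch-src_crypto_dsa_dsa.go checksum line, together with the patch file going to -r0, is not explained anywhere in the commit message. Please add a sentence saying why the local patch is dropped (for example, that the 1.6.1 distfile already contains the crypto fix described in the message, if that is the case) so a reader can confirm that no locally carried security fix is lost with the version bump.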
--- pkgsrc/lang/go/version.mk 2016/02/23 20:12:25 1.12
+++ pkgsrc/lang/go/version.mk 2016/04/13 07:12:00 1.13
@@ -1,8 +1,8 @@
-# $NetBSD: version.mk,v 1.12 2016/02/23 20:12:25 bsiegert Exp $
+# $NetBSD: version.mk,v 1.13 2016/04/13 07:12:00 bsiegert Exp $
.include "../../mk/bsd.prefs.mk"
-GO_VERSION= 1.6
+GO_VERSION= 1.6.1
GO14_VERSION= 1.4.3
ONLY_FOR_PLATFORM= *-*-i386 *-*-x86_64 *-*-evbarm