go117: update to 1.17.12 (security update) This minor release includes 9 security fixes following the security policy: net/http: improper sanitization of Transfer-Encoding header The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to reject the header as invalid. This is CVE-2022-1705 and https://go.dev/issue/53188. When httputil.ReverseProxy.ServeHTTP was called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy would set the client IP as the value of the X-Forwarded-For header, contrary to its documentation. In the more usual case where a Director function set the X-Forwarded-For header value to nil, ReverseProxy would leave the header unmodified as expected. This is https://go.dev/issue/53423 and CVE-2022-32148. Thanks to Christian Mehlmauer for reporting this issue. compress/gzip: stack exhaustion in Reader.Read Calling Reader.Read on an archive containing a large number of concatenated 0-length compressed files can cause a panic due to stack exhaustion. This is CVE-2022-30631 and Go issue https://go.dev/issue/53168. encoding/xml: stack exhaustion in Unmarshal Calling Unmarshal on an XML document into a Go struct which has a nested field that uses the any field tag can cause a panic due to stack exhaustion. This is CVE-2022-30633 and Go issue https://go.dev/issue/53611. encoding/xml: stack exhaustion in Decoder.Skip Calling Decoder.Skip when parsing a deeply nested XML document can cause a panic due to stack exhaustion. The Go Security team discovered this issue, and it was independently reported by Juho Nurminen of Mattermost. This is CVE-2022-28131 and Go issue https://go.dev/issue/53614. 
encoding/gob: stack exhaustion in Decoder.Decode Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is CVE-2022-30635 and Go issue https://go.dev/issue/53615. path/filepath: stack exhaustion in Glob Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion. Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2022-30632 and Go issue https://go.dev/issue/53416. io/fs: stack exhaustion in Glob Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion. This is CVE-2022-30630 and Go issue https://go.dev/issue/53415. go/parser: stack exhaustion in all Parse* functions Calling any of the Parse functions on Go source code which contains deeply nested types or declarations can cause a panic due to stack exhaustion. Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2022-1962 and Go issue https://go.dev/issue/53616.diff -r1.151 -r1.152 pkgsrc/lang/go/version.mk
(bsiegert)
@@ -1,23 +1,23 @@ | @@ -1,23 +1,23 @@ | |||
1 | # $NetBSD: version.mk,v 1.151 2022/06/02 18:50:40 bsiegert Exp $ | 1 | # $NetBSD: version.mk,v 1.152 2022/07/13 14:14:18 bsiegert Exp $ | |
2 | 2 | |||
3 | # | 3 | # | |
4 | # If bsd.prefs.mk is included before go-package.mk in a package, then this | 4 | # If bsd.prefs.mk is included before go-package.mk in a package, then this | |
5 | # file must be included directly in the package prior to bsd.prefs.mk. | 5 | # file must be included directly in the package prior to bsd.prefs.mk. | |
6 | # | 6 | # | |
7 | .include "go-vars.mk" | 7 | .include "go-vars.mk" | |
8 | 8 | |||
9 | GO118_VERSION= 1.18.3 | 9 | GO118_VERSION= 1.18.3 | |
10 | GO117_VERSION= 1.17.11 | 10 | GO117_VERSION= 1.17.12 | |
11 | GO116_VERSION= 1.16.15 | 11 | GO116_VERSION= 1.16.15 | |
12 | GO110_VERSION= 1.10.8 | 12 | GO110_VERSION= 1.10.8 | |
13 | GO19_VERSION= 1.9.7 | 13 | GO19_VERSION= 1.9.7 | |
14 | GO14_VERSION= 1.4.3 | 14 | GO14_VERSION= 1.4.3 | |
15 | 15 | |||
16 | .include "../../mk/bsd.prefs.mk" | 16 | .include "../../mk/bsd.prefs.mk" | |
17 | 17 | |||
18 | .if ${OPSYS} == "NetBSD" && ${OPSYS_VERSION} < 070000 | 18 | .if ${OPSYS} == "NetBSD" && ${OPSYS_VERSION} < 070000 | |
19 | # 1.9 is the last Go version to support NetBSD 6 | 19 | # 1.9 is the last Go version to support NetBSD 6 | |
20 | GO_VERSION_DEFAULT?= 19 | 20 | GO_VERSION_DEFAULT?= 19 | |
21 | .elif ${OPSYS} == "Darwin" && ${OPSYS_VERSION} < 101000 | 21 | .elif ${OPSYS} == "Darwin" && ${OPSYS_VERSION} < 101000 | |
22 | # go 1.11 removed support for osx 10.8 and 10.9 | 22 | # go 1.11 removed support for osx 10.8 and 10.9 | |
23 | # https://github.com/golang/go/issues/23122 | 23 | # https://github.com/golang/go/issues/23122 |
@@ -1,16 +1,15 @@ | @@ -1,16 +1,15 @@ | |||
1 | # $NetBSD: Makefile,v 1.6 2022/06/28 11:34:12 wiz Exp $ | 1 | # $NetBSD: Makefile,v 1.7 2022/07/13 14:14:18 bsiegert Exp $ | |
2 | 2 | |||
3 | PKGREVISION= 1 | |||
4 | .include "../../lang/go/version.mk" | 3 | .include "../../lang/go/version.mk" | |
5 | .include "../../lang/go/bootstrap.mk" | 4 | .include "../../lang/go/bootstrap.mk" | |
6 | 5 | |||
7 | GOVERSSUFFIX= 117 | 6 | GOVERSSUFFIX= 117 | |
8 | 7 | |||
9 | DISTNAME= go${GO${GOVERSSUFFIX}_VERSION}.src | 8 | DISTNAME= go${GO${GOVERSSUFFIX}_VERSION}.src | |
10 | PKGNAME= go${GOVERSSUFFIX}-${GO${GOVERSSUFFIX}_VERSION} | 9 | PKGNAME= go${GOVERSSUFFIX}-${GO${GOVERSSUFFIX}_VERSION} | |
11 | CATEGORIES= lang | 10 | CATEGORIES= lang | |
12 | MASTER_SITES= https://storage.googleapis.com/golang/ | 11 | MASTER_SITES= https://storage.googleapis.com/golang/ | |
13 | 12 | |||
14 | MAINTAINER= bsiegert@NetBSD.org | 13 | MAINTAINER= bsiegert@NetBSD.org | |
15 | HOMEPAGE= https://golang.org/ | 14 | HOMEPAGE= https://golang.org/ | |
16 | COMMENT= The Go programming language | 15 | COMMENT= The Go programming language | |
@@ -83,26 +82,31 @@ SUBST_SED.grplist= -e 's,return getgroup | @@ -83,26 +82,31 @@ SUBST_SED.grplist= -e 's,return getgroup | |||
83 | 82 | |||
84 | PLIST_SUBST+= GOVERSSUFFIX=${GOVERSSUFFIX} | 83 | PLIST_SUBST+= GOVERSSUFFIX=${GOVERSSUFFIX} | |
85 | 84 | |||
86 | PLIST_VARS+= pty route | 85 | PLIST_VARS+= pty route | |
87 | 86 | |||
88 | .if ${OPSYS} != "SunOS" | 87 | .if ${OPSYS} != "SunOS" | |
89 | PLIST.pty= yes | 88 | PLIST.pty= yes | |
90 | .endif | 89 | .endif | |
91 | 90 | |||
92 | .if ${OPSYS} != "Linux" && ${OPSYS} != "SunOS" | 91 | .if ${OPSYS} != "Linux" && ${OPSYS} != "SunOS" | |
93 | PLIST.route= yes | 92 | PLIST.route= yes | |
94 | .endif | 93 | .endif | |
95 | 94 | |||
95 | PRINT_PLIST_AWK+= /^bin\/go${GOVERSSUFFIX}/ { print "bin/go$${GOVERSSUFFIX}"; next; } | |||
96 | PRINT_PLIST_AWK+= /^bin\/gofmt${GOVERSSUFFIX}/ { print "bin/gofmt$${GOVERSSUFFIX}"; next; } | |||
97 | PRINT_PLIST_AWK+= /internal\/pty\.a/ { printf "%s", "$${PLIST.pty}"; } | |||
98 | PRINT_PLIST_AWK+= /x\/net\/route\.a/ { printf "%s", "$${PLIST.route}"; } | |||
99 | ||||
96 | post-extract: | 100 | post-extract: | |
97 | ${RM} -r -f ${WRKSRC}/test/fixedbugs/issue27836* | 101 | ${RM} -r -f ${WRKSRC}/test/fixedbugs/issue27836* | |
98 | 102 | |||
99 | do-build: | 103 | do-build: | |
100 | cd ${WRKSRC}/src && \ | 104 | cd ${WRKSRC}/src && \ | |
101 | env \ | 105 | env \ | |
102 | GOROOT_BOOTSTRAP=${GOROOT_BOOTSTRAP:Q} \ | 106 | GOROOT_BOOTSTRAP=${GOROOT_BOOTSTRAP:Q} \ | |
103 | GOROOT_FINAL=${GOROOT_FINAL:Q} \ | 107 | GOROOT_FINAL=${GOROOT_FINAL:Q} \ | |
104 | ${GOOPT} \ | 108 | ${GOOPT} \ | |
105 | GOCACHE=${WRKDIR}/.cache/go-build \ | 109 | GOCACHE=${WRKDIR}/.cache/go-build \ | |
106 | ${BASH} ./make.bash | 110 | ${BASH} ./make.bash | |
107 | # for RELRO build: | 111 | # for RELRO build: | |
108 | # cd ${WRKSRC}/src && env GOROOT_BOOTSTRAP=${GOROOT_BOOTSTRAP:Q} GOROOT_FINAL=${GOROOT_FINAL:Q} GO_LDFLAGS="-buildmode=pie" ${GOOPT} ${BASH} ./make.bash | 112 | # cd ${WRKSRC}/src && env GOROOT_BOOTSTRAP=${GOROOT_BOOTSTRAP:Q} GOROOT_FINAL=${GOROOT_FINAL:Q} GO_LDFLAGS="-buildmode=pie" ${GOOPT} ${BASH} ./make.bash |
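Review bot: The four `PRINT_PLIST_AWK+=` rules added just before `post-extract:` carry no comment, so their link to the PLIST change in this commit (`bin/go117` becoming `bin/go${GOVERSSUFFIX}`) has to be inferred. A one-line comment such as `# Keep print-PLIST output parameterized on GOVERSSUFFIX and tagged with PLIST.pty / PLIST.route.` would state the intent. The two `bin/` patterns are anchored only at the start; writing the first as `/^bin\/go${GOVERSSUFFIX}$$/` (and the `gofmt` one likewise) would keep them from rewriting a longer name that merely shares the prefix, which is harmless with today's two binaries but easy to miss later. Only the `bin/` entries are parameterized while the `go117/…` paths in PLIST remain literal; that looks deliberate, but it is worth confirming.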
@@ -1,16 +1,16 @@ | @@ -1,16 +1,16 @@ | |||
1 | @comment $NetBSD: PLIST,v 1.10 2022/06/02 18:19:26 bsiegert Exp $ | 1 | @comment $NetBSD: PLIST,v 1.11 2022/07/13 14:14:18 bsiegert Exp $ | |
2 | bin/go117 | 2 | bin/go${GOVERSSUFFIX} | |
3 | bin/gofmt117 | 3 | bin/gofmt${GOVERSSUFFIX} | |
4 | go117/AUTHORS | 4 | go117/AUTHORS | |
5 | go117/CONTRIBUTING.md | 5 | go117/CONTRIBUTING.md | |
6 | go117/CONTRIBUTORS | 6 | go117/CONTRIBUTORS | |
7 | go117/LICENSE | 7 | go117/LICENSE | |
8 | go117/PATENTS | 8 | go117/PATENTS | |
9 | go117/README.md | 9 | go117/README.md | |
10 | go117/SECURITY.md | 10 | go117/SECURITY.md | |
11 | go117/VERSION | 11 | go117/VERSION | |
12 | go117/api/README | 12 | go117/api/README | |
13 | go117/api/except.txt | 13 | go117/api/except.txt | |
14 | go117/api/go1.1.txt | 14 | go117/api/go1.1.txt | |
15 | go117/api/go1.10.txt | 15 | go117/api/go1.10.txt | |
16 | go117/api/go1.11.txt | 16 | go117/api/go1.11.txt | |
@@ -2392,26 +2392,27 @@ go117/src/cmd/go/testdata/script/mod_con | @@ -2392,26 +2392,27 @@ go117/src/cmd/go/testdata/script/mod_con | |||
2392 | go117/src/cmd/go/testdata/script/mod_convert_tsv.txt | 2392 | go117/src/cmd/go/testdata/script/mod_convert_tsv.txt | |
2393 | go117/src/cmd/go/testdata/script/mod_convert_tsv_insecure.txt | 2393 | go117/src/cmd/go/testdata/script/mod_convert_tsv_insecure.txt | |
2394 | go117/src/cmd/go/testdata/script/mod_convert_vendor_conf.txt | 2394 | go117/src/cmd/go/testdata/script/mod_convert_vendor_conf.txt | |
2395 | go117/src/cmd/go/testdata/script/mod_convert_vendor_json.txt | 2395 | go117/src/cmd/go/testdata/script/mod_convert_vendor_json.txt | |
2396 | go117/src/cmd/go/testdata/script/mod_convert_vendor_manifest.txt | 2396 | go117/src/cmd/go/testdata/script/mod_convert_vendor_manifest.txt | |
2397 | go117/src/cmd/go/testdata/script/mod_convert_vendor_yml.txt | 2397 | go117/src/cmd/go/testdata/script/mod_convert_vendor_yml.txt | |
2398 | go117/src/cmd/go/testdata/script/mod_deprecate_message.txt | 2398 | go117/src/cmd/go/testdata/script/mod_deprecate_message.txt | |
2399 | go117/src/cmd/go/testdata/script/mod_dir.txt | 2399 | go117/src/cmd/go/testdata/script/mod_dir.txt | |
2400 | go117/src/cmd/go/testdata/script/mod_doc.txt | 2400 | go117/src/cmd/go/testdata/script/mod_doc.txt | |
2401 | go117/src/cmd/go/testdata/script/mod_domain_root.txt | 2401 | go117/src/cmd/go/testdata/script/mod_domain_root.txt | |
2402 | go117/src/cmd/go/testdata/script/mod_dot.txt | 2402 | go117/src/cmd/go/testdata/script/mod_dot.txt | |
2403 | go117/src/cmd/go/testdata/script/mod_download.txt | 2403 | go117/src/cmd/go/testdata/script/mod_download.txt | |
2404 | go117/src/cmd/go/testdata/script/mod_download_concurrent_read.txt | 2404 | go117/src/cmd/go/testdata/script/mod_download_concurrent_read.txt | |
2405 | go117/src/cmd/go/testdata/script/mod_download_git_decorate_full.txt | |||
2405 | go117/src/cmd/go/testdata/script/mod_download_hash.txt | 2406 | go117/src/cmd/go/testdata/script/mod_download_hash.txt | |
2406 | go117/src/cmd/go/testdata/script/mod_download_json.txt | 2407 | go117/src/cmd/go/testdata/script/mod_download_json.txt | |
2407 | go117/src/cmd/go/testdata/script/mod_download_partial.txt | 2408 | go117/src/cmd/go/testdata/script/mod_download_partial.txt | |
2408 | go117/src/cmd/go/testdata/script/mod_download_replace_file.txt | 2409 | go117/src/cmd/go/testdata/script/mod_download_replace_file.txt | |
2409 | go117/src/cmd/go/testdata/script/mod_e.txt | 2410 | go117/src/cmd/go/testdata/script/mod_e.txt | |
2410 | go117/src/cmd/go/testdata/script/mod_edit.txt | 2411 | go117/src/cmd/go/testdata/script/mod_edit.txt | |
2411 | go117/src/cmd/go/testdata/script/mod_edit_go.txt | 2412 | go117/src/cmd/go/testdata/script/mod_edit_go.txt | |
2412 | go117/src/cmd/go/testdata/script/mod_edit_no_modcache.txt | 2413 | go117/src/cmd/go/testdata/script/mod_edit_no_modcache.txt | |
2413 | go117/src/cmd/go/testdata/script/mod_empty_err.txt | 2414 | go117/src/cmd/go/testdata/script/mod_empty_err.txt | |
2414 | go117/src/cmd/go/testdata/script/mod_enabled.txt | 2415 | go117/src/cmd/go/testdata/script/mod_enabled.txt | |
2415 | go117/src/cmd/go/testdata/script/mod_file_proxy.txt | 2416 | go117/src/cmd/go/testdata/script/mod_file_proxy.txt | |
2416 | go117/src/cmd/go/testdata/script/mod_find.txt | 2417 | go117/src/cmd/go/testdata/script/mod_find.txt | |
2417 | go117/src/cmd/go/testdata/script/mod_fs_patterns.txt | 2418 | go117/src/cmd/go/testdata/script/mod_fs_patterns.txt | |
@@ -10055,26 +10056,27 @@ go117/test/fixedbugs/issue5125.go | @@ -10055,26 +10056,27 @@ go117/test/fixedbugs/issue5125.go | |||
10055 | go117/test/fixedbugs/issue5162.go | 10056 | go117/test/fixedbugs/issue5162.go | |
10056 | go117/test/fixedbugs/issue5172.go | 10057 | go117/test/fixedbugs/issue5172.go | |
10057 | go117/test/fixedbugs/issue5231.go | 10058 | go117/test/fixedbugs/issue5231.go | |
10058 | go117/test/fixedbugs/issue5244.go | 10059 | go117/test/fixedbugs/issue5244.go | |
10059 | go117/test/fixedbugs/issue5259.dir/bug.go | 10060 | go117/test/fixedbugs/issue5259.dir/bug.go | |
10060 | go117/test/fixedbugs/issue5259.dir/main.go | 10061 | go117/test/fixedbugs/issue5259.dir/main.go | |
10061 | go117/test/fixedbugs/issue5259.go | 10062 | go117/test/fixedbugs/issue5259.go | |
10062 | go117/test/fixedbugs/issue5260.dir/a.go | 10063 | go117/test/fixedbugs/issue5260.dir/a.go | |
10063 | go117/test/fixedbugs/issue5260.dir/b.go | 10064 | go117/test/fixedbugs/issue5260.dir/b.go | |
10064 | go117/test/fixedbugs/issue5260.go | 10065 | go117/test/fixedbugs/issue5260.go | |
10065 | go117/test/fixedbugs/issue5291.dir/pkg1.go | 10066 | go117/test/fixedbugs/issue5291.dir/pkg1.go | |
10066 | go117/test/fixedbugs/issue5291.dir/prog.go | 10067 | go117/test/fixedbugs/issue5291.dir/prog.go | |
10067 | go117/test/fixedbugs/issue5291.go | 10068 | go117/test/fixedbugs/issue5291.go | |
10069 | go117/test/fixedbugs/issue53454.go | |||
10068 | go117/test/fixedbugs/issue5358.go | 10070 | go117/test/fixedbugs/issue5358.go | |
10069 | go117/test/fixedbugs/issue5373.go | 10071 | go117/test/fixedbugs/issue5373.go | |
10070 | go117/test/fixedbugs/issue5470.dir/a.go | 10072 | go117/test/fixedbugs/issue5470.dir/a.go | |
10071 | go117/test/fixedbugs/issue5470.dir/b.go | 10073 | go117/test/fixedbugs/issue5470.dir/b.go | |
10072 | go117/test/fixedbugs/issue5470.go | 10074 | go117/test/fixedbugs/issue5470.go | |
10073 | go117/test/fixedbugs/issue5493.go | 10075 | go117/test/fixedbugs/issue5493.go | |
10074 | go117/test/fixedbugs/issue5515.go | 10076 | go117/test/fixedbugs/issue5515.go | |
10075 | go117/test/fixedbugs/issue5581.go | 10077 | go117/test/fixedbugs/issue5581.go | |
10076 | go117/test/fixedbugs/issue5607.go | 10078 | go117/test/fixedbugs/issue5607.go | |
10077 | go117/test/fixedbugs/issue5609.go | 10079 | go117/test/fixedbugs/issue5609.go | |
10078 | go117/test/fixedbugs/issue5614.dir/rethinkgo.go | 10080 | go117/test/fixedbugs/issue5614.dir/rethinkgo.go | |
10079 | go117/test/fixedbugs/issue5614.dir/x.go | 10081 | go117/test/fixedbugs/issue5614.dir/x.go | |
10080 | go117/test/fixedbugs/issue5614.dir/y.go | 10082 | go117/test/fixedbugs/issue5614.dir/y.go |
@@ -1,10 +1,10 @@ | @@ -1,10 +1,10 @@ | |||
1 | $NetBSD: distinfo,v 1.17 2022/06/02 18:19:26 bsiegert Exp $ | 1 | $NetBSD: distinfo,v 1.18 2022/07/13 14:14:18 bsiegert Exp $ | |
2 | 2 | |||
3 | BLAKE2s (go1.17.11.src.tar.gz) = 56f12ee3395f5ccec66790391e18f7c4e6462531f75c5ae007637472086fe374 | 3 | BLAKE2s (go1.17.12.src.tar.gz) = 061cbbc13a599a2bba01fccd6c6686c5174f4f4f6cbac8cb515ffd233ef6ad2a | |
4 | SHA512 (go1.17.11.src.tar.gz) = cd08062e3357e8e73ad05572ac575b9d8b15599bdb3ea0ca743b04936fa5cca438886e6a06d6453334b8bb5fbe1ab3512657d11651f9199d2254736a6554e71d | 4 | SHA512 (go1.17.12.src.tar.gz) = d2bcea2a33723af5c2ae871f5c44694c69d37c74c62e81eddeaf4bfedf124feea2752997d3a359990071bf01f88942fc66b21cb092385946ad4ae9410854c8b9 | |
5 | Size (go1.17.11.src.tar.gz) = 22197784 bytes | 5 | Size (go1.17.12.src.tar.gz) = 22205674 bytes | |
6 | SHA1 (patch-misc_ios_clangwrap.sh) = 0a06403609cb7bce2e6f65444fd322f486761afe | 6 | SHA1 (patch-misc_ios_clangwrap.sh) = 0a06403609cb7bce2e6f65444fd322f486761afe | |
7 | SHA1 (patch-src_cmd_dist_util.go) = 2d9c2f59e27672d56f5f1a0e3f9d5101a05546a7 | 7 | SHA1 (patch-src_cmd_dist_util.go) = 2d9c2f59e27672d56f5f1a0e3f9d5101a05546a7 | |
8 | SHA1 (patch-src_crypto_x509_root__bsd.go) = 27636e0d8c121ccec6c46a3a82cd0e0469473a6e | 8 | SHA1 (patch-src_crypto_x509_root__bsd.go) = 27636e0d8c121ccec6c46a3a82cd0e0469473a6e | |
9 | SHA1 (patch-src_crypto_x509_root__solaris.go) = cce8d78a5a3712a0e7a620ead232a779e4a4b21e | 9 | SHA1 (patch-src_crypto_x509_root__solaris.go) = cce8d78a5a3712a0e7a620ead232a779e4a4b21e | |
10 | SHA1 (patch-src_syscall_zsysnum__solaris__amd64.go) = ec28a0fa37ba9599ec1651c8e9337a2efc48a26b | 10 | SHA1 (patch-src_syscall_zsysnum__solaris__amd64.go) = ec28a0fa37ba9599ec1651c8e9337a2efc48a26b |