Fri May 5 18:33:15 2023 UTC ()
go120: update to 1.20.4 (security)

This minor release includes 3 security fixes following the security policy:

* html/template: improper sanitization of CSS values

  Angle brackets (<>) were not considered dangerous characters when inserted
  into CSS contexts. Templates containing multiple actions separated by a '/'
  character could result in unexpectedly closing the CSS context and allowing
  for injection of unexpected HTML, if executed with untrusted input.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-24539 and Go issue https://go.dev/issue/59720.

* html/template: improper handling of JavaScript whitespace

  Not all valid JavaScript whitespace characters were considered to be
  whitespace. Templates containing whitespace characters outside of the
  character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also
  contain actions may not be properly sanitized during execution.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-24540 and Go issue https://go.dev/issue/59721.

* html/template: improper handling of empty HTML attributes

  Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}")
  executed with empty input could result in output that would have unexpected
  results when parsed due to HTML normalization rules. This may allow injection
  of arbitrary attributes into tags.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29400 and Go issue https://go.dev/issue/59722.


(bsiegert)
diff -r1.178 -r1.179 pkgsrc/lang/go/version.mk
diff -r1.4 -r1.5 pkgsrc/lang/go120/PLIST
diff -r1.4 -r1.5 pkgsrc/lang/go120/distinfo


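--- a/pkgsrc/lang/go/version.mk
+++ b/pkgsrc/lang/go/version.mk
@@ -1,22 +1,22 @@
-# $NetBSD: version.mk,v 1.178 2023/05/03 19:24:54 bsiegert Exp $
+# $NetBSD: version.mk,v 1.179 2023/05/05 18:33:15 bsiegert Exp $
 
 #
 # If bsd.prefs.mk is included before go-package.mk in a package, then this
 # file must be included directly in the package prior to bsd.prefs.mk.
 #
 .include "go-vars.mk"
 
-GO120_VERSION= 1.20.3
+GO120_VERSION= 1.20.4
 GO119_VERSION= 1.19.9
 GO118_VERSION= 1.18.10
 GO14_VERSION= 1.4.3
 
 .include "../../mk/bsd.prefs.mk"
 
 GO_VERSION_DEFAULT?= 120
 
 .if !empty(GO_VERSION_DEFAULT)
 GOVERSSUFFIX= ${GO_VERSION_DEFAULT}
 .endif
 
 # How to find the Go tool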


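--- a/pkgsrc/lang/go120/PLIST
+++ b/pkgsrc/lang/go120/PLIST
@@ -1,14 +1,14 @@
-@comment $NetBSD: PLIST,v 1.4 2023/04/04 18:33:25 bsiegert Exp $
+@comment $NetBSD: PLIST,v 1.5 2023/05/05 18:33:15 bsiegert Exp $
 bin/go${GOVERSSUFFIX}
 bin/gofmt${GOVERSSUFFIX}
 go120/CONTRIBUTING.md
 go120/LICENSE
 go120/PATENTS
 go120/README.md
 go120/SECURITY.md
 go120/VERSION
 go120/api/README
 go120/api/except.txt
 go120/api/go1.1.txt
 go120/api/go1.10.txt
 go120/api/go1.11.txt
@@ -1894,26 +1894,27 @@ go120/src/cmd/go/testdata/script/build_c
 go120/src/cmd/go/testdata/script/build_darwin_cc_arch.txt
 go120/src/cmd/go/testdata/script/build_dash_n_cgo.txt
 go120/src/cmd/go/testdata/script/build_dash_o_dev_null.txt
 go120/src/cmd/go/testdata/script/build_dash_x.txt
 go120/src/cmd/go/testdata/script/build_exe.txt
 go120/src/cmd/go/testdata/script/build_gcflags.txt
 go120/src/cmd/go/testdata/script/build_gcflags_order.txt
 go120/src/cmd/go/testdata/script/build_gopath_order.txt
 go120/src/cmd/go/testdata/script/build_ignore_leading_bom.txt
 go120/src/cmd/go/testdata/script/build_import_comment.txt
 go120/src/cmd/go/testdata/script/build_import_cycle.txt
 go120/src/cmd/go/testdata/script/build_internal.txt
 go120/src/cmd/go/testdata/script/build_issue48319.txt
+go120/src/cmd/go/testdata/script/build_issue59571.txt
 go120/src/cmd/go/testdata/script/build_issue6480.txt
 go120/src/cmd/go/testdata/script/build_link_x_import_path_escape.txt
 go120/src/cmd/go/testdata/script/build_multi_main.txt
 go120/src/cmd/go/testdata/script/build_n_cgo.txt
 go120/src/cmd/go/testdata/script/build_negative_p.txt
 go120/src/cmd/go/testdata/script/build_no_go.txt
 go120/src/cmd/go/testdata/script/build_nocache.txt
 go120/src/cmd/go/testdata/script/build_output.txt
 go120/src/cmd/go/testdata/script/build_overlay.txt
 go120/src/cmd/go/testdata/script/build_patterns_outside_gopath.txt
 go120/src/cmd/go/testdata/script/build_pgo.txt
 go120/src/cmd/go/testdata/script/build_pgo_auto.txt
 go120/src/cmd/go/testdata/script/build_plugin_non_main.txt
@@ -6865,30 +6866,26 @@ go120/src/os/path_windows_test.go
 go120/src/os/pipe2_unix.go
 go120/src/os/pipe_test.go
 go120/src/os/pipe_unix.go
 go120/src/os/proc.go
 go120/src/os/rawconn.go
 go120/src/os/rawconn_test.go
 go120/src/os/read_test.go
 go120/src/os/readfrom_linux.go
 go120/src/os/readfrom_linux_test.go
 go120/src/os/readfrom_stub.go
 go120/src/os/removeall_at.go
 go120/src/os/removeall_noat.go
 go120/src/os/removeall_test.go
-go120/src/os/rlimit.go
-go120/src/os/rlimit_darwin.go
-go120/src/os/rlimit_stub.go
-go120/src/os/rlimit_test.go
 go120/src/os/signal/doc.go
 go120/src/os/signal/example_test.go
 go120/src/os/signal/example_unix_test.go
 go120/src/os/signal/sig.s
 go120/src/os/signal/signal.go
 go120/src/os/signal/signal_cgo_test.go
 go120/src/os/signal/signal_linux_test.go
 go120/src/os/signal/signal_plan9.go
 go120/src/os/signal/signal_plan9_test.go
 go120/src/os/signal/signal_test.go
 go120/src/os/signal/signal_unix.go
 go120/src/os/signal/signal_windows_test.go
 go120/src/os/stat.go
@@ -8225,26 +8222,27 @@ go120/src/syscall/exec_freebsd.go
 go120/src/syscall/exec_libc.go
 go120/src/syscall/exec_libc2.go
 go120/src/syscall/exec_linux.go
 go120/src/syscall/exec_linux_test.go
 go120/src/syscall/exec_pdeathsig_test.go
 go120/src/syscall/exec_plan9.go
 go120/src/syscall/exec_solaris_test.go
 go120/src/syscall/exec_unix.go
 go120/src/syscall/exec_unix_test.go
 go120/src/syscall/exec_windows.go
 go120/src/syscall/exec_windows_test.go
 go120/src/syscall/export_darwin_test.go
 go120/src/syscall/export_linux_test.go
+go120/src/syscall/export_rlimit_test.go
 go120/src/syscall/export_unix_test.go
 go120/src/syscall/export_windows_test.go
 go120/src/syscall/flock.go
 go120/src/syscall/flock_aix.go
 go120/src/syscall/flock_darwin.go
 go120/src/syscall/flock_linux_32bit.go
 go120/src/syscall/forkpipe.go
 go120/src/syscall/forkpipe2.go
 go120/src/syscall/fs_js.go
 go120/src/syscall/getdirentries_test.go
 go120/src/syscall/js/export_test.go
 go120/src/syscall/js/func.go
 go120/src/syscall/js/js.go
@@ -8264,26 +8262,30 @@ go120/src/syscall/mksysnum_freebsd.pl
 go120/src/syscall/mksysnum_linux.pl
 go120/src/syscall/mksysnum_netbsd.pl
 go120/src/syscall/mksysnum_openbsd.pl
 go120/src/syscall/mksysnum_plan9.sh
 go120/src/syscall/mmap_unix_test.go
 go120/src/syscall/msan.go
 go120/src/syscall/msan0.go
 go120/src/syscall/net.go
 go120/src/syscall/net_js.go
 go120/src/syscall/netlink_linux.go
 go120/src/syscall/ptrace_darwin.go
 go120/src/syscall/ptrace_ios.go
 go120/src/syscall/pwd_plan9.go
+go120/src/syscall/rlimit.go
+go120/src/syscall/rlimit_darwin.go
+go120/src/syscall/rlimit_stub.go
+go120/src/syscall/rlimit_test.go
 go120/src/syscall/route_bsd.go
 go120/src/syscall/route_darwin.go
 go120/src/syscall/route_dragonfly.go
 go120/src/syscall/route_freebsd.go
 go120/src/syscall/route_freebsd_32bit.go
 go120/src/syscall/route_freebsd_64bit.go
 go120/src/syscall/route_netbsd.go
 go120/src/syscall/route_openbsd.go
 go120/src/syscall/security_windows.go
 go120/src/syscall/setuidgid_32_linux.go
 go120/src/syscall/setuidgid_linux.go
 go120/src/syscall/sockcmsg_dragonfly.go
 go120/src/syscall/sockcmsg_linux.go
@@ -11003,30 +11005,35 @@ go120/test/fixedbugs/issue5809.go
 go120/test/fixedbugs/issue5820.go
 go120/test/fixedbugs/issue58293.go
 go120/test/fixedbugs/issue58325.go
 go120/test/fixedbugs/issue58341.go
 go120/test/fixedbugs/issue5841.go
 go120/test/fixedbugs/issue5856.go
 go120/test/fixedbugs/issue58563.dir/a.go
 go120/test/fixedbugs/issue58563.dir/main.go
 go120/test/fixedbugs/issue58563.go
 go120/test/fixedbugs/issue5910.dir/a.go
 go120/test/fixedbugs/issue5910.dir/main.go
 go120/test/fixedbugs/issue5910.go
 go120/test/fixedbugs/issue59293.go
+go120/test/fixedbugs/issue59334.go
+go120/test/fixedbugs/issue59367.go
+go120/test/fixedbugs/issue59378.go
 go120/test/fixedbugs/issue5957.dir/a.go
 go120/test/fixedbugs/issue5957.dir/b.go
 go120/test/fixedbugs/issue5957.dir/c.go
 go120/test/fixedbugs/issue5957.go
+go120/test/fixedbugs/issue59572.go
+go120/test/fixedbugs/issue59572.out
 go120/test/fixedbugs/issue5963.go
 go120/test/fixedbugs/issue6004.go
 go120/test/fixedbugs/issue6036.go
 go120/test/fixedbugs/issue6055.go
 go120/test/fixedbugs/issue6131.go
 go120/test/fixedbugs/issue6140.go
 go120/test/fixedbugs/issue6247.go
 go120/test/fixedbugs/issue6269.go
 go120/test/fixedbugs/issue6295.dir/p0.go
 go120/test/fixedbugs/issue6295.dir/p1.go
 go120/test/fixedbugs/issue6295.dir/p2.go
 go120/test/fixedbugs/issue6295.go
 go120/test/fixedbugs/issue6298.go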


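--- a/pkgsrc/lang/go120/distinfo
+++ b/pkgsrc/lang/go120/distinfo
@@ -1,10 +1,10 @@
-$NetBSD: distinfo,v 1.4 2023/04/04 18:33:25 bsiegert Exp $
+$NetBSD: distinfo,v 1.5 2023/05/05 18:33:15 bsiegert Exp $
 
-BLAKE2s (go1.20.3.src.tar.gz) = 412257ea01e9308b6afcde71094d222c14fb06297a502b0892a4ceac00e5d812
-SHA512 (go1.20.3.src.tar.gz) = 47ebb3925956a3facef9e5e6f4efec3058e55632020ea247844c55b160d23e2be3880ea24dec2f73382a7c7858259896cbb7de1bb764c481c176bed479676029
-Size (go1.20.3.src.tar.gz) = 26184364 bytes
+BLAKE2s (go1.20.4.src.tar.gz) = fe3bbdd7cce52b89e3ce260e926ae7b79388b55d026c8f2c8e6039fff92133d3
+SHA512 (go1.20.4.src.tar.gz) = 43898325bab48c24e533f360a2c7de356a8a56946602e727b5bcd4a62ff4f64fd750e2650032f7e0525b0699e40e506d79446e16838f097e6bdc2a16f10d81be
+Size (go1.20.4.src.tar.gz) = 26185429 bytes
 SHA1 (patch-misc_ios_clangwrap.sh) = 0a06403609cb7bce2e6f65444fd322f486761afe
 SHA1 (patch-src_cmd_dist_util.go) = 2d9c2f59e27672d56f5f1a0e3f9d5101a05546a7
 SHA1 (patch-src_crypto_x509_root__bsd.go) = 0b5dead901450967109303f873a2696c65ccac35
 SHA1 (patch-src_crypto_x509_root__solaris.go) = d636a1599ede225ac339388fba2b6e253112d461
 SHA1 (patch-src_syscall_zsysnum__solaris__amd64.go) = ec28a0fa37ba9599ec1651c8e9337a2efc48a26b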