head 1.15; access; symbols pkgsrc-2020Q4:1.13.0.2 pkgsrc-2020Q4-base:1.13 pkgsrc-2020Q3:1.10.0.2 pkgsrc-2020Q3-base:1.10 pkgsrc-2020Q2:1.7.0.2 pkgsrc-2020Q2-base:1.7 pkgsrc-2020Q1:1.2.0.2 pkgsrc-2020Q1-base:1.2; locks; strict; comment @# @; 1.15 date 2021.03.20.09.28.34; author bsiegert; state dead; branches; next 1.14; commitid Gwk17nnBCzsAR1MC; 1.14 date 2021.01.22.20.08.32; author bsiegert; state Exp; branches; next 1.13; commitid SzR5JgcYI6HUeLEC; 1.13 date 2020.11.13.18.27.35; author bsiegert; state Exp; branches; next 1.12; commitid 0UAUSJWCl5wnVKvC; 1.12 date 2020.11.08.20.12.31; author bsiegert; state Exp; branches; next 1.11; commitid R4SudK6L8wiyF7vC; 1.11 date 2020.10.15.12.01.14; author bsiegert; state Exp; branches; next 1.10; commitid UZjSqGQH6PsVIZrC; 1.10 date 2020.09.03.07.03.27; author bsiegert; state Exp; branches; next 1.9; commitid mPmzPnnNoDVsqzmC; 1.9 date 2020.08.14.18.45.56; author bsiegert; state Exp; branches; next 1.8; commitid OYyIaUeIngXnX3kC; 1.8 date 2020.07.17.17.20.05; author bsiegert; state Exp; branches; next 1.7; commitid 7eYQmXwk5f9HnsgC; 1.7 date 2020.06.17.09.37.25; author bsiegert; state Exp; branches 1.7.2.1; next 1.6; commitid YZPBuAhxP30BMycC; 1.6 date 2020.05.01.15.58.00; author tnn; state Exp; branches; next 1.5; commitid kJuwkIjPE0Y5py6C; 1.5 date 2020.04.27.18.42.12; author tnn; state Exp; branches; next 1.4; commitid wqapkB5PqPmqr36C; 1.4 date 2020.04.27.03.21.35; author tnn; state Exp; branches; next 1.3; commitid T7tAUyL3jPNrlY5C; 1.3 date 2020.04.09.13.28.38; author bsiegert; state Exp; branches; next 1.2; commitid Bs0cOcDywjbthI3C; 1.2 date 2020.03.20.19.50.48; author bsiegert; state Exp; branches; next 1.1; commitid OjRvTPoHlGlC2b1C; 1.1 date 2020.02.27.14.32.57; author bsiegert; state Exp; branches; next ; commitid 2FzByGcJEHQ2ZjYB; 1.7.2.1 date 2020.07.20.14.59.01; author spz; state Exp; branches; next ; commitid xH6LKQUTPLktvPgC; desc @@ 1.15 log @We say goodbye to Go 1.14. 
The policy of the Go project is to support the last two stable branches, so 1.14 is end of life. @ text @$NetBSD: distinfo,v 1.14 2021/01/22 20:08:32 bsiegert Exp $ SHA1 (go1.14.14.src.tar.gz) = 5bfb2ce853ede2d63ba75760cc2b455554599152 RMD160 (go1.14.14.src.tar.gz) = 3394b7b351aeb074a1fd926a4003742857df965c SHA512 (go1.14.14.src.tar.gz) = 76213b19eeec66ca6c6b5bdef875bea0b64c3877c70eec64dd65f7869ceb8db016ff19193f01771f8944fd5f0ae3b54c68185e158f2622d1db5552fec1f37976 Size (go1.14.14.src.tar.gz) = 22557733 bytes SHA1 (patch-misc_io_clangwrap.sh) = cd91c47ba0fe7b6eb8009dd261c0c26c7d581c29 SHA1 (patch-src_cmd_dist_util.go) = 24e6f1b6ded842a8ce322a40e8766f7d344bc47e SHA1 (patch-src_cmd_link_internal_ld_elf.go) = 990a54e3baf239916e4c7f0c1d54240e2898601a SHA1 (patch-src_crypto_x509_root__bsd.go) = 93a2de7c685a0919fe93f5bc99f156e105dace4d SHA1 (patch-src_runtime_cgo_gcc__netbsd__arm64.c) = d2fc1cebc104ad2e35f488e5edebcecd6f0323be SHA1 (patch-src_runtime_os__netbsd.go) = 9b80de94667e3f8d8d1ae3648ab1fe43dd55d577 SHA1 (patch-src_runtime_sys__netbsd__arm64.s) = c8d3dfddd7930794a6ff9b2919c42632aa9358cd SHA1 (patch-src_syscall_zsysnum__solaris__amd64.go) = ec28a0fa37ba9599ec1651c8e9337a2efc48a26b @ 1.14 log @Update go114 to 1.14.14. * cmd/go: packages using cgo can cause arbitrary code execution at build time The go command may execute arbitrary code at build time when cgo is in use on Windows. This may occur when running “go get”, or any other command that builds code. Only users who build untrusted code (and don’t execute it) are affected. In addition to Windows users, this can also affect Unix users who have “.” listed explicitly in their PATH and are running “go get” or build commands outside of a module or with module mode disabled. Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue. This issue is CVE-2021-3115 and Go issue golang.org/issue/43783. 
For more background on the cmd/go change and help deciding whether your own programs might have similar issues, see our blog post at https://blog.golang.org/path-security. * crypto/elliptic: incorrect operations on the P-224 curve The P224() Curve implementation can in rare circumstances generate incorrect outputs, including returning invalid points from ScalarMult. The crypto/x509 and golang.org/x/crypto/ocsp (but not crypto/tls) packages support P-224 ECDSA keys, but they are not supported by publicly trusted certificate authorities. No other standard library or golang.org/x/crypto package supports or uses the P-224 curve. The incorrect output was found by the elliptic-curve-differential-fuzzer project running on OSS-Fuzz and reported by Philippe Antoine (Catena cyber). This issue is CVE-2021-3114 and Go issue golang.org/issue/43786. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.13 2020/11/13 18:27:35 bsiegert Exp $ @ 1.13 log @Update go114 to 1.14.12 (security fix). - math/big: panic during recursive division of very large numbers A number of math/big.Int methods (Div, Exp, DivMod, Quo, Rem, QuoRem, Mod, ModInverse, ModSqrt, Jacobi, and GCD) can panic when provided crafted large inputs. For the panic to happen, the divisor or modulo argument must be larger than 3168 bits (on 32-bit architectures) or 6336 bits (on 64-bit architectures). Multiple math/big.Rat methods are similarly affected. crypto/rsa.VerifyPSS , crypto/rsa.VerifyPKCS1v15 , and crypto/dsa.Verify may panic when provided crafted public keys and signatures. crypto/ecdsa and crypto/elliptic operations may only be affected if custom CurveParams with unusually large field sizes (several times larger than the largest supported curve, P-521) are in use. Using crypto/x509.Verify on a crafted X.509 certificate chain can lead to a panic, even if the certificates don’t chain to a trusted root. 
The chain can be delivered via a crypto/tls connection to a client, or to a server that accepts and verifies client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected. Moreover, an application might crash invoking crypto/x509.(*CertificateRequest).CheckSignature on an X.509 certificate request or during a golang.org/x/crypto/otr conversation. Parsing a golang.org/x/crypto/openpgp Entity or verifying a signature may crash. Finally, a golang.org/x/crypto/ssh client can panic due to a malformed host key, while a server could panic if either PublicKeyCallback accepts a malformed public key, or if IsUserAuthority accepts a certificate with a malformed public key. Thanks to the Go Ethereum team and the OSS-Fuzz project for reporting this. Thanks to Rémy Oudompheng and Robert Griesemer for their help developing and validating the fix. This issue is CVE-2020-28362 and Go issue golang.org/issue/42552. - cmd/go: arbitrary code execution at build time through cgo The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code. This can be caused by malicious gcc flags specified via a #cgo directive, or by a malicious symbol name in a linked object file. These issues are CVE-2020-28367 and CVE-2020-28366, and Go issues golang.org/issue/42556 and golang.org/issue/42559 respectively. 
@ text @d1 1 a1 1 $NetBSD: distinfo,v 1.12 2020/11/08 20:12:31 bsiegert Exp $ d3 4 a6 4 SHA1 (go1.14.12.src.tar.gz) = b23a42c9085b5bcef74c23f4ffed41f16ee3a33c RMD160 (go1.14.12.src.tar.gz) = 161c44071a0cc8fa992dfcf7d1e42f74d241b3c0 SHA512 (go1.14.12.src.tar.gz) = cba26b97878d5bd57d75bd1541932786779ddb7e9fa0bfb7bf003c7ae9e7bee8318c0d2108ce918453b863892b8f562e481bd0ed6cfc44e43d901522603adff2 Size (go1.14.12.src.tar.gz) = 22553834 bytes @ 1.12 log @Update go114 to 1.14.11 go1.14.11 (released 2020/11/05) includes fixes to the runtime, and the net/http and time packages. See the Go 1.14.11 milestone on our issue tracker for details. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.11 2020/10/15 12:01:14 bsiegert Exp $ d3 4 a6 4 SHA1 (go1.14.11.src.tar.gz) = da0d329f0d76df968c73623ce953752f57a2a70e RMD160 (go1.14.11.src.tar.gz) = 8cff58cae318b50bce2538b8897654b6ec983f49 SHA512 (go1.14.11.src.tar.gz) = 93cac0ee9f499417dfdc196eb12a91f335ec5693be59d08f9fa3fa5202f717789408077b8180ce9122079768cb94a7293875c0fab2ebef2ecf2c83a86ca0a4ec Size (go1.14.11.src.tar.gz) = 22552087 bytes @ 1.11 log @Update go114 to 1.14.10. go1.14.9 (released 2020/09/09) includes fixes to the compiler, linker, runtime, documentation, and the net/http and testing packages. See the Go 1.14.9 milestone on our issue tracker for details. go1.14.10 (released 2020/10/14) includes fixes to the compiler, runtime, and the plugin and testing packages. See the Go 1.14.10 milestone on our issue tracker for details. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.10 2020/09/03 07:03:27 bsiegert Exp $ d3 4 a6 4 SHA1 (go1.14.10.src.tar.gz) = 1b114b3ce2e9407d5f62f576786eabe09f99aa63 RMD160 (go1.14.10.src.tar.gz) = d45ae5082e567b9a51298c816cd4d39e9e068159 SHA512 (go1.14.10.src.tar.gz) = f33fd3a06088f9b3594632e0429d3543987f0f93bf52a7383a05e0d845f981fd437d5545cebed6c146a500570f3fbdc35765d842c4c08cfc695a2c3b64223626 Size (go1.14.10.src.tar.gz) = 22542956 bytes @ 1.10 log @Update go114 to 1.14.8. 
go1.14.8 (released 2020/09/01) includes security fixes to the net/http/cgi and net/http/fcgi packages. See the Go 1.14.8 milestone on our issue tracker for details. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.9 2020/08/14 18:45:56 bsiegert Exp $ d3 4 a6 4 SHA1 (go1.14.8.src.tar.gz) = 7b0c9fb5fe4c10c606048509148d37644622de07 RMD160 (go1.14.8.src.tar.gz) = 312b2c4e97ac0bb1b328ee0ed81762ce2f3c9301 SHA512 (go1.14.8.src.tar.gz) = c7f2826d9f674591b183f209e8854875273a6ac846f93ae1da841a0c80943d9b8fa04cdad389a339bbdf583913ab71646dff15afa9b4ad8be47e12041fe71c45 Size (go1.14.8.src.tar.gz) = 22535549 bytes @ 1.9 log @Update go114 to 1.14.7. go1.14.7 (released 2020/08/06) includes security fixes to the encoding/binary package. See the Go 1.14.7 milestone on our issue tracker for details. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.8 2020/07/17 17:20:05 bsiegert Exp $ d3 4 a6 4 SHA1 (go1.14.7.src.tar.gz) = e1dbd9e364dcadae84a8a123f944dcd1575f75be RMD160 (go1.14.7.src.tar.gz) = 06d53c2a6a3a8cf85f10d3e20515dd3d93735ffb SHA512 (go1.14.7.src.tar.gz) = 3f1133c66d7795ceb6c5793db90616613244d7561abaef6b059602992c0b7a53b6b6ebbcf69add4769a58542e9dc55871bcfe3d64d4cd9f3569bd435ade86dee Size (go1.14.7.src.tar.gz) = 22534747 bytes @ 1.8 log @Update go114 to 1.14.6. go1.14.5 (released 2020/07/14) includes security fixes to the crypto/x509 and net/http packages. See the Go 1.14.5 milestone on our issue tracker for details. go1.14.6 (released 2020/07/16) includes fixes to the go command, the compiler, the linker, vet, and the database/sql, encoding/json, net/http, reflect, and testing packages. See the Go 1.14.6 milestone on our issue tracker for details. 
@ text @d1 1 a1 1 $NetBSD: distinfo,v 1.7 2020/06/17 09:37:25 bsiegert Exp $ d3 4 a6 4 SHA1 (go1.14.6.src.tar.gz) = 7cdd6edb158e41d7be2c93c2fc3bd89f73bc3bf2 RMD160 (go1.14.6.src.tar.gz) = 0441aabf6b098a4b1a318e24c22e678f82b7966e SHA512 (go1.14.6.src.tar.gz) = 5c865c8272fb0dc8eab1514732b0200dbc867276512714dd30afc658a0d2afac6bd758e00c6f576d8d254e411418a52a564c895399b56cfe06c2b1785271a8fd Size (go1.14.6.src.tar.gz) = 22534714 bytes @ 1.7 log @Update go114 to 1.14.4. go1.14.3 (released 2020/05/14) includes fixes to cgo, the compiler, the runtime, and the go/doc and math/big packages. See the Go 1.14.3 milestone on our issue tracker for details. go1.14.4 (released 2020/06/01) includes fixes to the go doc command, the runtime, and the encoding/json and os packages. See the Go 1.14.4 milestone on our issue tracker for details. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.6 2020/05/01 15:58:00 tnn Exp $ d3 4 a6 4 SHA1 (go1.14.4.src.tar.gz) = 0f49857387f181a0aa5fd0d16ae93afce11445d1 RMD160 (go1.14.4.src.tar.gz) = 1fe71fc573c57031c446f1624fc5d309cb1508d8 SHA512 (go1.14.4.src.tar.gz) = b0d657ea33331062db5a4da0aff14798f292ca967a53665af1a93e04eba7a03e49a3dbc4768c4f099ec5ff25a31885750f7658f819057057093e2d7bfb085575 Size (go1.14.4.src.tar.gz) = 22535243 bytes @ 1.7.2.1 log @Pullup ticket #6279 - requested by bsiegert lang/go114: security update Revisions pulled up: - lang/go/version.mk 1.94 - lang/go114/PLIST 1.5 - lang/go114/distinfo 1.8 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: bsiegert Date: Fri Jul 17 17:20:06 UTC 2020 Modified Files: pkgsrc/lang/go: version.mk pkgsrc/lang/go114: PLIST distinfo Log Message: Update go114 to 1.14.6. go1.14.5 (released 2020/07/14) includes security fixes to the crypto/x509 and net/http packages. See the Go 1.14.5 milestone on our issue tracker for details. 
go1.14.6 (released 2020/07/16) includes fixes to the go command, the compiler, the linker, vet, and the database/sql, encoding/json, net/http, reflect, and testing packages. See the Go 1.14.6 milestone on our issue tracker for details. To generate a diff of this commit: cvs rdiff -u -r1.93 -r1.94 pkgsrc/lang/go/version.mk cvs rdiff -u -r1.4 -r1.5 pkgsrc/lang/go114/PLIST cvs rdiff -u -r1.7 -r1.8 pkgsrc/lang/go114/distinfo @ text @d1 1 a1 1 $NetBSD$ d3 4 a6 4 SHA1 (go1.14.6.src.tar.gz) = 7cdd6edb158e41d7be2c93c2fc3bd89f73bc3bf2 RMD160 (go1.14.6.src.tar.gz) = 0441aabf6b098a4b1a318e24c22e678f82b7966e SHA512 (go1.14.6.src.tar.gz) = 5c865c8272fb0dc8eab1514732b0200dbc867276512714dd30afc658a0d2afac6bd758e00c6f576d8d254e411418a52a564c895399b56cfe06c2b1785271a8fd Size (go1.14.6.src.tar.gz) = 22534714 bytes @ 1.6 log @go114: netbsd/arm64: provide declaration of crosscall1 @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.5 2020/04/27 18:42:12 tnn Exp $ d3 4 a6 4 SHA1 (go1.14.2.src.tar.gz) = bdc78d3a84b9d95766574b4bf33fc179542c2adf RMD160 (go1.14.2.src.tar.gz) = 8b6d9bdb7e8d1eb9fba36d110cfcf59c6d9adc1e SHA512 (go1.14.2.src.tar.gz) = 3f6804e1a60df6a7c55c294fe4147b2d6f028c619ad4ae5b1ae8793c6be637a1e6a62721cc7ce0b28918ab3441a89fa9acda72cb5450bf5af8d7872411d28015 Size (go1.14.2.src.tar.gz) = 22454649 bytes @ 1.5 log @go114: fix stack alignment for runtime.pipe2 return value on NetBSD/aarch64 from maya@@ @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.4 2020/04/27 03:21:35 tnn Exp $ d11 1 @ 1.4 log @go114: work around aarch64 signal handler issue @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.3 2020/04/09 13:28:38 bsiegert Exp $ d12 1 a12 1 SHA1 (patch-src_runtime_sys__netbsd__arm64.s) = b37973c0841e24991c227a7f5cc4b46c2d89f372 @ 1.3 log @Update go114 to 1.14.2. go1.14.2 (released 2020/04/08) includes fixes to cgo, the go command, the runtime, os/exec, and testing packages. See the Go 1.14.2 milestone on our issue tracker for details. 
From what I know from work, 1.14.1 had a nasty runtime bug that is now fixed. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.2 2020/03/20 19:50:48 bsiegert Exp $ d12 1 @ 1.2 log @Update go114 to 1.14.1. This release includes fixes to the go command, tools, the runtime, the toolchain, and to the crypto/cypher package. View the release notes for more information: https://golang.org/doc/devel/release.html#go1.14.minor @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.1 2020/02/27 14:32:57 bsiegert Exp $ d3 4 a6 4 SHA1 (go1.14.1.src.tar.gz) = 32bd3b164f4ceb0933368de673d3a3ebe954db00 RMD160 (go1.14.1.src.tar.gz) = e18e389dc5eaab941ff2268c5189b58cdf3e1c81 SHA512 (go1.14.1.src.tar.gz) = f0112fbf984e2764cd90d42b2f844b986b421adf8bf68551cccefeb320db7f3490ab1532f770f20c943c68c7185ce139c8248991adb0529527358ffdc8047ad9 Size (go1.14.1.src.tar.gz) = 22451159 bytes @ 1.1 log @Add a package for Go 1.14. The default will remain at 1.13 for the next branch. The latest Go release, version 1.14, arrives six months after Go 1.13. Most of its changes are in the implementation of the toolchain, runtime, and libraries. As always, the release maintains the Go 1 promise of compatibility. We expect almost all Go programs to continue to compile and run as before. See the release notes at https://golang.org/doc/go1.14. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.1 2019/12/07 21:34:17 bsiegert Exp $ d3 4 a6 4 SHA1 (go1.14.src.tar.gz) = b46ef8d3ede13a8e890cfab8a9f269190a0a8618 RMD160 (go1.14.src.tar.gz) = aab04262b0664a78ad77e06583c42a071c7fb331 SHA512 (go1.14.src.tar.gz) = b04f2a90b9693f2c7a0b5c7048f186318937f3dd3831162c4130d88e2b185a5047db15e284041c70f1f42da512f42e5e85c13256018982cf2739244a31874328 Size (go1.14.src.tar.gz) = 22377333 bytes @
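Review bot: the ID line stored in the text of revision 1.1, "$NetBSD: distinfo,v 1.1 2019/12/07 21:34:17 bsiegert Exp $", is dated earlier than that revision's own header (date 2020.02.27.14.32.57), which suggests the file went in with an already-expanded keyword taken from another file. A newly added distinfo would better start from a bare "$NetBSD$", as the text of 1.7.2.1 does, so that the first expansion reflects this file's own history and the ID line cannot be mistaken for evidence of an earlier revision when the checksum history is audited.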