head	1.13;
access;
symbols
	pkgsrc-2021Q2:1.10.0.2
	pkgsrc-2021Q2-base:1.10
	pkgsrc-2021Q1:1.7.0.2
	pkgsrc-2021Q1-base:1.7
	pkgsrc-2020Q4:1.5.0.2
	pkgsrc-2020Q4-base:1.5
	pkgsrc-2020Q3:1.2.0.2
	pkgsrc-2020Q3-base:1.2;
locks; strict;
comment	@# @;


1.13
date	2021.08.22.14.18.51;	author bsiegert;	state dead;
branches;
next	1.12;
commitid	ALlGj25ZWp9luY5D;

1.12
date	2021.08.11.16.46.48;	author bsiegert;	state Exp;
branches;
next	1.11;
commitid	sXkWezPFDOb1Fz4D;

1.11
date	2021.07.13.10.05.08;	author bsiegert;	state Exp;
branches;
next	1.10;
commitid	dFnnmMjnIjLBmO0D;

1.10
date	2021.06.04.16.43.21;	author bsiegert;	state Exp;
branches;
next	1.9;
commitid	Fftl26buCtErPPVC;

1.9
date	2021.05.07.16.30.41;	author bsiegert;	state Exp;
branches;
next	1.8;
commitid	YAH4uxghM6LREeSC;

1.8
date	2021.03.30.14.53.35;	author jperkin;	state Exp;
branches;
next	1.7;
commitid	sIR20EZU3477llNC;

1.7
date	2021.03.19.17.22.55;	author bsiegert;	state Exp;
branches;
next	1.6;
commitid	vs3JiFmsFwlgwWLC;

1.6
date	2021.01.23.14.07.38;	author bsiegert;	state Exp;
branches;
next	1.5;
commitid	cxokSqLR0OK3dREC;

1.5
date	2020.11.13.18.45.50;	author bsiegert;	state Exp;
branches;
next	1.4;
commitid	LbdgVq1sEc5U1LvC;

1.4
date	2020.11.08.20.38.10;	author bsiegert;	state Exp;
branches;
next	1.3;
commitid	AHoE9bVzWRSpO7vC;

1.3
date	2020.10.15.12.43.33;	author bsiegert;	state Exp;
branches;
next	1.2;
commitid	Z1PqAxfFQ0TtXZrC;

1.2
date	2020.09.03.06.47.21;	author bsiegert;	state Exp;
branches;
next	1.1;
commitid	WZAkPMWdXsuZkzmC;

1.1
date	2020.08.21.19.50.22;	author bsiegert;	state Exp;
branches;
next	;
commitid	LLV5cVgGTB785YkC;


desc
@@


1.13
log
@We say goodbye to go115.

go115 became EOL upstream as soon as 1.17 was released.
@
text
@$NetBSD: distinfo,v 1.12 2021/08/11 16:46:48 bsiegert Exp $

SHA1 (go1.15.15.src.tar.gz) = a59b4ccad37e88cbf5395be50e4f01a14fb2955b
RMD160 (go1.15.15.src.tar.gz) = ff7ecfcd6163efb2177bf37a7b287366e1ae1ed8
SHA512 (go1.15.15.src.tar.gz) = bf8a6f669d024ce77271fbc8dc1d7a727c4da85c70cad00d0baaef157e7c5d7879ea9ae71cdb04e55f9c07f5ae76655264ca8a159c971eab1cf8a8861b74e69b
Size (go1.15.15.src.tar.gz) = 23042945 bytes
SHA1 (patch-misc_io_clangwrap.sh) = df5911c430ff6251abab12e5cc233e32fc3cd953
SHA1 (patch-src_cmd_dist_util.go) = 24e6f1b6ded842a8ce322a40e8766f7d344bc47e
SHA1 (patch-src_cmd_link_internal_ld_elf.go) = 3dfcb5c824d4201fadda0cfb6b48e5938899baf0
SHA1 (patch-src_crypto_x509_root__bsd.go) = 93a2de7c685a0919fe93f5bc99f156e105dace4d
SHA1 (patch-src_crypto_x509_root__solaris.go) = ee75e00992d04967c690d716be89b9ecbc356866
SHA1 (patch-src_runtime_cgo_gcc__netbsd__arm64.c) = d2fc1cebc104ad2e35f488e5edebcecd6f0323be
SHA1 (patch-src_runtime_os__netbsd.go) = 9b80de94667e3f8d8d1ae3648ab1fe43dd55d577
SHA1 (patch-src_runtime_sys__netbsd__arm64.s) = c8d3dfddd7930794a6ff9b2919c42632aa9358cd
SHA1 (patch-src_syscall_zsysnum__solaris__amd64.go) = ec28a0fa37ba9599ec1651c8e9337a2efc48a26b
@


1.12
log
@go115: update to 1.15.15.

This minor release includes a security fix according to the new security
policy.

A net/http/httputil ReverseProxy can panic due to a race condition if its
Handler aborts with ErrAbortHandler, for example due to an error in copying the
response body. An attacker might be able to force the conditions leading to the
race condition.

This is issue https://golang.org/issue/46866 and CVE-2021-36221. Thanks to
Andrew Crump (VMware) for reporting this issue.
@
text
@d1 1
a1 1
$NetBSD: distinfo,v 1.11 2021/07/13 10:05:08 bsiegert Exp $
@


1.11
log
@Update go115 to 1.15.14.

This minor release includes a security fix according to the new security policy.

crypto/tls clients can panic when provided a certificate of the wrong type for
the negotiated parameters. net/http clients performing HTTPS requests are also
affected. The panic can be triggered by an attacker in a privileged network
position without access to the server certificate's private key, as long as a
trusted ECDSA or Ed25519 certificate for the server exists (or can be issued),
or the client is configured with Config.InsecureSkipVerify. Clients that
disable all TLS_RSA cipher suites (that is, TLS 1.0–1.2 cipher
suites without ECDHE), as well as TLS 1.3-only clients, are unaffected.

This is issue 47143 and CVE-2021-34558. Thanks to Imre Rad for reporting this
issue.
@
text
@d1 1
a1 1
$NetBSD: distinfo,v 1.10 2021/06/04 16:43:21 bsiegert Exp $
d3 4
a6 4
SHA1 (go1.15.14.src.tar.gz) = d7f349ac6af29f2790016d2c287772aca72d356c
RMD160 (go1.15.14.src.tar.gz) = 47216fbc855df6ac4c0ab32eea928cfdf50f079c
SHA512 (go1.15.14.src.tar.gz) = 2bf18efcb3a5f9e54de0a0e7ee27a689c2dc895d9403bc6f66e500358e70d1d664d7f17102126c98bd26fa2a3346ead358684e45b1a354cde8764c715064dd92
Size (go1.15.14.src.tar.gz) = 23041432 bytes
@


1.10
log
@Update go115 to 1.15.13.

go1.15.13 (released 2021-06-03) includes security fixes to the archive/zip,
math/big, net, and net/http/httputil packages, as well as bug fixes to the
linker, the go command, and the math/big and net/http packages. See the Go
1.15.13 milestone on our issue tracker for details.

The SetString and UnmarshalText methods of math/big.Rat
<https://pkg.go.dev/math/big#Rat> may cause a panic or an unrecoverable
fatal error if passed inputs with very large exponents.
This is issue <https://github.com/golang/go/issues/44910> and
CVE-2021-33198.

Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel
Odeke for reporting it.

ReverseProxy in net/http/httputil <https://pkg.go.dev/net/http/httputil> could
be made to forward certain hop-by-hop headers, including Connection. In
case the target of the ReverseProxy was itself a reverse proxy, this would
let an attacker drop arbitrary headers, including those set by the
ReverseProxy.Director.
This is issue <https://github.com/golang/go/issues/46313> and
CVE-2021-33197.

Thanks to Mattias Grenfeldt (https://grenfeldt.dev) and Asta Olofsson for
reporting this issue.

The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in
net <https://pkg.go.dev/net>, and their respective methods on the Resolver
<https://pkg.go.dev/net#Resolver> type may return arbitrary values
retrieved from DNS which do not follow the established RFC 1035
<https://datatracker.ietf.org/doc/html/rfc1035> rules for domain names. If
these names are used without further sanitization, for instance unsafely
included in HTML, they may allow for injection of unexpected content. Note
that LookupTXT may still return arbitrary values that could require
sanitization before further use.
This is issue <https://github.com/golang/go/issues/46241> and
CVE-2021-33195.

Thanks to Philipp Jeitner and Haya Shulman from Fraunhofer SIT for
reporting this issue.

The NewReader and OpenReader functions in archive/zip
<https://pkg.go.dev/archive/zip> can cause a panic or an unrecoverable
fatal error when reading an archive that claims to contain a large number
of files, regardless of its actual size.
This is issue <https://github.com/golang/go/issues/46242> and
CVE-2021-33196.

Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel
Odeke for reporting it.
@
text
@d1 1
a1 1
$NetBSD: distinfo,v 1.9 2021/05/07 16:30:41 bsiegert Exp $
d3 4
a6 4
SHA1 (go1.15.13.src.tar.gz) = 4408218eeefe1367ca8b03a5cc3eb3d3dc164f2d
RMD160 (go1.15.13.src.tar.gz) = 27a5186dfca92ff95c55ec3652e4af03a6204232
SHA512 (go1.15.13.src.tar.gz) = 3f77716c9721afacb27daa175e236bb25cfc93602f1531df18938fad94bf4f59e81b81f53fa977c2ebc9a912942275a1106043133fec166965e72766b1638ba1
Size (go1.15.13.src.tar.gz) = 23039791 bytes
@


1.9
log
@Update go115 to 1.15.12.

go1.15.11 (released 2021/04/01) includes fixes to cgo, the compiler, linker,
runtime, the go command, and the database/sql and net/http packages. See the Go
1.15.11 milestone on our issue tracker for details.

go1.15.12 (released 2021/05/06) includes a security fix to the net/http
package, as well as bug fixes to the runtime and the time package. See the Go
1.15.12 milestone on our issue tracker for details.
@
text
@d1 1
a1 1
$NetBSD: distinfo,v 1.8 2021/03/30 14:53:35 jperkin Exp $
d3 4
a6 4
SHA1 (go1.15.12.src.tar.gz) = a91d50e0a67572b83c76c11ab9f250d217bd488e
RMD160 (go1.15.12.src.tar.gz) = 74404f5b7779261c73c920c991df9d60c3cc56b9
SHA512 (go1.15.12.src.tar.gz) = 9fdb0e74c0b4e8e5d8d45cbdb6f1d4be4d40549ef10629350856c3e045a82567a0418e949dfc229df7eea091ababec6b3e4e12b1bd424e14d7b10ef989e5c232
Size (go1.15.12.src.tar.gz) = 23035406 bytes
@


1.8
log
@go115: Find pkgsrc SSL certificates on SunOS.
@
text
@d1 1
a1 1
$NetBSD: distinfo,v 1.7 2021/03/19 17:22:55 bsiegert Exp $
d3 4
a6 4
SHA1 (go1.15.10.src.tar.gz) = 4c9ecfbe1e1aace59de5d8a5e9945a3c6e6b4bc1
RMD160 (go1.15.10.src.tar.gz) = 55bb5bdfdd80f075ca2777fccc3288ed40269b8f
SHA512 (go1.15.10.src.tar.gz) = 4f0ceff8dc035ec50cd0d136678573f4d624bca6a19293d5ffd75868d94d264291e44519bc450e40e8de486ee44d720555550eecf86cbae1f0d64dee00f90764
Size (go1.15.10.src.tar.gz) = 23021993 bytes
@


1.7
log
@Update go115 to 1.15.10.

go1.15.8 (released 2021/02/04) includes fixes to the compiler, linker, runtime,
the go command, and the net/http package. See the Go 1.15.8 milestone on our
issue tracker for details.

go1.15.9 (released 2021/03/10) includes security fixes to the encoding/xml
package. See the Go 1.15.9 milestone on our issue tracker for details.

go1.15.10 (released 2021/03/11) includes fixes to the compiler, the go command,
and the net/http, os, syscall, and time packages. See the Go 1.15.10 milestone
on our issue tracker for details.
@
text
@d1 1
a1 1
$NetBSD: distinfo,v 1.6 2021/01/23 14:07:38 bsiegert Exp $
d11 1
@


1.6
log
@Update go115 to 1.15.7.

* cmd/go: packages using cgo can cause arbitrary code execution at build time

The go command may execute arbitrary code at build time when cgo is in use on
Windows. This may occur when running “go get”, or any other command that builds
code. Only users who build untrusted code (and don’t execute it) are affected.

In addition to Windows users, this can also affect Unix users who have “.”
listed explicitly in their PATH and are running “go get” or build commands
outside of a module or with module mode disabled.

Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.

This issue is CVE-2021-3115 and Go issue golang.org/issue/43783.

For more background on the cmd/go change and help deciding whether your own
programs might have similar issues, see our blog post at
https://blog.golang.org/path-security.

* crypto/elliptic: incorrect operations on the P-224 curve

The P224() Curve implementation can in rare circumstances generate incorrect
outputs, including returning invalid points from ScalarMult.

The crypto/x509 and golang.org/x/crypto/ocsp (but not crypto/tls) packages
support P-224 ECDSA keys, but they are not supported by publicly trusted
certificate authorities. No other standard library or golang.org/x/crypto
package supports or uses the P-224 curve.

The incorrect output was found by the elliptic-curve-differential-fuzzer
project running on OSS-Fuzz and reported by Philippe Antoine (Catena cyber).

This issue is CVE-2021-3114 and Go issue golang.org/issue/43786.
@
text
@d1 1
a1 1
$NetBSD: distinfo,v 1.5 2020/11/13 18:45:50 bsiegert Exp $
d3 4
a6 4
SHA1 (go1.15.7.src.tar.gz) = 74c101243bc542b4343320837d2eafb8cd3c9992
RMD160 (go1.15.7.src.tar.gz) = b685bfaa4f92cce54b55f85a216fc7662111c29c
SHA512 (go1.15.7.src.tar.gz) = 7b3e8bcd2fc95baad41f8b5f0456c009e01896d160e65c2670d51c23d8cfcf7a6801e831e6f9a8877fe58c8f54ac8f75bf6e7935b38ba7aaa51dc8e46cf76ddb
Size (go1.15.7.src.tar.gz) = 23017978 bytes
@


1.5
log
@Update go115 to 1.15.5 (security fix).

   - math/big: panic during recursive division of very large numbers

A number of math/big.Int <https://pkg.go.dev/math/big#Int> methods (Div,
Exp, DivMod, Quo, Rem, QuoRem, Mod, ModInverse, ModSqrt, Jacobi, and GCD)
can panic when provided crafted large inputs. For the panic to happen, the
divisor or modulo argument must be larger than 3168 bits (on 32-bit
architectures) or 6336 bits (on 64-bit architectures). Multiple math/big.Rat
<https://pkg.go.dev/math/big#Rat> methods are similarly affected.

crypto/rsa.VerifyPSS <https://pkg.go.dev/crypto/rsa#VerifyPSS>,
crypto/rsa.VerifyPKCS1v15 <https://pkg.go.dev/crypto/rsa#VerifyPKCS1v15>,
and crypto/dsa.Verify <https://pkg.go.dev/crypto/dsa#Verify> may panic when
provided crafted public keys and signatures. crypto/ecdsa and
crypto/elliptic operations may only be affected if custom CurveParams
<https://pkg.go.dev/crypto/elliptic#CurveParams> with unusually large field
sizes (several times larger than the largest supported curve, P-521) are in
use. Using crypto/x509.Verify on a crafted X.509 certificate chain can lead
to a panic, even if the certificates don’t chain to a trusted root. The
chain can be delivered via a crypto/tls connection to a client, or to a
server that accepts and verifies client certificates. net/http clients can
be made to crash by an HTTPS server, while net/http servers that accept
client certificates will recover the panic and are unaffected.

Moreover, an application might crash invoking
crypto/x509.(*CertificateRequest).CheckSignature on an X.509 certificate
request or during a golang.org/x/crypto/otr conversation. Parsing a
golang.org/x/crypto/openpgp Entity or verifying a signature may crash.
Finally, a golang.org/x/crypto/ssh client can panic due to a malformed host
key, while a server could panic if either PublicKeyCallback accepts a
malformed public key, or if IsUserAuthority accepts a certificate with a
malformed public key.

This issue is CVE-2020-28362 and Go issue golang.org/issue/42552.


   - cmd/go: arbitrary code execution at build time through cgo

The go command may execute arbitrary code at build time when cgo is in use.
This may occur when running go get on a malicious package, or any other
command that builds untrusted code.

This can be caused by malicious gcc flags specified via a #cgo directive,
or by a malicious symbol name in a linked object file.

These issues are CVE-2020-28367 and CVE-2020-28366, and Go issues
golang.org/issue/42556 and golang.org/issue/42559 respectively.
@
text
@d1 1
a1 1
$NetBSD: distinfo,v 1.4 2020/11/08 20:38:10 bsiegert Exp $
d3 4
a6 4
SHA1 (go1.15.5.src.tar.gz) = 696fee3f3efa184c5d9ad28b048bbd36d7c84ef3
RMD160 (go1.15.5.src.tar.gz) = c5c60ae185efd5b399d222e2430380da7d3bf5e0
SHA512 (go1.15.5.src.tar.gz) = 8e1d71f628d364b949b1e124af8950a563bbe9d9ae73b94c66af6ce029f67c26e2654556c0c118d0bc8566af52a7e9ed736b4667bbef7ccdab2bd338c43e6eb4
Size (go1.15.5.src.tar.gz) = 23019303 bytes
@


1.4
log
@Update go115 to 1.15.4

go1.15.4 (released 2020/11/05) includes fixes to cgo, the compiler, linker,
runtime, and the compress/flate, net/http, reflect, and time packages. See the
Go 1.15.4 milestone on our issue tracker for details.
@
text
@d1 1
a1 1
$NetBSD: distinfo,v 1.3 2020/10/15 12:43:33 bsiegert Exp $
d3 4
a6 4
SHA1 (go1.15.4.src.tar.gz) = c8ab1f9921cfcd4f9b6f444edaac750de042fc01
RMD160 (go1.15.4.src.tar.gz) = 5edf9a8f8b2a4894dd07081a49629870e4d9e23c
SHA512 (go1.15.4.src.tar.gz) = 84fc687806d7904be0afcdfb4f45a74b4b45820c5c79b21b0c82cd51d07f3f8ae37e7f80730a411b96bdcf7f635b473ab0233c1bce977d2cf307d9a63aeb3df5
Size (go1.15.4.src.tar.gz) = 23017785 bytes
@


1.3
log
@Update go115 to 1.15.3.

go1.15.2 (released 2020/09/09) includes fixes to the compiler, runtime,
documentation, the go command, and the net/mail, os, sync, and testing
packages. See the Go 1.15.2 milestone on our issue tracker for details.

go1.15.3 (released 2020/10/14) includes fixes to cgo, the compiler, runtime,
the go command, and the bytes, plugin, and testing packages. See the Go 1.15.3
milestone on our issue tracker for details.
@
text
@d1 1
a1 1
$NetBSD: distinfo,v 1.2 2020/09/03 06:47:21 bsiegert Exp $
d3 4
a6 4
SHA1 (go1.15.3.src.tar.gz) = 748a571c88fce520ef2046e39697a9d561b4dcbd
RMD160 (go1.15.3.src.tar.gz) = f53c1ba66a7323ca8fe23fb34672dcf4dc5b9acf
SHA512 (go1.15.3.src.tar.gz) = 883fb327ce8aec77381aaa01e95acd0826c74d56a769d2077449b964411e30a5844117fdd941737015983c451a3e8d419bd40954842b199a09c26704577b5bca
Size (go1.15.3.src.tar.gz) = 23015071 bytes
@


1.2
log
@Update go115 to 1.15.1.

go1.15.1 (released 2020/09/01) includes security fixes to the net/http/cgi and
net/http/fcgi packages. See the Go 1.15.1 milestone on our issue tracker for
details.
@
text
@d1 1
a1 1
$NetBSD: distinfo,v 1.1 2020/08/21 19:50:22 bsiegert Exp $
d3 4
a6 4
SHA1 (go1.15.1.src.tar.gz) = c1777c68f358539e216848ee19e58efeb80532a1
RMD160 (go1.15.1.src.tar.gz) = 5e258cdbf8ae266669f16aadfc040ddabb903d4c
SHA512 (go1.15.1.src.tar.gz) = 08728dd7c64467482b1b17d1bd852ae6ca329062da95e10e91535e096b6ddd32d0e34a5e1f7b736175863c5543b6623406fc89b057273afc3f434ea97b343cfe
Size (go1.15.1.src.tar.gz) = 23009031 bytes
@


1.1
log
@Add a package for Go 1.15.

The latest Go release, version 1.15, arrives six months after Go 1.14. Most of
its changes are in the implementation of the toolchain, runtime, and libraries.
As always, the release maintains the Go 1 promise of compatibility. We expect
almost all Go programs to continue to compile and run as before.

Go 1.15 includes substantial improvements to the linker, improves allocation
for small objects at high core counts, and deprecates X.509 CommonName. GOPROXY
now supports skipping proxies that return errors and a new embedded tzdata
package has been added.

There are no changes to the language.
@
text
@d1 1
a1 1
$NetBSD: distinfo,v 1.7 2020/06/17 09:37:25 bsiegert Exp $
d3 4
a6 4
SHA1 (go1.15.src.tar.gz) = a08d95390ed83cc24da48c2672124e4deb864b3f
RMD160 (go1.15.src.tar.gz) = c3854e2d4912723cf761d648e1380290c4ba8b60
SHA512 (go1.15.src.tar.gz) = 7d85382bcc6a0625dfa3d07196ab364860846367ed67697a7b1516b0af551a72bc4873882141fc3c7a60d39f2e27b33f6693e8b18b608de76fc9a55b5eac55ea
Size (go1.15.src.tar.gz) = 23002901 bytes
@

