head 1.22; access; symbols pkgsrc-2022Q3:1.21.0.6 pkgsrc-2022Q3-base:1.21 pkgsrc-2022Q2:1.21.0.4 pkgsrc-2022Q2-base:1.21 pkgsrc-2022Q1:1.21.0.2 pkgsrc-2022Q1-base:1.21 pkgsrc-2021Q4:1.18.0.2 pkgsrc-2021Q4-base:1.18 pkgsrc-2021Q3:1.11.0.2 pkgsrc-2021Q3-base:1.11 pkgsrc-2021Q2:1.8.0.2 pkgsrc-2021Q2-base:1.8 pkgsrc-2021Q1:1.5.0.2 pkgsrc-2021Q1-base:1.5 pkgsrc-2020Q4:1.1.0.2 pkgsrc-2020Q4-base:1.1; locks; strict; comment @# @; 1.22 date 2022.10.01.11.25.52; author bsiegert; state dead; branches; next 1.21; commitid ooi4cH67J60wv0WD; 1.21 date 2022.03.06.09.53.43; author bsiegert; state Exp; branches; next 1.20; commitid 0xb90xD8i0aRI8vD; 1.20 date 2022.02.12.19.52.40; author bsiegert; state Exp; branches; next 1.19; commitid VMGBjd93TA99KmsD; 1.19 date 2022.01.09.19.18.52; author bsiegert; state Exp; branches; next 1.18; commitid V0MPoTtbRcnkEZnD; 1.18 date 2021.12.09.17.13.49; author bsiegert; state Exp; branches; next 1.17; commitid Nh6jOfCFAK8SWZjD; 1.17 date 2021.12.03.17.08.35; author bsiegert; state Exp; branches; next 1.16; commitid Ftyj0EMrLRGp7ejD; 1.16 date 2021.11.04.19.18.59; author bsiegert; state Exp; branches; next 1.15; commitid rIz33bW4rXUNKvfD; 1.15 date 2021.10.26.10.51.37; author nia; state Exp; branches; next 1.14; commitid obtJ15s6fwznfjeD; 1.14 date 2021.10.09.09.43.38; author rillig; state Exp; branches; next 1.13; commitid nrp4ZyVQOEtjq7cD; 1.13 date 2021.10.08.14.21.44; author bsiegert; state Exp; branches; next 1.12; commitid In4ko4WRGPqOZ0cD; 1.12 date 2021.10.07.14.20.55; author nia; state Exp; branches; next 1.11; commitid QJiB3Fx8Lkrv1TbD; 1.11 date 2021.09.17.12.56.18; author bsiegert; state Exp; branches; next 1.10; commitid ABB73yBwA0Accj9D; 1.10 date 2021.08.11.19.00.24; author bsiegert; state Exp; branches; next 1.9; commitid eBdNrW8KPFXnoA4D; 1.9 date 2021.07.13.10.12.00; author bsiegert; state Exp; branches; next 1.8; commitid rcT6VD7Qr17spO0D; 1.8 date 2021.06.05.12.40.07; author bsiegert; state Exp; branches; next 1.7; commitid 
YCBL9zhHWp57sWVC; 1.7 date 2021.05.07.18.29.14; author bsiegert; state Exp; branches; next 1.6; commitid ycMG3pHMq0W3ifSC; 1.6 date 2021.03.30.15.08.57; author jperkin; state Exp; branches; next 1.5; commitid RUn34DHglNQFqlNC; 1.5 date 2021.03.14.18.15.16; author bsiegert; state Exp; branches; next 1.4; commitid xFhWBl1cHdBgYiLC; 1.4 date 2021.03.10.19.55.17; author bsiegert; state Exp; branches; next 1.3; commitid JZwowIS6uNisENKC; 1.3 date 2021.02.17.08.07.03; author bsiegert; state Exp; branches; next 1.2; commitid gWBBCMkMlLMup2IC; 1.2 date 2021.01.29.17.22.30; author bsiegert; state Exp; branches; next 1.1; commitid racjKxevgNdV5EFC; 1.1 date 2020.12.19.17.58.07; author bsiegert; state Exp; branches; next ; commitid VNbVcf2uregrBnAC; desc @@ 1.22 log @go19, go110, go116, go117: remove Go 1.9 and 1.10 are no longer useful because they do not support module-based builds, which is most other packages now. Go 1.16 and 1.17 are end of life. ok to remove from gdt@@ on tech-pkg@@. @ text @$NetBSD: distinfo,v 1.21 2022/03/06 09:53:43 bsiegert Exp $ BLAKE2s (go1.16.15.src.tar.gz) = 78b23f96c75e8b159b3f49ff49c7f1930890d88815865bfb2906a70634cf6290 SHA512 (go1.16.15.src.tar.gz) = 5b7fd234e6eb3db173ec536ac599a8c640eb4b0e8abeb16f7728efb6d7c927c41a7e8631505ba6983f565f0470a37458e60d8df33089f7ab773c250b44413e66 Size (go1.16.15.src.tar.gz) = 20936353 bytes SHA1 (patch-misc_ios_clangwrap.sh) = 0a06403609cb7bce2e6f65444fd322f486761afe SHA1 (patch-src_cmd_dist_util.go) = 24e6f1b6ded842a8ce322a40e8766f7d344bc47e SHA1 (patch-src_crypto_x509_root__bsd.go) = 27636e0d8c121ccec6c46a3a82cd0e0469473a6e SHA1 (patch-src_crypto_x509_root__solaris.go) = cce8d78a5a3712a0e7a620ead232a779e4a4b21e SHA1 (patch-src_syscall_zsysnum__solaris__amd64.go) = ec28a0fa37ba9599ec1651c8e9337a2efc48a26b @ 1.21 log @Update go116 to 1.16.15. 
This minor release includes a security fix following the security policy: regexp: stack exhaustion compiling deeply nested expressions On 64-bit platforms, an extremely deeply nested expression can cause regexp.Compile to cause goroutine stack exhaustion, forcing the program to exit. Note this applies to very large expressions, on the order of 2MB. Thanks to Juho Nurminen of Mattermost for reporting this. This is CVE-2022-24921 and https://go.dev/issue/51112. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.20 2022/02/12 19:52:40 bsiegert Exp $ @ 1.20 log @Update go116 to 1.16.14 (security update). crypto/elliptic: fix IsOnCurve for big.Int values that are not valid coordinates Some big.Int values that are not valid field elements (negative or overflowing) might cause Curve.IsOnCurve to incorrectly return true. Operating on those values may cause a panic or an invalid curve operation. Note that Unmarshal will never return such values. Thanks to Guido Vranken for reporting this. This is CVE-2022-23806 and https://go.dev/issue/50974. math/big: prevent large memory consumption in Rat.SetString An attacker can cause unbounded memory growth in a program using (*Rat).SetString due to an unhandled overflow. Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke (@@odeke_et) for reporting it. This is CVE-2022-23772 and Go issue https://go.dev/issue/50699. cmd/go: prevent branches from materializing into versions A branch whose name resembles a version tag (such as "v1.0.0" or "subdir/v2.0.0-dev") can be considered a valid version by the go command. Materializing versions from branches might be unexpected and bypass ACLs that limit the creation of tags but not branches. This is CVE-2022-23773 and Go issue https://go.dev/issue/35671. 
@ text @d1 1 a1 1 $NetBSD: distinfo,v 1.19 2022/01/09 19:18:52 bsiegert Exp $ d3 3 a5 3 BLAKE2s (go1.16.14.src.tar.gz) = 4cea58059f72e37c0d72513211f901f2fbe3c9956fb361d2bf82eae389556c7d SHA512 (go1.16.14.src.tar.gz) = cd613d94d3c476a61bf9c3a7bb4f6f6c55a2b5c2732837e31bff4ca1f96941e42b2daa39ce3a8fced1a3808206c9711fc1c6cfe8c950b93b18179116478eef4e Size (go1.16.14.src.tar.gz) = 20932846 bytes @ 1.19 log @Update go116 to 1.16.13. go1.16.13 (released 2022-01-06) includes fixes to the compiler, linker, runtime, and the net/http package. See the Go 1.16.13 milestone on our issue tracker for details. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.18 2021/12/09 17:13:49 bsiegert Exp $ d3 3 a5 3 BLAKE2s (go1.16.13.src.tar.gz) = f36014c1832d5e67db746db97a1b57546d62998095c1bb59fbb476c213d44997 SHA512 (go1.16.13.src.tar.gz) = e168583a6264db5e28af0bc6a5de1e7586e0f4c248b8c387c8dd4a817c4a2bb303532e1f32067db3c565de9c1b39248f59573365c61c2f1116ba73f4af59b6bc Size (go1.16.13.src.tar.gz) = 20927103 bytes @ 1.18 log @Update go116 to 1.16.12. go1.16.12 (released 2021-12-09) includes security fixes to the syscall and net/http packages. See the Go 1.16.12 milestone on our issue tracker for details. When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. This is CVE-2021-44717 and is fixed in Go 1.17.5 and Go 1.16.12. An attacker can cause unbounded memory growth in a Go server accepting HTTP/2 requests. This is CVE-2021-44716 and is fixed in Go 1.17.5 and Go 1.16.12. 
@ text @d1 1 a1 1 $NetBSD: distinfo,v 1.17 2021/12/03 17:08:35 bsiegert Exp $ d3 3 a5 3 BLAKE2s (go1.16.12.src.tar.gz) = 6e3f7dff5441b01bdded03b666843a6fe25100df58b0173e83f0334374d92198 SHA512 (go1.16.12.src.tar.gz) = 01a641b1c52890ff375f62761db4d87f7207297c7971951ba9305aa99313b5ba3014cb7555096a8fd04c97c208d2432d71d94aa9134d1617f8bedb203aa91b58 Size (go1.16.12.src.tar.gz) = 20918701 bytes @ 1.17 log @Update go116 to 1.16.11. go1.16.11 (released 2021-12-02) includes fixes to the compiler, runtime, and the net/http, net/http/httptest, and time packages. See the Go 1.16.11 milestone on our issue tracker for details. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.16 2021/11/04 19:18:59 bsiegert Exp $ d3 3 a5 3 BLAKE2s (go1.16.11.src.tar.gz) = 5ca8645341b6e233738513c70953f25f8c3ccdeb59877b6a9e012a274f2db9e7 SHA512 (go1.16.11.src.tar.gz) = bf3ed7d95945f3afa92478e737e1782078419165f2d9f76b21b8f144c2ba529cf7a3665da1f46c7633721fe5eb67bdf848dd5b30440b6f86a12f5acd2766abbd Size (go1.16.11.src.tar.gz) = 20918537 bytes @ 1.16 log @Update go116 to 1.16.10. go1.16.10 (released 2021-11-04) includes security fixes to the archive/zip and debug/macho packages, as well as bug fixes to the compiler, linker, runtime, the misc/wasm directory, and to the net/http package. See the Go 1.16.10 milestone on our issue tracker for details. 
@ text @d1 1 a1 1 $NetBSD: distinfo,v 1.15 2021/10/26 10:51:37 nia Exp $ d3 3 a5 3 BLAKE2s (go1.16.10.src.tar.gz) = 5682bb501f97df0dfb65f78f3ae55c9f5208716709705b6e2be1daa573f71c9a SHA512 (go1.16.10.src.tar.gz) = d12753bd7973beb7ab047a189bd0d7132b5ab8c35e943b12388289d59f9becaefb858d37cfcb808c1e12f3e06c883ef170d98ed99449e9beda636cab9bfff2b6 Size (go1.16.10.src.tar.gz) = 20918003 bytes @ 1.15 log @lang: Replace RMD160 checksums with BLAKE2s checksums All checksums have been double-checked against existing RMD160 and SHA512 hashes The following distfiles could not be fetched (possibly fetched conditionally?): ./lang/rust-bin/distinfo rust-bin-1.54.0/rust-1.54.0-aarch64-unknown-linux-gnu.tar.gz ./lang/rust-bin/distinfo rust-bin-1.54.0/rust-1.54.0-aarch64-unknown-linux-musl.tar.gz ./lang/rust-bin/distinfo rust-bin-1.54.0/rust-1.54.0-aarch64-unknown-netbsd.tar.gz ./lang/rust-bin/distinfo rust-bin-1.54.0/rust-1.54.0-armv7-unknown-netbsd-eabihf.tar.gz ./lang/rust-bin/distinfo rust-bin-1.54.0/rust-1.54.0-i686-unknown-linux-gnu.tar.gz ./lang/rust-bin/distinfo rust-bin-1.54.0/rust-1.54.0-powerpc-unknown-netbsd90.tar.gz ./lang/rust-bin/distinfo rust-bin-1.54.0/rust-1.54.0-sparc64-unknown-netbsd.tar.gz ./lang/rust-bin/distinfo rust-bin-1.54.0/rust-1.54.0-x86_64-apple-darwin.tar.gz ./lang/rust-bin/distinfo rust-bin-1.54.0/rust-1.54.0-x86_64-unknown-freebsd.tar.gz ./lang/rust-bin/distinfo rust-bin-1.54.0/rust-1.54.0-x86_64-unknown-linux-gnu.tar.gz ./lang/rust-bin/distinfo rust-bin-1.54.0/rust-1.54.0-x86_64-unknown-linux-musl.tar.gz ./lang/smlnj/distinfo smlnj-110.73/boot.ppc-unix.tgz ./lang/smlnj/distinfo smlnj-110.73/boot.sparc-unix.tgz ./lang/oracle-jre8/distinfo jce_policy-8.zip ./lang/oracle-jre8/distinfo jre-8u202-linux-i586.tar.gz ./lang/oracle-jre8/distinfo jre-8u202-linux-x64.tar.gz ./lang/oracle-jre8/distinfo jre-8u202-macosx-x64.tar.gz ./lang/oracle-jre8/distinfo jre-8u202-solaris-x64.tar.gz ./lang/oracle-jdk8/distinfo jdk-8u202-linux-i586.tar.gz 
./lang/oracle-jdk8/distinfo jdk-8u202-linux-x64.tar.gz ./lang/oracle-jdk8/distinfo jdk-8u202-solaris-x64.tar.gz ./lang/ghc80/distinfo ghc-7.10.3-boot-x86_64-unknown-solaris2.tar.xz ./lang/ghc80/distinfo ghc-8.0.2-boot-i386-unknown-freebsd.tar.xz ./lang/ghc80/distinfo ghc-8.0.2-boot-x86_64-unknown-freebsd.tar.xz ./lang/gcc5-aux/distinfo ada-bootstrap.i386.freebsd.100B.tar.bz2 ./lang/gcc5-aux/distinfo ada-bootstrap.i386.freebsd.84.tar.bz2 ./lang/gcc5-aux/distinfo ada-bootstrap.x86_64.dragonfly.41.tar.bz2 ./lang/gcc5-aux/distinfo ada-bootstrap.x86_64.freebsd.100B.tar.bz2 ./lang/gcc5-aux/distinfo ada-bootstrap.x86_64.freebsd.84.tar.bz2 ./lang/gcc5-aux/distinfo ada-bootstrap.x86_64.solaris.511.tar.bz2 ./lang/rust/distinfo rust-1.53.0-aarch64-apple-darwin.tar.gz ./lang/rust/distinfo rust-1.53.0-aarch64-unknown-linux-gnu.tar.gz ./lang/rust/distinfo rust-1.53.0-aarch64-unknown-netbsd.tar.gz ./lang/rust/distinfo rust-1.53.0-aarch64_be-unknown-netbsd.tar.gz ./lang/rust/distinfo rust-1.53.0-arm-unknown-linux-gnueabihf.tar.gz ./lang/rust/distinfo rust-1.53.0-armv7-unknown-linux-gnueabihf.tar.gz ./lang/rust/distinfo rust-1.53.0-i686-unknown-linux-gnu.tar.gz ./lang/rust/distinfo rust-1.53.0-powerpc-unknown-netbsd.tar.gz ./lang/rust/distinfo rust-1.53.0-powerpc-unknown-netbsd90.tar.gz ./lang/rust/distinfo rust-1.53.0-sparc64-unknown-netbsd.tar.gz ./lang/rust/distinfo rust-1.53.0-x86_64-apple-darwin.tar.gz ./lang/rust/distinfo rust-1.53.0-x86_64-unknown-freebsd.tar.gz ./lang/rust/distinfo rust-1.53.0-x86_64-unknown-illumos.tar.gz ./lang/rust/distinfo rust-1.53.0-x86_64-unknown-linux-gnu.tar.gz ./lang/rust/distinfo rust-std-1.53.0-aarch64-apple-darwin.tar.gz ./lang/rust/distinfo rust-std-1.53.0-aarch64-unknown-linux-gnu.tar.gz ./lang/rust/distinfo rust-std-1.53.0-aarch64-unknown-netbsd.tar.gz ./lang/rust/distinfo rust-std-1.53.0-aarch64_be-unknown-netbsd.tar.gz ./lang/rust/distinfo rust-std-1.53.0-arm-unknown-linux-gnueabihf.tar.gz ./lang/rust/distinfo 
rust-std-1.53.0-armv7-unknown-linux-gnueabihf.tar.gz ./lang/rust/distinfo rust-std-1.53.0-i686-unknown-linux-gnu.tar.gz ./lang/rust/distinfo rust-std-1.53.0-powerpc-unknown-netbsd.tar.gz ./lang/rust/distinfo rust-std-1.53.0-powerpc-unknown-netbsd90.tar.gz ./lang/rust/distinfo rust-std-1.53.0-sparc64-unknown-netbsd.tar.gz ./lang/rust/distinfo rust-std-1.53.0-x86_64-apple-darwin.tar.gz ./lang/rust/distinfo rust-std-1.53.0-x86_64-unknown-freebsd.tar.gz ./lang/rust/distinfo rust-std-1.53.0-x86_64-unknown-linux-gnu.tar.gz ./lang/smlnj11072/distinfo smlnj-110.72/boot.ppc-unix.tgz ./lang/smlnj11072/distinfo smlnj-110.72/boot.sparc-unix.tgz ./lang/ghc84/distinfo ghc-8.0.2-boot-x86_64-unknown-solaris2.tar.xz ./lang/ghc84/distinfo ghc-8.4.4-boot-i386-unknown-freebsd.tar.xz ./lang/ghc84/distinfo ghc-8.4.4-boot-x86_64-apple-darwin.tar.xz ./lang/ghc84/distinfo ghc-8.4.4-boot-x86_64-unknown-freebsd.tar.xz ./lang/ghc7/distinfo ghc-7.10.3-boot-i386-unknown-freebsd.tar.xz ./lang/ghc7/distinfo ghc-7.6.3-boot-i386-unknown-solaris2.tar.xz ./lang/ghc7/distinfo ghc-7.6.3-boot-powerpc-apple-darwin.tar.xz ./lang/ghc7/distinfo ghc-7.6.3-boot-x86_64-unknown-solaris2.tar.xz ./lang/ghc90/distinfo ghc-8.10.4-boot-x86_64-unknown-solaris2.tar.xz ./lang/ghc90/distinfo ghc-9.0.1-boot-aarch64-unknown-netbsd.tar.xz ./lang/ghc90/distinfo ghc-9.0.1-boot-i386-unknown-freebsd.tar.xz ./lang/ghc90/distinfo ghc-9.0.1-boot-x86_64-apple-darwin.tar.xz ./lang/ghc90/distinfo ghc-9.0.1-boot-x86_64-unknown-freebsd.tar.xz ./lang/openjdk8/distinfo openjdk7/bootstrap-jdk-1.7.76-freebsd-10-amd64-20150301.tar.xz ./lang/openjdk8/distinfo openjdk7/bootstrap-jdk-1.7.76-netbsd-7-sparc64-20150301.tar.xz ./lang/openjdk8/distinfo openjdk7/bootstrap-jdk-1.8.181-netbsd-8-aarch64-20180917.tar.xz ./lang/openjdk8/distinfo openjdk7/bootstrap-jdk7u60-bin-dragonfly-3.6-amd64-20140719.tar.bz2 ./lang/openjdk8/distinfo openjdk7/bootstrap-jdk7u60-bin-dragonfly-3.8-amd64-20140719.tar.bz2 ./lang/go-bin/distinfo 
go1.14.2.darwin-amd64.tar.gz ./lang/go-bin/distinfo go1.14.2.linux-386.tar.gz ./lang/go-bin/distinfo go1.14.2.linux-amd64.tar.gz ./lang/go-bin/distinfo go1.14.2.linux-arm64.tar.gz ./lang/go-bin/distinfo go1.14.2.linux-armv6l.tar.gz ./lang/go-bin/distinfo go1.14.2.netbsd-arm64.tar.gz ./lang/go-bin/distinfo go1.16beta1.darwin-arm64.tar.gz ./lang/gcc6-aux/distinfo ada-bootstrap.i386.freebsd.100B.tar.bz2 ./lang/gcc6-aux/distinfo ada-bootstrap.x86_64.dragonfly.41.tar.bz2 ./lang/gcc6-aux/distinfo ada-bootstrap.x86_64.freebsd.100B.tar.bz2 ./lang/gcc6-aux/distinfo ada-bootstrap.x86_64.freebsd.84.tar.bz2 ./lang/gcc6-aux/distinfo ada-bootstrap.x86_64.solaris.511.tar.bz2 ./lang/ghc810/distinfo ghc-8.8.4-boot-x86_64-unknown-solaris2.tar.xz ./lang/sun-jre7/distinfo UnlimitedJCEPolicyJDK7.zip ./lang/sun-jre7/distinfo jre-7u80-linux-x64.tar.gz ./lang/sun-jre7/distinfo jre-7u80-solaris-i586.tar.gz ./lang/sun-jre7/distinfo jre-7u80-solaris-x64.tar.gz ./lang/ghc88/distinfo ghc-8.4.4-boot-i386-unknown-freebsd.tar.xz ./lang/ghc88/distinfo ghc-8.4.4-boot-x86_64-apple-darwin.tar.xz ./lang/ghc88/distinfo ghc-8.4.4-boot-x86_64-unknown-freebsd.tar.xz ./lang/ghc88/distinfo ghc-8.4.4-boot-x86_64-unknown-solaris2.tar.xz ./lang/gcc-aux/distinfo ada-bootstrap.i386.dragonfly.36A.tar.bz2 ./lang/gcc-aux/distinfo ada-bootstrap.i386.freebsd.100B.tar.bz2 ./lang/gcc-aux/distinfo ada-bootstrap.i386.freebsd.84.tar.bz2 ./lang/gcc-aux/distinfo ada-bootstrap.x86_64.dragonfly.36A.tar.bz2 ./lang/gcc-aux/distinfo ada-bootstrap.x86_64.freebsd.100B.tar.bz2 ./lang/gcc-aux/distinfo ada-bootstrap.x86_64.freebsd.84.tar.bz2 ./lang/gcc-aux/distinfo ada-bootstrap.x86_64.solaris.511.tar.bz2 ./lang/gcc6/distinfo ecj-4.5.jar ./lang/openjdk11/distinfo bootstrap-jdk-1.11.0.7.10-netbsd-9-aarch64-20200509.tar.xz ./lang/sun-jdk7/distinfo jdk-7u80-linux-x64.tar.gz ./lang/sun-jdk7/distinfo jdk-7u80-solaris-i586.tar.gz ./lang/sun-jdk7/distinfo jdk-7u80-solaris-x64.tar.gz @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.14 2021/10/09 
09:43:38 rillig Exp $ d3 3 a5 3 BLAKE2s (go1.16.9.src.tar.gz) = bb4c35ccb19acd58aeb617b6fe4c14dbd4e77516ca152a514098552828333d7a SHA512 (go1.16.9.src.tar.gz) = e1c02ac64fcc13b94bb160c9129d5fcfa4a486df069e4f5a42b5d5827e0c82105a957a92926a1e4802e37fd5a148ffcc015e244a31367fd68cfe30c90d2de385 Size (go1.16.9.src.tar.gz) = 20921003 bytes @ 1.14 log @postgresql, patch, go: remove SHA1 hash from distfiles Found by pkglint 21.3.1. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.13 2021/10/08 14:21:44 bsiegert Exp $ d3 1 a3 1 RMD160 (go1.16.9.src.tar.gz) = 26d7fee33a77331e78c2d0563dff25823d88754f @ 1.13 log @Update go116 to 1.16.9. This minor release includes a security fix according to the new security policy. When invoking functions from WASM modules, built using GOARCH=wasm GOOS=js, passing very large arguments can cause portions of the module to be overwritten with data from the arguments. If using wasm_exec.js to execute WASM modules, users will need to replace their copy (as described in https://golang.org/wiki/WebAssembly#getting-started) after rebuilding any modules. This is issue 48797 and CVE-2021-38297. Thanks to Ben Lubar for reporting this issue. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.12 2021/10/07 14:20:55 nia Exp $ a2 1 SHA1 (go1.16.9.src.tar.gz) = 624e15c01eb2219a4663e5cf7badad8b2e5a500d @ 1.12 log @lang: Remove SHA1 hashes for distfiles @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.11 2021/09/17 12:56:18 bsiegert Exp $ d3 4 a6 3 RMD160 (go1.16.8.src.tar.gz) = e476b83c7ac83b65f4224e4914d7af0114b16ab2 SHA512 (go1.16.8.src.tar.gz) = 49b3b341ee3dbf2964f8e938a6d797a48e4b46e19c6c6f240038cd48c8668b76982f0c9c61e38bfdc42eb03db72d125457905cba76589d1d7d2f825bc67587e3 Size (go1.16.8.src.tar.gz) = 20922236 bytes @ 1.11 log @Update go116 to 1.16.8 (security). go1.16.8 (released 2021-09-09) includes a security fix to the archive/zip package, as well as bug fixes to the archive/zip, go/internal/gccgoimporter, html/template, net/http, and runtime/pprof packages. 
@ text @d1 1 a1 1 $NetBSD: distinfo,v 1.10 2021/08/11 19:00:24 bsiegert Exp $ a2 1 SHA1 (go1.16.8.src.tar.gz) = 5d72485dfaee6d7153f38b649a007f8c10a0336f @ 1.10 log @go116: update to 1.16.7. This minor release includes a security fix according to the new security policy. A net/http/httputil ReverseProxy can panic due to a race condition if its Handler aborts with ErrAbortHandler, for example due to an error in copying the response body. An attacker might be able to force the conditions leading to the race condition. This is issue https://golang.org/issue/46866 and CVE-2021-36221. Thanks to Andrew Crump (VMware) for reporting this issue. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.9 2021/07/13 10:12:00 bsiegert Exp $ d3 4 a6 4 SHA1 (go1.16.7.src.tar.gz) = 94e3f19866c40bb73700d93625489998604d1b15 RMD160 (go1.16.7.src.tar.gz) = b1f1b8458dfc659cfca33b61a3041408dc9fbbf7 SHA512 (go1.16.7.src.tar.gz) = 1aab6f3dcbae71ebfa29a1d9a46613a3aa48de01cee82b48842d92abbb4ee57db019a4d47a3f12af9553c8e2a982e90114a06ee187f908f7c29245d9786b9186 Size (go1.16.7.src.tar.gz) = 20922206 bytes @ 1.9 log @Update go116 to 1.16.6. This minor release includes a security fix according to the new security policy. crypto/tls clients can panic when provided a certificate of the wrong type for the negotiated parameters. net/http clients performing HTTPS requests are also affected. The panic can be triggered by an attacker in a privileged network position without access to the server certificate's private key, as long as a trusted ECDSA or Ed25519 certificate for the server exists (or can be issued), or the client is configured with Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher suites (that is, TLS 1.0–1.2 cipher suites without ECDHE), as well as TLS 1.3-only clients, are unaffected. This is issue 47143 and CVE-2021-34558. Thanks to Imre Rad for reporting this issue. 
@ text @d1 1 a1 1 $NetBSD: distinfo,v 1.8 2021/06/05 12:40:07 bsiegert Exp $ d3 4 a6 4 SHA1 (go1.16.6.src.tar.gz) = 047772552a78bb6d20682425e38d43dc4d94ad3f RMD160 (go1.16.6.src.tar.gz) = 9e8e85819c17977d8b4ffbe6afe8fa00d2946269 SHA512 (go1.16.6.src.tar.gz) = 82634763dce636c9e9cba1bbf74a669e8b88e6df095e80672f295edb82cc1fc4b8ffde91a1f56c3470f2c4d9ee0404f65146d7478b645890623f6c463513a61f Size (go1.16.6.src.tar.gz) = 20923044 bytes @ 1.8 log @Update go116 to 1.16.5. go1.16.5 (released 2021-06-03) includes security fixes to the archive/zip, math/big, net, and net/http/httputil packages, as well as bug fixes to the linker, the go command, and the net/http package. See the Go 1.16.5 milestone on our issue tracker for details. The SetString and UnmarshalText methods of math/big.Rat may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents. This is issue and CVE-2021-33198. Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke for reporting it. ReverseProxy in net/http/httputil could be made to forward certain hop-by-hop headers, including Connection. In case the target of the ReverseProxy was itself a reverse proxy, this would let an attacker drop arbitrary headers, including those set by the ReverseProxy.Director. This is issue and CVE-2021-33197. Thanks to Mattias Grenfeldt (https://grenfeldt.dev) and Asta Olofsson for reporting this issue. The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in net, and their respective methods on the Resolver type may return arbitrary values retrieved from DNS which do not follow the established RFC 1035 rules for domain names. If these names are used without further sanitization, for instance unsafely included in HTML, they may allow for injection of unexpected content. Note that LookupTXT may still return arbitrary values that could require sanitization before further use. This is issue and CVE-2021-33195.
Thanks to Philipp Jeitner and Haya Shulman from Fraunhofer SIT for reporting this issue. The NewReader and OpenReader functions in archive/zip can cause a panic or an unrecoverable fatal error when reading an archive that claims to contain a large number of files, regardless of its actual size. This is issue and CVE-2021-33196. Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke for reporting it. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.7 2021/05/07 18:29:14 bsiegert Exp $ d3 4 a6 4 SHA1 (go1.16.5.src.tar.gz) = b3d00525ea5af180149fafca8da730c6f988f29f RMD160 (go1.16.5.src.tar.gz) = dfbe9538c56f60215d699b611aac1db182751e5c SHA512 (go1.16.5.src.tar.gz) = ba90ce1f3faa39519eb5437009c4b710b493e42764a14b0821292a8a17b714fe5985ef20e6e3c340f71cb521ff63d45a23570d38fd752526a1262448c641d544 Size (go1.16.5.src.tar.gz) = 20921372 bytes @ 1.7 log @Update go116 to 1.16.4. go1.16.3 (released 2021/04/01) includes fixes to the compiler, linker, runtime, the go command, and the testing and time packages. See the Go 1.16.3 milestone on our issue tracker for details. go1.16.4 (released 2021/05/06) includes a security fix to the net/http package, as well as bug fixes to the runtime, the compiler, and the archive/zip, time, and syscall packages. See the Go 1.16.4 milestone on our issue tracker for details. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.6 2021/03/30 15:08:57 jperkin Exp $ d3 4 a6 4 SHA1 (go1.16.4.src.tar.gz) = b1d5f9a63f0cda6580f6a31419af78dc0723536a RMD160 (go1.16.4.src.tar.gz) = ae3a07321fea0f4ee8442d02f285e68b9f361e5c SHA512 (go1.16.4.src.tar.gz) = e1b64610e22e657d9c65094e679cec50f59ff338c0ef102e54debcced1bc032390122456451fffb2d26d45c6db2f55bb9ef7f56ce479f6f1c2c2e6cc49442d86 Size (go1.16.4.src.tar.gz) = 20917203 bytes @ 1.6 log @go116: Find pkgsrc SSL certificates on SunOS. 
@ text @d1 1 a1 1 $NetBSD: distinfo,v 1.5 2021/03/14 18:15:16 bsiegert Exp $ d3 4 a6 4 SHA1 (go1.16.2.src.tar.gz) = 78812c9ee656d3f54b8c9b4f3f78e00e81ba81ad RMD160 (go1.16.2.src.tar.gz) = 0f667e1fd0691890eb282d921ac46c442df62c69 SHA512 (go1.16.2.src.tar.gz) = d14858a75cc7411975aaca705e66145287dc96b4fac1b1b06b95377dc5e5d2762f060973744114f42c780b34ea4baef7038c94616649c2dcc5c97e261cefc6bd Size (go1.16.2.src.tar.gz) = 20905135 bytes @ 1.5 log @Update go116 to 1.16.2. go1.16.2 (released 2021/03/11) includes fixes to cgo, the compiler, linker, the go command, and the syscall and time packages. See the Go 1.16.2 milestone on our issue tracker for details. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.4 2021/03/10 19:55:17 bsiegert Exp $ d10 1 @ 1.4 log @Update go116 to 1.16.1, fixing two security issues: - encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader The Decode, DecodeElement, and Skip methods of an xml.Decoder provided by xml.NewTokenDecoder may enter an infinite loop when operating on a custom xml.TokenReader which returns an EOF in the middle of an open XML element. Thanks to Sam Whited for reporting this issue. This issue is CVE-2021-27918 and Go issue golang.org/issue/44913. - archive/zip: panic when calling Reader.Open The Reader.Open API, new in Go 1.16, will panic when used on a ZIP archive containing files that start with "../". This issue is CVE-2021-27919 and Go issue golang.org/issue/44916. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.3 2021/02/17 08:07:03 bsiegert Exp $ d3 4 a6 4 SHA1 (go1.16.1.src.tar.gz) = ab7746ed5ec54110f5fbf4f8615a640530990111 RMD160 (go1.16.1.src.tar.gz) = cab008285e02e97ab3523239684f9ad0b102da6b SHA512 (go1.16.1.src.tar.gz) = c7674be1a4a03c031d13a52e03a5e134bd2f499fe1bde3083885e363528252fce43b119974b804c8c46ec59e85337bb94e96b7a7183bdb78301898e222b3bba1 Size (go1.16.1.src.tar.gz) = 20897580 bytes @ 1.3 log @go116: update to the final 1.16 release I did not find a detailed changelog from rc1. 
@ text @d1 1 a1 1 $NetBSD: distinfo,v 1.2 2021/01/29 17:22:30 bsiegert Exp $ d3 4 a6 4 SHA1 (go1.16.src.tar.gz) = 1d2b65415c9061eeb800c888a936511d6af0d6d5 RMD160 (go1.16.src.tar.gz) = 1009890b7d4bbf6d8888a6f7adae8b0e42edb7ae SHA512 (go1.16.src.tar.gz) = 9c43e0ebb2d35c694b652cae8d4040ce3f3c8c014abd9496c92c78cc015ecea5b5331e7c2acf098d0c24dec222454ea09d834df4b6bc90d46e9feeac0ac578bf Size (go1.16.src.tar.gz) = 20895394 bytes @ 1.2 log @Update go116 to 1.16 RC1. This RC contains the recent security updates for Go and fixes a number of bugs. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.1 2020/12/19 17:58:07 bsiegert Exp $ d3 4 a6 4 SHA1 (go1.16rc1.src.tar.gz) = ac79fef24307f1715ba51793565326e4d4b2d926 RMD160 (go1.16rc1.src.tar.gz) = 9668aaf3aa5a09cb55f20b76aff5684cf198ae2d SHA512 (go1.16rc1.src.tar.gz) = 83b739c515dadd13fa6b8eaebc3a0783a5d74275c8c95221a70329cc638ded20228be114961c81d3f90150d625af12ecf2b7ec793fbc0d5c0c8a9c799b9626fe Size (go1.16rc1.src.tar.gz) = 23393226 bytes @ 1.1 log @Add a package for go116-1.16.beta1. Normally, we would not package beta versions, except maybe in pkgsrc-wip. This is different though, since 1.16.beta1 is the first Go version supporting macOS on Apple Silicon. Discussion about this was on tech-pkg@@. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.5 2020/11/13 18:45:50 bsiegert Exp $ d3 4 a6 4 SHA1 (go1.16beta1.src.tar.gz) = 1d263d640f2927a1e4ee6ea9c8de6b632baecc00 RMD160 (go1.16beta1.src.tar.gz) = bb4f61cce7c59f18b987ce5d348ccb4bab4138a9 SHA512 (go1.16beta1.src.tar.gz) = 8a9c2abbaeedb8bb17aa0de20a20fb520430b19bbc4034a5763dfd54468df70715f129c0b8a05542be4bf012b73eb2967c27d33508104fb4e01716011c687cfe Size (go1.16beta1.src.tar.gz) = 23380831 bytes @