summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorspz <spz@pkgsrc.org>2016-12-12 06:50:02 +0000
committerspz <spz@pkgsrc.org>2016-12-12 06:50:02 +0000
commit8cd28a8c5193de6ec768e6771e2d0a07bf7b52cb (patch)
tree806f5b338adf5af500ea00b8a664cb2ab0129a49
parent9475468305959a7017c43b12dde502787b98ac11 (diff)
downloadpkgsrc-8cd28a8c5193de6ec768e6771e2d0a07bf7b52cb.tar.gz
Pullup ticket #5170 - requested by bsiegert
lang/go: security update Revisions pulled up: - lang/go/Makefile 1.48 - lang/go/PLIST 1.28 - lang/go/distinfo 1.42,1.41 - lang/go/patches/patch-src_net_http_h2__bundle.go deleted - lang/go/version.mk 1.21,1.18 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: bsiegert Date: Sun Dec 4 16:08:55 UTC 2016 Modified Files: pkgsrc/lang/go: distinfo version.mk Log Message: Update Go to 1.7.4. Two security-related issues were recently reported, and to address these issues we have just released Go 1.6.4 and Go 1.7.4. We recommend that all users update to one of these releases (if you're not sure which, choose Go 1.7.4). The issues addressed by these releases are: On Darwin, user's trust preferences for root certificates were not honored. If the user had a root certificate loaded in their Keychain that was explicitly not trusted, a Go program would still verify a connection using that root certificate. This is addressed by https://golang.org/cl/33721, tracked in https://golang.org/issue/18141. Thanks to Xy Ziemba for identifying and reporting this issue. The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors. This is addressed by https://golang.org/cl/30410, tracked in https://golang.org/issue/17965. Thanks to Simon Rawet for the report. To generate a diff of this commit: cvs rdiff -u -r1.41 -r1.42 pkgsrc/lang/go/distinfo cvs rdiff -u -r1.20 -r1.21 pkgsrc/lang/go/version.mk ------------------------------------------------------------------- Module Name: pkgsrc Committed By: bsiegert Date: Thu Oct 27 18:58:00 UTC 2016 Modified Files: pkgsrc/lang/go: Makefile PLIST distinfo version.mk Removed Files: pkgsrc/lang/go/patches: patch-src_net_http_h2__bundle.go Log Message: Update Go to 1.7.3. go1.7.2 should not be used. It was tagged but not fully released. The release was deferred due to a last minute bug report. Use go1.7.3 instead, and refer to the summary of changes below. go1.7.3 (released 2016/10/19) includes fixes to the compiler, runtime, and the crypto/cipher, crypto/tls, net/http, and strings packages. See the Go 1.7.3 milestone on our issue tracker for details. To generate a diff of this commit: cvs rdiff -u -r1.47 -r1.48 pkgsrc/lang/go/Makefile cvs rdiff -u -r1.27 -r1.28 pkgsrc/lang/go/PLIST cvs rdiff -u -r1.40 -r1.41 pkgsrc/lang/go/distinfo cvs rdiff -u -r1.17 -r1.18 pkgsrc/lang/go/version.mk cvs rdiff -u -r1.1 -r0 \ pkgsrc/lang/go/patches/patch-src_net_http_h2__bundle.go
-rw-r--r--lang/go/Makefile3
-rw-r--r--lang/go/PLIST3
-rw-r--r--lang/go/distinfo10
-rw-r--r--lang/go/patches/patch-src_net_http_h2__bundle.go37
-rw-r--r--lang/go/version.mk4
5 files changed, 10 insertions, 47 deletions
diff --git a/lang/go/Makefile b/lang/go/Makefile
index e460558420f..5196ca11f69 100644
--- a/lang/go/Makefile
+++ b/lang/go/Makefile
@@ -1,10 +1,9 @@
-# $NetBSD: Makefile,v 1.47 2016/09/17 15:56:58 bsiegert Exp $
+# $NetBSD: Makefile,v 1.47.2.1 2016/12/12 06:50:02 spz Exp $
.include "version.mk"
DISTNAME= go${GO_VERSION}.src
PKGNAME= go-${GO_VERSION}
-PKGREVISION= 1
CATEGORIES= lang
MASTER_SITES= https://storage.googleapis.com/golang/
diff --git a/lang/go/PLIST b/lang/go/PLIST
index 7a4f8e5ab87..b67138d8a41 100644
--- a/lang/go/PLIST
+++ b/lang/go/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.27 2016/09/10 09:09:23 bsiegert Exp $
+@comment $NetBSD: PLIST,v 1.27.2.1 2016/12/12 06:50:02 spz Exp $
bin/go
bin/gofmt
go/AUTHORS
@@ -5694,6 +5694,7 @@ go/test/fixedbugs/issue16133.go
go/test/fixedbugs/issue16193.go
go/test/fixedbugs/issue16249.go
go/test/fixedbugs/issue16515.go
+go/test/fixedbugs/issue17318.go
go/test/fixedbugs/issue2615.go
go/test/fixedbugs/issue3552.dir/one.go
go/test/fixedbugs/issue3552.dir/two.go
diff --git a/lang/go/distinfo b/lang/go/distinfo
index 75751d58102..f457f1b30bf 100644
--- a/lang/go/distinfo
+++ b/lang/go/distinfo
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.40 2016/09/17 15:56:58 bsiegert Exp $
+$NetBSD: distinfo,v 1.40.2.1 2016/12/12 06:50:02 spz Exp $
-SHA1 (go1.7.1.src.tar.gz) = 6df2097fd11014086f6b6015cd4777f3acf37b91
-RMD160 (go1.7.1.src.tar.gz) = 378d3fd9d3d8b7e331b7ce4531a704afcbd32a75
-SHA512 (go1.7.1.src.tar.gz) = eab2b44f44d05c62645756e05078c2a8b7e3c4d2413617a20a6659df22e4612bb2059cf4906ab81134421eb371903034c1b197bb5595c9af9901819b2b3330a3
-Size (go1.7.1.src.tar.gz) = 14098889 bytes
+SHA1 (go1.7.4.src.tar.gz) = 0fb305c827c8794cfda7e437befa6101a2d06b2e
+RMD160 (go1.7.4.src.tar.gz) = 8de5ff1fd50a6f0b6bc16e0de0f1e13185f291f0
+SHA512 (go1.7.4.src.tar.gz) = dc9950c3ea7100e536ad58fd93505d584276b7c50d4b8fe2ba7f20fd043dcf0d315b735c48945302055e91517594cc2b0061ccec9478a8ab48f1f2836c20afb3
+Size (go1.7.4.src.tar.gz) = 14198817 bytes
SHA1 (patch-lib_time_update.bash) = 17d28ba574dd08735b58cf73487104a5df3b7684
SHA1 (patch-misc_io_clangwrap.sh) = cd91c47ba0fe7b6eb8009dd261c0c26c7d581c29
SHA1 (patch-src_crypto_x509_root__bsd.go) = 0eca1eafa967268ae9b224be4aeda347ebc91901
diff --git a/lang/go/patches/patch-src_net_http_h2__bundle.go b/lang/go/patches/patch-src_net_http_h2__bundle.go
deleted file mode 100644
index 5ef3dceb5ea..00000000000
--- a/lang/go/patches/patch-src_net_http_h2__bundle.go
+++ /dev/null
@@ -1,37 +0,0 @@
-$NetBSD: patch-src_net_http_h2__bundle.go,v 1.1 2016/09/17 15:56:58 bsiegert Exp $
-
-From: Brad Fitzpatrick <bradfitz@golang.org>
-Date: Mon, 12 Sep 2016 14:44:02 +0000
-Subject: [PATCH] http2: don't sniff first Request.Body byte in Transport until we have a conn
-
-bodyAndLength mutates Request.Body if Request.ContentLength == 0,
-reading the first byte to determine whether it's actually empty or
-just undeclared. But we did that before we checked whether our
-connection was overloaded, which meant the caller could retry the
-request on an new or lesser-loaded connection, but then lose the first
-byte of the request.
-
-Updates golang/go#17071 (needs bundle into std before fixed)
-
---- src/net/http/h2_bundle.go.orig 2016-09-07 19:34:35.000000000 +0000
-+++ src/net/http/h2_bundle.go
-@@ -5486,9 +5486,6 @@ func (cc *http2ClientConn) RoundTrip(req
- }
- hasTrailers := trailers != ""
-
-- body, contentLen := http2bodyAndLength(req)
-- hasBody := body != nil
--
- cc.mu.Lock()
- cc.lastActive = time.Now()
- if cc.closed || !cc.canTakeNewRequestLocked() {
-@@ -5496,6 +5493,9 @@ func (cc *http2ClientConn) RoundTrip(req
- return nil, http2errClientConnUnusable
- }
-
-+ body, contentLen := http2bodyAndLength(req)
-+ hasBody := body != nil
-+
- // TODO(bradfitz): this is a copy of the logic in net/http. Unify somewhere?
- var requestedGzip bool
- if !cc.t.disableCompression() &&
diff --git a/lang/go/version.mk b/lang/go/version.mk
index bad731e5a16..f3d89429fa7 100644
--- a/lang/go/version.mk
+++ b/lang/go/version.mk
@@ -1,8 +1,8 @@
-# $NetBSD: version.mk,v 1.17 2016/09/10 09:09:23 bsiegert Exp $
+# $NetBSD: version.mk,v 1.17.2.1 2016/12/12 06:50:02 spz Exp $
.include "../../mk/bsd.prefs.mk"
-GO_VERSION= 1.7.1
+GO_VERSION= 1.7.4
GO14_VERSION= 1.4.3
ONLY_FOR_PLATFORM= *-*-i386 *-*-x86_64 *-*-evbarm