pkgsrc-Changes archive

CVS commit: pkgsrc/lang



Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Fri Apr  5 18:51:52 UTC 2024

Modified Files:
        pkgsrc/lang/go: version.mk
        pkgsrc/lang/go122: PLIST distinfo

Log Message:
This minor release includes 1 security fix following the security policy:

http2: close connections when receiving too many headers

Maintaining HPACK state requires that we parse and process all HEADERS and
CONTINUATION frames on a connection. When a request's headers exceed
MaxHeaderBytes, we don't allocate memory to store the excess headers but we do
parse them. This permits an attacker to cause an HTTP/2 endpoint to read
arbitrary amounts of header data, all associated with a request which is going
to be rejected. These headers can include Huffman-encoded data which is
significantly more expensive for the receiver to decode than for an attacker to
send.

Set a limit on the amount of excess header frames we will process before
closing a connection.

Thanks to Bartek Nowotarski (https://nowotarski.info/) for reporting this
issue.

This is CVE-2023-45288 and Go issue https://go.dev/issue/65051.


To generate a diff of this commit:
cvs rdiff -u -r1.204 -r1.205 pkgsrc/lang/go/version.mk
cvs rdiff -u -r1.2 -r1.3 pkgsrc/lang/go122/PLIST
cvs rdiff -u -r1.3 -r1.4 pkgsrc/lang/go122/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/lang/go/version.mk
diff -u pkgsrc/lang/go/version.mk:1.204 pkgsrc/lang/go/version.mk:1.205
--- pkgsrc/lang/go/version.mk:1.204     Tue Mar  5 19:37:52 2024
+++ pkgsrc/lang/go/version.mk   Fri Apr  5 18:51:52 2024
@@ -1,4 +1,4 @@
-# $NetBSD: version.mk,v 1.204 2024/03/05 19:37:52 bsiegert Exp $
+# $NetBSD: version.mk,v 1.205 2024/04/05 18:51:52 bsiegert Exp $
 
 #
 # If bsd.prefs.mk is included before go-package.mk in a package, then this
@@ -6,7 +6,7 @@
 #
 .include "go-vars.mk"
 
-GO122_VERSION= 1.22.1
+GO122_VERSION= 1.22.2
 GO121_VERSION= 1.21.8
 GO120_VERSION= 1.20.14
 GO119_VERSION= 1.19.13
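
Review bot: GO121_VERSION stays at 1.21.8 on the context line directly below the bumped GO122_VERSION, and the log message does not say whether the 1.21 branch is affected by CVE-2023-45288. Please state in the log message whether lang/go121 needs a matching update or is being handled in a separate commit. The log message also never names the new version; a first line such as "go122: update to 1.22.2" would make the change easier to find in the history.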

Index: pkgsrc/lang/go122/PLIST
diff -u pkgsrc/lang/go122/PLIST:1.2 pkgsrc/lang/go122/PLIST:1.3
--- pkgsrc/lang/go122/PLIST:1.2 Tue Mar  5 19:37:52 2024
+++ pkgsrc/lang/go122/PLIST     Fri Apr  5 18:51:52 2024
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.2 2024/03/05 19:37:52 bsiegert Exp $
+@comment $NetBSD: PLIST,v 1.3 2024/04/05 18:51:52 bsiegert Exp $
 bin/go${GOVERSSUFFIX}
 bin/gofmt${GOVERSSUFFIX}
 go122/CONTRIBUTING.md
@@ -6653,6 +6653,7 @@ go122/src/internal/types/testdata/fixedb
 go122/src/internal/types/testdata/fixedbugs/issue63563.go
 go122/src/internal/types/testdata/fixedbugs/issue64406.go
 go122/src/internal/types/testdata/fixedbugs/issue64704.go
+go122/src/internal/types/testdata/fixedbugs/issue65854.go
 go122/src/internal/types/testdata/fixedbugs/issue6977.go
 go122/src/internal/types/testdata/spec/assignability.go
 go122/src/internal/types/testdata/spec/comparable.go
@@ -11904,7 +11905,11 @@ go122/test/fixedbugs/issue6513.dir/a.go
 go122/test/fixedbugs/issue6513.dir/b.go
 go122/test/fixedbugs/issue6513.dir/main.go
 go122/test/fixedbugs/issue6513.go
+go122/test/fixedbugs/issue65593.go
 go122/test/fixedbugs/issue6572.go
+go122/test/fixedbugs/issue66066.go
+go122/test/fixedbugs/issue66066b.go
+go122/test/fixedbugs/issue66096.go
 go122/test/fixedbugs/issue6671.go
 go122/test/fixedbugs/issue6703a.go
 go122/test/fixedbugs/issue6703b.go
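
Review bot: The four added test/fixedbugs entries here (issue65593.go, issue66066.go, issue66066b.go, issue66096.go), like issue65854.go in the previous hunk, are not accounted for in the log message, which describes only the http2 security fix. Please add a line noting that the release also carries other fixes with new regression tests, so the PLIST growth is explained to anyone auditing what changed in a security update.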

Index: pkgsrc/lang/go122/distinfo
diff -u pkgsrc/lang/go122/distinfo:1.3 pkgsrc/lang/go122/distinfo:1.4
--- pkgsrc/lang/go122/distinfo:1.3      Tue Apr  2 14:12:57 2024
+++ pkgsrc/lang/go122/distinfo  Fri Apr  5 18:51:52 2024
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.3 2024/04/02 14:12:57 jperkin Exp $
+$NetBSD: distinfo,v 1.4 2024/04/05 18:51:52 bsiegert Exp $
 
-BLAKE2s (go1.22.1.src.tar.gz) = 87e9705c9221285dc0362891b320252da5ca380f73329e564026133807f7205f
-SHA512 (go1.22.1.src.tar.gz) = 627530c3fa2ea872478e1df8ee20db2ddc3c94581fff4e66bda21ca45a643e9915f97115401f79667cd7e856ccca1b40a842f4c0b509a472c75696e3bdb3a908
-Size (go1.22.1.src.tar.gz) = 27548577 bytes
+BLAKE2s (go1.22.2.src.tar.gz) = 1cda38de9b035db9c153c21042f23f62bc3ad1cd516b012916a446ca09b94d70
+SHA512 (go1.22.2.src.tar.gz) = f2491d2b5d4ef2dd86ca7820503a2534cd1860822049dc01a6cb40b556a0812cfc4196fa83173765816060253ac949f4165b0fb4b2bed5d45e30d03bb69e434d
+Size (go1.22.2.src.tar.gz) = 27551470 bytes
 SHA1 (patch-misc_ios_clangwrap.sh) = 0a06403609cb7bce2e6f65444fd322f486761afe
 SHA1 (patch-src_cmd_dist_build.go) = cbb9576f832806b0cbef121ea38ba6a54db95bc3
 SHA1 (patch-src_crypto_x509_root__bsd.go) = 0b5dead901450967109303f873a2696c65ccac35
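
Review bot: The new BLAKE2s and SHA512 lines for go1.22.2.src.tar.gz cannot be validated from the diff alone, so please confirm that the distfile was checked against the checksum upstream publishes before distinfo was regenerated, and say so in the log message. The three patch SHA1 lines shown as context are unchanged, which only shows the patch files were not edited; it is worth confirming they still apply cleanly to the 1.22.2 sources.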



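
The receiver-side limit described in the log message, sketched as an added example; it is not part of this commit and is not Go's own net/http or http2 code. The names `headerMeter`, `feed`, `frame` and `maxExcess`, and the limits 64 and 128, are assumptions for illustration. It counts encoded bytes only (no HPACK decoding) and ignores padding and priority fields.

```go
package main

import "errors"
import "fmt"

const typeHeaders, typeContinuation, flagEndHeaders = 0x1, 0x9, 0x4 // RFC 9113
var errCloseConn = errors.New("too much excess header data: close connection")

// maxStored stands in for MaxHeaderBytes; maxExcess is an assumed per-block cap.
type headerMeter struct{ maxStored, maxExcess, stored, excess, rejected int }

// feed walks raw frames; payloads count whole as header fragment (simplified).
func (m *headerMeter) feed(buf []byte) error {
	for len(buf) >= 9 { // 9-byte frame header: length(3) type(1) flags(1) stream(4)
		n := int(buf[0])<<16 | int(buf[1])<<8 | int(buf[2])
		typ, flags := buf[3], buf[4]
		if len(buf) < 9+n {
			return errors.New("truncated frame")
		}
		buf = buf[9+n:]
		if typ != typeHeaders && typ != typeContinuation {
			continue
		}
		keep := m.maxStored - m.stored // room left to store header bytes
		if n < keep {
			keep = n
		}
		m.stored, m.excess = m.stored+keep, m.excess+n-keep
		if m.excess > m.maxExcess {
			return errCloseConn // drop the connection, not just the request
		}
		if flags&flagEndHeaders != 0 {
			if m.excess > 0 {
				m.rejected++ // oversize request refused, connection kept
			}
			m.stored, m.excess = 0, 0
		}
	}
	return nil
}

// frame builds a constructed test frame on stream 1 with n zero payload bytes.
func frame(typ, flags byte, n int) []byte {
	return append([]byte{byte(n >> 16), byte(n >> 8), byte(n), typ, flags, 0, 0, 0, 1}, make([]byte, n)...)
}

func main() {
	m := &headerMeter{maxStored: 64, maxExcess: 128}
	fmt.Println(m.feed(frame(typeHeaders, 0, 200))) // constructed oversize block
}
```

A header block that overruns `maxStored` by a little costs the sender only that request; one that keeps sending past `maxExcess` costs it the connection, which is what bounds the parsing work.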