pkgsrc-Changes archive


CVS commit: pkgsrc/lang



Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Fri Apr  5 19:07:55 UTC 2024

Modified Files:
        pkgsrc/lang/go: version.mk
        pkgsrc/lang/go121: PLIST distinfo

Log Message:
go121: Update to 1.21.9.

This minor release includes 1 security fix following the security policy:

http2: close connections when receiving too many headers

Maintaining HPACK state requires that we parse and process all HEADERS and
CONTINUATION frames on a connection. When a request's headers exceed
MaxHeaderBytes, we don't allocate memory to store the excess headers but we do
parse them. This permits an attacker to cause an HTTP/2 endpoint to read
arbitrary amounts of header data, all associated with a request which is going
to be rejected. These headers can include Huffman-encoded data which is
significantly more expensive for the receiver to decode than for an attacker to
send.

Set a limit on the amount of excess header frames we will process before
closing a connection.

Thanks to Bartek Nowotarski (https://nowotarski.info/) for reporting this
issue.

This is CVE-2023-45288 and Go issue https://go.dev/issue/65051.


To generate a diff of this commit:
cvs rdiff -u -r1.205 -r1.206 pkgsrc/lang/go/version.mk
cvs rdiff -u -r1.8 -r1.9 pkgsrc/lang/go121/PLIST
cvs rdiff -u -r1.10 -r1.11 pkgsrc/lang/go121/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/lang/go/version.mk
diff -u pkgsrc/lang/go/version.mk:1.205 pkgsrc/lang/go/version.mk:1.206
--- pkgsrc/lang/go/version.mk:1.205     Fri Apr  5 18:51:52 2024
+++ pkgsrc/lang/go/version.mk   Fri Apr  5 19:07:55 2024
@@ -1,4 +1,4 @@
-# $NetBSD: version.mk,v 1.205 2024/04/05 18:51:52 bsiegert Exp $
+# $NetBSD: version.mk,v 1.206 2024/04/05 19:07:55 bsiegert Exp $
 
 #
 # If bsd.prefs.mk is included before go-package.mk in a package, then this
@@ -7,7 +7,7 @@
 .include "go-vars.mk"
 
 GO122_VERSION= 1.22.2
-GO121_VERSION= 1.21.8
+GO121_VERSION= 1.21.9
 GO120_VERSION= 1.20.14
 GO119_VERSION= 1.19.13
 GO118_VERSION= 1.18.10
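
Review bot: GO120_VERSION, GO119_VERSION and GO118_VERSION in the context lines stay at 1.20.14, 1.19.13 and 1.18.10 while only GO121_VERSION moves to 1.21.9, and the log message does not say whether those older branches are affected by the http2 header issue (CVE-2023-45288). A line in the log message stating their status would tell users of those packages whether they need to move to a branch that has the fix.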

Index: pkgsrc/lang/go121/PLIST
diff -u pkgsrc/lang/go121/PLIST:1.8 pkgsrc/lang/go121/PLIST:1.9
--- pkgsrc/lang/go121/PLIST:1.8 Tue Mar  5 19:27:58 2024
+++ pkgsrc/lang/go121/PLIST     Fri Apr  5 19:07:55 2024
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.8 2024/03/05 19:27:58 bsiegert Exp $
+@comment $NetBSD: PLIST,v 1.9 2024/04/05 19:07:55 bsiegert Exp $
 bin/go${GOVERSSUFFIX}
 bin/gofmt${GOVERSSUFFIX}
 go121/CONTRIBUTING.md
@@ -6469,6 +6469,7 @@ go121/src/internal/types/testdata/fixedb
 go121/src/internal/types/testdata/fixedbugs/issue61879.go
 go121/src/internal/types/testdata/fixedbugs/issue61903.go
 go121/src/internal/types/testdata/fixedbugs/issue62157.go
+go121/src/internal/types/testdata/fixedbugs/issue66064.go
 go121/src/internal/types/testdata/fixedbugs/issue6977.go
 go121/src/internal/types/testdata/spec/assignability.go
 go121/src/internal/types/testdata/spec/comparable.go
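
Review bot: the added entry go121/src/internal/types/testdata/fixedbugs/issue66064.go refers to a different issue number than the one in the log message, which lists only the http2 fix (Go issue 65051). Consider a line in the log message noting that 1.21.9 also carries a change outside the security fix, so the new PLIST entry is explained.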

Index: pkgsrc/lang/go121/distinfo
diff -u pkgsrc/lang/go121/distinfo:1.10 pkgsrc/lang/go121/distinfo:1.11
--- pkgsrc/lang/go121/distinfo:1.10     Tue Apr  2 13:21:42 2024
+++ pkgsrc/lang/go121/distinfo  Fri Apr  5 19:07:55 2024
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.10 2024/04/02 13:21:42 jperkin Exp $
+$NetBSD: distinfo,v 1.11 2024/04/05 19:07:55 bsiegert Exp $
 
-BLAKE2s (go1.21.8.src.tar.gz) = 3f63992ded6331b1c43b5a7acbb9c636600e750dc40ad159815e62bb366f51e5
-SHA512 (go1.21.8.src.tar.gz) = dde764ee12fbf58a603d31c20ea239805ffec359a90b0aad7575cc857e241393c2adc47d2f00136db5dff2cbe11b90e8d009d67f9329d363e75a0720067123b0
-Size (go1.21.8.src.tar.gz) = 26992984 bytes
+BLAKE2s (go1.21.9.src.tar.gz) = 089cdce5fe54fe3f1cab7c8ddb573b1c41e021a2f0c39456e8a40eb8b68020ea
+SHA512 (go1.21.9.src.tar.gz) = e1cf7e458d41f8b343c34b7d35dc4a1696bacbad2ad64abac36dbbeaf1e0a1b71cdb32cebb1686c6e5c90bf0ad3474714d09acea010d6c074730c59d71e79f4e
+Size (go1.21.9.src.tar.gz) = 26993426 bytes
 SHA1 (patch-misc_ios_clangwrap.sh) = 0a06403609cb7bce2e6f65444fd322f486761afe
 SHA1 (patch-src_cmd_dist_build.go) = cbb9576f832806b0cbef121ea38ba6a54db95bc3
 SHA1 (patch-src_crypto_x509_root__bsd.go) = 0b5dead901450967109303f873a2696c65ccac35
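
Review bot: the new BLAKE2s and SHA512 lines for go1.21.9.src.tar.gz carry no record of what the downloaded tarball was checked against before the hashes were regenerated. For a security update, a short statement in the log message that the distfile was compared with the checksum published upstream would make the change easier to audit. The unchanged SHA1 patch lines in the context show the local patches were carried over as they are.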

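The limit described in the log message (CVE-2023-45288), modelled as an added example; this is not code from Go, golang.org/x/net or pkgsrc. `Frame`, `Simulate`, `sampleBlock` and the `maxExcess` budget are assumptions made for illustration, and the payload is treated as opaque bytes rather than real HPACK data.

```go
package main

import (
	"errors"
	"fmt"
)

// Frame is a simplified HEADERS (Continuation=false) or CONTINUATION frame.
type Frame struct {
	Continuation bool
	Payload      []byte // stands in for the HPACK fragment
}

var ErrTooManyHeaders = errors.New("excess header budget exhausted, closing connection")

// Simulate stores up to maxHeaderBytes of a header block; anything beyond is
// still parsed (HPACK state must stay in sync) but dropped, and the connection
// is closed once the dropped bytes exceed maxExcess (an assumed budget).
// Returns frames read, whether the request is oversized, and the close error.
func Simulate(frames []Frame, maxHeaderBytes, maxExcess int) (int, bool, error) {
	stored, excess := 0, 0
	for i, f := range frames {
		if !f.Continuation {
			stored, excess = 0, 0 // a HEADERS frame starts a new header block
		}
		keep := len(f.Payload)
		if room := maxHeaderBytes - stored; keep > room {
			keep = room
		}
		stored += keep
		excess += len(f.Payload) - keep
		if excess > maxExcess {
			return i + 1, true, ErrTooManyHeaders
		}
	}
	return len(frames), excess > 0, nil
}

// sampleBlock builds constructed input: one HEADERS frame plus n CONTINUATION frames.
func sampleBlock(n, size int) []Frame {
	frames := []Frame{{Payload: make([]byte, size)}}
	for i := 0; i < n; i++ {
		frames = append(frames, Frame{Continuation: true, Payload: make([]byte, size)})
	}
	return frames
}

func main() {
	fmt.Println(Simulate(sampleBlock(100, 1024), 4096, 8192))
}
```

Without the `maxExcess` check the loop would read all 101 frames of a request that was already going to be rejected after the fifth, which is the unbounded work the log message describes.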

