pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/lang/go Update Go to 1.9.1 (security fix).



details:   https://anonhg.NetBSD.org/pkgsrc/rev/1ad16b9f651f
branches:  trunk
changeset: 369847:1ad16b9f651f
user:      bsiegert <bsiegert%pkgsrc.org@localhost>
date:      Fri Oct 06 18:38:25 2017 +0000

description:
Update Go to 1.9.1 (security fix).

Two security-related issues were recently reported.
To address these issues, we have just released Go 1.8.4 and Go 1.9.1.

We recommend that all users update to one of these releases (if you're not sure
which, choose Go 1.9.1).

The issues addressed by these releases are:

By nesting a git checkout inside another version control repository, it was
possible for an attacker to trick the "go get" command into executing arbitrary
code. The go command now refuses to use version control checkouts found inside
other version control systems, with an exception for git submodules (git inside
git).
The issue is tracked as https://golang.org/issue/22125 (Go 1.8.4) and
https://golang.org/issue/22131 (Go 1.9.1). Fixes are linked from the issues.
Thanks to Simon Rawet for the report.

In the smtp package, PlainAuth is documented as sending credentials only over
authenticated, encrypted TLS connections, but it was changed in Go 1.1 to also
send credentials on non-TLS connections when the remote server advertises that
PLAIN authentication is supported. The change was meant to allow use of PLAIN
authentication on localhost, but it has the effect of allowing a
man-in-the-middle attacker to harvest credentials. PlainAuth now requires
either TLS or a localhost connection before sending credentials, regardless of
what the remote server claims.
This issue is tracked as https://golang.org/issue/22134 (Go 1.8.4) and
https://golang.org/issue/22133 (Go 1.9.1). Fixes are linked from the issues.
Thanks to Stevie Johnstone for the report.
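
The PlainAuth behaviour described above, as an added example that is not part of the commit or of the Go project's code: a check that the net/smtp package of whichever toolchain compiles it refuses to release credentials on an unencrypted connection to a remote host, whatever the server advertises. The host names, account and password are constructed, and plainAuthSends, probe and failedProbes are names made up for this example.

```go
package main

import (
	"fmt"
	"net/smtp"
)

// plainAuthSends reports whether PlainAuth releases credentials for this connection state.
func plainAuthSends(host string, tls bool, advertised []string) (bool, error) {
	// Constructed account and password, used only to drive Auth.Start.
	auth := smtp.PlainAuth("", "user@example.org", "constructed-password", host)
	mech, resp, err := auth.Start(&smtp.ServerInfo{Name: host, TLS: tls, Auth: advertised})
	if err != nil {
		return false, err
	}
	return mech == "PLAIN" && len(resp) > 0, nil
}

// probe is one connection scenario and the behaviour the fixed package shows.
type probe struct {
	label, host string
	tls         bool
	advertised  []string
	wantSend    bool
}

var probes = []probe{
	{"TLS, remote host", "mail.example.org", true, []string{"PLAIN"}, true},
	{"no TLS, localhost", "localhost", false, []string{"PLAIN"}, true},
	{"no TLS, remote host, nothing advertised", "mail.example.org", false, nil, false},
	// The case from the commit message: the peer's claim must not unlock credentials.
	{"no TLS, remote host advertises PLAIN", "mail.example.org", false, []string{"PLAIN"}, false},
}

// failedProbes returns the labels of scenarios whose outcome differs from wantSend.
func failedProbes() []string {
	var failed []string
	for _, p := range probes {
		if sent, _ := plainAuthSends(p.host, p.tls, p.advertised); sent != p.wantSend {
			failed = append(failed, p.label)
		}
	}
	return failed
}

func main() {
	failed := failedProbes()
	fmt.Printf("%d of %d PlainAuth probes failed: %q\n", len(failed), len(probes), failed)
}
```

A toolchain with the behaviour the commit message describes as pre-fix would fail only the last probe, because it trusted the advertised PLAIN mechanism on a non-TLS connection.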

diffstat:

 lang/go/distinfo   |  10 +++++-----
 lang/go/version.mk |   4 ++--
 2 files changed, 7 insertions(+), 7 deletions(-)

diffs (31 lines):

diff -r 70417cdbdb2e -r 1ad16b9f651f lang/go/distinfo
--- a/lang/go/distinfo  Fri Oct 06 17:02:24 2017 +0000
+++ b/lang/go/distinfo  Fri Oct 06 18:38:25 2017 +0000
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.51 2017/09/03 07:12:07 bsiegert Exp $
+$NetBSD: distinfo,v 1.52 2017/10/06 18:38:25 bsiegert Exp $
 
-SHA1 (go1.9.src.tar.gz) = 76f7a3db86defe65510607df2db0b065db003ed6
-RMD160 (go1.9.src.tar.gz) = cdf174a39b339bac08bc04e5d461972ec2d0c337
-SHA512 (go1.9.src.tar.gz) = 70c4b892b6883fb21fc1a547a2b8d174df8c7aca282a3906e3816b4442b16c5da578b69c19443122a4a45e66fc95d170528d826b70932af09f4afd2a46615d74
-Size (go1.9.src.tar.gz) = 16377363 bytes
+SHA1 (go1.9.1.src.tar.gz) = 87cf0af3820834faeb6e63b035a1abae1f5b60b3
+RMD160 (go1.9.1.src.tar.gz) = eaff2b7bdd386e6e36175a0fb5f9fb019c7fd3b8
+SHA512 (go1.9.1.src.tar.gz) = 3c5d11089a54c61acd1a4fad9618ddb2058cc783a54564407ee50e37c864deaadfd5effeab623080c136a599096f448aae091ef41d0afca1abfcdb98adf4a793
+Size (go1.9.1.src.tar.gz) = 16377700 bytes
 SHA1 (patch-misc_io_clangwrap.sh) = cd91c47ba0fe7b6eb8009dd261c0c26c7d581c29
 SHA1 (patch-src_crypto_x509_root__bsd.go) = 93a2de7c685a0919fe93f5bc99f156e105dace4d
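Review bot: the unchanged context lines for patch-misc_io_clangwrap.sh and patch-src_crypto_x509_root__bsd.go mean both local patches are carried over to go1.9.1.src.tar.gz with the same content, so please confirm they still apply cleanly to the 1.9.1 sources. The commit message also does not say how the new tarball was checked before its SHA1, RMD160 and SHA512 values were recorded; for a security update, a one-line note on that (for example, that the digest was compared with the one upstream publishes) would help anyone auditing this distinfo later.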
diff -r 70417cdbdb2e -r 1ad16b9f651f lang/go/version.mk
--- a/lang/go/version.mk        Fri Oct 06 17:02:24 2017 +0000
+++ b/lang/go/version.mk        Fri Oct 06 18:38:25 2017 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: version.mk,v 1.28 2017/09/03 07:12:07 bsiegert Exp $
+# $NetBSD: version.mk,v 1.29 2017/10/06 18:38:25 bsiegert Exp $
 
 .include "../../mk/bsd.prefs.mk"
 
-GO_VERSION=    1.9
+GO_VERSION=    1.9.1
 GO14_VERSION=  1.4.3
 
 ONLY_FOR_PLATFORM=     *-*-i386 *-*-x86_64 *-*-*arm*
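Review bot: the GO_VERSION bump to 1.9.1 only rebuilds lang/go itself, and the diffstat shows no other files touched. Go links the standard library statically into every binary, so packages already built with 1.9 keep the old net/smtp PlainAuth code until they are rebuilt; consider following up with a revision bump for the packages that depend on lang/go, or say in the commit message that one is coming.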


