pkgsrc-Changes-HG archive


[pkgsrc/pkgsrc-2016Q2]: pkgsrc/lang/go Pullup ticket #5064 - requested by bsi...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/18240bef549e
branches:  pkgsrc-2016Q2
changeset: 408849:18240bef549e
user:      spz <spz%pkgsrc.org@localhost>
date:      Wed Jul 20 03:02:31 2016 +0000

description:
Pullup ticket #5064 - requested by bsiegert
lang/go: security update

Revisions pulled up:
- lang/go/Makefile                                              1.43
- lang/go/distinfo                                              1.37
- lang/go/version.mk                                            1.15

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   bsiegert
   Date:           Mon Jul 18 20:37:40 UTC 2016

   Modified Files:
           pkgsrc/lang/go: Makefile distinfo version.mk

   Log Message:
   Update Go to 1.6.3.

   A security-related issue was recently reported in Go's net/http/cgi
   package and net/http package when used in a CGI environment. Go 1.6.3
   and Go 1.7rc2 contain a fix for this issue.

   Go versions 1.0-1.6.2 and 1.7rc1 are vulnerable to an input validation
   flaw in the CGI components resulting in the HTTP_PROXY environment
   variable being set by the incoming Proxy header. This environment
   variable was also used to set the outgoing proxy, enabling an attacker
   to insert a proxy into outgoing requests of a CGI program.

   This is CVE-2016-5386 and was addressed by this change:
   https://golang.org/cl/25010, tracked in this issue:
   https://golang.org/issue/16405

   The Go team would like to thank Dominic Scheirlinck for coordinating
   disclosure of this issue across multiple languages and CGI
   environments. Read more about "httpoxy" here: https://httpoxy.org/

   Go 1.6.3 also adds support for macOS Sierra. See
   https://golang.org/issue/16354 for details.


   To generate a diff of this commit:
   cvs rdiff -u -r1.42 -r1.43 pkgsrc/lang/go/Makefile
   cvs rdiff -u -r1.36 -r1.37 pkgsrc/lang/go/distinfo
   cvs rdiff -u -r1.14 -r1.15 pkgsrc/lang/go/version.mk

diffstat:

 lang/go/distinfo   |  10 +++++-----
 lang/go/version.mk |   4 ++--
 2 files changed, 7 insertions(+), 7 deletions(-)

diffs (32 lines):

diff -r 2c411fc950c5 -r 18240bef549e lang/go/distinfo
--- a/lang/go/distinfo  Wed Jul 20 02:55:36 2016 +0000
+++ b/lang/go/distinfo  Wed Jul 20 03:02:31 2016 +0000
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.36 2016/04/30 11:22:28 bsiegert Exp $
+$NetBSD: distinfo,v 1.36.2.1 2016/07/20 03:02:31 spz Exp $
 
-SHA1 (go1.6.2.src.tar.gz) = 09232ac0e76635cc9e0a1f33a81bf03ae9cb9db5
-RMD160 (go1.6.2.src.tar.gz) = 012b5845dad83c47cbc2d915ab062bf4341803cb
-SHA512 (go1.6.2.src.tar.gz) = e148022f9e18b5d5b05744f1aa9fa3ef82e255752179545711ade077e271216aa5b450859a764fdfb028ae4faa26adad8d0a0a5268b31396ab9d14de3cb2f20a
-Size (go1.6.2.src.tar.gz) = 12617724 bytes
+SHA1 (go1.6.3.src.tar.gz) = b487b9127afba37e6c62305165bf840758d6adaf
+RMD160 (go1.6.3.src.tar.gz) = 215142f0c2f67a49fec97056974113caca95672b
+SHA512 (go1.6.3.src.tar.gz) = 43e9b01220788112a185500bd53f091e7a0023a790092f428e2f40fc1a334dd148558b99d2a1c871b8cc79ad7d2d87a092b93eee7b5a27c2ee675c494de35306
+Size (go1.6.3.src.tar.gz) = 12617426 bytes
 SHA1 (patch-lib_time_update.bash) = bcf565b97ae7898a9e5cef7686fe42c69bc0bba1
 SHA1 (patch-misc_io_clangwrap.sh) = cd91c47ba0fe7b6eb8009dd261c0c26c7d581c29
 SHA1 (patch-src_cmd_go_pkg.go) = ccc470577951bd00741c39229599c0c06be52d0a
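Review bot: the four replaced go1.6.3.src.tar.gz lines (SHA1, RMD160, SHA512, Size) carry no pointer to where the new digests were checked, which is worth recording for a security pullup. Suggest noting in the ticket or log that the SHA512 was compared against a checksum obtained from upstream over a separate channel, not only recomputed from the downloaded tarball. The three patch-* context lines are unchanged, so the local patches are assumed to still apply to 1.6.3; a build on the branch should confirm that.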
diff -r 2c411fc950c5 -r 18240bef549e lang/go/version.mk
--- a/lang/go/version.mk        Wed Jul 20 02:55:36 2016 +0000
+++ b/lang/go/version.mk        Wed Jul 20 03:02:31 2016 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: version.mk,v 1.14 2016/04/30 11:22:28 bsiegert Exp $
+# $NetBSD: version.mk,v 1.14.2.1 2016/07/20 03:02:31 spz Exp $
 
 .include "../../mk/bsd.prefs.mk"
 
-GO_VERSION=    1.6.2
+GO_VERSION=    1.6.3
 GO14_VERSION=  1.4.3
 
 ONLY_FOR_PLATFORM=     *-*-i386 *-*-x86_64 *-*-evbarm
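Review bot: the description lists lang/go/Makefile 1.43 under "Revisions pulled up" and in the cvs rdiff commands, but the diffstat shows only distinfo and version.mk, and no Makefile hunk accompanies the GO_VERSION change to 1.6.3 here. Confirm whether the Makefile revision was intentionally left off pkgsrc-2016Q2 or was missed, and record the reason in the ticket. GO14_VERSION stays at 1.4.3 in the context lines while the log message gives the affected range as 1.0-1.6.2, so state whether the bootstrap compiler is in scope for this fix.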


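The header-to-environment collision described in the log message, shown with a host-side and a client-side check, as an added Go example. It is not code from the Go tree or from pkgsrc; `cgiEnv`, `outboundProxy`, `errCGIProxy` and the `proxy.invalid` host are hypothetical names constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// cgiEnv maps request headers to HTTP_* variables the way a CGI host does
// (RFC 3875 section 4.1.18). With dropProxy set, the client-supplied Proxy
// header is skipped so it can never become HTTP_PROXY.
func cgiEnv(method string, h http.Header, dropProxy bool) map[string]string {
	env := map[string]string{"REQUEST_METHOD": method}
	for name, vals := range h {
		key := strings.ToUpper(strings.ReplaceAll(name, "-", "_"))
		if dropProxy && key == "PROXY" {
			continue
		}
		env["HTTP_"+key] = strings.Join(vals, ", ")
	}
	return env
}

var errCGIProxy = errors.New("refusing HTTP_PROXY inside a CGI environment")

// outboundProxy is the client-side check: REQUEST_METHOD marks a CGI
// context, where HTTP_PROXY may be attacker-controlled and is not trusted.
func outboundProxy(env map[string]string) (string, error) {
	p := env["HTTP_PROXY"]
	if p != "" && env["REQUEST_METHOD"] != "" {
		return "", errCGIProxy
	}
	return p, nil
}

func main() {
	// Constructed request headers; proxy.invalid is a placeholder host.
	h := http.Header{"Proxy": {"http://proxy.invalid:8080"}, "Accept": {"*/*"}}
	for _, drop := range []bool{false, true} {
		env := cgiEnv("GET", h, drop)
		p, err := outboundProxy(env)
		fmt.Printf("dropProxy=%v HTTP_PROXY=%q proxy=%q err=%v\n", drop, env["HTTP_PROXY"], p, err)
	}
}
```

Outside a CGI context (no `REQUEST_METHOD`), `outboundProxy` still honours an operator-set `HTTP_PROXY`.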
