pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/lang go117: update to 1.17.12 (security update)



details:   https://anonhg.NetBSD.org/pkgsrc/rev/1b4e23662576
branches:  trunk
changeset: 381787:1b4e23662576
user:      bsiegert <bsiegert%pkgsrc.org@localhost>
date:      Wed Jul 13 14:14:18 2022 +0000

description:
go117: update to 1.17.12 (security update)

This minor release includes 9 security fixes following the security policy:

net/http: improper sanitization of Transfer-Encoding header

The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating
a "chunked" encoding. This could potentially allow for request smuggling, but
only if combined with an intermediate server that also improperly failed to
reject the header as invalid.

This is CVE-2022-1705 and https://go.dev/issue/53188.

When httputil.ReverseProxy.ServeHTTP was called with a Request.Header map
containing a nil value for the X-Forwarded-For header, ReverseProxy would set
the client IP as the value of the X-Forwarded-For header, contrary to its
documentation. In the more usual case where a Director function set the
X-Forwarded-For header value to nil, ReverseProxy would leave the header
unmodified as expected.

This is https://go.dev/issue/53423 and CVE-2022-32148.

Thanks to Christian Mehlmauer for reporting this issue.

compress/gzip: stack exhaustion in Reader.Read

Calling Reader.Read on an archive containing a large number of concatenated
0-length compressed files can cause a panic due to stack exhaustion.

This is CVE-2022-30631 and Go issue https://go.dev/issue/53168.

encoding/xml: stack exhaustion in Unmarshal

Calling Unmarshal on an XML document into a Go struct which has a nested field
that uses the any field tag can cause a panic due to stack exhaustion.

This is CVE-2022-30633 and Go issue https://go.dev/issue/53611.

encoding/xml: stack exhaustion in Decoder.Skip

Calling Decoder.Skip when parsing a deeply nested XML document can cause a
panic due to stack exhaustion.

The Go Security team discovered this issue, and it was independently reported
by Juho Nurminen of Mattermost.

This is CVE-2022-28131 and Go issue https://go.dev/issue/53614.

encoding/gob: stack exhaustion in Decoder.Decode

Calling Decoder.Decode on a message which contains deeply nested structures can
cause a panic due to stack exhaustion.

This is CVE-2022-30635 and Go issue https://go.dev/issue/53615.

path/filepath: stack exhaustion in Glob

Calling Glob on a path which contains a large number of path separators can
cause a panic due to stack exhaustion.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

This is CVE-2022-30632 and Go issue https://go.dev/issue/53416.

io/fs: stack exhaustion in Glob

Calling Glob on a path which contains a large number of path separators can
cause a panic due to stack exhaustion.

This is CVE-2022-30630 and Go issue https://go.dev/issue/53415.

go/parser: stack exhaustion in all Parse* functions

Calling any of the Parse functions on Go source code which contains deeply
nested types or declarations can cause a panic due to stack exhaustion.

Thanks to Juho Nurminen of Mattermost for reporting this issue.

This is CVE-2022-1962 and Go issue https://go.dev/issue/53616.
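The X-Forwarded-For paragraph above describes the one case ReverseProxy got wrong; the following is an added example (not code from the Go project or from this commit) that shows how a defender can verify, against whatever Go toolchain is installed, what a backend actually receives. It stands up a constructed backend and proxy with httptest, sends one request through, and reports the header the backend saw. The function and type names are the example's own; the client address 203.0.113.5 is a constructed documentation-range value.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// xffResult records what the constructed backend saw for X-Forwarded-For.
type xffResult struct {
	values  []string
	present bool
}

// xffSeenByBackend stands up a constructed backend behind an
// httputil.ReverseProxy, sends one request through the proxy and reports the
// X-Forwarded-For header the backend received. incoming is an X-Forwarded-For
// value the client itself sends (empty for none); omitXFF makes the Director
// set the header to nil, which the package documents as "do not add or modify".
func xffSeenByBackend(omitXFF bool, incoming string) (value string, present bool, err error) {
	seen := make(chan xffResult, 1)
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		vals, ok := r.Header["X-Forwarded-For"]
		seen <- xffResult{values: vals, present: ok}
		w.WriteHeader(http.StatusNoContent)
	}))
	defer backend.Close()

	target, err := url.Parse(backend.URL)
	if err != nil {
		return "", false, err
	}
	proxy := httputil.NewSingleHostReverseProxy(target)
	if omitXFF {
		inner := proxy.Director
		proxy.Director = func(req *http.Request) {
			inner(req)
			// nil (not Del) is the documented signal to leave the header alone.
			req.Header["X-Forwarded-For"] = nil
		}
	}
	front := httptest.NewServer(proxy)
	defer front.Close()

	req, err := http.NewRequest(http.MethodGet, front.URL+"/", nil)
	if err != nil {
		return "", false, err
	}
	if incoming != "" {
		// A client-supplied X-Forwarded-For is untrusted; the proxy appends to it.
		req.Header.Set("X-Forwarded-For", incoming)
	}
	resp, err := front.Client().Do(req)
	if err != nil {
		return "", false, err
	}
	resp.Body.Close()

	got := <-seen
	return strings.Join(got.values, ", "), got.present, nil
}

func main() {
	cases := []struct {
		omit     bool
		incoming string
	}{{false, ""}, {false, "203.0.113.5"}, {true, "203.0.113.5"}}
	for _, c := range cases {
		v, present, err := xffSeenByBackend(c.omit, c.incoming)
		fmt.Printf("omit=%v incoming=%q -> present=%v value=%q err=%v\n",
			c.omit, c.incoming, present, v, err)
	}
}
```

The second case is the one worth remembering on the defending side: by default the proxy appends the real client address to whatever X-Forwarded-For the client already sent, so a backend that reads only the first entry can be fed an attacker-chosen address. The third case shows the documented nil-in-Director idiom, which is the behaviour the fixed release restores for a nil value already present in Request.Header.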

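Seven of the nine fixes above are stack exhaustion from deeply nested input (compress/gzip, encoding/xml twice, encoding/gob, path/filepath, io/fs, go/parser). The following is an added example, not code from the Go project or from this commit, of the mitigation a service can apply independently of the toolchain version for the encoding/xml case: bound input size and element nesting with a streaming pre-check before calling Unmarshal. Decoder.Token keeps its own explicit stack rather than recursing, so the check itself is safe on hostile input. The type and function names are the example's own, and the nested <a> documents are constructed.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrTooDeep is returned when element nesting exceeds the caller's limit.
var ErrTooDeep = errors.New("xml: element nesting exceeds limit")

// checkXMLDepth streams the document with Decoder.Token and tracks element
// nesting. It returns the deepest nesting seen and ErrTooDeep as soon as
// maxDepth is exceeded, so a hostile document is rejected before anything
// recursive (Unmarshal, Skip) touches it.
func checkXMLDepth(r io.Reader, maxDepth int) (int, error) {
	dec := xml.NewDecoder(r)
	depth, deepest := 0, 0
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return deepest, nil
		}
		if err != nil {
			return deepest, err
		}
		switch tok.(type) {
		case xml.StartElement:
			depth++
			if depth > deepest {
				deepest = depth
			}
			if depth > maxDepth {
				return deepest, ErrTooDeep
			}
		case xml.EndElement:
			depth--
		}
	}
}

// Node is a constructed recursive type of the kind that makes Unmarshal
// recurse once per nesting level.
type Node struct {
	XMLName xml.Name `xml:"a"`
	Child   *Node    `xml:"a"`
}

// unmarshalBounded applies a size cap and the depth pre-check, then hands the
// bytes to xml.Unmarshal. Reading the input twice is the price of keeping the
// check independent of the target type.
func unmarshalBounded(data []byte, maxBytes, maxDepth int, v interface{}) error {
	if len(data) > maxBytes {
		return fmt.Errorf("xml: input of %d bytes exceeds cap of %d", len(data), maxBytes)
	}
	if _, err := checkXMLDepth(bytes.NewReader(data), maxDepth); err != nil {
		return err
	}
	return xml.Unmarshal(data, v)
}

// nested builds a constructed document of n nested <a> elements.
func nested(n int) string {
	var sb strings.Builder
	for i := 0; i < n; i++ {
		sb.WriteString("<a>")
	}
	for i := 0; i < n; i++ {
		sb.WriteString("</a>")
	}
	return sb.String()
}

func main() {
	var n Node
	fmt.Println("shallow:", unmarshalBounded([]byte(nested(3)), 1<<20, 64, &n))
	fmt.Println("deep:   ", unmarshalBounded([]byte(nested(100000)), 1<<20, 64, &n))
}
```

Pick maxDepth from the schema you actually accept (a few dozen levels is generous for most formats) rather than from the parser's own ceiling; the point is to fail fast and cheaply on input that could never be valid for your service. The same shape of check, a bounded counter on a streaming reader, is the general answer for the gzip member count and gob nesting cases as well.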
diffstat:

 lang/go/version.mk  |  4 ++--
 lang/go117/Makefile |  8 ++++++--
 lang/go117/PLIST    |  8 +++++---
 lang/go117/distinfo |  8 ++++----
 4 files changed, 17 insertions(+), 11 deletions(-)

diffs (86 lines):

diff -r 44a7e67ced71 -r 1b4e23662576 lang/go/version.mk
--- a/lang/go/version.mk        Wed Jul 13 12:16:37 2022 +0000
+++ b/lang/go/version.mk        Wed Jul 13 14:14:18 2022 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: version.mk,v 1.151 2022/06/02 18:50:40 bsiegert Exp $
+# $NetBSD: version.mk,v 1.152 2022/07/13 14:14:18 bsiegert Exp $
 
 #
 # If bsd.prefs.mk is included before go-package.mk in a package, then this
@@ -7,7 +7,7 @@
 .include "go-vars.mk"
 
 GO118_VERSION= 1.18.3
-GO117_VERSION= 1.17.11
+GO117_VERSION= 1.17.12
 GO116_VERSION= 1.16.15
 GO110_VERSION= 1.10.8
 GO19_VERSION=  1.9.7
diff -r 44a7e67ced71 -r 1b4e23662576 lang/go117/Makefile
--- a/lang/go117/Makefile       Wed Jul 13 12:16:37 2022 +0000
+++ b/lang/go117/Makefile       Wed Jul 13 14:14:18 2022 +0000
@@ -1,6 +1,5 @@
-# $NetBSD: Makefile,v 1.6 2022/06/28 11:34:12 wiz Exp $
+# $NetBSD: Makefile,v 1.7 2022/07/13 14:14:18 bsiegert Exp $
 
-PKGREVISION= 1
 .include "../../lang/go/version.mk"
 .include "../../lang/go/bootstrap.mk"
 
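Review bot: dropping `PKGREVISION= 1` together with the version bump is correct, since PKGREVISION is reset whenever the upstream version changes; nothing else in the visible hunk depends on it.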
@@ -93,6 +92,11 @@
 PLIST.route=   yes
 .endif
 
+PRINT_PLIST_AWK+=      /^bin\/go${GOVERSSUFFIX}/ { print "bin/go$${GOVERSSUFFIX}"; next; }
+PRINT_PLIST_AWK+=      /^bin\/gofmt${GOVERSSUFFIX}/ { print "bin/gofmt$${GOVERSSUFFIX}"; next; }
+PRINT_PLIST_AWK+=      /internal\/pty\.a/ { printf "%s", "$${PLIST.pty}"; }
+PRINT_PLIST_AWK+=      /x\/net\/route\.a/ { printf "%s", "$${PLIST.route}"; }
+
 post-extract:
        ${RM} -r -f ${WRKSRC}/test/fixedbugs/issue27836*
 
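Review bot: the two PRINT_PLIST_AWK rules for bin/go and bin/gofmt expand `${GOVERSSUFFIX}` unescaped inside the awk regex, so the match is on the literal suffix as make expands it; that is fine for a numeric suffix such as 117 but would need escaping if the suffix ever contained regex metacharacters. The pty and route rules deliberately omit `next`, so the `$${PLIST.pty}` / `$${PLIST.route}` prefix is printed and the path line still falls through, which is what the `PLIST.route=   yes` conditional above expects.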
diff -r 44a7e67ced71 -r 1b4e23662576 lang/go117/PLIST
--- a/lang/go117/PLIST  Wed Jul 13 12:16:37 2022 +0000
+++ b/lang/go117/PLIST  Wed Jul 13 14:14:18 2022 +0000
@@ -1,6 +1,6 @@
-@comment $NetBSD: PLIST,v 1.10 2022/06/02 18:19:26 bsiegert Exp $
-bin/go117
-bin/gofmt117
+@comment $NetBSD: PLIST,v 1.11 2022/07/13 14:14:18 bsiegert Exp $
+bin/go${GOVERSSUFFIX}
+bin/gofmt${GOVERSSUFFIX}
 go117/AUTHORS
 go117/CONTRIBUTING.md
 go117/CONTRIBUTORS
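Review bot: `bin/go${GOVERSSUFFIX}` and `bin/gofmt${GOVERSSUFFIX}` only resolve if GOVERSSUFFIX is in PLIST_SUBST for this package; that definition is not part of this diff, so confirm it is set (in the Makefile or lang/go/version.mk), otherwise the installed file list will contain the literal variable and the package fails its PLIST check.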
@@ -2402,6 +2402,7 @@
 go117/src/cmd/go/testdata/script/mod_dot.txt
 go117/src/cmd/go/testdata/script/mod_download.txt
 go117/src/cmd/go/testdata/script/mod_download_concurrent_read.txt
+go117/src/cmd/go/testdata/script/mod_download_git_decorate_full.txt
 go117/src/cmd/go/testdata/script/mod_download_hash.txt
 go117/src/cmd/go/testdata/script/mod_download_json.txt
 go117/src/cmd/go/testdata/script/mod_download_partial.txt
@@ -10065,6 +10066,7 @@
 go117/test/fixedbugs/issue5291.dir/pkg1.go
 go117/test/fixedbugs/issue5291.dir/prog.go
 go117/test/fixedbugs/issue5291.go
+go117/test/fixedbugs/issue53454.go
 go117/test/fixedbugs/issue5358.go
 go117/test/fixedbugs/issue5373.go
 go117/test/fixedbugs/issue5470.dir/a.go
diff -r 44a7e67ced71 -r 1b4e23662576 lang/go117/distinfo
--- a/lang/go117/distinfo       Wed Jul 13 12:16:37 2022 +0000
+++ b/lang/go117/distinfo       Wed Jul 13 14:14:18 2022 +0000
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.17 2022/06/02 18:19:26 bsiegert Exp $
+$NetBSD: distinfo,v 1.18 2022/07/13 14:14:18 bsiegert Exp $
 
-BLAKE2s (go1.17.11.src.tar.gz) = 56f12ee3395f5ccec66790391e18f7c4e6462531f75c5ae007637472086fe374
-SHA512 (go1.17.11.src.tar.gz) = cd08062e3357e8e73ad05572ac575b9d8b15599bdb3ea0ca743b04936fa5cca438886e6a06d6453334b8bb5fbe1ab3512657d11651f9199d2254736a6554e71d
-Size (go1.17.11.src.tar.gz) = 22197784 bytes
+BLAKE2s (go1.17.12.src.tar.gz) = 061cbbc13a599a2bba01fccd6c6686c5174f4f4f6cbac8cb515ffd233ef6ad2a
+SHA512 (go1.17.12.src.tar.gz) = d2bcea2a33723af5c2ae871f5c44694c69d37c74c62e81eddeaf4bfedf124feea2752997d3a359990071bf01f88942fc66b21cb092385946ad4ae9410854c8b9
+Size (go1.17.12.src.tar.gz) = 22205674 bytes
 SHA1 (patch-misc_ios_clangwrap.sh) = 0a06403609cb7bce2e6f65444fd322f486761afe
 SHA1 (patch-src_cmd_dist_util.go) = 2d9c2f59e27672d56f5f1a0e3f9d5101a05546a7
 SHA1 (patch-src_crypto_x509_root__bsd.go) = 27636e0d8c121ccec6c46a3a82cd0e0469473a6e
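Review bot: the three go1.17.12.src.tar.gz lines replace the 1.17.11 entries consistently, and the patch-* SHA1 lines are untouched, which implies the three local patches were carried over unchanged to 1.17.12; confirm that with a build, since a patch that no longer applies cleanly is only caught at do-patch time. The BLAKE2s and SHA512 values should match the checksums published with the upstream release.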