pkgsrc-Changes archive


CVS commit: pkgsrc/lang



Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Sat Sep 26 17:37:01 UTC 2015

Modified Files:
        pkgsrc/lang/go: version.mk
        pkgsrc/lang/go14: Makefile PLIST distinfo

Log Message:
Update go14 to 1.4.3. It fixes four security-related issues.

The issues were reported in Go's net/http package. They affect programs using
that package to proxy HTTP requests. We recommend that all users upgrade to Go
1.5, which fixes these issues. For users unable to upgrade to Go 1.5, we have
released version 1.4.3, which is based on Go 1.4.2 plus fixes for these issues.
Affected Go programs—those that use the net/http package as a proxy server—must
be recompiled with Go 1.5 or Go 1.4.3 to receive the fixes.

The CVE issue descriptions and fixes are linked below.

CVE-2015-5739
"Content Length" treated as valid header:
https://go-review.googlesource.com/#/c/11772/

CVE-2015-5740
Double content-length headers does not return 400 error:
https://go-review.googlesource.com/#/c/11810/

CVE-2015-5741
Additional hardening, not sending Content-Length w/Transfer-Encoding,
Closing connections:
https://go-review.googlesource.com/#/c/11810/
https://go-review.googlesource.com/#/c/12865/
https://go-review.googlesource.com/#/c/13148/

The Go team would like to thank Jed Denlea and Régis Leroy for their
contributions to this release. They have been awarded 1337 USD under the Google
Security Bounty program.


To generate a diff of this commit:
cvs rdiff -u -r1.8 -r1.9 pkgsrc/lang/go/version.mk
cvs rdiff -u -r1.3 -r1.4 pkgsrc/lang/go14/Makefile
cvs rdiff -u -r1.1 -r1.2 pkgsrc/lang/go14/PLIST
cvs rdiff -u -r1.2 -r1.3 pkgsrc/lang/go14/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
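
An added example, not part of the commit message or of Go's own code: a small Go program that can be built with the toolchain under test to see how its net/http handles the header cases named in the CVE list above. The request strings are constructed samples, `example.test` is a placeholder host, the function names are hypothetical, and the duplicate-header check looks at the parser error from `http.ReadRequest` rather than at a server's 400 response.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"net/http"
	"strings"
)

// Constructed sample requests; example.test is a placeholder host.
const (
	spacedName = "POST / HTTP/1.1\r\nHost: example.test\r\nContent Length: 5\r\n\r\nhello"
	doubleCL   = "POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nContent-Length: 0\r\n\r\nhello"
)

func parse(raw string) (*http.Request, error) {
	return http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
}

// SpacedNameHonoured: true if "Content Length" (with a space) was treated as Content-Length.
func SpacedNameHonoured() bool {
	req, err := parse(spacedName)
	return err == nil && (req.ContentLength == 5 || req.Header.Get("Content-Length") != "")
}

// DoubleLengthRejected: true if conflicting Content-Length headers are a parse error.
func DoubleLengthRejected() bool {
	_, err := parse(doubleCL)
	return err != nil
}

// SendsLengthWithChunked: true if an outgoing chunked request also carries Content-Length.
func SendsLengthWithChunked() bool {
	req, err := http.NewRequest("POST", "http://example.test/", strings.NewReader("hello"))
	if err != nil {
		panic(err)
	}
	req.TransferEncoding = []string{"chunked"}
	var wire bytes.Buffer // serialized request, nothing is sent over the network
	if err = req.Write(&wire); err != nil {
		panic(err)
	}
	return strings.Contains(strings.ToLower(wire.String()), "content-length:")
}

func main() {
	fmt.Println(SpacedNameHonoured(), DoubleLengthRejected(), SendsLengthWithChunked())
}
```

On a current Go toolchain this prints `false true false`; any other result means the binary's net/http does not enforce these checks.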



