pkgsrc-Changes archive
CVS commit: pkgsrc/lang
Module Name: pkgsrc
Committed By: bsiegert
Date: Fri May 5 18:33:15 UTC 2023
Modified Files:
pkgsrc/lang/go: version.mk
pkgsrc/lang/go120: PLIST distinfo
Log Message:
go120: update to 1.20.4 (security)
This minor release includes 3 security fixes following the security policy:
* html/template: improper sanitization of CSS values
Angle brackets (<>) were not considered dangerous characters when inserted
into CSS contexts. Templates containing multiple actions separated by a '/'
character could result in unexpectedly closing the CSS context and allowing
for injection of unexpected HTML, if executed with untrusted input.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2023-24539 and Go issue https://go.dev/issue/59720.
* html/template: improper handling of JavaScript whitespace
Not all valid JavaScript whitespace characters were considered to be
whitespace. Templates containing whitespace characters outside of the
character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also
contain actions may not be properly sanitized during execution.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2023-24540 and Go issue https://go.dev/issue/59721.
* html/template: improper handling of empty HTML attributes
Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}")
executed with empty input could result in output that would have unexpected
results when parsed due to HTML normalization rules. This may allow injection
of arbitrary attributes into tags.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2023-29400 and Go issue https://go.dev/issue/59722.
To generate a diff of this commit:
cvs rdiff -u -r1.178 -r1.179 pkgsrc/lang/go/version.mk
cvs rdiff -u -r1.4 -r1.5 pkgsrc/lang/go120/PLIST pkgsrc/lang/go120/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/lang/go/version.mk
diff -u pkgsrc/lang/go/version.mk:1.178 pkgsrc/lang/go/version.mk:1.179
--- pkgsrc/lang/go/version.mk:1.178 Wed May 3 19:24:54 2023
+++ pkgsrc/lang/go/version.mk Fri May 5 18:33:15 2023
@@ -1,4 +1,4 @@
-# $NetBSD: version.mk,v 1.178 2023/05/03 19:24:54 bsiegert Exp $
+# $NetBSD: version.mk,v 1.179 2023/05/05 18:33:15 bsiegert Exp $
#
# If bsd.prefs.mk is included before go-package.mk in a package, then this
@@ -6,7 +6,7 @@
#
.include "go-vars.mk"
-GO120_VERSION= 1.20.3
+GO120_VERSION= 1.20.4
GO119_VERSION= 1.19.9
GO118_VERSION= 1.18.10
GO14_VERSION= 1.4.3
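Review bot: the GO120_VERSION bump to 1.20.4 fixes html/template in the standard library, which Go compiles statically into every binary, so packages already built with go120 keep the 1.20.3 code until they are rebuilt. Consider following this commit with a revision bump of the packages that build with go120, so that binary-package users actually receive the three fixes.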
Index: pkgsrc/lang/go120/PLIST
diff -u pkgsrc/lang/go120/PLIST:1.4 pkgsrc/lang/go120/PLIST:1.5
--- pkgsrc/lang/go120/PLIST:1.4 Tue Apr 4 18:33:25 2023
+++ pkgsrc/lang/go120/PLIST Fri May 5 18:33:15 2023
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.4 2023/04/04 18:33:25 bsiegert Exp $
+@comment $NetBSD: PLIST,v 1.5 2023/05/05 18:33:15 bsiegert Exp $
bin/go${GOVERSSUFFIX}
bin/gofmt${GOVERSSUFFIX}
go120/CONTRIBUTING.md
@@ -1904,6 +1904,7 @@ go120/src/cmd/go/testdata/script/build_i
go120/src/cmd/go/testdata/script/build_import_cycle.txt
go120/src/cmd/go/testdata/script/build_internal.txt
go120/src/cmd/go/testdata/script/build_issue48319.txt
+go120/src/cmd/go/testdata/script/build_issue59571.txt
go120/src/cmd/go/testdata/script/build_issue6480.txt
go120/src/cmd/go/testdata/script/build_link_x_import_path_escape.txt
go120/src/cmd/go/testdata/script/build_multi_main.txt
@@ -6875,10 +6876,6 @@ go120/src/os/readfrom_stub.go
go120/src/os/removeall_at.go
go120/src/os/removeall_noat.go
go120/src/os/removeall_test.go
-go120/src/os/rlimit.go
-go120/src/os/rlimit_darwin.go
-go120/src/os/rlimit_stub.go
-go120/src/os/rlimit_test.go
go120/src/os/signal/doc.go
go120/src/os/signal/example_test.go
go120/src/os/signal/example_unix_test.go
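Review bot: the removal of go120/src/os/rlimit*.go in this hunk, together with the matching additions under go120/src/syscall/ and the new fixedbugs tests further down, shows that 1.20.4 also carries non-security changes, while the log message lists only the three html/template fixes. A short line in the log saying that the release also includes bug fixes would make it match what the PLIST shows.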
@@ -8235,6 +8232,7 @@ go120/src/syscall/exec_windows.go
go120/src/syscall/exec_windows_test.go
go120/src/syscall/export_darwin_test.go
go120/src/syscall/export_linux_test.go
+go120/src/syscall/export_rlimit_test.go
go120/src/syscall/export_unix_test.go
go120/src/syscall/export_windows_test.go
go120/src/syscall/flock.go
@@ -8274,6 +8272,10 @@ go120/src/syscall/netlink_linux.go
go120/src/syscall/ptrace_darwin.go
go120/src/syscall/ptrace_ios.go
go120/src/syscall/pwd_plan9.go
+go120/src/syscall/rlimit.go
+go120/src/syscall/rlimit_darwin.go
+go120/src/syscall/rlimit_stub.go
+go120/src/syscall/rlimit_test.go
go120/src/syscall/route_bsd.go
go120/src/syscall/route_darwin.go
go120/src/syscall/route_dragonfly.go
@@ -11013,10 +11015,15 @@ go120/test/fixedbugs/issue5910.dir/a.go
go120/test/fixedbugs/issue5910.dir/main.go
go120/test/fixedbugs/issue5910.go
go120/test/fixedbugs/issue59293.go
+go120/test/fixedbugs/issue59334.go
+go120/test/fixedbugs/issue59367.go
+go120/test/fixedbugs/issue59378.go
go120/test/fixedbugs/issue5957.dir/a.go
go120/test/fixedbugs/issue5957.dir/b.go
go120/test/fixedbugs/issue5957.dir/c.go
go120/test/fixedbugs/issue5957.go
+go120/test/fixedbugs/issue59572.go
+go120/test/fixedbugs/issue59572.out
go120/test/fixedbugs/issue5963.go
go120/test/fixedbugs/issue6004.go
go120/test/fixedbugs/issue6036.go
Index: pkgsrc/lang/go120/distinfo
diff -u pkgsrc/lang/go120/distinfo:1.4 pkgsrc/lang/go120/distinfo:1.5
--- pkgsrc/lang/go120/distinfo:1.4 Tue Apr 4 18:33:25 2023
+++ pkgsrc/lang/go120/distinfo Fri May 5 18:33:15 2023
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.4 2023/04/04 18:33:25 bsiegert Exp $
+$NetBSD: distinfo,v 1.5 2023/05/05 18:33:15 bsiegert Exp $
-BLAKE2s (go1.20.3.src.tar.gz) = 412257ea01e9308b6afcde71094d222c14fb06297a502b0892a4ceac00e5d812
-SHA512 (go1.20.3.src.tar.gz) = 47ebb3925956a3facef9e5e6f4efec3058e55632020ea247844c55b160d23e2be3880ea24dec2f73382a7c7858259896cbb7de1bb764c481c176bed479676029
-Size (go1.20.3.src.tar.gz) = 26184364 bytes
+BLAKE2s (go1.20.4.src.tar.gz) = fe3bbdd7cce52b89e3ce260e926ae7b79388b55d026c8f2c8e6039fff92133d3
+SHA512 (go1.20.4.src.tar.gz) = 43898325bab48c24e533f360a2c7de356a8a56946602e727b5bcd4a62ff4f64fd750e2650032f7e0525b0699e40e506d79446e16838f097e6bdc2a16f10d81be
+Size (go1.20.4.src.tar.gz) = 26185429 bytes
SHA1 (patch-misc_ios_clangwrap.sh) = 0a06403609cb7bce2e6f65444fd322f486761afe
SHA1 (patch-src_cmd_dist_util.go) = 2d9c2f59e27672d56f5f1a0e3f9d5101a05546a7
SHA1 (patch-src_crypto_x509_root__bsd.go) = 0b5dead901450967109303f873a2696c65ccac35
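Added example, not part of this commit or of Go itself: a heuristic check for the template pattern named in the third fix of the log message (CVE-2023-29400), an action used as an unquoted attribute value, so that such templates can be found and the attribute quoted in addition to updating the toolchain. `UnquotedAttrActions` and the sample template are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

const sample = `<img src={{.URL}} alt="{{.Alt}}">
<a href="{{.Link}}" class={{.Class}}>x</a>
<input value = {{ .V }} title='{{printf "%q" .T}}'>
<p>a={{.A}}</p>` // constructed sample, not from any real project

// UnquotedAttrActions is a heuristic scan, not an HTML parser: it tracks tag
// and quote state and returns "line:attr" for each {{action}} that directly
// follows "attr=" inside a tag. Script and style bodies are not special-cased.
func UnquotedAttrActions(src string) []string {
	out, inTag, quote := []string(nil), false, byte(0)
	for i := 0; i < len(src); i++ {
		if strings.HasPrefix(src[i:], "{{") {
			head := strings.TrimRight(src[:i], " \t\r\n")
			if inTag && quote == 0 && strings.HasSuffix(head, "=") {
				head = strings.TrimRight(head[:len(head)-1], " \t\r\n")
				name := head[strings.LastIndexAny(head, " \t\r\n<")+1:]
				line := 1 + strings.Count(src[:i], "\n")
				out = append(out, fmt.Sprintf("%d:%s", line, name))
			}
			if end := strings.Index(src[i:], "}}"); end > 0 {
				i += end + 1 // skip the action body, which may contain quotes
			}
			continue
		}
		switch c := src[i]; {
		case quote != 0 && c == quote:
			quote = 0
		case quote != 0: // still inside a quoted attribute value
		case inTag && (c == '"' || c == '\''):
			quote = c
		case inTag && c == '>':
			inTag = false
		case !inTag && c == '<' && i+1 < len(src) && unicode.IsLetter(rune(src[i+1])):
			inTag = true
		}
	}
	return out
}

func main() {
	fmt.Println(UnquotedAttrActions(sample))
}
```

The quoted `alt`, `href` and `title` attributes and the `a={{.A}}` text outside any tag are not reported; only `src`, `class` and `value` are.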