| Message ID | 20181215155010.2033-1-peter@korsgaard.com |
|---|---|
| State | Accepted |
| Headers | show |
| Series | package/go: security bump to version 1.11.4 | expand |
Hello, On Sat, 15 Dec 2018 16:50:10 +0100, Peter Korsgaard wrote: > go 1.11.3 fixes the following security issues: > > cmd/go: remote command execution during "go get -u" > The issue is CVE-2018-16873 and Go issue golang.org/issue/29230. See the Go issue for details. > Thanks to Etienne Stalmans from the Heroku platform security team for discovering and reporting this issue. > > cmd/go: directory traversal in "go get" via curly braces in import paths > The issue is CVE-2018-16874 and Go issue golang.org/issue/29231. See the Go issue for details. > Thanks to ztz of Tencent Security Platform for discovering and reporting this issue. > > crypto/x509: CPU denial of service in chain validation > The issue is CVE-2018-16875 and Go issue golang.org/issue/29233. See the Go issue for details. > Thanks to Netflix for discovering and reporting this issue. > > go 1.11.4 fixes issues, including regressions introduced by 1.11.3: > > 1.11.4 includes fixes to cgo, the compiler, linker, runtime, documentation, go > command, and the net/http and go/types packages. It includes a fix to a bug > introduced in Go 1.11.3 that broke go get for import path patterns > containing "...". > > Signed-off-by: Peter Korsgaard <peter@korsgaard.com> > --- > package/go/go.hash | 2 +- > package/go/go.mk | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) Applied to master, thanks. Thomas
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes: > go 1.11.3 fixes the following security issues: > cmd/go: remote command execution during "go get -u" > The issue is CVE-2018-16873 and Go issue golang.org/issue/29230. See the Go issue for details. > Thanks to Etienne Stalmans from the Heroku platform security team for discovering and reporting this issue. > cmd/go: directory traversal in "go get" via curly braces in import paths > The issue is CVE-2018-16874 and Go issue golang.org/issue/29231. See the Go issue for details. > Thanks to ztz of Tencent Security Platform for discovering and reporting this issue. > crypto/x509: CPU denial of service in chain validation > The issue is CVE-2018-16875 and Go issue golang.org/issue/29233. See the Go issue for details. > Thanks to Netflix for discovering and reporting this issue. > go 1.11.4 fixes issues, including regressions introduced by 1.11.3: > 1.11.4 includes fixes to cgo, the compiler, linker, runtime, documentation, go > command, and the net/http and go/types packages. It includes a fix to a bug > introduced in Go 1.11.3 that broke go get for import path patterns > containing "...". > Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Committed to 2018.11.x, thanks.
diff --git a/package/go/go.hash b/package/go/go.hash index bd6af0358f..ee1c881e6a 100644 --- a/package/go/go.hash +++ b/package/go/go.hash @@ -1,3 +1,3 @@ # From https://golang.org/dl/ -sha256 042fba357210816160341f1002440550e952eb12678f7c9e7e9d389437942550 go1.11.2.src.tar.gz +sha256 4cfd42720a6b1e79a8024895fa6607b69972e8e32446df76d6ce79801bbadb15 go1.11.4.src.tar.gz sha256 2d36597f7117c38b006835ae7f537487207d8ec407aa9d9980794b2030cbc067 LICENSE diff --git a/package/go/go.mk b/package/go/go.mk index 2e434f3bad..0d7b961dda 100644 --- a/package/go/go.mk +++ b/package/go/go.mk @@ -4,7 +4,7 @@ # ################################################################################ -GO_VERSION = 1.11.2 +GO_VERSION = 1.11.4 GO_SITE = https://storage.googleapis.com/golang GO_SOURCE = go$(GO_VERSION).src.tar.gz
go 1.11.3 fixes the following security issues: cmd/go: remote command execution during "go get -u" The issue is CVE-2018-16873 and Go issue golang.org/issue/29230. See the Go issue for details. Thanks to Etienne Stalmans from the Heroku platform security team for discovering and reporting this issue. cmd/go: directory traversal in "go get" via curly braces in import paths The issue is CVE-2018-16874 and Go issue golang.org/issue/29231. See the Go issue for details. Thanks to ztz of Tencent Security Platform for discovering and reporting this issue. crypto/x509: CPU denial of service in chain validation The issue is CVE-2018-16875 and Go issue golang.org/issue/29233. See the Go issue for details. Thanks to Netflix for discovering and reporting this issue. go 1.11.4 fixes issues, including regressions introduced by 1.11.3: 1.11.4 includes fixes to cgo, the compiler, linker, runtime, documentation, go command, and the net/http and go/types packages. It includes a fix to a bug introduced in Go 1.11.3 that broke go get for import path patterns containing "...". Signed-off-by: Peter Korsgaard <peter@korsgaard.com> --- package/go/go.hash | 2 +- package/go/go.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)