From patchwork Wed Jan 20 08:36:26 2021
X-Patchwork-Submitter: Peter Korsgaard
X-Patchwork-Id: 1429088
From: Peter Korsgaard
To: buildroot@buildroot.org
Cc: Peter Korsgaard, Anisse Astier
Date: Wed, 20 Jan 2021 09:36:26 +0100
Message-Id: <20210120083627.5893-1-peter@korsgaard.com>
Subject: [Buildroot] [PATCH] package/go: security bump to version 1.5.7

Fixes the following security issues:

- cmd/go: packages using cgo can cause arbitrary code execution at build time

  The go command may execute arbitrary code at build time when cgo is in use on Windows. This may occur when running “go get”, or any other command that builds code. Only users who build untrusted code (and don’t execute it) are affected.

  In addition to Windows users, this can also affect Unix users who have “.” listed explicitly in their PATH and are running “go get” or build commands outside of a module or with module mode disabled.

  Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.

  This issue is CVE-2021-3115 and Go issue golang.org/issue/43783.

- crypto/elliptic: incorrect operations on the P-224 curve

  The P224() Curve implementation can in rare circumstances generate incorrect outputs, including returning invalid points from ScalarMult.

  The crypto/x509 and golang.org/x/crypto/ocsp (but not crypto/tls) packages support P-224 ECDSA keys, but they are not supported by publicly trusted certificate authorities. No other standard library or golang.org/x/crypto package supports or uses the P-224 curve.

  The incorrect output was found by the elliptic-curve-differential-fuzzer project running on OSS-Fuzz and reported by Philippe Antoine (Catena cyber).

  This issue is CVE-2021-3114 and Go issue golang.org/issue/43786.
Signed-off-by: Peter Korsgaard --- package/go/go.hash | 2 +- package/go/go.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/package/go/go.hash b/package/go/go.hash index de2cf74cbb..1bd7ab7ca9 100644 --- a/package/go/go.hash +++ b/package/go/go.hash @@ -1,3 +1,3 @@ # From https://golang.org/dl/ -sha256 890bba73c5e2b19ffb1180e385ea225059eb008eb91b694875dd86ea48675817 go1.15.6.src.tar.gz +sha256 8631b3aafd8ecb9244ec2ffb8a2a8b4983cf4ad15572b9801f7c5b167c1a2abc go1.15.7.src.tar.gz sha256 2d36597f7117c38b006835ae7f537487207d8ec407aa9d9980794b2030cbc067 LICENSE diff --git a/package/go/go.mk b/package/go/go.mk index e65b24364f..21a33d215c 100644 --- a/package/go/go.mk +++ b/package/go/go.mk @@ -4,7 +4,7 @@ # ################################################################################ -GO_VERSION = 1.15.6 +GO_VERSION = 1.15.7 GO_SITE = https://storage.googleapis.com/golang GO_SOURCE = go$(GO_VERSION).src.tar.gz
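Review bot: in the go.hash hunk the new sha256 for go1.15.7.src.tar.gz is the value Buildroot will check the downloaded tarball against, and go.mk fetches that tarball from storage.googleapis.com rather than from the page the file's `# From https://golang.org/dl/` comment cites, so it is worth stating in the commit message that the value was copied from the published checksum on that page rather than computed from a downloaded file; a security bump is exactly the case where a substituted tarball would matter. The LICENSE hash staying unchanged is expected for a patch-level bump.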
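Review bot: the subject line says "security bump to version 1.5.7" while this go.mk hunk sets `GO_VERSION = 1.15.7`, matching the go1.15.7.src.tar.gz entry in go.hash; the subject should read 1.15.7 before the patch is applied, since it becomes the git history for two CVE fixes. Nothing else in go.mk needs touching: `GO_SOURCE = go$(GO_VERSION).src.tar.gz` derives the tarball name from the version, and GO_SITE is unchanged.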
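Two checks that follow from the advisory text in the commit message, as an added example written for this page and not Buildroot's or the Go project's code: `riskyPathEntries` reports PATH elements that resolve to the current directory, the Unix precondition the cmd/go issue names, and `p224Inconsistencies` multiplies the P-224 generator by small scalars with both `ScalarMult` and `ScalarBaseMult` and counts results that are off the curve or disagree with each other, the kind of invalid output the crypto/elliptic issue describes. The function names and the sample PATH string are constructed here. A toolchain with correct P-224 arithmetic reports zero inconsistencies; a zero on an affected toolchain is not proof of absence, because the advisory says the bad outputs are rare.

```go
package main

import (
	"crypto/elliptic"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"runtime"
)

// riskyPathEntries returns the elements of a PATH-style string that resolve to
// the current directory: a literal "." or an empty element (which POSIX
// treats as "."). Constructed helper for this example; the advisory names an
// explicit "." in PATH as the Unix precondition for CVE-2021-3115.
func riskyPathEntries(path string) []string {
	var risky []string
	// filepath.SplitList uses the platform's list separator (":" on Unix).
	for _, dir := range filepath.SplitList(path) {
		if dir == "." || dir == "" {
			risky = append(risky, dir)
		}
	}
	return risky
}

// p224Inconsistencies multiplies the P-224 generator by the scalars 1..n using
// both ScalarMult and ScalarBaseMult and counts results that are not on the
// curve or that disagree with each other. Constructed check for this example;
// a toolchain with correct P-224 arithmetic returns 0.
func p224Inconsistencies(n int) int {
	curve := elliptic.P224()
	params := curve.Params()
	bad := 0
	for i := 1; i <= n; i++ {
		k := big.NewInt(int64(i)).Bytes()
		x1, y1 := curve.ScalarMult(params.Gx, params.Gy, k)
		x2, y2 := curve.ScalarBaseMult(k)
		if !curve.IsOnCurve(x1, y1) || x1.Cmp(x2) != 0 || y1.Cmp(y2) != 0 {
			bad++
		}
	}
	return bad
}

func main() {
	fmt.Println("toolchain:", runtime.Version())

	// Constructed sample PATH with a literal "." and an empty element.
	sample := "/usr/local/bin:.:/usr/bin::/bin"
	if risky := riskyPathEntries(sample); len(risky) > 0 {
		fmt.Printf("sample PATH has %d current-directory entries: %q\n", len(risky), risky)
	}
	// The same check against the live environment of this process.
	if risky := riskyPathEntries(os.Getenv("PATH")); len(risky) > 0 {
		fmt.Printf("live PATH has %d current-directory entries: %q\n", len(risky), risky)
	}

	fmt.Println("P-224 inconsistencies over 256 scalars:", p224Inconsistencies(256))
}
```

The PATH check only reports the precondition; whether it matters depends on running `go get` or a build outside a module or with module mode disabled, as the advisory states, and on the toolchain being older than the fixed release. The curve check is deliberately cheap so it can be run as a smoke test against whichever Go the build host provides.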