| Message ID | 20230906201358.2714756-1-christian@aperture.us |
|---|---|
| State | Accepted |
| Delegated to: | Peter Korsgaard |
| Headers | show |
| Series | [1/1] package/go: security bump to version 1.20.8 | expand |
On Wed, 6 Sep 2023 13:13:58 -0700 Christian Stewart via buildroot <buildroot@buildroot.org> wrote: > go1.20.8 (released 2023-09-06) includes two security fixes to the html/template > package, as well as bug fixes to the compiler, the go command, the runtime, and > the crypto/tls, go/types, net/http, and path/filepath packages. > > CVE-2023-39318: html/template: improper handling of HTML-like comments within script contexts > CVE-2023-39319: html/template: improper handling of special tags within script contexts > CVE-2023-39321: crypto/tls: panic when processing post-handshake message on QUIC connections > > https://go.dev/doc/devel/release#go1.20.0 > > Signed-off-by: Christian Stewart <christian@aperture.us> This is not relevant for the master branch, which already has 1.21.1. However, this patch is applicable to 2023.08.x. For 2023.05.x and 2023.02.x, the 1.19.x series is used, so we would need an updated to 1.19.13 I believe. Thomas
>>>>> "Christian" == Christian Stewart <christian@aperture.us> writes: > go1.20.8 (released 2023-09-06) includes two security fixes to the html/template > package, as well as bug fixes to the compiler, the go command, the runtime, and > the crypto/tls, go/types, net/http, and path/filepath packages. > CVE-2023-39318: html/template: improper handling of HTML-like comments within script contexts > CVE-2023-39319: html/template: improper handling of special tags within script contexts > CVE-2023-39321: crypto/tls: panic when processing post-handshake message on QUIC connections > https://go.dev/doc/devel/release#go1.20.0 > Signed-off-by: Christian Stewart <christian@aperture.us> Committed to 2023.08.x, thanks.
diff --git a/package/go/go.hash b/package/go/go.hash index 2298534d91..19405982ba 100644 --- a/package/go/go.hash +++ b/package/go/go.hash @@ -1,3 +1,3 @@ # From https://go.dev/dl -sha256 2c5ee9c9ec1e733b0dbbc2bdfed3f62306e51d8172bf38f4f4e542b27520f597 go1.20.7.src.tar.gz +sha256 38d71714fa5279f97240451956d8e47e3c1b6a5de7cb84137949d62b5dd3182e go1.20.8.src.tar.gz sha256 2d36597f7117c38b006835ae7f537487207d8ec407aa9d9980794b2030cbc067 LICENSE diff --git a/package/go/go.mk b/package/go/go.mk index fc1d9ed681..c1e9f2f8f6 100644 --- a/package/go/go.mk +++ b/package/go/go.mk @@ -4,7 +4,7 @@ # ################################################################################ -GO_VERSION = 1.20.7 +GO_VERSION = 1.20.8 GO_SITE = https://storage.googleapis.com/golang GO_SOURCE = go$(GO_VERSION).src.tar.gz
go1.20.8 (released 2023-09-06) includes two security fixes to the html/template package, as well as bug fixes to the compiler, the go command, the runtime, and the crypto/tls, go/types, net/http, and path/filepath packages. CVE-2023-39318: html/template: improper handling of HTML-like comments within script contexts CVE-2023-39319: html/template: improper handling of special tags within script contexts CVE-2023-39321: crypto/tls: panic when processing post-handshake message on QUIC connections https://go.dev/doc/devel/release#go1.20.0 Signed-off-by: Christian Stewart <christian@aperture.us> --- package/go/go.hash | 2 +- package/go/go.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)