From patchwork Sun Jun 6 11:50:18 2021
X-Patchwork-Submitter: Peter Korsgaard
X-Patchwork-Id: 1488296
From: Peter Korsgaard
To: buildroot@buildroot.org
Cc: Anisse Astier
Date: Sun, 6 Jun 2021 13:50:18 +0200
Message-Id: <20210606115018.13237-1-peter@korsgaard.com>
Subject: [Buildroot] [PATCH] package/go: security bump to version 1.16.5

Fixes the following security issues:

- CVE-2021-33195: The LookupCNAME, LookupSRV, LookupMX, LookupNS, and
  LookupAddr functions in net, and their respective methods on the Resolver
  type may return arbitrary values retrieved from DNS which do not follow the
  established RFC 1035 rules for domain names. If these names are used without
  further sanitization, for instance unsafely included in HTML, they may allow
  for injection of unexpected content. Note that LookupTXT may still return
  arbitrary values that could require sanitization before further use

- CVE-2021-33196: The NewReader and OpenReader functions in archive/zip can
  cause a panic or an unrecoverable fatal error when reading an archive that
  claims to contain a large number of files, regardless of its actual size

- CVE-2021-33197: ReverseProxy in net/http/httputil could be made to forward
  certain hop-by-hop headers, including Connection. In case the target of the
  ReverseProxy was itself a reverse proxy, this would let an attacker drop
  arbitrary headers, including those set by the ReverseProxy.Director

- CVE-2021-33198: The SetString and UnmarshalText methods of math/big.Rat may
  cause a panic or an unrecoverable fatal error if passed inputs with very
  large exponents

Signed-off-by: Peter Korsgaard
---
 package/go/go.hash | 2 +-
 package/go/go.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/go/go.hash b/package/go/go.hash index a6676bc160..bc6147bb52 100644 --- a/package/go/go.hash +++ b/package/go/go.hash @@ -1,3 +1,3 @@ # From https://golang.org/dl/ -sha256 ae4f6b6e2a1677d31817984655a762074b5356da50fb58722b99104870d43503 go1.16.4.src.tar.gz +sha256 7bfa7e5908c7cc9e75da5ddf3066d7cbcf3fd9fa51945851325eebc17f50ba80 go1.16.5.src.tar.gz sha256 2d36597f7117c38b006835ae7f537487207d8ec407aa9d9980794b2030cbc067 LICENSE diff --git a/package/go/go.mk b/package/go/go.mk index 5b87915824..4252691343 100644 --- a/package/go/go.mk +++ b/package/go/go.mk @@ -4,7 +4,7 @@ # ################################################################################ -GO_VERSION = 1.16.4 +GO_VERSION = 1.16.5 GO_SITE = https://storage.googleapis.com/golang GO_SOURCE = go$(GO_VERSION).src.tar.gz
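
Review bot: in the package/go/go.hash hunk, the new sha256 for go1.16.5.src.tar.gz sits under the "# From https://golang.org/dl/" comment, but nothing in the patch shows it was compared with the checksum published there rather than computed from a locally downloaded tarball. Please confirm it matches the upstream value: go.mk fetches the tarball from a different host (GO_SITE = https://storage.googleapis.com/golang), so this line is what pins the content of the download. The unchanged LICENSE hash is consistent with the license file being identical in 1.16.4 and 1.16.5.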
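
Review bot: the GO_VERSION = 1.16.5 line in package/go/go.mk is justified only by the CVE list in the commit message, which carries no link to the upstream release announcement; add a reference so the list can be checked against its source. GO_SOURCE expands to go1.16.5.src.tar.gz, which matches the file name in the new go.hash entry, so the two hunks have to be applied together.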
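
The sanitization that the CVE-2021-33195 entry in the commit message calls for, sketched as an added example that is not part of this patch or of Go's own fix: host names coming back from a lookup are validated before use, and free-form data such as TXT records is always HTML-escaped. The functions `validHostname` and `renderLookup` and the sample values are hypothetical, written for this illustration.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// validHostname is a strict letters-digits-hyphen check written for this example
// (labels of 1-63 bytes, at most 253 bytes in total); it is not the net package's check.
func validHostname(name string) bool {
	name = strings.TrimSuffix(name, ".") // accept the fully qualified form
	if len(name) == 0 || len(name) > 253 {
		return false
	}
	for _, label := range strings.Split(name, ".") {
		if len(label) == 0 || len(label) > 63 || label[0] == '-' || label[len(label)-1] == '-' {
			return false
		}
		for _, c := range []byte(label) {
			alnum := c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' || c >= '0' && c <= '9'
			if !alnum && c != '-' {
				return false
			}
		}
	}
	return true
}

// renderLookup turns one lookup result into an HTML list item. Host-name results
// that fail validation are rejected; TXT data is kept, and every value is escaped.
func renderLookup(kind, value string) (string, bool) {
	if kind != "TXT" && !validHostname(value) {
		return "", false
	}
	return "<li>" + html.EscapeString(kind+": "+value) + "</li>", true
}

func main() {
	samples := [][2]string{ // constructed values standing in for resolver answers
		{"CNAME", "www.example.org."},
		{"CNAME", "<b>injected</b>.example.org."},
		{"TXT", "v=spf1 <b>-all</b>"},
	}
	for _, s := range samples {
		out, ok := renderLookup(s[0], s[1])
		fmt.Printf("%-5s accepted=%-5v %s\n", s[0], ok, out)
	}
}
```

Applying both steps keeps the output safe whether or not the Go toolchain in use already contains the 1.16.5 fix.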