| Message ID | 20210729224949.394669-1-christian@paral.in |
|---|---|
| State | Accepted |
| Headers | show |
| Series | [1/1] package/go: security bump version to 1.16.6 | expand |
On Thu, 29 Jul 2021 15:49:49 -0700 Christian Stewart <christian@paral.in> wrote: > These minor releases include a security fix according to the new security policy (#44918). > > crypto/tls clients can panic when provided a certificate of the wrong type for the negotiated parameters. > net/http clients performing HTTPS requests are also affected. The panic can be triggered by an attacker > in a privileged network position without access to the server certificate's private key, as long as a trusted > ECDSA or Ed25519 certificate for the server exists (or can be issued), or the client is configured with > Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher suites (that is, TLS 1.0–1.2 cipher > suites without ECDHE), as well as TLS 1.3-only clients, are unaffected. > > This is CVE-2021-34558. > > View the release notes for more information: > > https://golang.org/doc/devel/release.html#go1.16.minor > > Signed-off-by: Christian Stewart <christian@paral.in> > --- > package/go/go.hash | 2 +- > package/go/go.mk | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) Applied to master, thanks. Thomas
>>>>> "Christian" == Christian Stewart <christian@paral.in> writes: > These minor releases include a security fix according to the new security policy (#44918). > crypto/tls clients can panic when provided a certificate of the wrong > type for the negotiated parameters. > net/http clients performing HTTPS requests are also affected. The > panic can be triggered by an attacker > in a privileged network position without access to the server > certificate's private key, as long as a trusted > ECDSA or Ed25519 certificate for the server exists (or can be issued), > or the client is configured with > Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher > suites (that is, TLS 1.0–1.2 cipher > suites without ECDHE), as well as TLS 1.3-only clients, are unaffected. > This is CVE-2021-34558. > View the release notes for more information: > https://golang.org/doc/devel/release.html#go1.16.minor > Signed-off-by: Christian Stewart <christian@paral.in> Committed to 2021.05.x, thanks. For 2021.02.x I will instead bump to 1.5.15, which contains the same fixes.
diff --git a/package/go/go.hash b/package/go/go.hash index bc6147bb52..cd7f2b3813 100644 --- a/package/go/go.hash +++ b/package/go/go.hash @@ -1,3 +1,3 @@ # From https://golang.org/dl/ -sha256 7bfa7e5908c7cc9e75da5ddf3066d7cbcf3fd9fa51945851325eebc17f50ba80 go1.16.5.src.tar.gz +sha256 a3a5d4bc401b51db065e4f93b523347a4d343ae0c0b08a65c3423b05a138037d go1.16.6.src.tar.gz sha256 2d36597f7117c38b006835ae7f537487207d8ec407aa9d9980794b2030cbc067 LICENSE diff --git a/package/go/go.mk b/package/go/go.mk index 4252691343..7d6355df92 100644 --- a/package/go/go.mk +++ b/package/go/go.mk @@ -4,7 +4,7 @@ # ################################################################################ -GO_VERSION = 1.16.5 +GO_VERSION = 1.16.6 GO_SITE = https://storage.googleapis.com/golang GO_SOURCE = go$(GO_VERSION).src.tar.gz
These minor releases include a security fix according to the new security policy (#44918). crypto/tls clients can panic when provided a certificate of the wrong type for the negotiated parameters. net/http clients performing HTTPS requests are also affected. The panic can be triggered by an attacker in a privileged network position without access to the server certificate's private key, as long as a trusted ECDSA or Ed25519 certificate for the server exists (or can be issued), or the client is configured with Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher suites (that is, TLS 1.0–1.2 cipher suites without ECDHE), as well as TLS 1.3-only clients, are unaffected. This is CVE-2021-34558. View the release notes for more information: https://golang.org/doc/devel/release.html#go1.16.minor Signed-off-by: Christian Stewart <christian@paral.in> --- package/go/go.hash | 2 +- package/go/go.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)