| Message ID | 20230215072923.184867-1-christian@paral.in |
|---|---|
| State | Accepted |
| Headers | show |
| Series | [v1,1/1] package/go: security bump to version 1.19.6 | expand |
>>>>> "Christian" == Christian Stewart <christian@paral.in> writes: > go1.19.6 (released 2023-02-14) includes security fixes to the crypto/tls, > mime/multipart, net/http, and path/filepath packages, as well as bug fixes to > the go command, the linker, the runtime, and the crypto/x509, net/http, and time > packages. See the Go 1.19.6 milestone on the Go issue tracker for details. > CVE-2022-41725: net/http, mime/multipart: denial of service from excessive resource consumption > CVE-2022-41724: crypto/tls: large handshake records may cause panics > CVE-2022-41723: net/http: avoid quadratic complexity in HPACK decoding > https://go.dev/doc/devel/release#go1.19.minor > Signed-off-by: Christian Stewart <christian@paral.in> Committed, thanks.
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes: >>>>> "Christian" == Christian Stewart <christian@paral.in> writes: >> go1.19.6 (released 2023-02-14) includes security fixes to the crypto/tls, >> mime/multipart, net/http, and path/filepath packages, as well as bug fixes to >> the go command, the linker, the runtime, and the crypto/x509, net/http, and time >> packages. See the Go 1.19.6 milestone on the Go issue tracker for details. >> CVE-2022-41725: net/http, mime/multipart: denial of service from excessive resource consumption >> CVE-2022-41724: crypto/tls: large handshake records may cause panics >> CVE-2022-41723: net/http: avoid quadratic complexity in HPACK decoding >> https://go.dev/doc/devel/release#go1.19.minor >> Signed-off-by: Christian Stewart <christian@paral.in> > Committed, thanks. Committed to 2022.11.x, thanks. For 2022.02.x I will instead bump to 1.18.10.
diff --git a/package/go/go.hash b/package/go/go.hash index 4c22f0f274..8254a91524 100644 --- a/package/go/go.hash +++ b/package/go/go.hash @@ -1,3 +1,3 @@ # From https://go.dev/dl -sha256 8e486e8e85a281fc5ce3f0bedc5b9d2dbf6276d7db0b25d3ec034f313da0375f go1.19.5.src.tar.gz +sha256 d7f0013f82e6d7f862cc6cb5c8cdb48eef5f2e239b35baa97e2f1a7466043767 go1.19.6.src.tar.gz sha256 2d36597f7117c38b006835ae7f537487207d8ec407aa9d9980794b2030cbc067 LICENSE diff --git a/package/go/go.mk b/package/go/go.mk index c38ae0b99c..a9056da47b 100644 --- a/package/go/go.mk +++ b/package/go/go.mk @@ -4,7 +4,7 @@ # ################################################################################ -GO_VERSION = 1.19.5 +GO_VERSION = 1.19.6 GO_SITE = https://storage.googleapis.com/golang GO_SOURCE = go$(GO_VERSION).src.tar.gz
go1.19.6 (released 2023-02-14) includes security fixes to the crypto/tls, mime/multipart, net/http, and path/filepath packages, as well as bug fixes to the go command, the linker, the runtime, and the crypto/x509, net/http, and time packages. See the Go 1.19.6 milestone on the Go issue tracker for details. CVE-2022-41725: net/http, mime/multipart: denial of service from excessive resource consumption CVE-2022-41724: crypto/tls: large handshake records may cause panics CVE-2022-41723: net/http: avoid quadratic complexity in HPACK decoding https://go.dev/doc/devel/release#go1.19.minor Signed-off-by: Christian Stewart <christian@paral.in> --- package/go/go.hash | 2 +- package/go/go.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)