[1/1] package/go: security bump to version 1.20.8

Message ID 20230906201358.2714756-1-christian@aperture.us
State Accepted
Delegated to: Peter Korsgaard

Commit Message

Christian Stewart Sept. 6, 2023, 8:13 p.m. UTC
go1.20.8 (released 2023-09-06) includes two security fixes to the html/template
package, as well as bug fixes to the compiler, the go command, the runtime, and
the crypto/tls, go/types, net/http, and path/filepath packages.

CVE-2023-39318: html/template: improper handling of HTML-like comments within script contexts
CVE-2023-39319: html/template: improper handling of special tags within script contexts
CVE-2023-39321: crypto/tls: panic when processing post-handshake message on QUIC connections

https://go.dev/doc/devel/release#go1.20.0

Signed-off-by: Christian Stewart <christian@aperture.us>
---
 package/go/go.hash | 2 +-
 package/go/go.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

Comments

Thomas Petazzoni Sept. 8, 2023, 8:24 p.m. UTC | #1
On Wed,  6 Sep 2023 13:13:58 -0700
Christian Stewart via buildroot <buildroot@buildroot.org> wrote:

> go1.20.8 (released 2023-09-06) includes two security fixes to the html/template
> package, as well as bug fixes to the compiler, the go command, the runtime, and
> the crypto/tls, go/types, net/http, and path/filepath packages.
> 
> CVE-2023-39318: html/template: improper handling of HTML-like comments within script contexts
> CVE-2023-39319: html/template: improper handling of special tags within script contexts
> CVE-2023-39321: crypto/tls: panic when processing post-handshake message on QUIC connections
> 
> https://go.dev/doc/devel/release#go1.20.0
> 
> Signed-off-by: Christian Stewart <christian@aperture.us>

This is not relevant for the master branch, which already has 1.21.1.
However, this patch is applicable to 2023.08.x. For 2023.05.x and
2023.02.x, the 1.19.x series is used, so we would need an update to
1.19.13 I believe.

Thomas
Peter Korsgaard Sept. 14, 2023, 6:22 p.m. UTC | #2
>>>>> "Christian" == Christian Stewart <christian@aperture.us> writes:

 > go1.20.8 (released 2023-09-06) includes two security fixes to the html/template
 > package, as well as bug fixes to the compiler, the go command, the runtime, and
 > the crypto/tls, go/types, net/http, and path/filepath packages.

 > CVE-2023-39318: html/template: improper handling of HTML-like comments within script contexts
 > CVE-2023-39319: html/template: improper handling of special tags within script contexts
 > CVE-2023-39321: crypto/tls: panic when processing post-handshake message on QUIC connections

 > https://go.dev/doc/devel/release#go1.20.0

 > Signed-off-by: Christian Stewart <christian@aperture.us>

Committed to 2023.08.x, thanks.
Patch

diff --git a/package/go/go.hash b/package/go/go.hash
index 2298534d91..19405982ba 100644
--- a/package/go/go.hash
+++ b/package/go/go.hash
@@ -1,3 +1,3 @@ 
 # From https://go.dev/dl
-sha256  2c5ee9c9ec1e733b0dbbc2bdfed3f62306e51d8172bf38f4f4e542b27520f597  go1.20.7.src.tar.gz
+sha256  38d71714fa5279f97240451956d8e47e3c1b6a5de7cb84137949d62b5dd3182e  go1.20.8.src.tar.gz
 sha256  2d36597f7117c38b006835ae7f537487207d8ec407aa9d9980794b2030cbc067  LICENSE
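Review bot: the new sha256 for go1.20.8.src.tar.gz should be confirmed against the checksum published at https://go.dev/dl, the source the file header names, rather than taken on trust from the patch; leaving the LICENSE hash untouched is expected for a patch release, since only the tarball line needs to change with the version.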
diff --git a/package/go/go.mk b/package/go/go.mk
index fc1d9ed681..c1e9f2f8f6 100644
--- a/package/go/go.mk
+++ b/package/go/go.mk
@@ -4,7 +4,7 @@ 
 #
 ################################################################################
 
-GO_VERSION = 1.20.7
+GO_VERSION = 1.20.8
 GO_SITE = https://storage.googleapis.com/golang
 GO_SOURCE = go$(GO_VERSION).src.tar.gz
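Review bot: GO_VERSION is the only change and GO_SOURCE is derived from it as go$(GO_VERSION).src.tar.gz, so the resulting filename must agree with the go1.20.8.src.tar.gz entry in go.hash, which it does; as Thomas points out above, this applies to 2023.08.x only, and a backport for 2023.05.x or 2023.02.x would need the matching 1.19.x version here instead, with its own hash line.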