diff mbox series

[PATCH-2023.08.x] package/go: security bump to version 1.20.9

Message ID 20231006095142.2051641-1-peter@korsgaard.com
State Accepted
Headers show
Series [PATCH-2023.08.x] package/go: security bump to version 1.20.9 | expand

Commit Message

Peter Korsgaard Oct. 6, 2023, 9:51 a.m. UTC
Fixes CVE-2023-39323: Line directives ("//line") can be used to bypass the
restrictions on "//go:cgo_" directives, allowing blocked linker and compiler
flags to be passed during compilation.  This can result in unexpected
execution of arbitrary code when running "go build".

go1.20.9 (released 2023-10-05) includes one security fixes to the cmd/go
package, as well as bug fixes to the go command and the linker.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/go/go.hash | 2 +-
 package/go/go.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

Comments

Peter Korsgaard Oct. 8, 2023, 4:11 p.m. UTC | #1
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Fixes CVE-2023-39323: Line directives ("//line") can be used to bypass the
 > restrictions on "//go:cgo_" directives, allowing blocked linker and compiler
 > flags to be passed during compilation.  This can result in unexpected
 > execution of arbitrary code when running "go build".

 > go1.20.9 (released 2023-10-05) includes one security fixes to the cmd/go
 > package, as well as bug fixes to the go command and the linker.

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed to 2023.08.x, thanks.

I'll also bump 2023.02.x to this as 1.19.x no longer is getting updates.
Christian Stewart Oct. 8, 2023, 7:23 p.m. UTC | #2
Hi Peter,

On Sun, Oct 8, 2023, 9:12 AM Peter Korsgaard <peter@korsgaard.com> wrote:

> >>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
>
>  > Fixes CVE-2023-39323: Line directives ("//line") can be used to bypass
> the
>  > restrictions on "//go:cgo_" directives, allowing blocked linker and
> compiler
>  > flags to be passed during compilation.  This can result in unexpected
>  > execution of arbitrary code when running "go build".
>
>  > go1.20.9 (released 2023-10-05) includes one security fixes to the cmd/go
>  > package, as well as bug fixes to the go command and the linker.
>
>  > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
>
> Committed to 2023.08.x, thanks.
>
> I'll also bump 2023.02.x to this as 1.19.x no longer is getting updates.
>

Please also note that the bump from 1.19 to 1.20 requires the additional
bootstrap packages.

Best,
Christian Stewart

>
Peter Korsgaard Oct. 8, 2023, 7:33 p.m. UTC | #3
>>>>> "Christian" == Christian Stewart <christian@aperture.us> writes:

Hello,

 >> I'll also bump 2023.02.x to this as 1.19.x no longer is getting updates.
 >> 

 > Please also note that the bump from 1.19 to 1.20 requires the additional
 > bootstrap packages.

Thanks, but yes - Indeed. A bit unfortunate, but that's just how it is.
diff mbox series

Patch

diff --git a/package/go/go.hash b/package/go/go.hash
index 19405982ba..ac603e6e3b 100644
--- a/package/go/go.hash
+++ b/package/go/go.hash
@@ -1,3 +1,3 @@ 
 # From https://go.dev/dl
-sha256  38d71714fa5279f97240451956d8e47e3c1b6a5de7cb84137949d62b5dd3182e  go1.20.8.src.tar.gz
+sha256  4923920381cd71d68b527761afefa523ea18c5831b4795034c827e18b685cdcf  go1.20.9.src.tar.gz
 sha256  2d36597f7117c38b006835ae7f537487207d8ec407aa9d9980794b2030cbc067  LICENSE
diff --git a/package/go/go.mk b/package/go/go.mk
index c1e9f2f8f6..d75c1afa9e 100644
--- a/package/go/go.mk
+++ b/package/go/go.mk
@@ -4,7 +4,7 @@ 
 #
 ################################################################################
 
-GO_VERSION = 1.20.8
+GO_VERSION = 1.20.9
 GO_SITE = https://storage.googleapis.com/golang
 GO_SOURCE = go$(GO_VERSION).src.tar.gz