On 21-06-05 09:01:15, Daniel Jakots wrote:
> Hi,
> 
> > go1.16.5 (released 2021-06-03) includes security fixes to the
> > archive/zip, math/big, net, and net/http/httputil packages, as well
> > as bug fixes to the linker, the go command, and the net/http
> > package.
> 
> https://golang.org/doc/devel/release#go1.16.minor
> 
> More details can be found on the announce:
> https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI/m/r_EP-NlKBgAJ
> 
> > The SetString and UnmarshalText methods of math/big.Rat may cause a
> > panic or an unrecoverable fatal error if passed inputs with very large
> > exponents. This is issue #45910 and CVE-2021-33198.
> > 
> > ReverseProxy in net/http/httputil could be made to forward certain
> > hop-by-hop headers, including Connection. In case the target of the
> > ReverseProxy was itself a reverse proxy, this would let an attacker
> > drop arbitrary headers, including those set by the
> > ReverseProxy.Director. This is issue #46313 and CVE-2021-33197.
> > 
> > The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr
> > functions in net, and their respective methods on the Resolver type
> > may return arbitrary values retrieved from DNS which do not follow the
> > established RFC 1035 rules for domain names. If these names are used
> > without further sanitization, for instance unsafely included in HTML,
> > they may allow for injection of unexpected content. Note that
> > LookupTXT may still return arbitrary values that could require
> > sanitization before further use. This is issue #46241 and
> > CVE-2021-33195.
> > 
> > The NewReader and OpenReader functions in archive/zip can cause a
> > panic or an unrecoverable fatal error when reading an archive that
> > claims to contain a large number of files, regardless of its actual
> > size. This is issue #46242 and CVE-2021-33196.
> 
> 
> Patches didn't need to be regenerated and all tests pass on my amd64
> machine.
> 
> Comments? OK?

Also tested on arm64 and i386 - this appears to be missing an update
to the PLIST:

+go/src/cmd/go/testdata/script/mod_tidy_too_new.txt

With this, ok jsing@

> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/lang/go/Makefile,v
> retrieving revision 1.100
> diff -u -p -r1.100 Makefile
> --- Makefile  16 May 2021 07:40:45 -0000      1.100
> +++ Makefile  5 Jun 2021 12:52:23 -0000
> @@ -7,7 +7,7 @@ BIN_BOOTSTRAP_VERSION = 1.16
>  
>  COMMENT =            Go programming language
>  
> -VERSION =            1.16.4
> +VERSION =            1.16.5
>  DISTNAME =           go${VERSION}.src
>  PKGNAME =            go-${VERSION}
>  PKGSPEC =            ${FULLPKGNAME:S/go-/go-=/}
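Review bot: the VERSION bump to 1.16.5 is all this hunk needs, since the new VERSION yields a new PKGNAME and no REVISION is involved, but the update as posted touches only Makefile and distinfo while the reply above notes pkg/PLIST is missing `+go/src/cmd/go/testdata/script/mod_tidy_too_new.txt`; the commit should carry that PLIST change too so the packaged file list matches the 1.16.5 tree.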
> Index: distinfo
> ===================================================================
> RCS file: /cvs/ports/lang/go/distinfo,v
> retrieving revision 1.62
> diff -u -p -r1.62 distinfo
> --- distinfo  16 May 2021 07:40:45 -0000      1.62
> +++ distinfo  5 Jun 2021 12:52:23 -0000
> @@ -2,9 +2,9 @@ SHA256 (go-openbsd-386-bootstrap-1.16.ta
>  SHA256 (go-openbsd-arm-bootstrap-1.16.tar.gz) = 
> DjjCEzU/FnndIrKC8gh5PKAZkKp9Lt49aT3XPqhEWNM=
>  SHA256 (go-openbsd-arm64-bootstrap-1.16.tar.gz) = 
> qqc/TtaBfoq5oJcOHoqNZ6+bO+OOIRZoW1zlj19uBVw=
>  SHA256 (go-openbsd-mips64-bootstrap-1.16.tar.gz) = 
> dwojdjHgxrLlKC8QbseRYnOf8s/wN/Wx+UkPhH2aeJY=
> -SHA256 (go1.16.4.src.tar.gz) = rk9rbioWd9MYF5hGVadiB0tTVtpQ+1hyK5kQSHDUNQM=
> +SHA256 (go1.16.5.src.tar.gz) = e/p+WQjHzJ512l3fMGbXy88/2fpRlFhRMl7rwX9QuoA=
>  SIZE (go-openbsd-386-bootstrap-1.16.tar.gz) = 131493298
>  SIZE (go-openbsd-arm-bootstrap-1.16.tar.gz) = 128073881
>  SIZE (go-openbsd-arm64-bootstrap-1.16.tar.gz) = 126892240
>  SIZE (go-openbsd-mips64-bootstrap-1.16.tar.gz) = 129935270
> -SIZE (go1.16.4.src.tar.gz) = 20917203
> +SIZE (go1.16.5.src.tar.gz) = 20921372
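Review bot: the quoted context lines for the bootstrap tarball checksums are wrapped across two lines in the mail (`SHA256 (go-openbsd-arm-bootstrap-1.16.tar.gz) = ` followed by its value on the next line), so this hunk will not apply with patch(1) as quoted; anyone testing should regenerate distinfo with `make makesum` rather than apply the mailed diff. The new SHA256 and SIZE for go1.16.5.src.tar.gz should also be checked against the checksum upstream publishes for the release tarball (after base64/hex conversion), not only against the file that happened to be downloaded.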

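The net lookup issue (CVE-2021-33195) quoted above is about resolver results that break RFC 1035 naming rules reaching HTML or other output unsanitized. As an added illustration of the defensive check an application can apply to lookup results on older Go versions (example code, not part of the Go release, the port, or this thread; the names and the sample input are constructed):

```go
package main

import (
	"fmt"
	"strings"
)

// isDomainName reports whether s follows the RFC 1035 rules the announcement
// refers to: labels of letters, digits and '-', no label starting or ending
// with '-', labels of at most 63 bytes, at most 253 bytes overall, optional
// trailing dot. '_' is accepted too, since SRV owner names like _sip._tcp use it.
func isDomainName(s string) bool {
	s = strings.TrimSuffix(s, ".")
	if len(s) == 0 || len(s) > 253 {
		return false
	}
	for _, label := range strings.Split(s, ".") {
		if len(label) == 0 || len(label) > 63 || label[0] == '-' || label[len(label)-1] == '-' {
			return false
		}
		for i := 0; i < len(label); i++ {
			c := label[i]
			if !('a' <= c && c <= 'z' || 'A' <= c && c <= 'Z' || '0' <= c && c <= '9' || c == '-' || c == '_') {
				return false
			}
		}
	}
	return true
}

// sanitizeLookup splits a resolver result (e.g. names from LookupNS or the
// targets from LookupSRV) into names that pass isDomainName and names that
// should be dropped and logged rather than rendered or used further.
func sanitizeLookup(names []string) (ok, rejected []string) {
	for _, n := range names {
		if isDomainName(n) {
			ok = append(ok, n)
		} else {
			rejected = append(rejected, n)
		}
	}
	return ok, rejected
}

func main() {
	// Constructed sample input, not real DNS data: two well-formed names and
	// two values of the kind a misbehaving resolver could return.
	ok, rejected := sanitizeLookup([]string{"ns1.example.com.", "_sip._tcp.example.com", "<b>x</b>.example.com", "-bad.example.com"})
	fmt.Println("accepted:", ok, "rejected:", rejected)
}
```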