On 21-06-05 09:01:15, Daniel Jakots wrote:
> Hi,
>
> > go1.16.5 (released 2021-06-03) includes security fixes to the
> > archive/zip, math/big, net, and net/http/httputil packages, as well
> > as bug fixes to the linker, the go command, and the net/http
> > package.
>
> https://golang.org/doc/devel/release#go1.16.minor
>
> More details can be found on the announce:
> https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI/m/r_EP-NlKBgAJ
>
> > The SetString and UnmarshalText methods of math/big.Rat may cause a
> > panic or an unrecoverable fatal error if passed inputs with very large
> > exponents. This is issue #45910 and CVE-2021-33198.
> >
> > ReverseProxy in net/http/httputil could be made to forward certain
> > hop-by-hop headers, including Connection. In case the target of the
> > ReverseProxy was itself a reverse proxy, this would let an attacker
> > drop arbitrary headers, including those set by the
> > ReverseProxy.Director. This is issue #46313 and CVE-2021-33197.
> >
> > The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr
> > functions in net, and their respective methods on the Resolver type
> > may return arbitrary values retrieved from DNS which do not follow the
> > established RFC 1035 rules for domain names. If these names are used
> > without further sanitization, for instance unsafely included in HTML,
> > they may allow for injection of unexpected content. Note that
> > LookupTXT may still return arbitrary values that could require
> > sanitization before further use. This is issue #46241 and
> > CVE-2021-33195.
> >
> > The NewReader and OpenReader functions in archive/zip can cause a
> > panic or an unrecoverable fatal error when reading an archive that
> > claims to contain a large number of files, regardless of its actual
> > size. This is issue #46242 and CVE-2021-33196.
>
> Patches didn't need to be regenerated and all tests pass on my amd64
> machine.
>
> Comments? OK?
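The net lookup item quoted above (issue #46241, CVE-2021-33195) is worth a concrete illustration of the defender-side control: treat every name a resolver hands back as untrusted input, validate it against the RFC 1035 domain-name syntax, and still apply output encoding when it reaches HTML. The following is an added example written for this thread, not code from the Go project, the golang-announce post, or the lang/go port. `isDomainName` and `sanitizeLookupResults` are hypothetical names; the strictness is mine (letters, digits and hyphens only, labels of 1..63 bytes, no leading or trailing hyphen, 253 bytes total, optional root dot), and the sample answers are constructed rather than captured from DNS. A real deployment that consumes SRV records would have to decide whether to admit the underscore-prefixed service labels they use, which this strict check rejects.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// isDomainName reports whether s is a syntactically valid domain name under the
// RFC 1035 preferred-name syntax as applied here: dot-separated labels of 1..63
// bytes made of ASCII letters, digits and hyphens, no label starting or ending
// with a hyphen, and at most 253 bytes in total. One trailing dot (the root
// label) is accepted. Hypothetical re-implementation for this example, not the
// net package's own validator.
func isDomainName(s string) bool {
	s = strings.TrimSuffix(s, ".")
	if len(s) == 0 || len(s) > 253 {
		return false
	}
	for _, label := range strings.Split(s, ".") {
		if n := len(label); n == 0 || n > 63 {
			return false
		}
		if label[0] == '-' || label[len(label)-1] == '-' {
			return false
		}
		for i := 0; i < len(label); i++ {
			c := label[i]
			switch {
			case 'a' <= c && c <= 'z', 'A' <= c && c <= 'Z', '0' <= c && c <= '9', c == '-':
			default:
				// Anything else (angle brackets, quotes, spaces, non-ASCII,
				// control bytes) is not a domain name and is rejected outright.
				return false
			}
		}
	}
	return true
}

// sanitizeLookupResults splits resolver answers into names that pass
// isDomainName and names that do not. Rejected names are returned separately so
// a caller can log them as a detection signal instead of silently dropping them.
func sanitizeLookupResults(answers []string) (kept []string, dropped []string) {
	for _, a := range answers {
		if isDomainName(a) {
			kept = append(kept, a)
		} else {
			dropped = append(dropped, a)
		}
	}
	return kept, dropped
}

// renderHostList embeds validated names in HTML. Validation is the primary
// control; escaping is kept as defence in depth at the output layer, even
// though for names that passed isDomainName it is a no-op.
func renderHostList(names []string) string {
	var b strings.Builder
	b.WriteString("<ul>")
	for _, n := range names {
		b.WriteString("<li>")
		b.WriteString(html.EscapeString(n))
		b.WriteString("</li>")
	}
	b.WriteString("</ul>")
	return b.String()
}

func main() {
	// Constructed sample: the shape an unfiltered CNAME/MX answer set could
	// take if a resolver passed through arbitrary bytes from a DNS response.
	answers := []string{
		"mail.example.com.",
		"-bad.example.com",
		"<b>bold</b>.example.com",
		strings.Repeat("a", 64) + ".example.com",
	}
	kept, dropped := sanitizeLookupResults(answers)
	fmt.Println("kept:   ", kept)
	fmt.Println("dropped:", dropped)
	fmt.Println(renderHostList(kept))
}
```

Run with `go run` on its own; the interesting part is that three of the four constructed answers fail the syntax check before any HTML escaping is involved, which is the layer the quoted fix restored inside the net package itself.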
Also tested on arm64 and i386 - this appears to be missing an update to the PLIST:

+go/src/cmd/go/testdata/script/mod_tidy_too_new.txt

With this, ok jsing@

> Index: Makefile > =================================================================== > RCS file: /cvs/ports/lang/go/Makefile,v > retrieving revision 1.100 > diff -u -p -r1.100 Makefile > --- Makefile 16 May 2021 07:40:45 -0000 1.100 > +++ Makefile 5 Jun 2021 12:52:23 -0000 > @@ -7,7 +7,7 @@ BIN_BOOTSTRAP_VERSION = 1.16 > > COMMENT = Go programming language > > -VERSION = 1.16.4 > +VERSION = 1.16.5 > DISTNAME = go${VERSION}.src > PKGNAME = go-${VERSION} > PKGSPEC = ${FULLPKGNAME:S/go-/go-=/} > Index: distinfo > =================================================================== > RCS file: /cvs/ports/lang/go/distinfo,v > retrieving revision 1.62 > diff -u -p -r1.62 distinfo > --- distinfo 16 May 2021 07:40:45 -0000 1.62 > +++ distinfo 5 Jun 2021 12:52:23 -0000 > @@ -2,9 +2,9 @@ SHA256 (go-openbsd-386-bootstrap-1.16.ta > SHA256 (go-openbsd-arm-bootstrap-1.16.tar.gz) = > DjjCEzU/FnndIrKC8gh5PKAZkKp9Lt49aT3XPqhEWNM= > SHA256 (go-openbsd-arm64-bootstrap-1.16.tar.gz) = > qqc/TtaBfoq5oJcOHoqNZ6+bO+OOIRZoW1zlj19uBVw= > SHA256 (go-openbsd-mips64-bootstrap-1.16.tar.gz) = > dwojdjHgxrLlKC8QbseRYnOf8s/wN/Wx+UkPhH2aeJY= > -SHA256 (go1.16.4.src.tar.gz) = rk9rbioWd9MYF5hGVadiB0tTVtpQ+1hyK5kQSHDUNQM= > +SHA256 (go1.16.5.src.tar.gz) = e/p+WQjHzJ512l3fMGbXy88/2fpRlFhRMl7rwX9QuoA= > SIZE (go-openbsd-386-bootstrap-1.16.tar.gz) = 131493298 > SIZE (go-openbsd-arm-bootstrap-1.16.tar.gz) = 128073881 > SIZE (go-openbsd-arm64-bootstrap-1.16.tar.gz) = 126892240 > SIZE (go-openbsd-mips64-bootstrap-1.16.tar.gz) = 129935270 > -SIZE (go1.16.4.src.tar.gz) = 20917203 > +SIZE (go1.16.5.src.tar.gz) = 20921372
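Review bot: the Makefile hunk is incomplete as a commit on its own: it bumps only VERSION from 1.16.4 to 1.16.5, while the PLIST entry the reply points out (+go/src/cmd/go/testdata/script/mod_tidy_too_new.txt) is not part of the posted diff, so the regenerated PLIST (for example via make update-plist) needs to land together with this hunk or the package build fails on the unlisted file. Leaving BIN_BOOTSTRAP_VERSION at 1.16 in the hunk context is consistent with the bootstrap tarballs not changing in distinfo.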
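Review bot: the distinfo hunk replaces only the SHA256 and SIZE lines for the source tarball (go1.16.4.src.tar.gz at 20917203 bytes becomes go1.16.5.src.tar.gz at 20921372 bytes) and leaves the four bootstrap checksums untouched, which matches the unchanged BIN_BOOTSTRAP_VERSION in the Makefile hunk; the remaining point is provenance of the new value, since make checksum only proves a locally fetched distfile matches distinfo, not that distinfo matches upstream, so the base64 SHA256 on the +SHA256 line should be cross-checked against the checksum published for go1.16.5.src.tar.gz before committing.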