aboutsummaryrefslogtreecommitdiff
path: root/lang/golang
Commit message (Collapse)AuthorAge
* golang: Update to 1.20.4Jeffery To2023-05-08
| | | | | | | | | | | Includes fixes for: * CVE-2023-24539: html/template: improper sanitization of CSS values * CVE-2023-24540: html/template: improper handling of JavaScript whitespace * CVE-2023-29400: html/template: improper handling of empty HTML attributes Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.20.3Tianling Shen2023-04-14
| | | | | | | | | | | | Included fixes for: - CVE-2023-24534 - CVE-2023-24536 - CVE-2023-24537 - CVE-2023-24538 Refreshed patches. Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
* treewide: refactor to use PKG_BUILD_FLAGS:=no-mips16Andre Heider2023-04-08
| | | | | | | See commit 5c545bdb "treewide: replace PKG_USE_MIPS16:=0 with PKG_BUILD_FLAGS:=no-mips16" on the main repository. Signed-off-by: Andre Heider <a.heider@gmail.com>
* golang: Update to 1.20.2, refresh patchJeffery To2023-03-20
| | | | | | | | | | | | | | | | | | | Includes fixes for: * 1.20.1: * CVE-2022-41722: path/filepath: path traversal in filepath.Clean on Windows * CVE-2022-41723: net/http: avoid quadratic complexity in HPACK decoding * CVE-2022-41724: crypto/tls: large handshake records may cause panics * CVE-2022-41725: net/http, mime/multipart: denial of service from excessive resource consumption * 1.20.2: * CVE-2023-24532: crypto/elliptic: specific unreduced P-256 scalars produce incorrect results Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.19.7Jeffery To2023-03-14
| | | | | | | | | Includes fix for CVE-2023-2453 (crypto/elliptic: specific unreduced P-256 scalars produce incorrect results). This also includes makefile updates for Go 1.19. Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.19.6Tianling Shen2023-02-22
| | | | | | | | | go1.19.6 (released 2023-02-14) includes security fixes to the crypto/tls, mime/multipart, net/http, and path/filepath packages, as well as bug fixes to the go command, the linker, the runtime, and the crypto/x509, net/http, and time packages. Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
* golang: Update to 1.19.5Tianling Shen2023-01-14
| | | | | | | | | | Go1.19.5 (released 2023-01-10) includes fixes to the compiler, the linker, and the crypto/x509, net/http, sync/atomic, and syscall packages. Removed upstreamed patch. Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
* golang: backport an upstream fix for non-retpoline-compatible errorTianling Shen2022-12-28
| | | | | | | | | | | | | | | | | | | | | | | This fixes the following build error: ``` Building targets runtime <autogenerated>:1: non-retpoline-compatible: 00200 (/home/username/works/openwrt/staging_dir/hostpkg/lib/go-cross/src/runtime/time.go:915) JMP (R15)(R12*8) <autogenerated>:1: non-retpoline-compatible: 00115 (/home/username/works/openwrt/staging_dir/hostpkg/lib/go-cross/src/runtime/type.go:614) JMP (AX)(SI*8) <autogenerated>:1: non-retpoline-compatible: 00028 (/home/username/works/openwrt/staging_dir/hostpkg/lib/go-cross/src/runtime/time.go:452) JMP (R11)(R10*8) <autogenerated>:1: non-retpoline-compatible: 00021 (/home/username/works/openwrt/staging_dir/hostpkg/lib/go-cross/src/runtime/error.go:261) JMP (DX)(CX*8) <autogenerated>:1: non-retpoline-compatible: 00050 (/home/username/works/openwrt/staging_dir/hostpkg/lib/go-cross/src/runtime/time.go:691) JMP (CX)(R12*8) <autogenerated>:1: non-retpoline-compatible: 00024 (/home/username/works/openwrt/staging_dir/hostpkg/lib/go-cross/src/runtime/debuglog.go:616) JMP (CX)(SI*8) <autogenerated>:1: non-retpoline-compatible: 00079 (/home/username/works/openwrt/staging_dir/hostpkg/lib/go-cross/src/runtime/time.go:617) JMP (R9)(R8*8) <autogenerated>:1: non-retpoline-compatible: 00025 (/home/username/works/openwrt/staging_dir/hostpkg/lib/go-cross/src/runtime/cgocall.go:453) JMP (R9)(DX*8) <autogenerated>:1: non-retpoline-compatible: 00018 (/home/username/works/openwrt/staging_dir/hostpkg/lib/go-cross/src/runtime/type.go:66) JMP (DX)(CX*8) <autogenerated>:1: non-retpoline-compatible: 00020 (/home/username/works/openwrt/staging_dir/hostpkg/lib/go-cross/src/runtime/alg.go:156) JMP (SI)(DX*8) <autogenerated>:1: too many errors ``` Fixes: #20026 Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
* golang: Update to 1.19.4Tianling Shen2022-12-08
| | | | | | | | go1.19.4 (released 2022-12-06) includes security fixes to the net/http and os packages, as well as bug fixes to the compiler, the runtime, and the crypto/x509, os/exec, and sync/atomic packages. Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
* golang: update to v1.19.3Stanislav Petrashov2022-11-23
| | | | Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
* golang: update to v1.19.2Stanislav Petrashov2022-11-14
| | | | | | | | | | | | | | Includes fixes for security vulnerabilities: * [CVE-2022-27664](https://github.com/advisories/GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY * [CVE-2022-32190](https://github.com/golang/go/issues/54385) net/url: JoinPath does not strip relative path components in all circumstances * [CVE-2022-2879](https://github.com/golang/go/issues/54853) archive/tar: unbounded memory consumption when reading headers * [CVE-2022-2880](https://github.com/golang/go/issues/54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters * [CVE-2022-41715](https://github.com/golang/go/issues/55949) regexp/syntax: limit memory used by parsing regexps Addresses the build failure: * https://github.com/openwrt/packages/pull/19613 Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
* golang: update to version 1.18.8Josef Schlehofer2022-11-10
| | | | | | | | | | | | | | | | | | | | Fixes following CVEs: - CVE-2022-32189 (version 1.18.5 [1]] - CVE-2022-27664 (version 1.18.6 [2]) - CVE-2022-32190 (version 1.18.6 [2]) - CVE-2022-2879 (version 1.18.7 [3]) - CVE-2022-2880 (version 1.18.7 [3]) - CVE-2022-41715 (version 1.18.7 [3]) - CVE-2022-41716 (version 1.18.8 [4]) and refreshed patch [1] https://groups.google.com/g/golang-announce/c/YqYYG87xB10 [2] https://groups.google.com/g/golang-announce/c/x49AQzIVX-s [3] https://groups.google.com/g/golang-announce/c/xtuG5faxtaU [4] https://groups.google.com/g/golang-announce/c/mbHY1UY3BaM Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
* golang: Update to 1.18.4Jeffery To2022-07-18
| | | | | | | | | | | | | | | | | | Includes fixes for: * CVE-2022-1705: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-1962: go/parser: stack exhaustion in all Parse* functions * CVE-2022-28131: encoding/xml: stack exhaustion in Decoder.Skip * CVE-2022-30630: io/fs: stack exhaustion in Glob * CVE-2022-30631: compress/gzip: stack exhaustion in Reader.Read * CVE-2022-30632: path/filepath: stack exhaustion in Glob * CVE-2022-30633: encoding/xml: stack exhaustion in Unmarshal * CVE-2022-30635: encoding/gob: stack exhaustion in Decoder.Decode * CVE-2022-32148: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.18.3Jeffery To2022-06-06
| | | | | | | Includes fix for CVE-2022-30634 (crypto/rand: Read hangs when passed buffer larger than 1<<32 - 1). Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: do not rely on Go script host detectionMichael Pratt2022-05-27
| | | | | | | | | | | | | | | | for some use cases, for example: a system with 64 bit kernel and 32 bit userspace programs the local Go installation is "detected" using the kernel "uname", causing build failure if they happen to differ by adding the argument GOHOSTARCH using the corresponding make variable it would be fully controlled in the openwrt git tree based on the HOST_ARCH make variable. Signed-off-by: Michael Pratt <mcpratt@pm.me>
* golang: enable verbose outputMichael Pratt2022-05-27
| | | | | | | allow the building script of Go to output verbose when make is executed with "V=s..." Signed-off-by: Michael Pratt <mcpratt@pm.me>
* golang: split compile recipe into configure and compileMichael Pratt2022-05-27
| | | | | | | | | | | | | | the default Configure recipe for packages assumes that there is a "configure" script in the source tree directory Go does not have such a script, configure and compile is done with the same script so split the current Compile recipe into both Configure and Compile recipes Signed-off-by: Michael Pratt <mcpratt@pm.me>
* golang: Update to 1.18.2Jeffery To2022-05-14
| | | | Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Fix conditionals not strippedJeffery To2022-04-15
| | | | Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.18.1Jeffery To2022-04-15
| | | | | | | | | | | Includes fixes for: * CVE-2022-24675 - encoding/pem: stack overflow * CVE-2022-28327 - crypto/elliptic: generic P-256 panic when scalar has too many leading zeroes This also adds -buildvcs=false to omit VCS information in Go programs. Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.18, update patchJeffery To2022-03-28
| | | | Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.17.8Jeffery To2022-03-06
| | | | | | | Includes fix for CVE-2022-24921 (regexp: stack overflow (process exit) handling deeply nested regexp). Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.17.7, refresh patchJeffery To2022-02-14
| | | | | | | | | | | | This includes fixes for: * CVE-2022-23772: math/big: Rat.SetString may consume large amount of RAM and crash * CVE-2022-23806: crypto/elliptic: IsOnCurve returns true for invalid field elements Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.17.6Jeffery To2022-01-11
| | | | Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.17.5, add patchJeffery To2021-12-28
| | | | | | | | | | | | | | | Includes fixes for: * CVE-2021-44716: unbounded growth of HTTP/2 header canonicalization cache * CVE-2021-44717: syscall.ForkExec error can close file descriptor 0 Added patches: * 001-cmd-link-use-gold-on-ARM-ARM64-only-if-gold-is-available.patch: https://github.com/golang/go/pull/49748 backported for Go 1.17, this removes the requirement for the gold linker when building Go programs that use Go plugins on arm/arm64 Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.17.3Jeffery To2021-11-19
| | | | | | | | | | | | Contains fixes for: * CVE-2021-41771: ImportedSymbols in debug/macho (for Open or OpenFat) accesses a memory location after the end of a buffer * CVE-2021-41772: archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.17.2Jeffery To2021-10-10
| | | | | | | Includes fix for CVE-2021-38297 (passing very large arguments to WASM module functions can cause portions of the module to be overwritten). Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Remove deprecated variables in golang-package.mkJeffery To2021-09-13
| | | | Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.17.1Jeffery To2021-09-13
| | | | | | | Includes fix for CVE-2021-39293 (archive/zip: overflow in preallocation check can cause OOM panic). Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.17Jeffery To2021-08-23
| | | | Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.16.7Jeffery To2021-08-09
| | | | Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.16.6Jeffery To2021-07-19
| | | | | | | Includes fix for CVE-2021-34558 (crypto/tls: clients can panic when provided a certificate of the wrong type for the negotiated parameters). Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.16.5Jeffery To2021-06-11
| | | | | | | | | | | | | | | | | | | | | | | 1.16.1 included fixes for: * CVE-2021-27918 - encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader * CVE-2021-27919 - archive/zip: can panic when calling Reader.Open 1.16.4 included fixes for: * CVE-2021-31525 - net/http: ReadRequest can stack overflow due to recursion with very large headers 1.16.5 includes fixes for: * CVE-2021-33195 - net: Lookup functions may return invalid host names * CVE-2021-33196 - archive/zip: malformed archive may cause panic or memory exhaustion * CVE-2021-33197 - net/http/httputil: ReverseProxy forwards Connection headers if first one is empty Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.16Jeffery To2021-02-22
| | | | Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.15.8Jeffery To2021-02-08
| | | | Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.15.7Jeffery To2021-01-25
| | | | | | | | | | This includes fixes for: * CVE-2021-3114: crypto/elliptic: incorrect operations on the P-224 curve * CVE-2021-3115: cmd/go: packages using cgo can cause arbitrary code execution on Windows Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.15.6Jeffery To2020-12-07
| | | | Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.15.5Jeffery To2020-11-15
| | | | | | | | | | | This includes security fixes for: * CVE-2020-28362: panic during recursive division of very large numbers * CVE-2020-28366: arbitrary code can be injected into cgo generated files * CVE-2020-28367: improper validation of cgo flags can lead to remote code execution at build time Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.15.4Jeffery To2020-11-09
| | | | Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.15.3Jeffery To2020-10-20
| | | | Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Fix vars not passed when calling cache_cleanupJeffery To2020-10-16
| | | | | | Fixes https://github.com/openwrt/packages/issues/13674. Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Move build cache into $(TMP_DIR)Jeffery To2020-10-16
| | | | | | | | | | | | | This changes the default build cache directory from $(TOPDIR)/.go-build to $(TMP_DIR)/go-build, so that the cache directory is ignored by git and is removed by "make dirclean". This does not move/remove a build cache directory in the previous location; it will need to be removed manually. Fixes https://github.com/openwrt/packages/issues/13675. Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Add option to enable Spectre mitigationsJeffery To2020-10-06
| | | | Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Add golang-host-build.mkJeffery To2020-10-06
| | | | | | This adds a Makefile for host builds of Go programs. Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Move package scripts into golang-build.shJeffery To2020-10-06
| | | | | | | | This also adds GO_PKG_INSTALL_BIN_PATH which determines the path where binaries are installed by GoPackage/Package/Install/Bin (this was previously hard-coded to /usr/bin). Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Quote variables passed to the shellJeffery To2020-10-06
| | | | Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Add more error handling for go-gcc-helperJeffery To2020-10-06
| | | | Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Use external linking for target GoJeffery To2020-10-06
| | | | | | | | | | | | | | | | In Go 1.15, the linker now defaults to internal linking mode for -buildmode=pie on amd64 and arm64[1], however this results in go tool binaries with the wrong dynamic linker/interpreter. External linking is still used when PIE is enabled for other platforms, whereas internal linking is used when PIE is not enabled. This changes target Go to always use external linking, to fix PIE binaries for amd64/arm64 and for consistency. [1]: https://golang.org/doc/go1.15#linker Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Simplify target compileJeffery To2020-10-06
| | | | | | | | * Reuse GO_PKG_ENABLE_PIE from golang-package.mk * Replace $(if ...) with $(or ...) to get default values * Refactor vars common to each compile stage into variable Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Use GO_LDFLAGS to set buildmode=pie for host GoJeffery To2020-10-06
| | | | Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Powered by cgit, Themed by Ted Yin.