path: root/lang/golang
Commit message | Author | Age
* golang: Update to 1.22.1 | Zephyr Lykos | 2024-03-20
  Go 1.22.1 contains the following security fixes:
  - CVE-2024-24783: crypto/x509: Verify panics on certificates with an unknown public key algorithm
  - CVE-2023-45290 net/http: memory exhaustion in Request.ParseMultipartForm
  - CVE-2023-45289 net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect
  - CVE-2024-24785 html/template: errors returned from MarshalJSON methods may break template escaping
  - CVE-2024-24784 net/mail: comments in display names are incorrectly handled
  https://go.dev/doc/devel/release#go1.22.1
  https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg
  Signed-off-by: Zephyr Lykos <git@mochaa.ws>
* golang: Update to 1.22.0 | Zephyr Lykos | 2024-03-20
  Added a third bootstrap stage since go1.22 (and onwards) requires at least go1.20.14 to build.[1]
  [1]: https://go.dev/doc/go1.22#bootstrap
  Signed-off-by: Zephyr Lykos <git@mochaa.ws>
* golang: Update to 1.21.7 | Tianling Shen | 2024-03-02
  go1.21.6 (released 2024-01-09) includes fixes to the compiler, the runtime, and the crypto/tls, maps, and runtime/pprof packages.
  go1.21.7 (released 2024-02-06) includes fixes to the compiler, the go command, the runtime, and the crypto/x509 package.
  Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
* golang: Update to 1.21.5 | Jeffery To | 2023-12-11
  Includes fix for CVE-2023-39326 (net/http: limit chunked data overhead).
  Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.21.4 | Jeffery To | 2023-11-13
  Includes fixes for CVE-2023-45283 and CVE-2023-45284 (path/filepath: insecure parsing of Windows paths).
  Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.21.3 | Jeffery To | 2023-10-15
  Includes fix for CVE-2023-39325 (net/http, x/net/http2: rapid stream resets can cause excessive work).
  Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.21.2 | Jeffery To | 2023-10-07
  Includes fix for CVE-2023-39323 (cmd/go: line directives allows arbitrary execution during build).
  Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.21.1 | Jeffery To | 2023-09-11
  Includes fixes for:
  * CVE-2023-39318: html/template: improper handling of HTML-like comments within script contexts
  * CVE-2023-39319: html/template: improper handling of special tags within script contexts
  * CVE-2023-39320: cmd/go: go.mod toolchain directive allows arbitrary execution
  * CVE-2023-39321 and CVE-2023-39322: crypto/tls: panic when processing partial post-handshake message in QUICConn.HandleData
  Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.21.0, remove patch | Jeffery To | 2023-08-15
  Upstream has updated the Go compiler to not use gold when building for arm, and is waiting for a fix to binutils (released in 2.41) before doing the same for aarch64.[1]
  Based on the above, it does not appear that https://github.com/golang/go/pull/49748 will be merged. This removes the patch from that pull request.
  [1]: https://github.com/golang/go/issues/22040
  Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.20.7 | Jeffery To | 2023-08-07
  Includes fix for CVE-2023-29409 (crypto/tls: verifying certificate chains containing large RSA keys is slow).
  Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.20.6 | Jeffery To | 2023-07-17
  Includes fix for CVE-2023-29406 (net/http: insufficient sanitization of Host header).
  This also updates the copyright information for various Go packaging files.
  Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.20.5 | Jeffery To | 2023-06-12
  Includes fixes for:
  * CVE-2023-29402: cmd/go: cgo code injection
  * CVE-2023-29403: runtime: unexpected behavior of setuid/setgid binaries
  * CVE-2023-29404: cmd/go: improper sanitization of LDFLAGS
  * CVE-2023-29405: cmd/go: improper sanitization of LDFLAGS
  Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Enable riscv64 for Go compiler and packages | Jeffery To | 2023-06-04
  Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.20.4 | Jeffery To | 2023-05-08
  Includes fixes for:
  * CVE-2023-24539: html/template: improper sanitization of CSS values
  * CVE-2023-24540: html/template: improper handling of JavaScript whitespace
  * CVE-2023-29400: html/template: improper handling of empty HTML attributes
  Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.20.3 | Tianling Shen | 2023-04-14
  Included fixes for:
  - CVE-2023-24534
  - CVE-2023-24536
  - CVE-2023-24537
  - CVE-2023-24538
  Refreshed patches.
  Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
* treewide: refactor to use PKG_BUILD_FLAGS:=no-mips16 | Andre Heider | 2023-04-08
  See commit 5c545bdb "treewide: replace PKG_USE_MIPS16:=0 with PKG_BUILD_FLAGS:=no-mips16" on the main repository.
  Signed-off-by: Andre Heider <a.heider@gmail.com>
* golang: Update to 1.20.2, refresh patch | Jeffery To | 2023-03-20
  Includes fixes for:
  * 1.20.1:
    * CVE-2022-41722: path/filepath: path traversal in filepath.Clean on Windows
    * CVE-2022-41723: net/http: avoid quadratic complexity in HPACK decoding
    * CVE-2022-41724: crypto/tls: large handshake records may cause panics
    * CVE-2022-41725: net/http, mime/multipart: denial of service from excessive resource consumption
  * 1.20.2:
    * CVE-2023-24532: crypto/elliptic: specific unreduced P-256 scalars produce incorrect results
  Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.19.7 | Jeffery To | 2023-03-14
  Includes fix for CVE-2023-2453 (crypto/elliptic: specific unreduced P-256 scalars produce incorrect results).
  This also includes makefile updates for Go 1.19.
  Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.19.6 | Tianling Shen | 2023-02-22
  go1.19.6 (released 2023-02-14) includes security fixes to the crypto/tls, mime/multipart, net/http, and path/filepath packages, as well as bug fixes to the go command, the linker, the runtime, and the crypto/x509, net/http, and time packages.
  Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
* golang: Update to 1.19.5 | Tianling Shen | 2023-01-14
  Go1.19.5 (released 2023-01-10) includes fixes to the compiler, the linker, and the crypto/x509, net/http, sync/atomic, and syscall packages.
  Removed upstreamed patch.
  Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
* golang: backport an upstream fix for non-retpoline-compatible error | Tianling Shen | 2022-12-28
  This fixes the following build error:
  ```
  Building targets runtime
  <autogenerated>:1: non-retpoline-compatible: 00200 (/home/username/works/openwrt/staging_dir/hostpkg/lib/go-cross/src/runtime/time.go:915) JMP (R15)(R12*8)
  <autogenerated>:1: non-retpoline-compatible: 00115 (/home/username/works/openwrt/staging_dir/hostpkg/lib/go-cross/src/runtime/type.go:614) JMP (AX)(SI*8)
  <autogenerated>:1: non-retpoline-compatible: 00028 (/home/username/works/openwrt/staging_dir/hostpkg/lib/go-cross/src/runtime/time.go:452) JMP (R11)(R10*8)
  <autogenerated>:1: non-retpoline-compatible: 00021 (/home/username/works/openwrt/staging_dir/hostpkg/lib/go-cross/src/runtime/error.go:261) JMP (DX)(CX*8)
  <autogenerated>:1: non-retpoline-compatible: 00050 (/home/username/works/openwrt/staging_dir/hostpkg/lib/go-cross/src/runtime/time.go:691) JMP (CX)(R12*8)
  <autogenerated>:1: non-retpoline-compatible: 00024 (/home/username/works/openwrt/staging_dir/hostpkg/lib/go-cross/src/runtime/debuglog.go:616) JMP (CX)(SI*8)
  <autogenerated>:1: non-retpoline-compatible: 00079 (/home/username/works/openwrt/staging_dir/hostpkg/lib/go-cross/src/runtime/time.go:617) JMP (R9)(R8*8)
  <autogenerated>:1: non-retpoline-compatible: 00025 (/home/username/works/openwrt/staging_dir/hostpkg/lib/go-cross/src/runtime/cgocall.go:453) JMP (R9)(DX*8)
  <autogenerated>:1: non-retpoline-compatible: 00018 (/home/username/works/openwrt/staging_dir/hostpkg/lib/go-cross/src/runtime/type.go:66) JMP (DX)(CX*8)
  <autogenerated>:1: non-retpoline-compatible: 00020 (/home/username/works/openwrt/staging_dir/hostpkg/lib/go-cross/src/runtime/alg.go:156) JMP (SI)(DX*8)
  <autogenerated>:1: too many errors
  ```
  Fixes: #20026
  Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
* golang: Update to 1.19.4 | Tianling Shen | 2022-12-08
  go1.19.4 (released 2022-12-06) includes security fixes to the net/http and os packages, as well as bug fixes to the compiler, the runtime, and the crypto/x509, os/exec, and sync/atomic packages.
  Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
* golang: update to v1.19.3 | Stanislav Petrashov | 2022-11-23
  Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
* golang: update to v1.19.2 | Stanislav Petrashov | 2022-11-14
  Includes fixes for security vulnerabilities:
  * [CVE-2022-27664](https://github.com/advisories/GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
  * [CVE-2022-32190](https://github.com/golang/go/issues/54385) net/url: JoinPath does not strip relative path components in all circumstances
  * [CVE-2022-2879](https://github.com/golang/go/issues/54853) archive/tar: unbounded memory consumption when reading headers
  * [CVE-2022-2880](https://github.com/golang/go/issues/54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
  * [CVE-2022-41715](https://github.com/golang/go/issues/55949) regexp/syntax: limit memory used by parsing regexps
  Addresses the build failure:
  * https://github.com/openwrt/packages/pull/19613
  Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
* golang: update to version 1.18.8 | Josef Schlehofer | 2022-11-10
  Fixes following CVEs:
  - CVE-2022-32189 (version 1.18.5 [1])
  - CVE-2022-27664 (version 1.18.6 [2])
  - CVE-2022-32190 (version 1.18.6 [2])
  - CVE-2022-2879 (version 1.18.7 [3])
  - CVE-2022-2880 (version 1.18.7 [3])
  - CVE-2022-41715 (version 1.18.7 [3])
  - CVE-2022-41716 (version 1.18.8 [4])
  and refreshed patch
  [1] https://groups.google.com/g/golang-announce/c/YqYYG87xB10
  [2] https://groups.google.com/g/golang-announce/c/x49AQzIVX-s
  [3] https://groups.google.com/g/golang-announce/c/xtuG5faxtaU
  [4] https://groups.google.com/g/golang-announce/c/mbHY1UY3BaM
  Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
* golang: Update to 1.18.4 | Jeffery To | 2022-07-18
  Includes fixes for:
  * CVE-2022-1705: net/http: improper sanitization of Transfer-Encoding header
  * CVE-2022-1962: go/parser: stack exhaustion in all Parse* functions
  * CVE-2022-28131: encoding/xml: stack exhaustion in Decoder.Skip
  * CVE-2022-30630: io/fs: stack exhaustion in Glob
  * CVE-2022-30631: compress/gzip: stack exhaustion in Reader.Read
  * CVE-2022-30632: path/filepath: stack exhaustion in Glob
  * CVE-2022-30633: encoding/xml: stack exhaustion in Unmarshal
  * CVE-2022-30635: encoding/gob: stack exhaustion in Decoder.Decode
  * CVE-2022-32148: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
  Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.18.3 | Jeffery To | 2022-06-06
  Includes fix for CVE-2022-30634 (crypto/rand: Read hangs when passed buffer larger than 1<<32 - 1).
  Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: do not rely on Go script host detection | Michael Pratt | 2022-05-27
  for some use cases, for example:
  a system with 64 bit kernel and 32 bit userspace programs
  the local Go installation is "detected" using the kernel "uname",
  causing build failure if they happen to differ
  by adding the argument GOHOSTARCH
  using the corresponding make variable
  it would be fully controlled in the openwrt git tree
  based on the HOST_ARCH make variable.
  Signed-off-by: Michael Pratt <mcpratt@pm.me>
* golang: enable verbose output | Michael Pratt | 2022-05-27
  allow the building script of Go to output verbose when make is executed with "V=s..."
  Signed-off-by: Michael Pratt <mcpratt@pm.me>
* golang: split compile recipe into configure and compile | Michael Pratt | 2022-05-27
  the default Configure recipe for packages assumes that there is a "configure" script in the source tree directory
  Go does not have such a script, configure and compile is done with the same script
  so split the current Compile recipe into both Configure and Compile recipes
  Signed-off-by: Michael Pratt <mcpratt@pm.me>
* golang: Update to 1.18.2 | Jeffery To | 2022-05-14
  Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Fix conditionals not stripped | Jeffery To | 2022-04-15
  Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.18.1 | Jeffery To | 2022-04-15
  Includes fixes for:
  * CVE-2022-24675 - encoding/pem: stack overflow
  * CVE-2022-28327 - crypto/elliptic: generic P-256 panic when scalar has too many leading zeroes
  This also adds -buildvcs=false to omit VCS information in Go programs.
  Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.18, update patch | Jeffery To | 2022-03-28
  Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.17.8 | Jeffery To | 2022-03-06
  Includes fix for CVE-2022-24921 (regexp: stack overflow (process exit) handling deeply nested regexp).
  Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.17.7, refresh patch | Jeffery To | 2022-02-14
  This includes fixes for:
  * CVE-2022-23772: math/big: Rat.SetString may consume large amount of RAM and crash
  * CVE-2022-23806: crypto/elliptic: IsOnCurve returns true for invalid field elements
  Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.17.6 | Jeffery To | 2022-01-11
  Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.17.5, add patch | Jeffery To | 2021-12-28
  Includes fixes for:
  * CVE-2021-44716: unbounded growth of HTTP/2 header canonicalization cache
  * CVE-2021-44717: syscall.ForkExec error can close file descriptor 0
  Added patches:
  * 001-cmd-link-use-gold-on-ARM-ARM64-only-if-gold-is-available.patch: https://github.com/golang/go/pull/49748 backported for Go 1.17, this removes the requirement for the gold linker when building Go programs that use Go plugins on arm/arm64
  Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.17.3 | Jeffery To | 2021-11-19
  Contains fixes for:
  * CVE-2021-41771: ImportedSymbols in debug/macho (for Open or OpenFat) accesses a memory location after the end of a buffer
  * CVE-2021-41772: archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field
  Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.17.2 | Jeffery To | 2021-10-10
  Includes fix for CVE-2021-38297 (passing very large arguments to WASM module functions can cause portions of the module to be overwritten).
  Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Remove deprecated variables in golang-package.mk | Jeffery To | 2021-09-13
  Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.17.1 | Jeffery To | 2021-09-13
  Includes fix for CVE-2021-39293 (archive/zip: overflow in preallocation check can cause OOM panic).
  Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.17 | Jeffery To | 2021-08-23
  Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.16.7 | Jeffery To | 2021-08-09
  Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.16.6 | Jeffery To | 2021-07-19
  Includes fix for CVE-2021-34558 (crypto/tls: clients can panic when provided a certificate of the wrong type for the negotiated parameters).
  Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.16.5 | Jeffery To | 2021-06-11
  1.16.1 included fixes for:
  * CVE-2021-27918 - encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader
  * CVE-2021-27919 - archive/zip: can panic when calling Reader.Open
  1.16.4 included fixes for:
  * CVE-2021-31525 - net/http: ReadRequest can stack overflow due to recursion with very large headers
  1.16.5 includes fixes for:
  * CVE-2021-33195 - net: Lookup functions may return invalid host names
  * CVE-2021-33196 - archive/zip: malformed archive may cause panic or memory exhaustion
  * CVE-2021-33197 - net/http/httputil: ReverseProxy forwards Connection headers if first one is empty
  Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.16 | Jeffery To | 2021-02-22
  Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.15.8 | Jeffery To | 2021-02-08
  Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.15.7 | Jeffery To | 2021-01-25
  This includes fixes for:
  * CVE-2021-3114: crypto/elliptic: incorrect operations on the P-224 curve
  * CVE-2021-3115: cmd/go: packages using cgo can cause arbitrary code execution on Windows
  Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* golang: Update to 1.15.6 | Jeffery To | 2020-12-07
  Signed-off-by: Jeffery To <jeffery.to@gmail.com>