projects / golang-1.7.git / log
? search:
summary | shortlog | log | commit | commitdiff | tree
first ⋅ prev ⋅ next
golang-1.7.git
4 years agoCVE-2020-15586
commit | commitdiff | tree
Go Compiler Team [Sat, 13 Mar 2021 14:48:57 +0000 (14:48 +0000)]
CVE-2020-15586

===================================================================

Gbp-Pq: Name CVE-2020-15586.patch

4 years agoCVE-2020-16845
commit | commitdiff | tree
Go Compiler Team [Sat, 13 Mar 2021 14:48:57 +0000 (14:48 +0000)]
CVE-2020-16845

Gbp-Pq: Name CVE-2020-16845.patch

4 years ago[PATCH] cmd/go: restrict meta imports to valid schemes
commit | commitdiff | tree
Ian Lance Taylor [Thu, 15 Feb 2018 23:57:13 +0000 (15:57 -0800)]
[PATCH] cmd/go: restrict meta imports to valid schemes

Before this change, when using -insecure, we permitted any meta import
repo root as long as it contained "://". When not using -insecure, we
restrict meta import repo roots to be valid URLs. People may depend on
that somehow, so permit meta import repo roots to be invalid URLs, but
require them to have valid schemes per RFC 3986.

Fixes #23867

Change-Id: Iac666dfc75ac321bf8639dda5b0dba7c8840922d
Reviewed-on: https://go-review.googlesource.com/94603
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Gbp-Pq: Name cve-2018-7187.patch

4 years agocve-2019-6486
commit | commitdiff | tree
Go Compiler Team [Sat, 13 Mar 2021 14:48:57 +0000 (14:48 +0000)]
cve-2019-6486

Gbp-Pq: Name cve-2019-6486.patch

4 years ago[PATCH] time: make the ParseInLocation test more robust
commit | commitdiff | tree
Alberto Donizetti [Thu, 9 Mar 2017 12:20:54 +0000 (13:20 +0100)]
[PATCH] time: make the ParseInLocation test more robust

The tzdata 2017a update (2017-02-28) changed the abbreviation of the
Asia/Baghdad time zone (used in TestParseInLocation) from 'AST' to the
numeric '+03'.

Update the test so that it skips the checks if we're using a recent
tzdata release.

Fixes #19457

Change-Id: I45d705a5520743a611bdd194dc8f8d618679980c
Reviewed-on: https://go-review.googlesource.com/37964
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>

Gbp-Pq: Name cl-37964--tzdata-2017a.patch

4 years ago[PATCH] time: update test for tzdata-2016g
commit | commitdiff | tree
Alberto Donizetti [Thu, 29 Sep 2016 11:59:10 +0000 (13:59 +0200)]
[PATCH] time: update test for tzdata-2016g

From c5434f2973a87acff76bac359236e690d632ce95 Mon Sep 17 00:00:00 2001
Origin: https://golang.org/cl/29995
Bug: https://golang.org/issue/17276
Applied-Upstream: 1.8

Fixes #17276

Change-Id: I0188cf9bc5fdb48c71ad929cc54206d03e0b96e4
Reviewed-on: https://go-review.googlesource.com/29995
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>

Gbp-Pq: Name cl-29995--tzdata-2016g.patch

4 years agogolang-1.7 (1.7.4-2+deb9u3) stretch-security; urgency=high
commit | commitdiff | tree
Sylvain Beucler [Sat, 13 Mar 2021 14:48:57 +0000 (14:48 +0000)]
golang-1.7 (1.7.4-2+deb9u3) stretch-security; urgency=high

  * Non-maintainer upload by the LTS Security Team.
  * CVE-2017-15041: Go allows "go get" remote command execution. Using
    custom domains, it is possible to arrange things so that
    example.com/pkg1 points to a Subversion repository but
    example.com/pkg1/pkg2 points to a Git repository. If the Subversion
    repository includes a Git checkout in its pkg2 directory and some
    other work is done to ensure the proper ordering of operations, "go
    get" can be tricked into reusing this Git checkout for the fetch of
    code from pkg2. If the Subversion repository's Git checkout has
    malicious commands in .git/hooks/, they will execute on the system
    running "go get."
  * CVE-2018-16873: the "go get" command is vulnerable to remote code
    execution when executed with the -u flag and the import path of a
    malicious Go package, as it may treat the parent directory as a Git
    repository root, containing malicious configuration.
  * CVE-2018-16874: the "go get" command is vulnerable to directory
    traversal when executed with the import path of a malicious Go package
    which contains curly braces (both '{' and '}' characters). The
    attacker can cause an arbitrary filesystem write, which can lead to
    code execution.
  * CVE-2019-9741: in net/http, CRLF injection is possible if the attacker
    controls a url parameter, as demonstrated by the second argument to
    http.NewRequest with \r\n followed by an HTTP header or a Redis
    command.
  * CVE-2019-16276: Go allows HTTP Request Smuggling.
  * CVE-2019-17596: Go can panic upon an attempt to process network
    traffic containing an invalid DSA public key. There are several attack
    scenarios, such as traffic from a client to a server that verifies
    client certificates.
  * CVE-2021-3114: crypto/elliptic/p224.go can generate incorrect outputs,
    related to an underflow of the lowest limb during the final complete
    reduction in the P-224 field.

[dgit import unpatched golang-1.7 1.7.4-2+deb9u3]

4 years agoImport golang-1.7_1.7.4-2+deb9u3.debian.tar.xz
commit | commitdiff | tree
Sylvain Beucler [Sat, 13 Mar 2021 14:48:57 +0000 (14:48 +0000)]
Import golang-1.7_1.7.4-2+deb9u3.debian.tar.xz

[dgit import tarball golang-1.7 1.7.4-2+deb9u3 golang-1.7_1.7.4-2+deb9u3.debian.tar.xz]

9 years agoImport golang-1.7_1.7.4.orig.tar.gz
commit | commitdiff | tree
Tianon Gravi [Fri, 2 Dec 2016 21:30:36 +0000 (21:30 +0000)]
Import golang-1.7_1.7.4.orig.tar.gz

[dgit import orig golang-1.7_1.7.4.orig.tar.gz]

Unnamed repository; edit this file 'description' to name the repository.