summary |
shortlog | log |
commit |
commitdiff |
tree
first ⋅ prev ⋅ next
Go Compiler Team [Thu, 20 Apr 2023 14:32:58 +0000 (15:32 +0100)]
CVE-2022-23806
Origin: https://github.com/golang/go/commit/
6b3e741a834c34b8a844a33b3aa060dd4ed37231
Reviewed-by: Sylvain Beucler <beuc@debian.org>
Last-Update: 2023-04-18
From
6b3e741a834c34b8a844a33b3aa060dd4ed37231 Mon Sep 17 00:00:00 2001
From: Filippo Valsorda <filippo@golang.org>
Date: Wed, 2 Feb 2022 09:15:44 -0800
Subject: [PATCH] [release-branch.go1.16] crypto/elliptic: make IsOnCurve
return false for invalid field elements
Updates #50974
Fixes #50977
Fixes CVE-2022-23806
Change-Id: I0201c2c88f13dd82910985a495973f1683af9259
Reviewed-on: https://go-review.googlesource.com/c/go/+/382855
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
Trust: Katie Hockman <katie@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Gbp-Pq: Name CVE-2022-23806.patch
Go Compiler Team [Thu, 20 Apr 2023 14:32:58 +0000 (15:32 +0100)]
CVE-2021-44717
Origin: https://github.com/golang/net/commit/
44a3fb49d99cc8a4de4925b69650f97bb07faf1d
Reviewed-by: Sylvain Beucler <beuc@debian.org>
Last-Update: 2022-04-18
From
44a3fb49d99cc8a4de4925b69650f97bb07faf1d Mon Sep 17 00:00:00 2001
From: Russ Cox <rsc@golang.org>
Date: Wed, 8 Dec 2021 18:05:11 -0500
Subject: [PATCH] [release-branch.go1.16] syscall: fix ForkLock spurious
close(0) on pipe failure
Pipe (and therefore forkLockPipe) does not make any guarantees
about the state of p after a failed Pipe(p). Avoid that assumption
and the too-clever goto, so that we don't accidentally Close a real fd
if the failed pipe leaves p[0] or p[1] set >= 0.
Updates #50057
Fixes CVE-2021-44717
Change-Id: Iff8e19a6efbba0c73cc8b13ecfae381c87600bb4
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/
1291270
Reviewed-by: Ian Lance Taylor <iant@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/370514
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Alex Rakoczy <alex@golang.org>
Gbp-Pq: Name CVE-2021-44717.patch
Go Compiler Team [Thu, 20 Apr 2023 14:32:58 +0000 (15:32 +0100)]
CVE-2021-44716
Origin: https://github.com/golang/net/commit/
491a49abca63de5e07ef554052d180a1b5fe2d70
Reviewed-by: Sylvain Beucler <beuc@debian.org>
Last-Update: 2022-01-21
From
491a49abca63de5e07ef554052d180a1b5fe2d70 Mon Sep 17 00:00:00 2001
From: Damien Neil <dneil@google.com>
Date: Mon, 6 Dec 2021 14:31:43 -0800
Subject: [PATCH] http2: cap the size of the server's canonical header cache
The HTTP/2 server keeps a per-connection cache mapping header keys
to their canonicalized form (e.g., "foo-bar" => "Foo-Bar"). Cap the
maximum size of this cache to prevent a peer sending many unique
header keys from causing unbounded memory growth.
Cap chosen arbitrarily at 32 entries. Since this cache does not
include common headers (e.g., "content-type"), 32 seems like more
than enough for almost all normal uses.
Fixes #50058
Fixes CVE-2021-44716
Change-Id: Ia83696dc23253c12af8f26d502557c2cc9841105
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/
1290827
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/net/+/369794
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Trust: Damien Neil <dneil@google.com>
Reviewed-by: Russ Cox <rsc@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Gbp-Pq: Name CVE-2021-44716.patch
Go Compiler Team [Thu, 20 Apr 2023 14:32:58 +0000 (15:32 +0100)]
CVE-2021-41771
Origin: https://github.com/golang/go/commit/
d19c5bdb24e093a2d5097b7623284eb02726cede
Reviewed-by: Sylvain Beucler <beuc@debian.org>
Last-Update: 2022-01-21
From
d19c5bdb24e093a2d5097b7623284eb02726cede Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <roland@golang.org>
Date: Thu, 14 Oct 2021 13:02:01 -0700
Subject: [PATCH] [release-branch.go1.16] debug/macho: fail on invalid dynamic
symbol table command
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fail out when loading a file that contains a dynamic symbol table
command that indicates a larger number of symbols than exist in the
loaded symbol table.
Thanks to Burak Çarıkçı - Yunus Yıldırım (CT-Zer0 Crypttech) for
reporting this issue.
Updates #48990
Fixes #48991
Fixes CVE-2021-41771
Change-Id: Ic3d6e6529241afcc959544b326b21b663262bad5
Reviewed-on: https://go-review.googlesource.com/c/go/+/355990
Reviewed-by: Julie Qiu <julie@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Katie Hockman <katie@golang.org>
(cherry picked from commit
61536ec03063b4951163bd09609c86d82631fa27)
Reviewed-on: https://go-review.googlesource.com/c/go/+/359454
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Gbp-Pq: Name CVE-2021-41771.patch
Go Compiler Team [Thu, 20 Apr 2023 14:32:58 +0000 (15:32 +0100)]
CVE-2021-36221
Origin: https://github.com/golang/go/commit/
ba93baa74a52d57ae79313313ea990cc791ef50e
Reviewed-by: Sylvain Beucler <beuc@debian.org>
Last-Update: 2023-04-15
From
ba93baa74a52d57ae79313313ea990cc791ef50e Mon Sep 17 00:00:00 2001
From: Damien Neil <dneil@google.com>
Date: Wed, 7 Jul 2021 16:34:34 -0700
Subject: [PATCH] [release-branch.go1.15] net/http/httputil: close incoming
ReverseProxy request body
Reading from an incoming request body after the request handler aborts
with a panic can cause a panic, becuse http.Server does not (contrary
to its documentation) close the request body in this case.
Always close the incoming request body in ReverseProxy.ServeHTTP to
ensure that any in-flight outgoing requests using the body do not
read from it.
Fixes #47473
Updates #46866
Fixes CVE-2021-36221
Change-Id: I310df269200ad8732c5d9f1a2b00de68725831df
Reviewed-on: https://go-review.googlesource.com/c/go/+/333191
Trust: Damien Neil <dneil@google.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
(cherry picked from commit
b7a85e0003cedb1b48a1fd3ae5b746ec6330102e)
Reviewed-on: https://go-review.googlesource.com/c/go/+/338550
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Gbp-Pq: Name CVE-2021-36221.patch
Go Compiler Team [Thu, 20 Apr 2023 14:32:58 +0000 (15:32 +0100)]
CVE-2021-39293
Origin: https://github.com/golang/go/commit/
6c480017ae600b2c90a264a922e041df04dfa785
Reviewed-by: Sylvain Beucler <beuc@debian.org>
Last-Update: 2022-01-21
Backport note: test case now also deals with prior detection removed
in
483d6d99256b3c486e0c99106e232b4909938328 (v1.14)
From
6c480017ae600b2c90a264a922e041df04dfa785 Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <roland@golang.org>
Date: Wed, 18 Aug 2021 11:49:29 -0700
Subject: [PATCH] [release-branch.go1.16] archive/zip: prevent preallocation
check from overflowing
If the indicated directory size in the archive header is so large that
subtracting it from the archive size overflows a uint64, the check that
the indicated number of files in the archive can be effectively
bypassed. Prevent this from happening by checking that the indicated
directory size is less than the size of the archive.
Thanks to the OSS-Fuzz project for discovering this issue and to
Emmanuel Odeke for reporting it.
Fixes #47985
Updates #47801
Fixes CVE-2021-39293
Change-Id: Ifade26b98a40f3b37398ca86bd5252d12394dd24
Reviewed-on: https://go-review.googlesource.com/c/go/+/343434
Trust: Roland Shoemaker <roland@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
(cherry picked from commit
bacbc33439b124ffd7392c91a5f5d96eca8c0c0b)
Reviewed-on: https://go-review.googlesource.com/c/go/+/345409
Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
Run-TryBot: Emmanuel Odeke <emmanuel@orijtech.com>
Trust: Cherry Mui <cherryyz@google.com>
Gbp-Pq: Name CVE-2021-39293.patch
Go Compiler Team [Thu, 20 Apr 2023 14:32:58 +0000 (15:32 +0100)]
CVE-2021-33196
Origin: https://github.com/golang/go/commit/
c92adf420a3d9a5510f9aea382d826f0c9216a10
Reviewed-by: Sylvain Beucler <beuc@debian.org>
Last-Update: 2022-01-21
Backport note: test case now also deals with prior detection removed
in
483d6d99256b3c486e0c99106e232b4909938328 (v1.14)
From
c92adf420a3d9a5510f9aea382d826f0c9216a10 Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <roland@golang.org>
Date: Tue, 11 May 2021 11:31:31 -0700
Subject: [PATCH] [release-branch.go1.15] archive/zip: only preallocate File
slice if reasonably sized
Since the number of files in the EOCD record isn't validated, it isn't
safe to preallocate Reader.Files using that field. A malformed archive
can indicate it contains up to 1 << 128 - 1 files. We can still safely
preallocate the slice by checking if the specified number of files in
the archive is reasonable, given the size of the archive.
Thanks to the OSS-Fuzz project for discovering this issue and to
Emmanuel Odeke for reporting it.
Updates #46242
Fixes #46396
Fixes CVE-2021-33196
Change-Id: I3c76d8eec178468b380d87fdb4a3f2cb06f0ee76
Reviewed-on: https://go-review.googlesource.com/c/go/+/318909
Trust: Roland Shoemaker <roland@golang.org>
Trust: Katie Hockman <katie@golang.org>
Trust: Joe Tsai <thebrokentoaster@gmail.com>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
Reviewed-by: Joe Tsai <thebrokentoaster@gmail.com>
(cherry picked from commit
74242baa4136c7a9132a8ccd9881354442788c8c)
Reviewed-on: https://go-review.googlesource.com/c/go/+/322949
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Gbp-Pq: Name CVE-2021-33196.patch
Go Compiler Team [Thu, 20 Apr 2023 14:32:58 +0000 (15:32 +0100)]
CVE-2021-38297
Origin: https://github.com/golang/go/commit/
4548fcc8dfd933c237f29bba6f90040a85922564
Reviewed-by: Sylvain Beucler <beuc@debian.org>
Last-Update: 2023-04-15
From
4548fcc8dfd933c237f29bba6f90040a85922564 Mon Sep 17 00:00:00 2001
From: Michael Knyszek <mknyszek@google.com>
Date: Thu, 2 Sep 2021 16:51:59 -0400
Subject: [PATCH] [release-branch.go1.16] misc/wasm, cmd/link: do not let
command line args overwrite global data
On Wasm, wasm_exec.js puts command line arguments at the beginning
of the linear memory (following the "zero page"). Currently there
is no limit for this, and a very long command line can overwrite
the program's data section. Prevent this by limiting the command
line to 4096 bytes, and in the linker ensuring the data section
starts at a high enough address (8192).
(Arguably our address assignment on Wasm is a bit confusing. This
is the minimum fix I can come up with.)
Thanks to Ben Lubar for reporting this issue.
Change by Cherry Mui <cherryyz@google.com>.
For #48797
Fixes #48799
Fixes CVE-2021-38297
Change-Id: I0f50fbb2a5b6d0d047e3c134a88988d9133e4ab3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/
1205933
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Than McIntosh <thanm@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/354591
Trust: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Heschi Kreinick <heschi@google.com>
Gbp-Pq: Name CVE-2021-38297.patch
Go Compiler Team [Thu, 20 Apr 2023 14:32:58 +0000 (15:32 +0100)]
CVE-2020-28367
Origin: https://github.com/golang/go/commit/
ff5addb6be2fb3001f0cb026c3e4931090a85664
Reviewed-by: Sylvain Beucler <beuc@debian.org>
Last-Update: 2023-04-14
From
ff5addb6be2fb3001f0cb026c3e4931090a85664 Mon Sep 17 00:00:00 2001
From: Ian Lance Taylor <iant@golang.org>
Date: Mon, 2 Nov 2020 21:31:06 -0800
Subject: [PATCH] [release-branch.go1.14-security] cmd/go: in cgoflags, permit
-DX1, prohibit -Wp,-D,opt
Restrict -D and -U to ASCII C identifiers, but do permit trailing digits.
When using -Wp, prohibit commas in -D values.
Thanks to Imre Rad (https://www.linkedin.com/in/imre-rad-
2358749b) for reporting this.
Fixes CVE-2020-28367
Change-Id: Ibfc4dfdd6e6c258e131448e7682610c44eee9492
Reviewed-on: https://go-review.googlesource.com/c/go/+/267277
Trust: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Bryan C. Mills <bcmills@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/899923
Reviewed-by: Filippo Valsorda <valsorda@google.com>
Gbp-Pq: Name CVE-2020-28367.patch
Filippo Valsorda [Fri, 8 Jan 2021 02:56:58 +0000 (03:56 +0100)]
Fixes CVE-2021-3114
Cherry-pick from upstream:
https://github.com/golang/go/commit/
d95ca9138026cbe40e0857d76a81a16d03230871
Gbp-Pq: Name 0012-Fix-CVE-2021-3114.patch
Katie Hockman [Tue, 4 Aug 2020 15:45:32 +0000 (11:45 -0400)]
Fix CVE-2020-16845
Cherry-picked from upstream:
https://github.com/golang/go/commit/
027d7241ce050d197e7fabea3d541ffbe3487258
Gbp-Pq: Name 0011-Fix-CVE-2020-16845.patch
Russ Cox [Mon, 13 Jul 2020 17:27:22 +0000 (13:27 -0400)]
Fix CVE-2020-15586
Cherry-picked from upstream:
https://github.com/golang/go/commit/
fa98f46741f818913a8c11b877520a548715131f
Gbp-Pq: Name 0010-Fix-CVE-2020-15586.patch
Dr. Tobias Quathamer [Fri, 31 Jan 2020 21:15:57 +0000 (22:15 +0100)]
Fix CVE-2020-7919
Cherry-picked from upstream:
https://github.com/golang/go/commit/
b13ce14c4a6aa59b7b041ad2b6eed2d23e15b574
Gbp-Pq: Name 0009-Fix-CVE-2020-7919.patch
Dr. Tobias Quathamer [Sat, 19 Oct 2019 12:03:22 +0000 (14:03 +0200)]
Fix CVE-2019-17596
Cherry-picked from upstream:
https://github.com/golang/go/commit/
2017d88dbc096381d4f348d2fb08bfb3c2b7ed73
Gbp-Pq: Name 0008-Fix-CVE-2019-17596.patch
Dr. Tobias Quathamer [Thu, 26 Sep 2019 09:46:46 +0000 (11:46 +0200)]
Fix CVE-2019-16276
Cherry-picked from upstream:
https://github.com/golang/go/commit/
6e6f4aaf70c8b1cc81e65a26332aa9409de03ad8
Gbp-Pq: Name 0007-Fix-CVE-2019-16276.patch
Dr. Tobias Quathamer [Thu, 15 Aug 2019 19:37:24 +0000 (21:37 +0200)]
Fix CVE-2019-14809
Cherry-picked from upstream:
https://github.com/golang/go/commit/
c1d9ca70995dc232a2145e3214f94e03409f6fcc
Gbp-Pq: Name 0006-Fix-CVE-2019-14809.patch
Dr. Tobias Quathamer [Thu, 15 Aug 2019 19:34:14 +0000 (21:34 +0200)]
Fix CVE-2019-9512 and CVE-2019-9514
Cherry-picked from upstream:
https://github.com/golang/go/commit/
e152b01a468a1c18a290bf9aec52ccea7693c7f2
Gbp-Pq: Name 0005-Fix-CVE-2019-9512-and-CVE-2019-9514.patch
Anthony Fok [Fri, 28 Dec 2018 13:18:00 +0000 (06:18 -0700)]
[PATCH] unix: fix Fstatat by using fillStat_t on linux/mips64x
The stat structure on linux/mips64x differ between C library and the kernel,
as described in the stat(2) man page.
Fstat, Lstat and Stat on linux/mips64x already converts the stat structure
using a fillStat_t function, very similar to __xstat_conv in GLIBC.
Doing the same for Fstatat before calling SYS_NEWFSTATAT fixes the
"Fstatat: returned stat does not match Stat/Lstat" error in TestFstatat.
Fixes golang/go#29401
Change-Id: I0b2a7b274acc3c7c9fc7ae2afe722dd6225da383
Reviewed-on: https://go-review.googlesource.com/c/155747
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Reviewed-by: Tobias Klauser <tobias.klauser@gmail.com>
Gbp-Pq: Name 0004-fix-Fstatat-by-using-fillStat_t-on-linux-mips64x.patch
Michael Hudson-Doyle [Thu, 20 Sep 2018 07:20:31 +0000 (09:20 +0200)]
arm64/arm64asm: recognise new ssbb/pssbb mnemonics from objdump
Fixes golang/go#27754
Change-Id: I8fcc3bc3c718cf0d93afbd1d383df48316b522d4
Reviewed-on: https://go-review.googlesource.com/136455
Run-TryBot: Michael Hudson-Doyle <michael.hudson@canonical.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Cherry Zhang <cherryyz@google.com>
Gbp-Pq: Name 0003-arm64-arm64asm-recognise-new-ssbb-pssbb-mnemonics-fr.patch
Dr. Tobias Quathamer [Wed, 19 Dec 2018 12:16:45 +0000 (13:16 +0100)]
Fix Lintian warnings about wrong interpreter path
The command used for this change is as follows:
grep -rH "/usr/bin/env perl" * | cut -d: -f1 | xargs -n1 sed -i -e "s,/usr/bin/env perl,/usr/bin/perl,"
Gbp-Pq: Name 0002-Fix-Lintian-warnings-about-wrong-interpreter-path.patch
Michael Stapelberg [Thu, 8 Feb 2018 09:00:00 +0000 (10:00 +0100)]
Reproducible BUILD_PATH_PREFIX_MAP
Make builds reproducible by honoring BUILD_PATH_PREFIX_MAP
Upstream has rejected the patch in this form and promised to implement an
alternative they are happy with instead. That hasn't happened yet though.
Bug: https://github.com/golang/go/issues/22491, https://github.com/golang/go/issues/16860
Forwarded: https://golang.org/cl/73291 (rejected upstream though)
Gbp-Pq: Name 0001-Reproducible-BUILD_PATH_PREFIX_MAP.patch
Sylvain Beucler [Thu, 20 Apr 2023 14:32:58 +0000 (15:32 +0100)]
golang-1.11 (1.11.6-1+deb10u7) buster-security; urgency=high
* Non-maintainer upload by the LTS Security Team.
* Disable a few flaky tests on arm.
[dgit import unpatched golang-1.11 1.11.6-1+deb10u7]
Sylvain Beucler [Thu, 20 Apr 2023 14:32:58 +0000 (15:32 +0100)]
Import golang-1.11_1.11.6-1+deb10u7.debian.tar.xz
[dgit import tarball golang-1.11 1.11.6-1+deb10u7 golang-1.11_1.11.6-1+deb10u7.debian.tar.xz]
Michael Hudson-Doyle [Sun, 17 Mar 2019 20:37:17 +0000 (20:37 +0000)]
Import golang-1.11_1.11.6.orig.tar.gz
[dgit import orig golang-1.11_1.11.6.orig.tar.gz]
projects / golang-1.11.git / log