"Hello gophers,

We have just released Go versions 1.16.4 and 1.15.12, minor point releases.

This minor release includes a security fix according to the new security policy (#44918).

ReadRequest and ReadResponse in net/http can hit an unrecoverable panic when reading a very large header (over 7MB on 64-bit architectures, or over 4MB on 32-bit ones). Transport and Client are vulnerable and the program can be made to crash by a malicious server. Server is not vulnerable by default, but can be if the default max header of 1MB is overridden by setting Server.MaxHeaderBytes to a higher value, in which case the program can be made to crash by a malicious client.

This also affects golang.org/x/net/http2/h2c and HeaderValuesContainsToken in golang.org/x/net/http/httpguts, and is fixed in golang.org/x/net@v0.0.0-20210428140749-89ef3d95e781.

This is issue #45710 and CVE-2021-31525. Thanks to Guido Vranken who reported the crash as part of the Ethereum 2.0 bounty program.

View the release notes for more information: https://golang.org/doc/devel/release.html#go1.16.minor

You can download binary and source distributions from the Go web site: https://golang.org/dl/

To compile from source using a Git clone, update to the release with "git checkout go1.16.4" and build as usual.

Thanks to everyone who contributed to the releases.

Cheers,
Heschi and Carlos for the Go team"
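The advisory above names the two settings that decide exposure: Server.MaxHeaderBytes on the receiving side and the response-header bound on the Transport/Client side. The Go program below is an added example, not code from the bug report or from the Go release; it assumes the standard library's Transport.MaxResponseHeaderBytes field and uses a local httptest server (constructed here) to show that a bounded Transport aborts with an error once a response header block exceeds the limit, instead of reading it in full.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// EffectiveMaxHeaderBytes reports the request-header limit a Server will
// enforce: the configured value, or net/http's 1 MB default when unset.
// Raising it past the advisory's thresholds is what exposes a Server.
func EffectiveMaxHeaderBytes(s *http.Server) int {
	if s.MaxHeaderBytes > 0 {
		return s.MaxHeaderBytes
	}
	return http.DefaultMaxHeaderBytes
}

// ProbeHeaderLimit starts a local test server (constructed for this example)
// whose response carries one header of padBytes bytes, then fetches it
// through a Transport whose MaxResponseHeaderBytes is limit. It returns nil
// when the response was read, or the Transport's error when the header
// block exceeded the limit and the read was aborted.
func ProbeHeaderLimit(limit int64, padBytes int) error {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Pad", strings.Repeat("a", padBytes))
		fmt.Fprintln(w, "ok")
	}))
	defer srv.Close()

	tr := &http.Transport{MaxResponseHeaderBytes: limit}
	defer tr.CloseIdleConnections()
	client := &http.Client{Transport: tr, Timeout: 10 * time.Second}

	resp, err := client.Get(srv.URL)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	_, err = io.Copy(io.Discard, resp.Body)
	return err
}

func main() {
	fmt.Println("default server limit:", EffectiveMaxHeaderBytes(&http.Server{}))
	fmt.Println("4 KB header under a 1 MB limit:", ProbeHeaderLimit(1<<20, 4<<10))
	fmt.Println("2 MB header under a 1 MB limit:", ProbeHeaderLimit(1<<20, 2<<20))
}
```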
Please bump.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d5a71f48d8187ef86ae15b111ee7415bdb039d58

commit d5a71f48d8187ef86ae15b111ee7415bdb039d58
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-05-12 21:50:56 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-05-12 22:11:58 +0000

    dev-lang/go: 1.15.12 and 1.16.4 bump

    Bug: https://bugs.gentoo.org/788640
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest          |   2 +
 dev-lang/go/go-1.15.12.ebuild | 189 ++++++++++++++++++++++++++++++++++++++++++
 dev-lang/go/go-1.16.4.ebuild  | 189 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 380 insertions(+)
Thank you! Please proceed with stabilization when ready.
Go ahead with stabilization.
(In reply to William Hubbs from comment #4)
> Go ahead with stabilization.

Thanks William!
arm done
ppc64 done
x86 stable
amd64 stable
arm64 done

all arches done
Please cleanup, thanks!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bfbf5dfcb9361e5f6e339af3c8190055d7fbe068

commit bfbf5dfcb9361e5f6e339af3c8190055d7fbe068
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-05-24 19:48:53 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-05-24 19:50:22 +0000

    dev-lang/go: remove old

    Bug: https://bugs.gentoo.org/788640
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest          |   2 -
 dev-lang/go/go-1.15.10.ebuild | 189 ------------------------------------------
 dev-lang/go/go-1.16.2.ebuild  | 189 ------------------------------------------
 3 files changed, 380 deletions(-)
Thank you!
Unable to check for sanity:

> no match for package: dev-lang/go-1.15.12
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3cb3a96a3023359a20f60ec1f45f10c1fc4012ca

commit 3cb3a96a3023359a20f60ec1f45f10c1fc4012ca
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-04 13:53:02 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-04 13:59:34 +0000

    [ GLSA 202208-02 ] Go: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/754210
    Bug: https://bugs.gentoo.org/766216
    Bug: https://bugs.gentoo.org/775326
    Bug: https://bugs.gentoo.org/788640
    Bug: https://bugs.gentoo.org/794784
    Bug: https://bugs.gentoo.org/802054
    Bug: https://bugs.gentoo.org/806659
    Bug: https://bugs.gentoo.org/807049
    Bug: https://bugs.gentoo.org/816912
    Bug: https://bugs.gentoo.org/821859
    Bug: https://bugs.gentoo.org/828655
    Bug: https://bugs.gentoo.org/833156
    Bug: https://bugs.gentoo.org/834635
    Bug: https://bugs.gentoo.org/838130
    Bug: https://bugs.gentoo.org/843644
    Bug: https://bugs.gentoo.org/849290
    Bug: https://bugs.gentoo.org/857822
    Bug: https://bugs.gentoo.org/862822
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-02.xml | 101 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 101 insertions(+)
GLSA released, all done!