Hi gophers,

We have just released Go 1.12.8 and Go 1.11.13 to address recently reported security issues. We recommend that all users update to one of these releases (if you're not sure which, choose Go 1.12.8).

net/http: Denial of Service vulnerabilities in the HTTP/2 implementation

net/http and golang.org/x/net/http2 servers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes. Servers will now close connections if the send queue accumulates too many control messages.

The issues are CVE-2019-9512 and CVE-2019-9514, and Go issue golang.org/issue/33606. Thanks to Jonathan Looney from Netflix for discovering and reporting these issues.

This is also fixed in version v0.0.0-20190813141303-74dc4d7220e7 of golang.org/x/net/http2.

net/url: parsing validation issue

url.Parse would accept URLs with malformed hosts, such that the Host field could have arbitrary suffixes that would appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications. Note that URLs with invalid, non-numeric ports will now return an error from url.Parse.

The issue is CVE-2019-14809 and Go issue golang.org/issue/29098. Thanks to Julian Hector and Nikolai Krein from Cure53, and Adi Cohen (adico.me) for discovering and reporting this issue.

Downloads are available at https://golang.org/dl for all supported platforms.

Thank you,
Dmitri on behalf of the Go team
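The net/url item above describes an authorization-bypass pattern: an application allowlists on u.Hostname() but then connects to u.Host, and a pre-fix url.Parse could leave a suffix in Host that neither Hostname() nor Port() reported. The following is an added example, not code from the announcement or from the Go project, showing the two checks an application can apply regardless of which Go runtime parsed the URL: it confirms that Host is fully accounted for by Hostname() and Port(), and it shows that a patched url.Parse now rejects a non-numeric port or trailing junk after an IPv6 literal. The allowlist entries, sample URLs and function names (authorityConsistent, parseRejects, authorize) are constructed for this example.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// allowedHosts is a constructed allowlist for this example; the names are
// hypothetical and not taken from the advisory.
var allowedHosts = map[string]bool{
	"api.example.com": true,
	"::1":             true,
}

// authorityConsistent reports whether u.Host is fully reproduced by
// u.Hostname() and u.Port(). The check is deliberately strict: anything in
// Host that the two accessors do not give back (a bare trailing ":", a
// percent-encoded IPv6 zone, or the kind of suffix the advisory describes)
// is treated as inconsistent and the URL is refused.
func authorityConsistent(u *url.URL) bool {
	host, port := u.Hostname(), u.Port()
	if port != "" {
		// net.JoinHostPort re-adds the brackets around an IPv6 literal.
		return u.Host == net.JoinHostPort(host, port)
	}
	if strings.Contains(host, ":") {
		return u.Host == "["+host+"]"
	}
	return u.Host == host
}

// parseRejects reports whether url.Parse refuses rawURL. With the
// CVE-2019-14809 fix (Go 1.12.8 / 1.11.13 and later) a port such as ":80abc"
// or trailing text after an IPv6 literal is an error at parse time.
func parseRejects(rawURL string) bool {
	_, err := url.Parse(rawURL)
	return err != nil
}

// authorize parses rawURL, verifies the authority is internally consistent,
// checks the host name against the allowlist and returns the authority a
// client would actually connect to. Allowlisting on Hostname() while dialing
// Host is the gap the advisory refers to; comparing the two closes it.
func authorize(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", fmt.Errorf("parse: %w", err)
	}
	if !authorityConsistent(u) {
		return "", fmt.Errorf("host %q not fully described by Hostname()/Port()", u.Host)
	}
	if !allowedHosts[u.Hostname()] {
		return "", fmt.Errorf("host %q not in allowlist", u.Hostname())
	}
	return u.Host, nil
}

func main() {
	// Constructed sample inputs: the first two should pass, the rest fail.
	for _, raw := range []string{
		"http://api.example.com:8080/v1",
		"http://[::1]:8080/",
		"http://evil.example.net/",
		"http://api.example.com:80abc/",
		"http://[::1]garbage/",
	} {
		target, err := authorize(raw)
		if err != nil {
			fmt.Printf("%-34s rejected: %v\n", raw, err)
			continue
		}
		fmt.Printf("%-34s ok, dial %s\n", raw, target)
	}
}
```

On a patched toolchain the last two inputs are refused by url.Parse itself; on an unpatched one they would reach authorityConsistent, which refuses them because Host carries text the accessors drop. Either way the allowlist decision and the dial target are computed from the same string.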
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=deb937ea1e309ff0f7473e5346f265a1855df3d8

commit deb937ea1e309ff0f7473e5346f265a1855df3d8
Author: William Hubbs <william.hubbs@sony.com>
AuthorDate: 2019-08-14 17:06:07 +0000
Commit: William Hubbs <williamh@gentoo.org>
CommitDate: 2019-08-14 17:07:58 +0000

dev-lang/go: 1.11.13 and 1.12.8 security bump

Bug: https://bugs.gentoo.org/692152
Copyright: Sony Interactive Entertainment Inc.
Package-Manager: Portage-2.3.69, Repoman-2.3.16
RepoMan-Options: --force
Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest          |   2 +
 dev-lang/go/go-1.11.13.ebuild | 246 ++++++++++++++++++++++++++++++++++++++++++
 dev-lang/go/go-1.12.8.ebuild  | 246 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 494 insertions(+)
Arm and x86, please stabilize dev-lang/go-1.11.13 and dev-lang/go-1.12.8. Thanks, William
x86 stable
arm stable
@maintainer, please drop vulnerable.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2ad9515a15cbab9ce0b71f045ef4c47195589ed7

commit 2ad9515a15cbab9ce0b71f045ef4c47195589ed7
Author: William Hubbs <williamh@gentoo.org>
AuthorDate: 2019-09-06 13:24:39 +0000
Commit: William Hubbs <williamh@gentoo.org>
CommitDate: 2019-09-06 13:25:23 +0000

dev-lang/go: remove old 1.12 versions

All 1.11 versions are removed since that version is no longer supported upstream.

Bug: https://bugs.gentoo.org/692152
Package-Manager: Portage-2.3.69, Repoman-2.3.16
Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest         |   3 -
 dev-lang/go/go-1.12.5.ebuild | 246 -------------------------------------------
 dev-lang/go/go-1.12.6.ebuild | 246 -------------------------------------------
 dev-lang/go/go-1.12.7.ebuild | 246 -------------------------------------------
 4 files changed, 741 deletions(-)