Bug 736156 (CVE-2020-16845) - <dev-lang/go-{1.13.15, 1.14.7}: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs (CVE-2020-16845)
Status: RESOLVED FIXED
Alias: CVE-2020-16845
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/golang/go/issues/4...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-08-06 17:13 UTC by Sam James
Modified: 2020-08-07 17:23 UTC
CC List: 1 user

See Also:
Package list:
dev-lang/go-1.13.15 dev-lang/go-1.14.7
Runtime testing required: ---
nattka: sanity-check+


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-06 17:13:25 UTC
"We have just released Go 1.14.7 and Go 1.13.15 to address a recently reported security issue. We recommend that all users update to one of these releases (if you’re not sure which, choose Go 1.14.7).
encoding/binary: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs
Certain invalid inputs to ReadUvarint or ReadVarint could cause those functions to read an unlimited number of bytes from the ByteReader argument before returning an error. This could lead to processing more input than expected when the caller is reading directly from a network and depends on ReadUvarint and ReadVarint only consuming a small, bounded number of bytes, even from invalid inputs.

With the update, ReadUvarint and ReadVarint now always return after consuming a bounded number of bytes (specifically, MaxVarintLen64, which is 10). The result being returned has not changed; the functions merely detect and return some errors without reading as much input.

Thanks to Diederik Loerakker, Jonny Rhea, Raúl Kripalani, and Preston Van Loon for reporting this issue.

This issue is CVE-2020-16845 and Go issue golang.org/issue/40618."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-06 17:14:58 UTC
Please bump to 1.13.15, 1.14.7.
Comment 2 Larry the Git Cow gentoo-dev 2020-08-06 18:52:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e5e8abfb9b2973e4b4f99b61b6b999184c0df9a5

commit e5e8abfb9b2973e4b4f99b61b6b999184c0df9a5
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2020-08-06 18:50:41 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2020-08-06 18:52:19 +0000

    dev-lang/go: mark 1.13.15 and 1.14.7 stable on amd64 for security
    
    Bug: https://bugs.gentoo.org/736156
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/go-1.13.15.ebuild | 2 +-
 dev-lang/go/go-1.14.7.ebuild  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7047696d1eb4be0e320b3482e74a9473fae62f46

commit 7047696d1eb4be0e320b3482e74a9473fae62f46
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2020-08-06 18:47:47 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2020-08-06 18:52:19 +0000

    dev-lang/go: 1.14.7 security bump
    
    Bug: https://bugs.gentoo.org/736156
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest         |   1 +
 dev-lang/go/go-1.14.7.ebuild | 188 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 189 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c3937ad23fc8918c53bd0266017838adb2d35e06

commit c3937ad23fc8918c53bd0266017838adb2d35e06
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2020-08-06 18:39:14 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2020-08-06 18:52:18 +0000

    dev-lang/go: 1.13.15 security bump
    
    Bug: https://bugs.gentoo.org/736156
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest          |   1 +
 dev-lang/go/go-1.13.15.ebuild | 197 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 198 insertions(+)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-06 20:58:10 UTC
arm done
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-06 21:09:27 UTC
arm64 done
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-07 02:00:14 UTC
x86 done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-07 02:47:15 UTC
ppc64 done

all arches done
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-07 02:48:26 UTC
Please cleanup.
Comment 8 Larry the Git Cow gentoo-dev 2020-08-07 17:15:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a021d8bf00b7cf1a4a4cab5855ecc8c3689bae5a

commit a021d8bf00b7cf1a4a4cab5855ecc8c3689bae5a
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2020-08-07 17:12:13 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2020-08-07 17:15:10 +0000

    dev-lang/go: remove vulnerable versions
    
    Bug: https://bugs.gentoo.org/736156
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest          |   4 -
 dev-lang/go/go-1.13.13.ebuild | 197 ------------------------------------------
 dev-lang/go/go-1.13.14.ebuild | 197 ------------------------------------------
 dev-lang/go/go-1.14.5.ebuild  | 188 ----------------------------------------
 dev-lang/go/go-1.14.6.ebuild  | 188 ----------------------------------------
 5 files changed, 774 deletions(-)
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-07 17:23:02 UTC
Thanks William.

GLSA vote: no.

Closing.