* CVE-2021-27918
  Description: "encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader

  The Decode, DecodeElement, and Skip methods of an xml.Decoder provided by xml.NewTokenDecoder may enter an infinite loop when operating on a custom xml.TokenReader which returns an EOF in the middle of an open XML element. Thanks to Sam Whited for reporting this issue. This issue is CVE-2021-27918 and Go issue golang.org/issue/44913."

* CVE-2021-27919
  Description: "archive/zip: panic when calling Reader.Open

  The Reader.Open API, new in Go 1.16, will panic when used on a ZIP archive containing files that start with “../”. This issue is CVE-2021-27919 and Go issue golang.org/issue/44916."

Please bump to Go 1.16.1 and Go 1.15.9.
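The CVE-2021-27918 condition described above, shown from the defensive side as an added example (not code from this report or from the Go project's fix): a wrapper around a custom `xml.TokenReader` that tracks element depth and reports `io.ErrUnexpectedEOF` instead of a bare `io.EOF` while an element is still open. The names `sliceReader`, `guard` and `decodeGuarded` and the token streams are constructed for illustration.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
)

// sliceReader (constructed) replays tokens, then returns io.EOF even mid-element.
type sliceReader struct{ toks []xml.Token }

func (s *sliceReader) Token() (xml.Token, error) {
	if len(s.toks) == 0 {
		return nil, io.EOF
	}
	t := s.toks[0]
	s.toks = s.toks[1:]
	return t, nil
}

// guard (hypothetical) tracks depth; EOF inside an open element becomes io.ErrUnexpectedEOF.
type guard struct {
	r     xml.TokenReader
	depth int
}

func (g *guard) Token() (xml.Token, error) {
	t, err := g.r.Token()
	if _, ok := t.(xml.StartElement); ok {
		g.depth++
	} else if _, ok := t.(xml.EndElement); ok {
		g.depth--
	}
	if err == io.EOF && g.depth > 0 {
		return nil, io.ErrUnexpectedEOF
	}
	return t, err
}

// decodeGuarded runs Decoder.Decode over the guarded token stream.
func decodeGuarded(toks []xml.Token) (string, error) {
	var v struct{ Body string `xml:",chardata"` }
	err := xml.NewTokenDecoder(&guard{r: &sliceReader{toks}}).Decode(&v)
	return v.Body, err
}

func main() {
	open := xml.StartElement{Name: xml.Name{Local: "a"}}
	fmt.Println(decodeGuarded([]xml.Token{open, xml.CharData("x")})) // truncated
}
```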
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=58e4b63111ef301c3088aca66f18b197677e12fd

commit 58e4b63111ef301c3088aca66f18b197677e12fd
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-03-12 00:59:07 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-03-12 01:01:05 +0000

    dev-lang/go: 1.16.2 bump

    Bug: https://bugs.gentoo.org/775326
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest | 1 +
 dev-lang/go/go-1.16.2.ebuild | 197 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 198 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6c90270721a7dda15113d834e5df1aa562e980c4

commit 6c90270721a7dda15113d834e5df1aa562e980c4
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-03-12 00:52:00 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-03-12 01:01:04 +0000

    dev-lang/go: 1.15.10 bump

    Bug: https://bugs.gentoo.org/775326
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 dev-lang/go/Manifest | 1 +
 dev-lang/go/go-1.15.10.ebuild | 197 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 198 insertions(+)
Please add arches and stabilize both 1.16.2 and 1.15.10.
(In reply to William Hubbs from comment #2)
> Please add arches and stabilize both 1.16.2 and 1.15.10.

Thank you!
amd64 stable
arm done
ppc64 done
commit 1b6bfb1917feea1e740f240794f35398356c0ccb
Author: Sam James <sam@gentoo.org>
Date:   Fri Mar 12 15:30:16 2021 +0000

    dev-lang/go: Stabilize 1.16.2 arm64, #775326

    Signed-off-by: Sam James <sam@gentoo.org>

commit 6c85beb0ce118687b09c3ee8a13cd57d12325ad1
Author: Sam James <sam@gentoo.org>
Date:   Fri Mar 12 15:30:15 2021 +0000

    dev-lang/go: Stabilize 1.15.10 arm64, #775326

    Signed-off-by: Sam James <sam@gentoo.org>
x86 stable
Unable to check for sanity:

> no match for package: dev-lang/go-1.15.10
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3cb3a96a3023359a20f60ec1f45f10c1fc4012ca

commit 3cb3a96a3023359a20f60ec1f45f10c1fc4012ca
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-04 13:53:02 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-04 13:59:34 +0000

    [ GLSA 202208-02 ] Go: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/754210
    Bug: https://bugs.gentoo.org/766216
    Bug: https://bugs.gentoo.org/775326
    Bug: https://bugs.gentoo.org/788640
    Bug: https://bugs.gentoo.org/794784
    Bug: https://bugs.gentoo.org/802054
    Bug: https://bugs.gentoo.org/806659
    Bug: https://bugs.gentoo.org/807049
    Bug: https://bugs.gentoo.org/816912
    Bug: https://bugs.gentoo.org/821859
    Bug: https://bugs.gentoo.org/828655
    Bug: https://bugs.gentoo.org/833156
    Bug: https://bugs.gentoo.org/834635
    Bug: https://bugs.gentoo.org/838130
    Bug: https://bugs.gentoo.org/843644
    Bug: https://bugs.gentoo.org/849290
    Bug: https://bugs.gentoo.org/857822
    Bug: https://bugs.gentoo.org/862822
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-02.xml | 101 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 101 insertions(+)
GLSA released, all done!