All of lore.kernel.org
 help / color / mirror / Atom feed
* [Buildroot] [PATCH 1/1] package/go: security bump to 1.17.5
@ 2021-12-12  9:01 Christian Stewart via buildroot
  2021-12-12 15:13 ` Arnout Vandecappelle
  2022-01-06 21:39 ` Christian Stewart via buildroot
  0 siblings, 2 replies; 6+ messages in thread
From: Christian Stewart via buildroot @ 2021-12-12  9:01 UTC (permalink / raw)
  To: buildroot
  Cc: Christian Stewart, Anisse Astier, Thomas Petazzoni,
	Yann E . MORIN

go1.17.4 (released 2021-12-02) includes fixes to the compiler, linker, runtime,
and the go/types, net/http, and time packages.

go1.17.5 (released 2021-12-09) includes security fixes to the syscall and
net/http packages:

 - CVE-2021-44716
 - CVE-2021-44717

https://go.dev/doc/devel/release#go1.17

Signed-off-by: Christian Stewart <christian@paral.in>
---
 package/go/go.hash | 2 +-
 package/go/go.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/go/go.hash b/package/go/go.hash
index 9031c33d8a..39f8226aae 100644
--- a/package/go/go.hash
+++ b/package/go/go.hash
@@ -1,3 +1,3 @@
 # From https://golang.org/dl/
-sha256  705c64251e5b25d5d55ede1039c6aa22bea40a7a931d14c370339853643c3df0  go1.17.3.src.tar.gz
+sha256  3defb9a09bed042403195e872dcbc8c6fae1485963332279668ec52e80a95a2d  go1.17.5.src.tar.gz
 sha256  2d36597f7117c38b006835ae7f537487207d8ec407aa9d9980794b2030cbc067  LICENSE
diff --git a/package/go/go.mk b/package/go/go.mk
index 59177e54db..0d9ceab2bb 100644
--- a/package/go/go.mk
+++ b/package/go/go.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-GO_VERSION = 1.17.3
+GO_VERSION = 1.17.5
 GO_SITE = https://storage.googleapis.com/golang
 GO_SOURCE = go$(GO_VERSION).src.tar.gz
 
-- 
2.34.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply related	[flat|nested] 6+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/go: security bump to 1.17.5
  2021-12-12  9:01 [Buildroot] [PATCH 1/1] package/go: security bump to 1.17.5 Christian Stewart via buildroot
@ 2021-12-12 15:13 ` Arnout Vandecappelle
  2021-12-12 16:00   ` Yann E. MORIN
  2022-01-06 21:39 ` Christian Stewart via buildroot
  1 sibling, 1 reply; 6+ messages in thread
From: Arnout Vandecappelle @ 2021-12-12 15:13 UTC (permalink / raw)
  To: Christian Stewart, buildroot
  Cc: Anisse Astier, Thomas Petazzoni, Yann E . MORIN



On 12/12/2021 10:01, Christian Stewart via buildroot wrote:
> go1.17.4 (released 2021-12-02) includes fixes to the compiler, linker, runtime,
> and the go/types, net/http, and time packages.
> 
> go1.17.5 (released 2021-12-09) includes security fixes to the syscall and
> net/http packages:
> 
>   - CVE-2021-44716
>   - CVE-2021-44717
> 
> https://go.dev/doc/devel/release#go1.17
> 
> Signed-off-by: Christian Stewart <christian@paral.in>

  Applied to master, thanks.

  Regards,
  Arnout

> ---
>   package/go/go.hash | 2 +-
>   package/go/go.mk   | 2 +-
>   2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/package/go/go.hash b/package/go/go.hash
> index 9031c33d8a..39f8226aae 100644
> --- a/package/go/go.hash
> +++ b/package/go/go.hash
> @@ -1,3 +1,3 @@
>   # From https://golang.org/dl/
> -sha256  705c64251e5b25d5d55ede1039c6aa22bea40a7a931d14c370339853643c3df0  go1.17.3.src.tar.gz
> +sha256  3defb9a09bed042403195e872dcbc8c6fae1485963332279668ec52e80a95a2d  go1.17.5.src.tar.gz
>   sha256  2d36597f7117c38b006835ae7f537487207d8ec407aa9d9980794b2030cbc067  LICENSE
> diff --git a/package/go/go.mk b/package/go/go.mk
> index 59177e54db..0d9ceab2bb 100644
> --- a/package/go/go.mk
> +++ b/package/go/go.mk
> @@ -4,7 +4,7 @@
>   #
>   ################################################################################
>   
> -GO_VERSION = 1.17.3
> +GO_VERSION = 1.17.5
>   GO_SITE = https://storage.googleapis.com/golang
>   GO_SOURCE = go$(GO_VERSION).src.tar.gz
>   
> 
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/go: security bump to 1.17.5
  2021-12-12 15:13 ` Arnout Vandecappelle
@ 2021-12-12 16:00   ` Yann E. MORIN
  0 siblings, 0 replies; 6+ messages in thread
From: Yann E. MORIN @ 2021-12-12 16:00 UTC (permalink / raw)
  To: Arnout Vandecappelle; +Cc: Anisse Astier, Thomas Petazzoni, buildroot

Christian, All,

On 2021-12-12 16:13 +0100, Arnout Vandecappelle spake thusly:
> 
> 
> On 12/12/2021 10:01, Christian Stewart via buildroot wrote:
> >go1.17.4 (released 2021-12-02) includes fixes to the compiler, linker, runtime,
> >and the go/types, net/http, and time packages.
> >
> >go1.17.5 (released 2021-12-09) includes security fixes to the syscall and
> >net/http packages:
> >
> >  - CVE-2021-44716
> >  - CVE-2021-44717
> >
> >https://go.dev/doc/devel/release#go1.17
> >
> >Signed-off-by: Christian Stewart <christian@paral.in>
> 
>  Applied to master, thanks.

Arnout and I stepped on each other's toe when applying, and Arnout ran
away before he got the opportunity to push the patches he applied. So I
did.

Applied to master, thanks.

Regards,
Yann E. MORIN.

> 
>  Regards,
>  Arnout
> 
> >---
> >  package/go/go.hash | 2 +-
> >  package/go/go.mk   | 2 +-
> >  2 files changed, 2 insertions(+), 2 deletions(-)
> >
> >diff --git a/package/go/go.hash b/package/go/go.hash
> >index 9031c33d8a..39f8226aae 100644
> >--- a/package/go/go.hash
> >+++ b/package/go/go.hash
> >@@ -1,3 +1,3 @@
> >  # From https://golang.org/dl/
> >-sha256  705c64251e5b25d5d55ede1039c6aa22bea40a7a931d14c370339853643c3df0  go1.17.3.src.tar.gz
> >+sha256  3defb9a09bed042403195e872dcbc8c6fae1485963332279668ec52e80a95a2d  go1.17.5.src.tar.gz
> >  sha256  2d36597f7117c38b006835ae7f537487207d8ec407aa9d9980794b2030cbc067  LICENSE
> >diff --git a/package/go/go.mk b/package/go/go.mk
> >index 59177e54db..0d9ceab2bb 100644
> >--- a/package/go/go.mk
> >+++ b/package/go/go.mk
> >@@ -4,7 +4,7 @@
> >  #
> >  ################################################################################
> >-GO_VERSION = 1.17.3
> >+GO_VERSION = 1.17.5
> >  GO_SITE = https://storage.googleapis.com/golang
> >  GO_SOURCE = go$(GO_VERSION).src.tar.gz
> >
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/go: security bump to 1.17.5
  2021-12-12  9:01 [Buildroot] [PATCH 1/1] package/go: security bump to 1.17.5 Christian Stewart via buildroot
  2021-12-12 15:13 ` Arnout Vandecappelle
@ 2022-01-06 21:39 ` Christian Stewart via buildroot
  2022-01-06 21:54   ` Arnout Vandecappelle
  2022-01-15 10:56   ` Peter Korsgaard
  1 sibling, 2 replies; 6+ messages in thread
From: Christian Stewart via buildroot @ 2022-01-06 21:39 UTC (permalink / raw)
  To: Christian Stewart; +Cc: Thomas Petazzoni, Buildroot Mailing List

Hi maintainers, all,

Currently 2021.11.x branch is at version 1.17.3 which is vulnerable to:

 - CVE-2021-44716
 - CVE-2021-44717

Is it currently policy to backport security patches?

Similarly the 2021.02.x LTS branch is at 1.16.10, when the security
fixes landed in 1.16.12.

I've just submitted 1.17.6 to the list and will submit 1.16.12 for
2021.02.x as well.

On Sun, Dec 12, 2021 at 1:01 AM Christian Stewart <christian@paral.in> wrote:
> --- a/package/go/go.hash
> +++ b/package/go/go.hash
> @@ -1,3 +1,3 @@
>  # From https://golang.org/dl/
> -sha256  705c64251e5b25d5d55ede1039c6aa22bea40a7a931d14c370339853643c3df0  go1.17.3.src.tar.gz
> +sha256  3defb9a09bed042403195e872dcbc8c6fae1485963332279668ec52e80a95a2d  go1.17.5.src.tar.gz
>  sha256  2d36597f7117c38b006835ae7f537487207d8ec407aa9d9980794b2030cbc067  LICENSE
> diff --git a/package/go/go.mk b/package/go/go.mk
> index 59177e54db..0d9ceab2bb 100644
> --- a/package/go/go.mk
> +++ b/package/go/go.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>
> -GO_VERSION = 1.17.3
> +GO_VERSION = 1.17.5
>  GO_SITE = https://storage.googleapis.com/golang
>  GO_SOURCE = go$(GO_VERSION).src.tar.gz

Thanks & best regards,
Christian Stewart
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/go: security bump to 1.17.5
  2022-01-06 21:39 ` Christian Stewart via buildroot
@ 2022-01-06 21:54   ` Arnout Vandecappelle
  2022-01-15 10:56   ` Peter Korsgaard
  1 sibling, 0 replies; 6+ messages in thread
From: Arnout Vandecappelle @ 2022-01-06 21:54 UTC (permalink / raw)
  To: Christian Stewart; +Cc: Thomas Petazzoni, Buildroot Mailing List



On 06/01/2022 22:39, Christian Stewart via buildroot wrote:
> Hi maintainers, all,
> 
> Currently 2021.11.x branch is at version 1.17.3 which is vulnerable to:
> 
>   - CVE-2021-44716
>   - CVE-2021-44717
> 
> Is it currently policy to backport security patches?

  Yes, of course. Peter regularly goes through the master branch and identifies 
commits for backporting. If he misses something, you can definitely ping him on it.

  Due to holidays, the last time he did that was somewhere mid-December, so the 
stable branches are running a bit behind.

> Similarly the 2021.02.x LTS branch is at 1.16.10, when the security
> fixes landed in 1.16.12.
> 
> I've just submitted 1.17.6 to the list and will submit 1.16.12 for
> 2021.02.x as well.

  A 1.1.6.12 bump for the 2021.02.x branch will definitely be welcome.

  Regards,
  Arnout

> 
> On Sun, Dec 12, 2021 at 1:01 AM Christian Stewart <christian@paral.in> wrote:
>> --- a/package/go/go.hash
>> +++ b/package/go/go.hash
>> @@ -1,3 +1,3 @@
>>   # From https://golang.org/dl/
>> -sha256  705c64251e5b25d5d55ede1039c6aa22bea40a7a931d14c370339853643c3df0  go1.17.3.src.tar.gz
>> +sha256  3defb9a09bed042403195e872dcbc8c6fae1485963332279668ec52e80a95a2d  go1.17.5.src.tar.gz
>>   sha256  2d36597f7117c38b006835ae7f537487207d8ec407aa9d9980794b2030cbc067  LICENSE
>> diff --git a/package/go/go.mk b/package/go/go.mk
>> index 59177e54db..0d9ceab2bb 100644
>> --- a/package/go/go.mk
>> +++ b/package/go/go.mk
>> @@ -4,7 +4,7 @@
>>   #
>>   ################################################################################
>>
>> -GO_VERSION = 1.17.3
>> +GO_VERSION = 1.17.5
>>   GO_SITE = https://storage.googleapis.com/golang
>>   GO_SOURCE = go$(GO_VERSION).src.tar.gz
> 
> Thanks & best regards,
> Christian Stewart
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
> 
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/go: security bump to 1.17.5
  2022-01-06 21:39 ` Christian Stewart via buildroot
  2022-01-06 21:54   ` Arnout Vandecappelle
@ 2022-01-15 10:56   ` Peter Korsgaard
  1 sibling, 0 replies; 6+ messages in thread
From: Peter Korsgaard @ 2022-01-15 10:56 UTC (permalink / raw)
  To: Christian Stewart via buildroot; +Cc: Thomas Petazzoni

>>>>> "Christian" == Christian Stewart via buildroot <buildroot@buildroot.org> writes:

 > Hi maintainers, all,
 > Currently 2021.11.x branch is at version 1.17.3 which is vulnerable to:

 >  - CVE-2021-44716
 >  - CVE-2021-44717

 > Is it currently policy to backport security patches?

 > Similarly the 2021.02.x LTS branch is at 1.16.10, when the security
 > fixes landed in 1.16.12.

 > I've just submitted 1.17.6 to the list and will submit 1.16.12 for
 > 2021.02.x as well.

Committed to 2021.11.x, thanks. Sorry for the delay.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 6+ messages in thread
end of thread, other threads:[~2022-01-15 10:56 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-12-12  9:01 [Buildroot] [PATCH 1/1] package/go: security bump to 1.17.5 Christian Stewart via buildroot
2021-12-12 15:13 ` Arnout Vandecappelle
2021-12-12 16:00   ` Yann E. MORIN
2022-01-06 21:39 ` Christian Stewart via buildroot
2022-01-06 21:54   ` Arnout Vandecappelle
2022-01-15 10:56   ` Peter Korsgaard

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.