* [Buildroot] [PATCH-2023.08.x] package/go: security bump to version 1.20.9
@ 2023-10-06 9:51 Peter Korsgaard
2023-10-08 16:11 ` Peter Korsgaard
0 siblings, 1 reply; 4+ messages in thread
From: Peter Korsgaard @ 2023-10-06 9:51 UTC (permalink / raw)
To: buildroot; +Cc: Anisse Astier, Christian Stewart
Fixes CVE-2023-39323: Line directives ("//line") can be used to bypass the
restrictions on "//go:cgo_" directives, allowing blocked linker and compiler
flags to be passed during compilation. This can result in unexpected
execution of arbitrary code when running "go build".
go1.20.9 (released 2023-10-05) includes one security fixes to the cmd/go
package, as well as bug fixes to the go command and the linker.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/go/go.hash | 2 +-
package/go/go.mk | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/go/go.hash b/package/go/go.hash
index 19405982ba..ac603e6e3b 100644
--- a/package/go/go.hash
+++ b/package/go/go.hash
@@ -1,3 +1,3 @@
# From https://go.dev/dl
-sha256 38d71714fa5279f97240451956d8e47e3c1b6a5de7cb84137949d62b5dd3182e go1.20.8.src.tar.gz
+sha256 4923920381cd71d68b527761afefa523ea18c5831b4795034c827e18b685cdcf go1.20.9.src.tar.gz
sha256 2d36597f7117c38b006835ae7f537487207d8ec407aa9d9980794b2030cbc067 LICENSE
diff --git a/package/go/go.mk b/package/go/go.mk
index c1e9f2f8f6..d75c1afa9e 100644
--- a/package/go/go.mk
+++ b/package/go/go.mk
@@ -4,7 +4,7 @@
#
################################################################################
-GO_VERSION = 1.20.8
+GO_VERSION = 1.20.9
GO_SITE = https://storage.googleapis.com/golang
GO_SOURCE = go$(GO_VERSION).src.tar.gz
--
2.30.2
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [Buildroot] [PATCH-2023.08.x] package/go: security bump to version 1.20.9
2023-10-06 9:51 [Buildroot] [PATCH-2023.08.x] package/go: security bump to version 1.20.9 Peter Korsgaard
@ 2023-10-08 16:11 ` Peter Korsgaard
2023-10-08 19:23 ` Christian Stewart via buildroot
0 siblings, 1 reply; 4+ messages in thread
From: Peter Korsgaard @ 2023-10-08 16:11 UTC (permalink / raw)
To: buildroot; +Cc: Anisse Astier, Christian Stewart
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Fixes CVE-2023-39323: Line directives ("//line") can be used to bypass the
> restrictions on "//go:cgo_" directives, allowing blocked linker and compiler
> flags to be passed during compilation. This can result in unexpected
> execution of arbitrary code when running "go build".
> go1.20.9 (released 2023-10-05) includes one security fixes to the cmd/go
> package, as well as bug fixes to the go command and the linker.
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2023.08.x, thanks.
I'll also bump 2023.02.x to this as 1.19.x no longer is getting updates.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [Buildroot] [PATCH-2023.08.x] package/go: security bump to version 1.20.9
2023-10-08 16:11 ` Peter Korsgaard
@ 2023-10-08 19:23 ` Christian Stewart via buildroot
2023-10-08 19:33 ` Peter Korsgaard
0 siblings, 1 reply; 4+ messages in thread
From: Christian Stewart via buildroot @ 2023-10-08 19:23 UTC (permalink / raw)
To: Peter Korsgaard; +Cc: Anisse Astier, Buildroot Mailing List
[-- Attachment #1.1: Type: text/plain, Size: 898 bytes --]
Hi Peter,
On Sun, Oct 8, 2023, 9:12 AM Peter Korsgaard <peter@korsgaard.com> wrote:
> >>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
>
> > Fixes CVE-2023-39323: Line directives ("//line") can be used to bypass
> the
> > restrictions on "//go:cgo_" directives, allowing blocked linker and
> compiler
> > flags to be passed during compilation. This can result in unexpected
> > execution of arbitrary code when running "go build".
>
> > go1.20.9 (released 2023-10-05) includes one security fixes to the cmd/go
> > package, as well as bug fixes to the go command and the linker.
>
> > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
>
> Committed to 2023.08.x, thanks.
>
> I'll also bump 2023.02.x to this as 1.19.x no longer is getting updates.
>
Please also note that the bump from 1.19 to 1.20 requires the additional
bootstrap packages.
Best,
Christian Stewart
>
[-- Attachment #1.2: Type: text/html, Size: 1746 bytes --]
[-- Attachment #2: Type: text/plain, Size: 150 bytes --]
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2023-10-08 19:33 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-10-06 9:51 [Buildroot] [PATCH-2023.08.x] package/go: security bump to version 1.20.9 Peter Korsgaard
2023-10-08 16:11 ` Peter Korsgaard
2023-10-08 19:23 ` Christian Stewart via buildroot
2023-10-08 19:33 ` Peter Korsgaard
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox