* [Buildroot] [PATCH 1/1] package/go: security bump to version 1.20.8
From: Christian Stewart via buildroot @ 2023-09-06 20:13 UTC
To: buildroot
Cc: Christian Stewart, Anisse Astier, Thomas Petazzoni,
Yann E . MORIN
go1.20.8 (released 2023-09-06) includes two security fixes to the html/template
package, as well as bug fixes to the compiler, the go command, the runtime, and
the crypto/tls, go/types, net/http, and path/filepath packages.
CVE-2023-39318: html/template: improper handling of HTML-like comments within script contexts
CVE-2023-39319: html/template: improper handling of special tags within script contexts
CVE-2023-39321: crypto/tls: panic when processing post-handshake message on QUIC connections
https://go.dev/doc/devel/release#go1.20.0
Signed-off-by: Christian Stewart <christian@aperture.us>
---
package/go/go.hash | 2 +-
package/go/go.mk | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/go/go.hash b/package/go/go.hash
index 2298534d91..19405982ba 100644
--- a/package/go/go.hash
+++ b/package/go/go.hash
@@ -1,3 +1,3 @@
# From https://go.dev/dl
-sha256 2c5ee9c9ec1e733b0dbbc2bdfed3f62306e51d8172bf38f4f4e542b27520f597 go1.20.7.src.tar.gz
+sha256 38d71714fa5279f97240451956d8e47e3c1b6a5de7cb84137949d62b5dd3182e go1.20.8.src.tar.gz
sha256 2d36597f7117c38b006835ae7f537487207d8ec407aa9d9980794b2030cbc067 LICENSE
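Review bot: The new go1.20.8.src.tar.gz sha256 sits under the comment "# From https://go.dev/dl", so it needs to be the checksum published on that page, not one computed from a locally fetched tarball. Please confirm that is how it was obtained, since go.mk downloads the archive from a different host (GO_SITE, storage.googleapis.com/golang) and the hash is the only check tying the two together. The unchanged LICENSE hash looks consistent with a minor release.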
diff --git a/package/go/go.mk b/package/go/go.mk
index fc1d9ed681..c1e9f2f8f6 100644
--- a/package/go/go.mk
+++ b/package/go/go.mk
@@ -4,7 +4,7 @@
#
################################################################################
-GO_VERSION = 1.20.7
+GO_VERSION = 1.20.8
GO_SITE = https://storage.googleapis.com/golang
GO_SOURCE = go$(GO_VERSION).src.tar.gz
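Review bot: The commit log backing the GO_VERSION = 1.20.8 line is inconsistent: it says "two security fixes to the html/template package" but then lists three CVEs, and the third (CVE-2023-39321) is attributed to crypto/tls. Please reconcile the count with the list so that anyone backporting to a stable branch can tell which CVEs this version actually fixes. The release-notes link also carries the fragment #go1.20.0 while the bump is to 1.20.8; pointing it at the 1.20.8 entry would make the reference easier to check.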
--
2.42.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* Re: [Buildroot] [PATCH 1/1] package/go: security bump to version 1.20.8
From: Thomas Petazzoni via buildroot @ 2023-09-08 20:24 UTC
To: Christian Stewart via buildroot
Cc: Anisse Astier, Christian Stewart, Yann E . MORIN
On Wed, 6 Sep 2023 13:13:58 -0700
Christian Stewart via buildroot <buildroot@buildroot.org> wrote:
> go1.20.8 (released 2023-09-06) includes two security fixes to the html/template
> package, as well as bug fixes to the compiler, the go command, the runtime, and
> the crypto/tls, go/types, net/http, and path/filepath packages.
>
> CVE-2023-39318: html/template: improper handling of HTML-like comments within script contexts
> CVE-2023-39319: html/template: improper handling of special tags within script contexts
> CVE-2023-39321: crypto/tls: panic when processing post-handshake message on QUIC connections
>
> https://go.dev/doc/devel/release#go1.20.0
>
> Signed-off-by: Christian Stewart <christian@aperture.us>
This is not relevant for the master branch, which already has 1.21.1.
However, this patch is applicable to 2023.08.x. For 2023.05.x and
2023.02.x, the 1.19.x series is used, so we would need an update to
1.19.13 I believe.
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
* Re: [Buildroot] [PATCH 1/1] package/go: security bump to version 1.20.8
From: Peter Korsgaard @ 2023-09-14 18:22 UTC
To: Christian Stewart
Cc: Thomas Petazzoni, Anisse Astier, Yann E . MORIN, buildroot
>>>>> "Christian" == Christian Stewart <christian@aperture.us> writes:
> go1.20.8 (released 2023-09-06) includes two security fixes to the html/template
> package, as well as bug fixes to the compiler, the go command, the runtime, and
> the crypto/tls, go/types, net/http, and path/filepath packages.
> CVE-2023-39318: html/template: improper handling of HTML-like comments within script contexts
> CVE-2023-39319: html/template: improper handling of special tags within script contexts
> CVE-2023-39321: crypto/tls: panic when processing post-handshake message on QUIC connections
> https://go.dev/doc/devel/release#go1.20.0
> Signed-off-by: Christian Stewart <christian@aperture.us>
Committed to 2023.08.x, thanks.
--
Bye, Peter Korsgaard