[Buildroot] [PATCH 1/1] package/go: security bump version to 1.16.6

[Buildroot] [PATCH 1/1] package/go: security bump version to 1.16.6

[Christian Stewart]

These minor releases include a security fix according to the new security policy (#44918).

crypto/tls clients can panic when provided a certificate of the wrong type for the negotiated parameters.
net/http clients performing HTTPS requests are also affected. The panic can be triggered by an attacker
in a privileged network position without access to the server certificate's private key, as long as a trusted
ECDSA or Ed25519 certificate for the server exists (or can be issued), or the client is configured with
Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher suites (that is, TLS 1.0–1.2 cipher
suites without ECDHE), as well as TLS 1.3-only clients, are unaffected.

This is CVE-2021-34558.

View the release notes for more information:

https://golang.org/doc/devel/release.html#go1.16.minor

Signed-off-by: Christian Stewart <christian@paral.in>
---
 package/go/go.hash | 2 +-
 package/go/go.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/go/go.hash b/package/go/go.hash
index bc6147bb52..cd7f2b3813 100644
--- a/package/go/go.hash
+++ b/package/go/go.hash
@@ -1,3 +1,3 @@
 # From https://golang.org/dl/
-sha256  7bfa7e5908c7cc9e75da5ddf3066d7cbcf3fd9fa51945851325eebc17f50ba80  go1.16.5.src.tar.gz
+sha256  a3a5d4bc401b51db065e4f93b523347a4d343ae0c0b08a65c3423b05a138037d  go1.16.6.src.tar.gz
 sha256  2d36597f7117c38b006835ae7f537487207d8ec407aa9d9980794b2030cbc067  LICENSE
diff --git a/package/go/go.mk b/package/go/go.mk
index 4252691343..7d6355df92 100644
--- a/package/go/go.mk
+++ b/package/go/go.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-GO_VERSION = 1.16.5
+GO_VERSION = 1.16.6
 GO_SITE = https://storage.googleapis.com/golang
 GO_SOURCE = go$(GO_VERSION).src.tar.gz
 
-- 
2.32.0

_______________________________________________
buildroot mailing list
buildroot@busybox.net
http://lists.busybox.net/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/go: security bump version to 1.16.6

[Thomas Petazzoni]

On Thu, 29 Jul 2021 15:49:49 -0700
Christian Stewart <christian@paral.in> wrote:

> These minor releases include a security fix according to the new security policy (#44918).
> 
> crypto/tls clients can panic when provided a certificate of the wrong type for the negotiated parameters.
> net/http clients performing HTTPS requests are also affected. The panic can be triggered by an attacker
> in a privileged network position without access to the server certificate's private key, as long as a trusted
> ECDSA or Ed25519 certificate for the server exists (or can be issued), or the client is configured with
> Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher suites (that is, TLS 1.0–1.2 cipher
> suites without ECDHE), as well as TLS 1.3-only clients, are unaffected.
> 
> This is CVE-2021-34558.
> 
> View the release notes for more information:
> 
> https://golang.org/doc/devel/release.html#go1.16.minor
> 
> Signed-off-by: Christian Stewart <christian@paral.in>
> ---
>  package/go/go.hash | 2 +-
>  package/go/go.mk   | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@busybox.net
http://lists.busybox.net/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/go: security bump version to 1.16.6

[Peter Korsgaard]

>>>>> "Christian" == Christian Stewart <christian@paral.in> writes:

 > These minor releases include a security fix according to the new security policy (#44918).
 > crypto/tls clients can panic when provided a certificate of the wrong
 > type for the negotiated parameters.
 > net/http clients performing HTTPS requests are also affected. The
 > panic can be triggered by an attacker
 > in a privileged network position without access to the server
 > certificate's private key, as long as a trusted
 > ECDSA or Ed25519 certificate for the server exists (or can be issued),
 > or the client is configured with
 > Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher
 > suites (that is, TLS 1.0–1.2 cipher
 > suites without ECDHE), as well as TLS 1.3-only clients, are unaffected.

 > This is CVE-2021-34558.

 > View the release notes for more information:

 > https://golang.org/doc/devel/release.html#go1.16.minor

 > Signed-off-by: Christian Stewart <christian@paral.in>

Committed to 2021.05.x, thanks. For 2021.02.x I will instead bump to
1.5.15, which contains the same fixes.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@busybox.net
http://lists.busybox.net/mailman/listinfo/buildroot