* [Buildroot] [PATCH 1/1] package/go: security bump version to 1.16.6
@ 2021-07-29 22:49 Christian Stewart
2021-07-30 21:37 ` Thomas Petazzoni
2021-08-06 20:51 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Christian Stewart @ 2021-07-29 22:49 UTC (permalink / raw)
To: buildroot; +Cc: Christian Stewart, Yann E . MORIN, Thomas Petazzoni
These minor releases include a security fix according to the new security policy (#44918).
crypto/tls clients can panic when provided a certificate of the wrong type for the negotiated parameters.
net/http clients performing HTTPS requests are also affected. The panic can be triggered by an attacker
in a privileged network position without access to the server certificate's private key, as long as a trusted
ECDSA or Ed25519 certificate for the server exists (or can be issued), or the client is configured with
Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher suites (that is, TLS 1.0–1.2 cipher
suites without ECDHE), as well as TLS 1.3-only clients, are unaffected.
This is CVE-2021-34558.
View the release notes for more information:
https://golang.org/doc/devel/release.html#go1.16.minor
Signed-off-by: Christian Stewart <christian@paral.in>
---
package/go/go.hash | 2 +-
package/go/go.mk | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/go/go.hash b/package/go/go.hash
index bc6147bb52..cd7f2b3813 100644
--- a/package/go/go.hash
+++ b/package/go/go.hash
@@ -1,3 +1,3 @@
# From https://golang.org/dl/
-sha256 7bfa7e5908c7cc9e75da5ddf3066d7cbcf3fd9fa51945851325eebc17f50ba80 go1.16.5.src.tar.gz
+sha256 a3a5d4bc401b51db065e4f93b523347a4d343ae0c0b08a65c3423b05a138037d go1.16.6.src.tar.gz
sha256 2d36597f7117c38b006835ae7f537487207d8ec407aa9d9980794b2030cbc067 LICENSE
diff --git a/package/go/go.mk b/package/go/go.mk
index 4252691343..7d6355df92 100644
--- a/package/go/go.mk
+++ b/package/go/go.mk
@@ -4,7 +4,7 @@
#
################################################################################
-GO_VERSION = 1.16.5
+GO_VERSION = 1.16.6
GO_SITE = https://storage.googleapis.com/golang
GO_SOURCE = go$(GO_VERSION).src.tar.gz
--
2.32.0
_______________________________________________
buildroot mailing list
buildroot@busybox.net
http://lists.busybox.net/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/go: security bump version to 1.16.6
2021-07-29 22:49 [Buildroot] [PATCH 1/1] package/go: security bump version to 1.16.6 Christian Stewart
@ 2021-07-30 21:37 ` Thomas Petazzoni
2021-08-06 20:51 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Thomas Petazzoni @ 2021-07-30 21:37 UTC (permalink / raw)
To: Christian Stewart; +Cc: Yann E . MORIN, buildroot
On Thu, 29 Jul 2021 15:49:49 -0700
Christian Stewart <christian@paral.in> wrote:
> These minor releases include a security fix according to the new security policy (#44918).
>
> crypto/tls clients can panic when provided a certificate of the wrong type for the negotiated parameters.
> net/http clients performing HTTPS requests are also affected. The panic can be triggered by an attacker
> in a privileged network position without access to the server certificate's private key, as long as a trusted
> ECDSA or Ed25519 certificate for the server exists (or can be issued), or the client is configured with
> Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher suites (that is, TLS 1.0–1.2 cipher
> suites without ECDHE), as well as TLS 1.3-only clients, are unaffected.
>
> This is CVE-2021-34558.
>
> View the release notes for more information:
>
> https://golang.org/doc/devel/release.html#go1.16.minor
>
> Signed-off-by: Christian Stewart <christian@paral.in>
> ---
> package/go/go.hash | 2 +-
> package/go/go.mk | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
Applied to master, thanks.
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@busybox.net
http://lists.busybox.net/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/go: security bump version to 1.16.6
2021-07-29 22:49 [Buildroot] [PATCH 1/1] package/go: security bump version to 1.16.6 Christian Stewart
2021-07-30 21:37 ` Thomas Petazzoni
@ 2021-08-06 20:51 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2021-08-06 20:51 UTC (permalink / raw)
To: Christian Stewart; +Cc: Yann E . MORIN, Thomas Petazzoni, buildroot
>>>>> "Christian" == Christian Stewart <christian@paral.in> writes:
> These minor releases include a security fix according to the new security policy (#44918).
> crypto/tls clients can panic when provided a certificate of the wrong
> type for the negotiated parameters.
> net/http clients performing HTTPS requests are also affected. The
> panic can be triggered by an attacker
> in a privileged network position without access to the server
> certificate's private key, as long as a trusted
> ECDSA or Ed25519 certificate for the server exists (or can be issued),
> or the client is configured with
> Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher
> suites (that is, TLS 1.0–1.2 cipher
> suites without ECDHE), as well as TLS 1.3-only clients, are unaffected.
> This is CVE-2021-34558.
> View the release notes for more information:
> https://golang.org/doc/devel/release.html#go1.16.minor
> Signed-off-by: Christian Stewart <christian@paral.in>
Committed to 2021.05.x, thanks. For 2021.02.x I will instead bump to
1.5.15, which contains the same fixes.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@busybox.net
http://lists.busybox.net/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-08-06 20:51 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-07-29 22:49 [Buildroot] [PATCH 1/1] package/go: security bump version to 1.16.6 Christian Stewart
2021-07-30 21:37 ` Thomas Petazzoni
2021-08-06 20:51 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.