* [Buildroot] [git commit branch/2021.02.x] package/go: security bump to version 1.15.15
@ 2021-08-06 20:57 Peter Korsgaard
From: Peter Korsgaard @ 2021-08-06 20:57 UTC (permalink / raw)
  To: buildroot


commit: https://git.buildroot.net/buildroot/commit/?id=9f2ea984eeb3d8c98fab184e9b2900c962112b85
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2021.02.x

Fixes the following security issues:

- CVE-2021-34558: crypto/tls clients can panic when provided a certificate
  of the wrong type for the negotiated parameters.  net/http clients
  performing HTTPS requests are also affected.  The panic can be triggered
  by an attacker in a privileged network position without access to the
  server certificate's private key, as long as a trusted ECDSA or Ed25519
  certificate for the server exists (or can be issued), or the client is
  configured with Config.InsecureSkipVerify.  Clients that disable all
  TLS_RSA cipher suites (that is, TLS 1.0–1.2 cipher suites without ECDHE),
  as well as TLS 1.3-only clients, are unaffected.

- CVE-2021-36221: A net/http/httputil ReverseProxy can panic due to a race
  condition if its Handler aborts with ErrAbortHandler, for example due to
  an error in copying the response body.  An attacker might be able to force
  the conditions leading to the race condition.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/go/go.hash | 2 +-
 package/go/go.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/go/go.hash b/package/go/go.hash
index e077d55441..d89c01911a 100644
--- a/package/go/go.hash
+++ b/package/go/go.hash
@@ -1,3 +1,3 @@
 # From https://golang.org/dl/
-sha256  99069e7223479cce4553f84f874b9345f6f4045f27cf5089489b546da619a244  go1.15.13.src.tar.gz
+sha256  0662ae3813330280d5f1a97a2ee23bbdbe3a5a7cfa6001b24a9873a19a0dc7ec  go1.15.15.src.tar.gz
 sha256	2d36597f7117c38b006835ae7f537487207d8ec407aa9d9980794b2030cbc067  LICENSE
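Review bot: the unchanged LICENSE line at the end of this hunk separates `sha256` from the hash with a tab, while the tarball line being replaced uses two spaces; since the file is touched anyway, normalising that separator would keep the file consistent. The header comment attributes the hashes to https://golang.org/dl/, so the new go1.15.15.src.tar.gz value should be checked against that page rather than computed from a locally downloaded tarball, which would only prove the download matches itself.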
diff --git a/package/go/go.mk b/package/go/go.mk
index 3d1dcf02d7..913ee68482 100644
--- a/package/go/go.mk
+++ b/package/go/go.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-GO_VERSION = 1.15.13
+GO_VERSION = 1.15.15
 GO_SITE = https://storage.googleapis.com/golang
 GO_SOURCE = go$(GO_VERSION).src.tar.gz
 
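Review bot: `GO_VERSION` goes from 1.15.13 straight to 1.15.15, skipping 1.15.14, and the commit message lists two CVEs without saying which upstream release fixes which. Naming the fixing release next to each CVE in the commit message would make the bump easier to audit when it is backported to other branches.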
