[Buildroot] [PATCH 1/1] package/go: security bump version to 1.16.6
Peter Korsgaard
peter at korsgaard.com
Fri Aug 6 20:51:39 UTC 2021
>>>>> "Christian" == Christian Stewart <christian at paral.in> writes:
> These minor releases include a security fix according to the new security policy (#44918).
> crypto/tls clients can panic when provided a certificate of the wrong
> type for the negotiated parameters. net/http clients performing HTTPS
> requests are also affected. The panic can be triggered by an attacker
> in a privileged network position without access to the server
> certificate's private key, as long as a trusted ECDSA or Ed25519
> certificate for the server exists (or can be issued), or the client is
> configured with Config.InsecureSkipVerify. Clients that disable all
> TLS_RSA cipher suites (that is, TLS 1.0–1.2 cipher suites without
> ECDHE), as well as TLS 1.3-only clients, are unaffected.
> This is CVE-2021-34558.
> View the release notes for more information:
> https://golang.org/doc/devel/release.html#go1.16.minor
> Signed-off-by: Christian Stewart <christian at paral.in>
Committed to 2021.05.x, thanks. For 2021.02.x I will instead bump to
1.5.15, which contains the same fixes.
--
Bye, Peter Korsgaard
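
Added example, not part of the original message or of the Go project's code: a client-side audit that sorts a `tls.Config` into the two unaffected classes named in the quoted advisory (TLS 1.3-only, or no TLS_RSA cipher suites) or flags it as exposed. The function name `exposure` and the sample configurations are constructed for illustration, and treating a nil `CipherSuites` as exposed assumes the default list of the affected releases still offered TLS_RSA suites.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// exposure checks a client config against the two unaffected classes in
// the advisory and returns whether it is exposed, with the reason.
func exposure(cfg *tls.Config) (bool, string) {
	if cfg.MinVersion >= tls.VersionTLS13 {
		return false, "TLS 1.3-only client"
	}
	if cfg.CipherSuites == nil {
		// Assumption: defaults on affected releases still offer TLS_RSA_WITH_*.
		return true, "default cipher suites"
	}
	for _, id := range cfg.CipherSuites {
		// TLS_RSA_WITH_* = TLS 1.0-1.2 static RSA key exchange, no ECDHE.
		if name := tls.CipherSuiteName(id); strings.HasPrefix(name, "TLS_RSA_WITH_") {
			return true, "offers " + name
		}
	}
	return false, "all TLS_RSA cipher suites disabled"
}

func main() {
	// Constructed sample client configurations.
	samples := []struct {
		name string
		cfg  *tls.Config
	}{
		{"defaults", &tls.Config{}},
		{"tls13-only", &tls.Config{MinVersion: tls.VersionTLS13}},
		{"ecdhe-only", &tls.Config{CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}}},
		{"mixed", &tls.Config{CipherSuites: []uint16{
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_RSA_WITH_AES_128_GCM_SHA256}}},
	}
	for _, s := range samples {
		exposed, why := exposure(s.cfg)
		fmt.Printf("%-11s exposed=%-5v %s\n", s.name, exposed, why)
	}
}
```

A config reported as not exposed only matches the advisory's unaffected classes; the version bump remains the fix.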