[Buildroot] [PATCH 1/1] package/go: security bump version to 1.16.6
Thomas Petazzoni
thomas.petazzoni at bootlin.com
Fri Jul 30 21:37:13 UTC 2021
On Thu, 29 Jul 2021 15:49:49 -0700
Christian Stewart <christian at paral.in> wrote:
> These minor releases include a security fix according to the new security policy (#44918).
>
> crypto/tls clients can panic when provided a certificate of the wrong type for the negotiated parameters.
> net/http clients performing HTTPS requests are also affected. The panic can be triggered by an attacker
> in a privileged network position without access to the server certificate's private key, as long as a trusted
> ECDSA or Ed25519 certificate for the server exists (or can be issued), or the client is configured with
> Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher suites (that is, TLS 1.0–1.2 cipher
> suites without ECDHE), as well as TLS 1.3-only clients, are unaffected.
>
> This is CVE-2021-34558.
>
> View the release notes for more information:
>
> https://golang.org/doc/devel/release.html#go1.16.minor
>
> Signed-off-by: Christian Stewart <christian at paral.in>
> ---
> package/go/go.hash | 2 +-
> package/go/go.mk | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
Applied to master, thanks.
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
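An added example, not part of the patch, the Buildroot tree or the Go project: a check for whether a `crypto/tls` client configuration falls into one of the two unaffected cases the quoted commit message names (all TLS_RSA cipher suites disabled, or TLS 1.3 only), which helps when triaging binaries that cannot be rebuilt with the bumped toolchain right away. The function names `Unaffected` and `ECDHEOnly` are hypothetical, and an unset `CipherSuites` list is assumed to possibly include TLS_RSA suites.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// Unaffected reports whether a client config falls into one of the two
// unaffected cases named in the commit message, with the reason.
func Unaffected(cfg *tls.Config) (bool, string) {
	if cfg.MinVersion >= tls.VersionTLS13 {
		return true, "TLS 1.3-only client"
	}
	if cfg.CipherSuites == nil {
		// Assumption: unset list = toolchain defaults, treated as possibly offering TLS_RSA.
		return false, "default cipher suites in use"
	}
	for _, id := range cfg.CipherSuites {
		// TLS_RSA_WITH_* are the TLS 1.0-1.2 suites without ECDHE.
		if name := tls.CipherSuiteName(id); strings.HasPrefix(name, "TLS_RSA_WITH_") {
			return false, "offers " + name
		}
	}
	return true, "all TLS_RSA cipher suites disabled"
}

// ECDHEOnly returns the ECDHE suites from the standard library's vetted list.
func ECDHEOnly() []uint16 {
	var ids []uint16
	for _, s := range tls.CipherSuites() {
		if strings.HasPrefix(s.Name, "TLS_ECDHE_") {
			ids = append(ids, s.ID)
		}
	}
	return ids
}

func main() {
	// Constructed sample client configurations.
	for _, cfg := range []*tls.Config{
		{},
		{MinVersion: tls.VersionTLS13},
		{CipherSuites: ECDHEOnly()},
	} {
		ok, why := Unaffected(cfg)
		fmt.Printf("unaffected=%-5t %s\n", ok, why)
	}
}
```

`InsecureSkipVerify` does not change the result: per the commit message it only removes the attacker's need for a trusted ECDSA or Ed25519 certificate.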