[Buildroot] [PATCH] package/go: security bump to version 1.11.4

Thomas Petazzoni thomas.petazzoni at bootlin.com
Sun Dec 16 11:17:58 UTC 2018


Hello,

On Sat, 15 Dec 2018 16:50:10 +0100, Peter Korsgaard wrote:
> go 1.11.3 fixes the following security issues:
> 
> cmd/go: remote command execution during "go get -u"
> The issue is CVE-2018-16873 and Go issue golang.org/issue/29230. See the Go issue for details.
> Thanks to Etienne Stalmans from the Heroku platform security team for discovering and reporting this issue.
> 
> cmd/go: directory traversal in "go get" via curly braces in import paths
> The issue is CVE-2018-16874 and Go issue golang.org/issue/29231. See the Go issue for details.
> Thanks to ztz of Tencent Security Platform for discovering and reporting this issue.
> 
> crypto/x509: CPU denial of service in chain validation
> The issue is CVE-2018-16875 and Go issue golang.org/issue/29233. See the Go issue for details.
> Thanks to Netflix for discovering and reporting this issue.
> 
> go 1.11.4 fixes issues, including regressions introduced by 1.11.3:
> 
> 1.11.4 includes fixes to cgo, the compiler, linker, runtime, documentation, go
> command, and the net/http and go/types packages.  It includes a fix to a bug
> introduced in Go 1.11.3 that broke go get for import path patterns
> containing "...".
> 
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
> ---
>  package/go/go.hash | 2 +-
>  package/go/go.mk   | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


More information about the buildroot mailing list