[Buildroot] [PATCH] package/go: security bump to version 1.16.5

Peter Korsgaard peter at korsgaard.com
Thu Jun 10 20:51:57 UTC 2021

>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:
 >> Fixes the following security issues:
 >> - CVE-2021-33195: The LookupCNAME, LookupSRV, LookupMX, LookupNS, and
 >> LookupAddr functions in net, and their respective methods on the Resolver
 >> type may return arbitrary values retrieved from DNS which do not follow
 >> the established RFC 1035 rules for domain names.  If these names are used
 >> without further sanitization, for instance unsafely included in HTML, they
 >> may allow for injection of unexpected content.  Note that LookupTXT may
 >> still return arbitrary values that could require sanitization before
 >> further use

 >> - CVE-2021-33196: The NewReader and OpenReader functions in archive/zip can
 >> cause a panic or an unrecoverable fatal error when reading an archive that
 >> claims to contain a large number of files, regardless of its actual size

 >> - CVE-2021-33197: ReverseProxy in net/http/httputil could be made to forward
 >> certain hop-by-hop headers, including Connection.  In case the target of
 >> the ReverseProxy was itself a reverse proxy, this would let an attacker
 >> drop arbitrary headers, including those set by the ReverseProxy.Director

 >> - CVE-2021-33198: The SetString and UnmarshalText methods of math/big.Rat
 >> may cause a panic or an unrecoverable fatal error if passed inputs with
 >> very large exponents

 >> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>

For 2021.02.x I have instead bumped to 1.15.13, which contains the same
security fixes.

Bye, Peter Korsgaard

More information about the buildroot mailing list