From 637709038c49f25a9f804999ca620b81f52947c0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?= Date: Tue, 5 Nov 2024 13:21:39 +0100 Subject: [PATCH] Sync from SUSE:ALP:Source:Standard:1.0 go1.21-openssl revision be0e6a7a42fd00aa9ef26053c600b45a --- go1.21-openssl.changes | 168 ++++++++++++++++++++++++++++++++- go1.21-openssl.spec | 12 ++- go1.21.13.4-openssl.src.tar.gz | 3 + go1.21.13.src.tar.gz | 3 + go1.21.7.1-openssl.src.tar.gz | 3 - go1.21.7.src.tar.gz | 3 - 6 files changed, 178 insertions(+), 14 deletions(-) create mode 100644 go1.21.13.4-openssl.src.tar.gz create mode 100644 go1.21.13.src.tar.gz delete mode 100644 go1.21.7.1-openssl.src.tar.gz delete mode 100644 go1.21.7.src.tar.gz diff --git a/go1.21-openssl.changes b/go1.21-openssl.changes index a8d8fc5..78f6541 100644 --- a/go1.21-openssl.changes +++ b/go1.21-openssl.changes @@ -1,3 +1,142 @@ +------------------------------------------------------------------- +Tue Oct 1 00:31:42 UTC 2024 - Jeff Kowalczyk +- Packaging improvements: + Refs jsc#SLE-18320 + * Iterate over all patches in the upstream patch set. In addition + to the two large primary patches 000-initial-setup.patch and + 001-initial-openssl-for-fips.patch, various fixes are being + applied in smaller patches. Ensure that we apply all of these. + +------------------------------------------------------------------- +Mon Sep 16 16:09:28 UTC 2024 - Jeff Kowalczyk + +- Update to version 1.21.13.4 cut from the go1.21-fips-release + branch at the revision tagged go1.21.13-4-openssl-fips. + Refs jsc#SLE-18320 + * Update update initial openssl patch to reflect the previous + update (1.21.13.2) to the openssl bindings + +------------------------------------------------------------------- +Thu Sep 12 12:55:39 UTC 2024 - Jeff Kowalczyk + +- Update to version 1.21.13.3 cut from the go1.21-fips-release + branch at the revision tagged go1.21.13-3-openssl-fips. + Refs jsc#SLE-18320 + * Backport CVE fixes from Go 1.22.7 (#230) + Upstream creates backports since go1.23-openssl not yet branched + * go#69142 go#69138 boo#1230252 security: fixes CVE-2024-34155 go/parser: track depth in nested element lists + * go#69144 go#69139 boo#1230253 security: fixes CVE-2024-34156 encoding/gob: cover missed cases when checking ignore depth + * go#69148 go#69141 boo#1230254 security: fixes CVE-2024-34158 go/build/constraint: add parsing limits + +------------------------------------------------------------------- +Wed Sep 4 13:29:02 UTC 2024 - Jeff Kowalczyk + +- Update to version 1.21.13.2 cut from the go1.21-fips-release + branch at the revision tagged go1.21.13-2-openssl-fips. + Refs jsc#SLE-18320 + * Fast forward golang-fips/openssl to latest v1 (#225) + +------------------------------------------------------------------- +Mon Aug 19 11:32:12 UTC 2024 - Jeff Kowalczyk + +- Update to version 1.21.13.1 cut from the go1.21-fips-release + branch at the revision tagged go1.21.13-1-openssl-fips. + Refs jsc#SLE-18320 + * Update to go1.21.13 + +------------------------------------------------------------------- +Tue Aug 6 17:39:08 UTC 2024 - Jeff Kowalczyk + +- go1.21.13 (released 2024-08-06) includes fixes to the go command, + the covdata command, and the bytes package. + Refs boo#1212475 go1.21 release tracking + * go#68491 cmd/covdata: too many open files due to defer f.Close() in for loop + * go#68474 bytes: IndexByte can return -4294967295 when memory usage is above 2^31 on js/wasm + * go#68221 cmd/go: list with -export and -covermode=atomic fails to build + +------------------------------------------------------------------- +Tue Jul 2 18:51:48 UTC 2024 - Jeff Kowalczyk + +- go1.21.12 (released 2024-07-02) includes security fixes to the + net/http package, as well as bug fixes to the compiler, the go + command, the runtime, and the crypto/x509, net/http, net/netip, + and os packages. + Refs boo#1212475 go1.21 release tracking + CVE-2024-24791 + * go#68199 go#67555 boo#1227314 security: fix CVE CVE-2024-24791 net/http: expect: 100-continue handling is broken in various ways + * go#67297 runtime: "fatal: morestack on g0" on amd64 after upgrade to Go 1.21, stale bounds + * go#67426 cmd/link: need to handle new-style loong64 relocs + * go#67714 cmd/cgo/internal/swig,cmd/go,x/build: swig cgo tests incompatible with C++ toolchain on builders + * go#67849 go/internal/gccgoimporter: go building failing with gcc 14.1.0 + * go#67933 net: go DNS resolver fails to connect to local DNS server + * go#67944 cmd/link: using -fuzz with test that links with cgo on darwin causes linker failure + * go#68051 cmd/go: go list -u -m all fails loading module retractions: module requires go >= 1.N+1 (running go 1.N) + +------------------------------------------------------------------- +Wed Jun 5 19:13:50 2024 - Jeff Kowalczyk +- Update to version 1.21.11.1 cut from the go1.21-fips-release + branch at the revision tagged go1.21.11-1-openssl-fips. + Refs jsc#SLE-18320 + * Update to go1.21.11 + +------------------------------------------------------------------- +Tue Jun 4 18:11:01 UTC 2024 - Jeff Kowalczyk + +- go1.21.11 (released 2024-06-04) includes security fixes to the + archive/zip and net/netip packages, as well as bug fixes to the + compiler, the go command, the runtime, and the os package. + Refs boo#1212475 go1.21 release tracking + CVE-2024-24789 CVE-2024-24790 + * go#67553 go#66869 boo#1225973 security: fix CVE-2024-24789 archive/zip: EOCDR comment length handling is inconsistent with other ZIP implementations + * go#67681 go#67680 boo#1225974 security: fix CVE-2024-24790 net/netip: unexpected behavior from Is methods for IPv4-mapped IPv6 addresses + * go#64586 cmd/go: spurious "v1.x.y is not a tag" error when a tag's commit was previously download without the tag + * go#67164 cmd/compile: SIGBUS unaligned access on mips64 via qemu-mips64 + * go#67187 runtime/metrics: /memory/classes/heap/unused:bytes spikes + * go#67235 cmd/go: mod tidy reports toolchain not available with 'go 1.21' + * go#67310 cmd/go: TestScript/gotoolchain_issue66175 fails on tip locally + * go#67351 crypto/x509: TestPlatformVerifier failures on Windows due to broken connections + * go#67695 os: RemoveAll susceptible to symlink race + +------------------------------------------------------------------- +Wed May 22 13:12:33 2024 - Jeff Kowalczyk +- Update to version 1.21.10.1 cut from the go1.21-fips-release + branch at the revision tagged go1.21.10-1-openssl-fips. + Refs jsc#SLE-18320 + * Update to go1.21.10 + * backport of fix linkage in RHEL builds to go1.21 + * Skip broken PKCS overlong message test + +------------------------------------------------------------------- +Tue May 7 16:00:50 UTC 2024 - Jeff Kowalczyk + +- go1.21.10 (released 2024-05-07) includes security fixes to the go + command, as well as bug fixes to the net/http package. + Refs boo#1212475 go1.21 release tracking + CVE-2024-24787 + * go#67121 go#67119 boo#1224017 security: fix CVE-2024-24787 cmd/go: arbitrary code execution during build on darwin + * go#66697 net/http: TestRequestLimit/h2 becomes significantly more expensive and slower after x/net@v0.23.0 + +------------------------------------------------------------------- +Thu Apr 4 19:11:07 UTC 2024 - Jeff Kowalczyk + +- Update to version 1.21.9.1 cut from the go1.21-fips-release + branch at the revision tagged go1.21.9-1-openssl-fips. + Refs jsc#SLE-18320 + * Update to go1.21.9 + +------------------------------------------------------------------- +Wed Apr 3 15:35:16 UTC 2024 - Jeff Kowalczyk + +- go1.21.9 (released 2024-04-03) includes a security fix to the + net/http package, as well as bug fixes to the linker, and the + go/types and net/http packages. + Refs boo#1212475 go1.21 release tracking + CVE-2023-45288 + * go#65387 go#65051 boo#1221400 security: fix CVE-2023-45288 net/http, x/net/http2: close connections when receiving too many headers + * go#66254 net/http: http2 round tripper nil pointer dereference causes panic causing deadlock + * go#66326 cmd/compile: //go:build file version ignored when using generic function from package "slices" in Go 1.21 + * go#66411 cmd/link: bad carrier sym for symbol runtime.elf_savegpr0.args_stackmap on ppc64le + ------------------------------------------------------------------- Wed Mar 13 14:06:49 UTC 2024 - Jeff Kowalczyk @@ -11,6 +150,27 @@ Wed Mar 13 14:06:49 UTC 2024 - Jeff Kowalczyk * Feature go build -buildmode=shared is deprecated by upstream, but not yet removed. +------------------------------------------------------------------- +Tue Mar 5 17:38:51 UTC 2024 - Jeff Kowalczyk + +- go1.21.8 (released 2024-03-05) includes security fixes to the + crypto/x509, html/template, net/http, net/http/cookiejar, and + net/mail packages, as well as bug fixes to the go command and the + runtime. + Refs boo#1212475 go1.21 release tracking + CVE-2023-45289 CVE-2023-45290 CVE-2024-24783 CVE-2024-24784 CVE-2024-24785 + * go#65385 go#65065 boo#1221000 security: fix CVE-2023-45289 net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect + * go#65389 go#65383 boo#1221001 security: fix CVE-2023-45290 net/http: memory exhaustion in Request.ParseMultipartForm + * go#65392 go#65390 boo#1220999 security: fix CVE-2024-24783 crypto/x509: Verify panics on certificates with an unknown public key algorithm + * go#65848 go#65083 boo#1221002 security: fix CVE-2024-24784 net/mail: comments in display names are incorrectly handled + * go#65968 go#65697 boo#1221003 security: fix CVE-2024-24785 html/template: errors returned from MarshalJSON methods may break template escaping + * go#65472 internal/testenv: TestHasGoBuild failures on the LUCI noopt builders + * go#65475 internal/testenv: support LUCI mobile builders in testenv tests + * go#65478 runtime: don't let the tests leave core files behind + * go#65640 cmd/cgo/internal/testsanitizers,x/build: LUCI clang15 builders failing + * go#65851 cmd/go: "missing ziphash" error with go.work + * go#65882 internal/poll: invalid uintptr conversion in call to windows.SetFileInformationByHandle + ------------------------------------------------------------------- Tue Feb 27 05:45:13 UTC 2024 - Jeff Kowalczyk @@ -20,7 +180,7 @@ Tue Feb 27 05:45:13 UTC 2024 - Jeff Kowalczyk ------------------------------------------------------------------- Thu Feb 8 13:19:41 UTC 2024 - Jeff Kowalczyk -- Update to version 1.21.7.1 cut from the go1.21-openssl-fips +- Update to version 1.21.7.1 cut from the go1.21-fips-release branch at the revision tagged go1.21.7-1-openssl-fips. * Update to go1.21.7 @@ -69,7 +229,7 @@ Tue Jan 9 18:40:15 UTC 2024 - Jeff Kowalczyk ------------------------------------------------------------------- Thu Dec 7 19:15:40 UTC 2023 - Jeff Kowalczyk -- Update to version 1.21.5.1 cut from the go1.21-openssl-fips +- Update to version 1.21.5.1 cut from the go1.21-fips-release branch at the revision tagged go1.21.5-1-openssl-fips. * Update to go1.21.5 @@ -97,7 +257,7 @@ Tue Dec 5 19:03:51 UTC 2023 - Jeff Kowalczyk ------------------------------------------------------------------- Tue Nov 7 22:51:37 UTC 2023 - Jeff Kowalczyk -- Update to version 1.21.4.1 cut from the go1.21-openssl-fips +- Update to version 1.21.4.1 cut from the go1.21-fips-release branch at the revision tagged go1.21.4-1-openssl-fips. * Update to go1.21.4 @@ -123,7 +283,7 @@ Tue Nov 7 19:29:09 UTC 2023 - Jeff Kowalczyk Thu Oct 19 13:08:42 UTC 2023 - Jeff Kowalczyk - Initial package go1.21-openssl version 1.21.3.1 cut from the - go1.21-openssl-fips branch at the revision tagged + go1.21-fips-release branch at the revision tagged go1.21.3-1-openssl-fips. Refs jsc#SLE-18320 * Go upstream merged branch dev.boringcrypto in go1.19+. diff --git a/go1.21-openssl.spec b/go1.21-openssl.spec index 8d1c960..da0ed73 100644 --- a/go1.21-openssl.spec +++ b/go1.21-openssl.spec @@ -126,9 +126,9 @@ %endif Name: go1.21-openssl -Version: 1.21.7.1 +Version: 1.21.13.4 # Drop our added final dot and digit to define upstream version -%define shortversion 1.21.7 +%define shortversion 1.21.13 Release: 0 Summary: A compiled, garbage-collected, concurrent programming language License: BSD-3-Clause @@ -238,8 +238,12 @@ cp %{SOURCE4} . # Apply golang-fips OpenSSL patch set to upstream go1.x sources %setup -q -D -T -b 10 -n go -patch -p1