Sync from SUSE:SLFO:Main go1.21-openssl revision be0e6a7a42fd00aa9ef26053c600b45a

This commit is contained in:
Adrian Schröter 2024-10-30 16:11:40 +01:00
parent d6515252b0
commit dc8db3e77b
6 changed files with 178 additions and 14 deletions

View File

@ -1,3 +1,142 @@
-------------------------------------------------------------------
Tue Oct 1 00:31:42 UTC 2024 - Jeff Kowalczyk <jkowalczyk@suse.com>
- Packaging improvements:
Refs jsc#SLE-18320
* Iterate over all patches in the upstream patch set. In addition
to the two large primary patches 000-initial-setup.patch and
001-initial-openssl-for-fips.patch, various fixes are being
applied in smaller patches. Ensure that we apply all of these.
-------------------------------------------------------------------
Mon Sep 16 16:09:28 UTC 2024 - Jeff Kowalczyk <jkowalczyk@suse.com>
- Update to version 1.21.13.4 cut from the go1.21-fips-release
branch at the revision tagged go1.21.13-4-openssl-fips.
Refs jsc#SLE-18320
* Update update initial openssl patch to reflect the previous
update (1.21.13.2) to the openssl bindings
-------------------------------------------------------------------
Thu Sep 12 12:55:39 UTC 2024 - Jeff Kowalczyk <jkowalczyk@suse.com>
- Update to version 1.21.13.3 cut from the go1.21-fips-release
branch at the revision tagged go1.21.13-3-openssl-fips.
Refs jsc#SLE-18320
* Backport CVE fixes from Go 1.22.7 (#230)
Upstream creates backports since go1.23-openssl not yet branched
* go#69142 go#69138 boo#1230252 security: fixes CVE-2024-34155 go/parser: track depth in nested element lists
* go#69144 go#69139 boo#1230253 security: fixes CVE-2024-34156 encoding/gob: cover missed cases when checking ignore depth
* go#69148 go#69141 boo#1230254 security: fixes CVE-2024-34158 go/build/constraint: add parsing limits
-------------------------------------------------------------------
Wed Sep 4 13:29:02 UTC 2024 - Jeff Kowalczyk <jkowalczyk@suse.com>
- Update to version 1.21.13.2 cut from the go1.21-fips-release
branch at the revision tagged go1.21.13-2-openssl-fips.
Refs jsc#SLE-18320
* Fast forward golang-fips/openssl to latest v1 (#225)
-------------------------------------------------------------------
Mon Aug 19 11:32:12 UTC 2024 - Jeff Kowalczyk <jkowalczyk@suse.com>
- Update to version 1.21.13.1 cut from the go1.21-fips-release
branch at the revision tagged go1.21.13-1-openssl-fips.
Refs jsc#SLE-18320
* Update to go1.21.13
-------------------------------------------------------------------
Tue Aug 6 17:39:08 UTC 2024 - Jeff Kowalczyk <jkowalczyk@suse.com>
- go1.21.13 (released 2024-08-06) includes fixes to the go command,
the covdata command, and the bytes package.
Refs boo#1212475 go1.21 release tracking
* go#68491 cmd/covdata: too many open files due to defer f.Close() in for loop
* go#68474 bytes: IndexByte can return -4294967295 when memory usage is above 2^31 on js/wasm
* go#68221 cmd/go: list with -export and -covermode=atomic fails to build
-------------------------------------------------------------------
Tue Jul 2 18:51:48 UTC 2024 - Jeff Kowalczyk <jkowalczyk@suse.com>
- go1.21.12 (released 2024-07-02) includes security fixes to the
net/http package, as well as bug fixes to the compiler, the go
command, the runtime, and the crypto/x509, net/http, net/netip,
and os packages.
Refs boo#1212475 go1.21 release tracking
CVE-2024-24791
* go#68199 go#67555 boo#1227314 security: fix CVE CVE-2024-24791 net/http: expect: 100-continue handling is broken in various ways
* go#67297 runtime: "fatal: morestack on g0" on amd64 after upgrade to Go 1.21, stale bounds
* go#67426 cmd/link: need to handle new-style loong64 relocs
* go#67714 cmd/cgo/internal/swig,cmd/go,x/build: swig cgo tests incompatible with C++ toolchain on builders
* go#67849 go/internal/gccgoimporter: go building failing with gcc 14.1.0
* go#67933 net: go DNS resolver fails to connect to local DNS server
* go#67944 cmd/link: using -fuzz with test that links with cgo on darwin causes linker failure
* go#68051 cmd/go: go list -u -m all fails loading module retractions: module requires go >= 1.N+1 (running go 1.N)
-------------------------------------------------------------------
Wed Jun 5 19:13:50 2024 - Jeff Kowalczyk <jkowalczyk@suse.com>
- Update to version 1.21.11.1 cut from the go1.21-fips-release
branch at the revision tagged go1.21.11-1-openssl-fips.
Refs jsc#SLE-18320
* Update to go1.21.11
-------------------------------------------------------------------
Tue Jun 4 18:11:01 UTC 2024 - Jeff Kowalczyk <jkowalczyk@suse.com>
- go1.21.11 (released 2024-06-04) includes security fixes to the
archive/zip and net/netip packages, as well as bug fixes to the
compiler, the go command, the runtime, and the os package.
Refs boo#1212475 go1.21 release tracking
CVE-2024-24789 CVE-2024-24790
* go#67553 go#66869 boo#1225973 security: fix CVE-2024-24789 archive/zip: EOCDR comment length handling is inconsistent with other ZIP implementations
* go#67681 go#67680 boo#1225974 security: fix CVE-2024-24790 net/netip: unexpected behavior from Is methods for IPv4-mapped IPv6 addresses
* go#64586 cmd/go: spurious "v1.x.y is not a tag" error when a tag's commit was previously download without the tag
* go#67164 cmd/compile: SIGBUS unaligned access on mips64 via qemu-mips64
* go#67187 runtime/metrics: /memory/classes/heap/unused:bytes spikes
* go#67235 cmd/go: mod tidy reports toolchain not available with 'go 1.21'
* go#67310 cmd/go: TestScript/gotoolchain_issue66175 fails on tip locally
* go#67351 crypto/x509: TestPlatformVerifier failures on Windows due to broken connections
* go#67695 os: RemoveAll susceptible to symlink race
-------------------------------------------------------------------
Wed May 22 13:12:33 2024 - Jeff Kowalczyk <jkowalczyk@suse.com>
- Update to version 1.21.10.1 cut from the go1.21-fips-release
branch at the revision tagged go1.21.10-1-openssl-fips.
Refs jsc#SLE-18320
* Update to go1.21.10
* backport of fix linkage in RHEL builds to go1.21
* Skip broken PKCS overlong message test
-------------------------------------------------------------------
Tue May 7 16:00:50 UTC 2024 - Jeff Kowalczyk <jkowalczyk@suse.com>
- go1.21.10 (released 2024-05-07) includes security fixes to the go
command, as well as bug fixes to the net/http package.
Refs boo#1212475 go1.21 release tracking
CVE-2024-24787
* go#67121 go#67119 boo#1224017 security: fix CVE-2024-24787 cmd/go: arbitrary code execution during build on darwin
* go#66697 net/http: TestRequestLimit/h2 becomes significantly more expensive and slower after x/net@v0.23.0
-------------------------------------------------------------------
Thu Apr 4 19:11:07 UTC 2024 - Jeff Kowalczyk <jkowalczyk@suse.com>
- Update to version 1.21.9.1 cut from the go1.21-fips-release
branch at the revision tagged go1.21.9-1-openssl-fips.
Refs jsc#SLE-18320
* Update to go1.21.9
-------------------------------------------------------------------
Wed Apr 3 15:35:16 UTC 2024 - Jeff Kowalczyk <jkowalczyk@suse.com>
- go1.21.9 (released 2024-04-03) includes a security fix to the
net/http package, as well as bug fixes to the linker, and the
go/types and net/http packages.
Refs boo#1212475 go1.21 release tracking
CVE-2023-45288
* go#65387 go#65051 boo#1221400 security: fix CVE-2023-45288 net/http, x/net/http2: close connections when receiving too many headers
* go#66254 net/http: http2 round tripper nil pointer dereference causes panic causing deadlock
* go#66326 cmd/compile: //go:build file version ignored when using generic function from package "slices" in Go 1.21
* go#66411 cmd/link: bad carrier sym for symbol runtime.elf_savegpr0.args_stackmap on ppc64le
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Mar 13 14:06:49 UTC 2024 - Jeff Kowalczyk <jkowalczyk@suse.com> Wed Mar 13 14:06:49 UTC 2024 - Jeff Kowalczyk <jkowalczyk@suse.com>
@ -11,6 +150,27 @@ Wed Mar 13 14:06:49 UTC 2024 - Jeff Kowalczyk <jkowalczyk@suse.com>
* Feature go build -buildmode=shared is deprecated by upstream, * Feature go build -buildmode=shared is deprecated by upstream,
but not yet removed. but not yet removed.
-------------------------------------------------------------------
Tue Mar 5 17:38:51 UTC 2024 - Jeff Kowalczyk <jkowalczyk@suse.com>
- go1.21.8 (released 2024-03-05) includes security fixes to the
crypto/x509, html/template, net/http, net/http/cookiejar, and
net/mail packages, as well as bug fixes to the go command and the
runtime.
Refs boo#1212475 go1.21 release tracking
CVE-2023-45289 CVE-2023-45290 CVE-2024-24783 CVE-2024-24784 CVE-2024-24785
* go#65385 go#65065 boo#1221000 security: fix CVE-2023-45289 net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect
* go#65389 go#65383 boo#1221001 security: fix CVE-2023-45290 net/http: memory exhaustion in Request.ParseMultipartForm
* go#65392 go#65390 boo#1220999 security: fix CVE-2024-24783 crypto/x509: Verify panics on certificates with an unknown public key algorithm
* go#65848 go#65083 boo#1221002 security: fix CVE-2024-24784 net/mail: comments in display names are incorrectly handled
* go#65968 go#65697 boo#1221003 security: fix CVE-2024-24785 html/template: errors returned from MarshalJSON methods may break template escaping
* go#65472 internal/testenv: TestHasGoBuild failures on the LUCI noopt builders
* go#65475 internal/testenv: support LUCI mobile builders in testenv tests
* go#65478 runtime: don't let the tests leave core files behind
* go#65640 cmd/cgo/internal/testsanitizers,x/build: LUCI clang15 builders failing
* go#65851 cmd/go: "missing ziphash" error with go.work
* go#65882 internal/poll: invalid uintptr conversion in call to windows.SetFileInformationByHandle
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Feb 27 05:45:13 UTC 2024 - Jeff Kowalczyk <jkowalczyk@suse.com> Tue Feb 27 05:45:13 UTC 2024 - Jeff Kowalczyk <jkowalczyk@suse.com>
@ -20,7 +180,7 @@ Tue Feb 27 05:45:13 UTC 2024 - Jeff Kowalczyk <jkowalczyk@suse.com>
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Feb 8 13:19:41 UTC 2024 - Jeff Kowalczyk <jkowalczyk@suse.com> Thu Feb 8 13:19:41 UTC 2024 - Jeff Kowalczyk <jkowalczyk@suse.com>
- Update to version 1.21.7.1 cut from the go1.21-openssl-fips - Update to version 1.21.7.1 cut from the go1.21-fips-release
branch at the revision tagged go1.21.7-1-openssl-fips. branch at the revision tagged go1.21.7-1-openssl-fips.
* Update to go1.21.7 * Update to go1.21.7
@ -69,7 +229,7 @@ Tue Jan 9 18:40:15 UTC 2024 - Jeff Kowalczyk <jkowalczyk@suse.com>
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Dec 7 19:15:40 UTC 2023 - Jeff Kowalczyk <jkowalczyk@suse.com> Thu Dec 7 19:15:40 UTC 2023 - Jeff Kowalczyk <jkowalczyk@suse.com>
- Update to version 1.21.5.1 cut from the go1.21-openssl-fips - Update to version 1.21.5.1 cut from the go1.21-fips-release
branch at the revision tagged go1.21.5-1-openssl-fips. branch at the revision tagged go1.21.5-1-openssl-fips.
* Update to go1.21.5 * Update to go1.21.5
@ -97,7 +257,7 @@ Tue Dec 5 19:03:51 UTC 2023 - Jeff Kowalczyk <jkowalczyk@suse.com>
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Nov 7 22:51:37 UTC 2023 - Jeff Kowalczyk <jkowalczyk@suse.com> Tue Nov 7 22:51:37 UTC 2023 - Jeff Kowalczyk <jkowalczyk@suse.com>
- Update to version 1.21.4.1 cut from the go1.21-openssl-fips - Update to version 1.21.4.1 cut from the go1.21-fips-release
branch at the revision tagged go1.21.4-1-openssl-fips. branch at the revision tagged go1.21.4-1-openssl-fips.
* Update to go1.21.4 * Update to go1.21.4
@ -123,7 +283,7 @@ Tue Nov 7 19:29:09 UTC 2023 - Jeff Kowalczyk <jkowalczyk@suse.com>
Thu Oct 19 13:08:42 UTC 2023 - Jeff Kowalczyk <jkowalczyk@suse.com> Thu Oct 19 13:08:42 UTC 2023 - Jeff Kowalczyk <jkowalczyk@suse.com>
- Initial package go1.21-openssl version 1.21.3.1 cut from the - Initial package go1.21-openssl version 1.21.3.1 cut from the
go1.21-openssl-fips branch at the revision tagged go1.21-fips-release branch at the revision tagged
go1.21.3-1-openssl-fips. go1.21.3-1-openssl-fips.
Refs jsc#SLE-18320 Refs jsc#SLE-18320
* Go upstream merged branch dev.boringcrypto in go1.19+. * Go upstream merged branch dev.boringcrypto in go1.19+.

View File

@ -126,9 +126,9 @@
%endif %endif
Name: go1.21-openssl Name: go1.21-openssl
Version: 1.21.7.1 Version: 1.21.13.4
# Drop our added final dot and digit to define upstream version # Drop our added final dot and digit to define upstream version
%define shortversion 1.21.7 %define shortversion 1.21.13
Release: 0 Release: 0
Summary: A compiled, garbage-collected, concurrent programming language Summary: A compiled, garbage-collected, concurrent programming language
License: BSD-3-Clause License: BSD-3-Clause
@ -238,8 +238,12 @@ cp %{SOURCE4} .
# Apply golang-fips OpenSSL patch set to upstream go1.x sources # Apply golang-fips OpenSSL patch set to upstream go1.x sources
%setup -q -D -T -b 10 -n go %setup -q -D -T -b 10 -n go
patch -p1 <patches/000-initial-setup.patch # The patchset is comprised of two large primary patches plus accumulated fixes
patch -p1 <patches/001-initial-openssl-for-fips.patch for file in patches/*.patch; do
if [ -f "$file" ]; then
patch -p1 <"$file"
fi
done
%build %build
# Remove the pre-included .sysos, to avoid shipping things we didn't compile # Remove the pre-included .sysos, to avoid shipping things we didn't compile

BIN
go1.21.13.4-openssl.src.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.

BIN
go1.21.13.src.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.

BIN
go1.21.7.1-openssl.src.tar.gz (Stored with Git LFS)

Binary file not shown.

BIN
go1.21.7.src.tar.gz (Stored with Git LFS)

Binary file not shown.