- go1.18.5 (released 2022-08-01) includes security fixes to the
encoding/gob and math/big packages, as well as bug fixes to the
compiler, the go command, the runtime, and the testing package.
Refs boo#1193742 go1.18 release tracking
CVE-2022-32189
* boo#1202035 CVE-2022-32189 go#53871
* go#54095 math/big: index out of range in Float.GobDecode
* go#53883 cmd/compile: interface conversion with generics reports "types from different scopes"
* go#53875 cmd/go: livelock when computing module graph in a workspace with GOPROXY=off
* go#53852 cmd/compile: internal compiler error: assertion failed
* go#53847 runtime: modified timer results in extreme cpu load
* go#53119 cmd/go: Build information embedded by Go 1.18 impairs build reproducibility with cgo flags
* go#53112 runtime: gentraceback() dead loop on arm64 casued the process hang
* go#52986 testing: TempDir RemoveAll cleanup failures with "The process cannot access the file because it is being used by another process."
* go#52961 cmd/compile: miscompilation in pointer operations
OBS-URL: https://build.opensuse.org/request/show/992076
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.18?expand=0&rev=25
- go1.18.4 (released 2022-07-12) includes security fixes to the
compress/gzip, encoding/gob, encoding/xml, go/parser, io/fs,
net/http, and path/filepath packages, as well as bug fixes to the
compiler, the go command, the linker, the runtime, and the
runtime/metrics package.
Refs boo#1193742 go1.18 release tracking
CVE-2022-1705 CVE-2022-32148 CVE-2022-30631 CVE-2022-30633 CVE-2022-28131 CVE-2022-30635 CVE-2022-30632 CVE-2022-30630 CVE-2022-1962
OBS-URL: https://build.opensuse.org/request/show/988807
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.18?expand=0&rev=23
- go1.18.3 (released 2022-06-01) includes security fixes to the
crypto/rand, crypto/tls, os/exec, and path/filepath packages, as
well as bug fixes to the compiler, and the crypto/tls and
text/template/parse packages.
Refs boo#1193742 go1.18 release tracking
CVE-2022-30634 CVE-2022-30629 CVE-2022-30580 CVE-2022-29804
* boo#1200134 go#52561 CVE-2022-30634
* go#52933 crypto/rand: Read hangs when passed buffer larger than 1<<32 - 1
* boo#1200135 go#52814 CVE-2022-30629
* go#52833 crypto/tls: randomly generate ticket_age_add
* boo#1200136 go#52574 CVE-2022-30580
* go#53057 os/exec: Cmd.{Run,Start} should fail if Cmd.Path is unset
* boo#1200137 go#52476 CVE-2022-29804
* go#52479 path/filepath: Clean(.\c:) returns c: on Windows
* go#51849 cmd/compile: crash on pointer conversion in call to mapaccess2
* go#52242 cmd/compile: compiler crash on valid code
* go#52286 cmd/compile: compiler crash with "Dictionary should have already been generated"
* go#52791 crypto/tls: 500% increase in allocations from (*tls.Conn).Read in go 1.17
* go#52878 text/template: break/continue require no whitespace around them
* go#53043 misc/cgo/testsanitizers: occasional hangs in TestTSAN/tsan12
* go#53115 misc/cgo/testsanitizers: deadlock in TestTSAN/tsan11
OBS-URL: https://build.opensuse.org/request/show/980418
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.18?expand=0&rev=21
- go1.18.2 (released 2022-05-10) includes security fixes to the
syscall package, as well as bug fixes to the compiler, runtime,
the go command, and the crypto/x509, go/types, net/http/httptest,
reflect, and sync/atomic packages.
Refs boo#1193742 go1.18 release tracking
CVE-2022-29526
* boo#1199413 go#52313 CVE-2022-29526
* go#52440 syscall: Faccessat checks wrong group
* go#51738 runtime: wrong type assertion result when using generic types
* go#51798 cmd/go: add (and default to) -buildvcs=auto
* go#51859 crypto/x509: x509 certificate with issuerUniqueID and/or subjectUniqueID parse error
* go#51897 net/http/httptest: race in Close
* go#52028 go/types: documentation on instance de-duplication is unclear about guarantees
* go#52149 syscall: TestGroupCleanupUserNamespace failure on linux-s390x-ibm
* go#52244 go/types, types2: go generic assert compile escape
* go#52305 runtime: doAllThreadsSyscall has an unaligned atomic load on 32-bit architectures
* go#52366 cmd/compile/internal/ssa: occurred the wrong rewrite cycle detection
* go#52375 runtime: executable compiled under Go 1.17.7 will occasionally wedge
* go#52386 reflect: can set map elem with string key of a different string type
* go#52441 cmd/compile: incorrect handling of iota in 1.18
* go#52468 cmd/go: go run -mod=mod [files...] does not update go.mod and go.sum
* go#52558 cmd/compile: cannot convert v (variable of type *Bar[T]) to type *Foo[T]
* go#52606 cmd/compile: internal compiler error: weird package in name: .dict0 => .dict0 from "", not "test/p"
* go#52615 sync/atomic: compare and swap of inconsistently typed values with uninitialized Value
* go#52691 cmd/compile: generic function appears to use incorrect type descriptor
* go#52699 runtime: support debugCall on arm64
* go#52706 net: TestDialCancel is not compatible with new macOS ARM64 builders
* go#52804 go/types: NewMethodSet doesn't terminate for recursively embedded generics
OBS-URL: https://build.opensuse.org/request/show/976170
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.18?expand=0&rev=19
- Remove remaining use of gold linker when bootstrapping with
gccgo. The binutils-gold package will be removed in the future.
* History: go1.8.3 2017-06-18 added conditional if gccgo defined
BuildRequires: binutils-gold for arches other than s390x
* No information available why binutils-gold was used initially
* Unrelated to upstream recent hardcoded gold dependency for ARM
OBS-URL: https://build.opensuse.org/request/show/974489
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.18?expand=0&rev=17
- go1.18.1 (released 2022-04-12) includes security fixes to the
crypto/elliptic, crypto/x509, and encoding/pem packages, as well
as bug fixes to the compiler, linker, runtime, the go command,
vet, and the bytes, crypto/x509, and go/types packages.
Refs boo#1193742 go1.18 release tracking
CVE-2022-24675 CVE-2022-28327 CVE-2022-27536
* boo#1198423 go#51853 CVE-2022-24675
* go#52037 encoding/pem: stack overflow
boo#1198424 go#52075 CVE-2022-28327
* go#52077 crypto/elliptic: generic P-256 panic when scalar has too many leading zeroes
* boo#1198427 go#51759 CVE-2022-27536
* go#51763 crypto/x509: Certificate.Verify crash on macOS with Go 1.18
* go#52140 cmd/go: go work use -r panics when given a directory that does not exist
* go#52119 go/types, cmd/compile: type set overlapping implementation for interface types might be not correct
* go#52032 go/types: spurious diagnostics for untyped shift operands with GoVersion < go1.13
* go#52007 go/types, types2: scope is unset on receivers of instantiated methods
* go#51874 cmd/go: Segfault on ppc64le during Go 1.18 build on Alpine Linux
* go#51855 cmd/compile: internal compiler error: panic: runtime error: index out of range [0] with length 0
* go#51852 crypto/x509: reject SHA-1 signatures in Verify
* go#51847 cmd/compile: cannot import "package" (type parameter bound more than once)
* go#51846 cmd/compile: internal compiler error: walkExpr: switch 1 unknown op RECOVER
* go#51796 bytes: Trim returns empty slice instead of nil in 1.18
* go#51767 cmd/go: "go test" seems to now require git due to -buildvcs
* go#51764 cmd/go: go work use panics when given a file
* go#51741 cmd/cgo: pointer to incomplete C type is mangled when passed through interface type and generic type assert
* go#51737 plugin: tls handshake panic: unreachable method called. linker bug?
* go#51727 cmd/vet, go/types: go vet crash when using self-recursive anonymous types in constraints
* go#51697 runtime: some tests fails on Windows with CGO_ENABLED=0
* go#51669 cmd/compile: irgen uses wrong dict param to generate code for getting dict type
* go#51665 go/types, types2: gopls crash in recordTypeAndValue
OBS-URL: https://build.opensuse.org/request/show/969623
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.18?expand=0&rev=15
- Template gcc-go.patch to substitute gcc_go_version and eliminate
multiple similar patches each with hardcoded gcc go binary name.
gcc-go.patch inserts gcc-go binary name e.g. go-8 to compensate
for current lack of gcc-go update-alternatives usage.
* add gcc-go.patch
* drop gcc6-go.patch
* drop gcc7-go.patch
- For SLE-12 set gcc_go_version to 8 to bootstrap using gcc8-go.
gcc6-go and gcc7-go no longer successfully bootstrap go1.17 or
go1.18 on SLE-12 aarch64 ppc64le or s390x.
* gcc6-go fails with errors e.g. libnoder.a(_go_.o):(.toc+0x0):
undefined reference to `__go_pimt__I4_DiagFrN4_boolee3
OBS-URL: https://build.opensuse.org/request/show/967628
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.18?expand=0&rev=11
- Add .bin assembler pattern table file and test data to packaging.
* Error manifests building some Go applications as:
src/crypto/elliptic/p256_asm.go:24:12:
pattern p256_asm_table.bin: no matching files found
* A Quick Guide to Go's Assembler https://go.dev/doc/asm
* New assembler pattern file added to packaging with mode 644:
src/crypto/elliptic/p256_asm_table.bin
* Existing test data files added to packaging with mode 644:
src/compress/bzip2/testdata/pass-random2.bin
src/compress/bzip2/testdata/pass-random1.bin
src/debug/dwarf/testdata/line-gcc-win.bin
OBS-URL: https://build.opensuse.org/request/show/955775
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.18?expand=0&rev=5
