- go1.19.10 (released 2023-06-06) includes four security fixes to
the cmd/go and runtime packages, as well as bug fixes to the
compiler, the go command, and the runtime.
Refs boo#1200441 go1.19 release tracking
CVE-2023-29402 CVE-2023-29403 CVE-2023-29404 CVE-2023-29405
* go#60515 go#60167 boo#1212073 security: fix CVE-2023-29402 cmd/go: cgo code injection
* go#60517 go#60272 boo#1212074 security: fix CVE-2023-29403 runtime: unexpected behavior of setuid/setgid binaries
* go#60511 go#60305 boo#1212075 security: fix CVE-2023-29404 cmd/go: improper sanitization of LDFLAGS
* go#60513 go#60306 boo#1212076 security: fix CVE-2023-29405 cmd/go: improper sanitization of LDFLAGS
* go#59974 cmd/compile: multiple memories live at block start
* go#60000 cmd/go: missing checksums for dependencies of go get arguments and tests of external dependencies
* go#60457 cmd/go: document GOROOT/bin/go PATH entry for go test and go generate
OBS-URL: https://build.opensuse.org/request/show/1091157
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.19?expand=0&rev=35
- Revert re-enable binary stripping and debuginfo boo#1210938.
go1.19 and earlier store pre-compiled packages in $GOROOT/pkg as
Go .a files which are not ar archives. These .a are incorrectly
passed to strip by brp-15-strip-debug. strip incorrectly modifies
Go .a files rendering them invalid. Some Go applications fail to
build with "reference to nonexistent package" errors.
Refs boo#1210938 boo#1211073
* go1.19 and earlier store pre-compiled packages for the standard
library as .a files under pkg/GOARCH[_{dynlink,race}].
* Go emitted .a files are a Go specific format, not ar archives.
* go1.10+ stores recently built packages in build cache GOCACHE.
These are separate from the installed packages in $GOROOT/pkg.
* Go build cache objects use a different file format than Go .a.
* go1.20+ switches to the GOCACHE for both recently built
packages and the installed packages in $GOROOT/pkg.
* Current versions of readelf detect Go .a files correctly, e.g.:
    readelf -d /usr/lib64/go/1.19/pkg/linux_amd64/bytes.a
    File: /usr/lib64/go/1.19/pkg/linux_amd64/bytes.a(__.PKGDEF )
    readelf: Error: This is a GO binary file - try using 'go tool objdump' or 'go tool nm'
* binutils strip as of 2.40 detects Go .a files correctly, but
incorrectly modifies the .a files altering path resulting in
"reference to nonexistent package" errors.
* brp_check_suse/brp-15-strip-debug passes files to strip based
primarily on the file extension including .a.
OBS-URL: https://build.opensuse.org/request/show/1084541
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.19?expand=0&rev=33
- go1.19.9 (released 2023-05-02) includes three security fixes to
the html/template package, as well as bug fixes to the compiler,
the runtime, and the crypto/tls and syscall packages.
Refs boo#1200441 go1.19 release tracking
CVE-2023-29400 CVE-2023-24540 CVE-2023-24539
- Packaging revert go1.x Suggests go1.x-race boo#1210963
* Upstream go binary distributions do include race detector .syso
* Default Recommends for subpackages is best suited in this case
OBS-URL: https://build.opensuse.org/request/show/1084132
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.19?expand=0&rev=32
- Add subpackage go1.x-libstd for compiled shared object libstd.so.
Only on Tumbleweed at this time.
* Main go1.x package included libstd.so in previous versions
* Split libstd.so into subpackage that can be installed standalone
* Continues the slimming down of main go1.x package by 40 Mb
* Experimental and not recommended for general use, Go currently has no ABI
* Upstream Go has not committed to support buildmode=shared long-term
* Do not use in packaging, build static single binaries (the default)
* Upstream Go go1.x binary releases do not include libstd.so
* go1.x Suggests go1.x-libstd so not installed by default Recommends
* go1.x-libstd does not Require: go1.x so can install standalone
* Provides go-libstd unversioned package name
* Fix build step -buildmode=shared std to omit -linkshared
- Packaging improvements:
* go1.x Suggests go1.x-doc so not installed by default Recommends
* Use Group: Development/Languages/Go instead of Other
* On Tumbleweed bootstrap with current default gcc13 and gccgo118
* On SLE-12 aarch64 ppc64le ppc64 remove overrides to bootstrap
using go1.x package (%bcond_without gccgo). This is no longer
needed on current SLE-12:Update and removing will consolidate
the build configurations used.
* Change source URLs to go.dev as per Go upstream
* On x86_64 export GOAMD64=v1 as per the current baseline.
At this time forgo GOAMD64=v3 option for x86_64_v3 support.
* On x86_64 %define go_amd64=v1 as current instruction baseline
OBS-URL: https://build.opensuse.org/request/show/1079836
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.19?expand=0&rev=28
- go1.19.8 (released 2023-04-04) includes security fixes to the
go/parser, html/template, mime/multipart, net/http, and
net/textproto packages, as well as bug fixes to the linker, the
runtime, and the time package.
Refs boo#1200441 go1.19 release tracking
CVE-2023-24534 CVE-2023-24536 CVE-2023-24537 CVE-2023-24538
* go#59267 go#58975 boo#1210127 net/http, net/textproto: denial of service from excessive memory allocation (CVE-2023-24534)
* go#59269 go#59153 boo#1210128 net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption (CVE-2023-24536)
* go#59273 go#59180 boo#1210129 go/parser: infinite loop in parsing (CVE-2023-24537)
* go#59271 go#59234 boo#1210130 html/template: backticks not treated as string delimiters (CVE-2023-24538)
* go#58937 cmd/go: timeout on darwin-amd64-race builder
* go#58939 runtime/pprof: TestLabelSystemstack due to sample with no location
* go#58941 internal/testpty: fails on some Linux machines due to incorrect error handling
* go#59050 cmd/link: linker fails on linux/amd64 when gcc's lto options are used
* go#59058 cmd/link/internal/arm: off-by-one error in trampoline phase call reachability calculation
* go#59074 time: time zone lookup using extend string makes wrong start time for non-DST zones
* go#59219 runtime: crash on linux-ppc64le
OBS-URL: https://build.opensuse.org/request/show/1077382
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.19?expand=0&rev=24
- go1.19.7 (released 2023-03-07) includes a security fix to the
crypto/elliptic package, as well as bug fixes to the linker, the
runtime, and the crypto/x509 and syscall packages.
Refs boo#1200441 go1.19 release tracking
CVE-2023-24532
* go#58719 go#58647 boo#1209030 security: fix CVE-2023-24532 crypto/elliptic: specific unreduced P-256 scalars produce incorrect results
* go#58441 runtime: some linkname signatures do not match
* go#58502 cmd/link: relocation truncated to fit: R_ARM_CALL against `runtime.duffcopy'
* go#58535 runtime: long latency of sweep assists
* go#58716 net: TestTCPSelfConnect failures due to unexpected connections
* go#58773 syscall: Environ uses an invalid unsafe.Pointer conversion on Windows
* go#58810 crypto/x509: TestSystemVerify consistently failing
OBS-URL: https://build.opensuse.org/request/show/1070080
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.19?expand=0&rev=22
- go1.19.6 (released 2023-02-14) includes security fixes to the
crypto/tls, mime/multipart, net/http, and path/filepath packages,
as well as bug fixes to the go command, the linker, the runtime,
and the crypto/x509, net/http, and time packages.
Refs boo#1200441 go1.19 release tracking
CVE-2022-41722 CVE-2022-41723 CVE-2022-41724 CVE-2022-41725
* go#57275 boo#1208269 security: fix CVE-2022-41722
* go#58355 boo#1208270 security: fix CVE-2022-41723
* go#58358 boo#1208271 security: fix CVE-2022-41724
* go#58362 boo#1208272 security: fix CVE-2022-41725
* go#56154 net/http: bad handling of HEAD requests with a body
* go#57635 crypto/x509: TestBoringAllowCert failures
* go#57812 runtime: performance regression due to bad instruction used in morestack_noctxt for ppc64 in CL 425396
* go#58118 time: update zoneinfo_abbrs on Windows
* go#58223 cmd/link: .go.buildinfo is gc'ed by --gc-sections
* go#58449 cmd/go/internal/modfetch: TestCodeRepo/gopkg.in_natefinch_lumberjack.v2/latest failing
OBS-URL: https://build.opensuse.org/request/show/1066110
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.19?expand=0&rev=20
- go1.19.5 (released 2023-01-10) includes fixes to the compiler,
the linker, and the crypto/x509, net/http, sync/atomic, and
syscall packages.
Refs boo#1200441 go1.19 release tracking
* go#57706 Misc/cgo: backport needed for dlltool fix
* go#57556 crypto/x509: re-allow duplicate attributes in CSRs
* go#57444 cmd/link: need to handle new-style LoongArch relocs
* go#57427 crypto/x509: Verify on macOS does not return typed errors
* go#57345 cmd/compile: the loong64 intrinsic for CompareAndSwapUint32 function needs to sign extend its "old" argument.
* go#57339 syscall, internal/poll: accept4-to-accept fallback removal broke Go code on Synology DSM 6.2 ARM devices
* go#57214 os: TestLstat failure on Linux Aarch64
* go#57212 reflect: sort.SliceStable sorts incorrectly on arm64 with less function created with reflect.MakeFunc and slice of sufficient length
* go#57124 sync/atomic: allow linked lists of atomic.Pointer
* go#57100 cmd/compile: non-retpoline-compatible errors
* go#57058 cmd/go: remove test dependency on gopkg.in service
* go#57055 cmd/go: TestScript/version_buildvcs_git_gpg (if enabled) fails on linux longtest builders
* go#56983 runtime: failure in TestRaiseException on windows-amd64-2012
* go#56834 cmd/link/internal/ppc64: too-far trampoline is reused
* go#56770 cmd/compile: walkConvInterface produces broken IR
* go#56744 cmd/compile: internal compiler error: missing typecheck
* go#56712 net: reenable TestLookupDotsWithRemoteSource and TestLookupGoogleSRV with a different target
* go#56154 net/http: bad handling of HEAD requests with a body
OBS-URL: https://build.opensuse.org/request/show/1057692
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.19?expand=0&rev=18
- go1.19.4 (released 2022-12-06) includes security fixes to the
net/http and os packages, as well as bug fixes to the compiler,
the runtime, and the crypto/x509, os/exec, and sync/atomic
packages.
Refs boo#1200441 go1.19 release tracking
CVE-2022-41717 CVE-2022-41720
* go#57009 boo#1206135 security: fix CVE-2022-41717 net/http: limit canonical header cache by bytes, not entries
* go#57006 boo#1206134 security: fix CVE-2022-41720 os, net/http: avoid escapes from os.DirFS and http.Dir on Windows
* go#56752 runtime,cmd/compile: apparent memory corruption in compress/flate
* go#56710 net: builders failing TestLookupDotsWithRemoteSource and TestLookupGoogleSRV due to missing host for _xmpp-server._tcp.google.com
* go#56672 crypto/tls: boringcrypto restricts RSA key sizes to 2048 and 3072
* go#56638 sync/atomic: atomic.Pointer[T] can be misused with type conversions.
* go#56636 runtime: traceback stuck in runtime.systemstack
* go#56557 cmd/compile: some x/sys versions no longer build due to "go:linkname must refer to declared function or variable"
* go#56551 os/exec: Plan 9 build has been broken by a Windows security fix (also breaks 1.19.3 and 1.18.8)
* go#56438 crypto/x509: respect GODEBUG changes during program lifetime
* go#56397 runtime: on linux/PPC64, usleep computes incorrect tv_nsec parameter
* go#56360 cmd/compile: panic: offset too large
OBS-URL: https://build.opensuse.org/request/show/1041233
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.19?expand=0&rev=16
- go1.19.2 (released 2022-10-04) includes security fixes to the
archive/tar, net/http/httputil, and regexp packages, as well as
bug fixes to the compiler, the linker, the runtime, and the
go/types package.
Refs boo#1200441 go1.19 release tracking
CVE-2022-41715 CVE-2022-2879 CVE-2022-2880
* go#55951 boo#1204023 security: fix CVE-2022-41715 regexp/syntax: limit memory used by parsing regexps
* go#55926 boo#1204024 security: fix CVE-2022-2879 archive/tar: unbounded memory consumption when reading headers
* go#55843 boo#1204025 security: fix CVE-2022-2880 net/http/httputil: ReverseProxy should not forward unparseable query parameters
* go#55270 cmd/compile: internal compiler error: method Len on *uint8 not found
* go#55152 cmd/compile: typebits.Set: invalid initial alignment: type Peer has alignment 8, but offset is 4
* go#55149 go/types: no way to construct the signature of append(s, "string"...) via the API
* go#55124 fatal error: bulkBarrierPreWrite: unaligned arguments (go 1.19.1, looks like regression)
* go#55114 cmd/link: new darwin linker warning on -pagezero_size and -no_pie deprecation
* go#54917 cmd/compile: Value live at entry
* go#54764 runtime/cgo(.text): unknown symbol __stack_chk_fail_local in pcrel (regression in 1.19 when building for i686)
OBS-URL: https://build.opensuse.org/request/show/1008076
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.19?expand=0&rev=12
- go1.19.1 (released 2022-09-06) includes security fixes to the
net/http and net/url packages, as well as bug fixes to the
compiler, the go command, the pprof command, the linker, the
runtime, and the crypto/tls and crypto/x509 packages.
Refs boo#1200441 go1.19 release tracking
CVE-2022-27664 CVE-2022-32190
* go#54376 bsc#1203185 CVE-2022-27664 net/http: handle server errors after sending GOAWAY
* go#54635 bsc#1203186 CVE-2022-32190 net/url: JoinPath doesn't strip relative path components in all circumstances
* go#54736 cmd/go: cannot find package when importing dependencies with the unix build constraint
* go#54734 cmd/go: git fetch errors dropped when producing pseudo-versions for commits
* go#54726 cmd/compile: compile failed with "Value live at entry"
* go#54697 cmd/compile: ICE at composite literal assignment with alignment > PtrSize
* go#54675 runtime: morestack_noctxt missing SPWRITE, causes "traceback stuck" assert
* go#54665 runtime: segfault running ppc64/linux binaries with kernel 5.18
* go#54660 cmd/go: go test -race does not set implicit race build tag
* go#54643 crypto/tls: support ECDHE key exchanges when ec_point_formats is missing in ClientHello extension
* go#54637 cmd/go: data race in TestScript
* go#54633 cmd/go/internal/modfetch/codehost: racing writes to Origin fields
* go#54629 cmd/compile: miscompilation of partially-overlapping array assignments
* go#54420 cmd/pprof: graphviz node names are funny with generics
* go#54406 cmd/link: trampoline insertion breaks DWARF Line Program Table output on Darwin/ARM64
* go#54309 cmd/compile: internal compiler error: panic: runtime error: invalid memory address or nil pointer dereference
* go#54295 crypto/x509: panics on invalid curve instead of returning error
* go#54243 cmd/compile: internal compiler error when compiling code with unbound method of generic type
* go#54239 misc/cgo: TestSignalForwardingExternal sometimes fails with wrong signal SIGINT
* go#54235 cmd/compile: internal compiler error of atomic type and offsetof
OBS-URL: https://build.opensuse.org/request/show/1001532
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.19?expand=0&rev=10
- Define go_bootstrap_version go1.16 without suse_version checks
- Simplify conditional gcc_go_version 12 on Tumbleweed, 11 elsewhere
- Add _constraints for worker disk space 5G needed by SLE-15 x86_64
- SLE-12 s390x use bcond_without gccgo to bootstrap using gcc11go
* Workaround for SLE-12 s390x build error while writing linker data:
bad carrier sym for symbol crypto/internal/nistec.p256OrdMul.args_stackmap
created by cmd/link/internal/ld.writeBlocks
/usr/lib64/go/1.19/src/cmd/link/internal/ld/data.go:958
OBS-URL: https://build.opensuse.org/request/show/998733
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.19?expand=0&rev=8