- go1.20.7 (released 2023-08-01) includes a security fix to the
crypto/tls package, as well as bug fixes to the assembler and the
compiler.
Refs boo#1206346 go1.20 release tracking
* go#64760 staticlockranking builders failing on release branches on LUCI
* go#65322 crypto: rollback BoringCrypto fips-20220613 update
* go#65379 crypto/x509: TestIssue51759 consistently failing on gotip-darwin-amd64_10.15 LUCI builder
OBS-URL: https://build.opensuse.org/request/show/1144735
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.20?expand=0&rev=40
- go1.20.13 (released 2024-01-09) includes fixes to the runtime and
the crypto/tls package.
Refs boo#1206346 go1.20 release tracking
* go#63910 x/build,os/signal: TestDetectNohup and TestNohup fail on replacement darwin LUCI builders
* go#64409 runtime: ReadMemStats fatal error: mappedReady and other memstats are not equal
* go#64718 crypto: upgrade to BoringCrypto fips-20220613 and enable TLS 1.3
OBS-URL: https://build.opensuse.org/request/show/1137839
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.20?expand=0&rev=38
- go1.20.12 (released 2023-12-05) includes security fixes to the go
command, and the net/http and path/filepath packages, as well as
bug fixes to the compiler and the go command.
Refs boo#1206346 go1.20 release tracking
CVE-2023-45285 CVE-2023-45284 CVE-2023-39326
* go#63972 go#63845 boo#1217834 security: fix CVE-2023-45285 cmd/go: git VCS qualifier in module path uses git:// scheme
* go#64040 go#63713 boo#1216943 security: fix CVE-2023-45284 path/filepath: Clean removes ending slash for volume on Windows in Go 1.21.4
* go#64434 go#64433 boo#1217833 security: fix CVE-2023-39326 net/http: limit chunked data overhead
* go#63983 cmd/compile: internal compiler error: panic during prove while compiling: unexpected induction with too many parents
* go#63988 cmd/go: TestScript/mod_get_direct fails with "Filename too long" on Windows
OBS-URL: https://build.opensuse.org/request/show/1131272
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.20?expand=0&rev=36
- go1.20.11 (released 2023-11-07) includes security fixes to the
path/filepath package, as well as bug fixes to the linker and the
net/http package.
Refs boo#1206346 go1.20 release tracking
CVE-2023-45283 CVE-2023-45284
* go#63714 go#63713 boo#1216943 boo#1216944 security: fix CVE-2023-45283 CVE-2023-45284 path/filepath: insecure parsing of Windows paths
* go#63316 cmd/link: split text sections for arm 32-bit
* go#63740 net/http: http2 page fails on firefox/safari if pushing resources
OBS-URL: https://build.opensuse.org/request/show/1124116
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.20?expand=0&rev=34
- go1.20.9 (released 2023-10-05) includes one security fixes to the
cmd/go package, as well as bug fixes to the go command and the
linker.
Refs boo#1206346 go1.20 release tracking
CVE-2023-39323
* go#63213 go#63211 boo#1215985 security: fix CVE-2023-39323 cmd/go: line directives allows arbitrary execution during build
* go#62597 cmd/link: issues with Apple's new linker in Xcode 15 beta
OBS-URL: https://build.opensuse.org/request/show/1115931
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.20?expand=0&rev=30
- go1.20.8 (released 2023-09-06) includes two security fixes to the
html/template package, as well as bug fixes to the compiler, the
go command, the runtime, and the crypto/tls, go/types, net/http,
and path/filepath packages.
Refs boo#1206346 go1.20 release tracking
CVE-2023-39318 CVE-2023-39319
* go#62395 go#62196 boo#1215084 security: fix CVE-2023-39318 html/template: improper handling of HTML-like comments within script contexts
* go#62397 go#62197 boo#1215085 security: fix CVE-2023-39319 html/template: improper handling of special tags within script contexts
* go#61198 cmd/go: extended forwards compatibility for Go
* go#61744 go/types: interface.Complete panics for interfaces with duplicate methods
* go#61826 net/http: go 1.20.6 host validation breaks setting Host to a unix socket address
* go#61867 path/filepath: Clean on some invalid Windows paths can lose .. components
* go#61873 cmd/go: using a module path without dot fails to build after toolchain selection
* go#61966 crypto/tls: add GODEBUG to control max RSA key size
* go#62018 runtime: execution halts with goroutines stuck in runtime.gopark (protocol error E08 during memory read for packet)
* go#62056 cmd/compile: internal compiler error: 'F': func F, startMem[b1] has different values
* go#62070 cmd/api: make non-importable
- Add missing directory pprof html asset directory to package.
Refs boo#1215090
* src/cmd/vendor/github.com/google/pprof/internal/driver/html/
dir containing html assets is present in upstream Go
distribution but missing from SUSE go1.x packages
* Go programs importing runtime/pprof may fail with error:
/usr/lib64/go/1.21/src/cmd/vendor/github.com/google/pprof/internal/driver/webhtml.go
pattern html: no matching files found
* Reformat adjacent commment in spec file
OBS-URL: https://build.opensuse.org/request/show/1109618
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.20?expand=0&rev=28
- go1.20.7 (released 2023-08-01) includes a security fix to the
crypto/tls package, as well as bug fixes to the assembler and the
compiler.
Refs boo#1206346 go1.20 release tracking
CVE-2023-29409
* go#61580 go#61460 boo#1213880 security: fix CVE-2023-29409 crypto/tls: restrict RSA keys in certificates to <= 8192 bits
* go#61320 cmd/compile: ppc64le: sign extension issue in go 1.21rc2
* go#61449 net: TestInterfaceArrivalAndDepartureZoneCache is broken on linux-arm64
* go#61471 cmd/compile: failed to make Go on riscv64 CPU with numa
OBS-URL: https://build.opensuse.org/request/show/1101871
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.20?expand=0&rev=26
- go1.20.6 (released 2023-07-11) includes a security fix to the
net/http package, as well as bug fixes to the compiler, cgo, the
cover tool, the go command, the runtime, and the crypto/ecdsa,
go/build, go/printer, net/mail, and text/template packages.
Refs boo#1206346 go1.20 release tracking.
CVE-2023-29406
* go#61076 go#60374 boo#1213229 security: fix CVE-2023-29406 net/http: insufficient sanitization of Host header
* go#60352 cmd/go: go mod tidy introduces ambiguous imports in pruned modules
* go#60535 runtime: TLS slot index over 64 and crash
* go#60675 cmd/compile: internal compiler error: out of range for go.shape.int64
* go#60698 cmd/go: go list fails with submodules which have test-only dependencies
* go#60744 crypto/ecdsa: P521 ecdsa.Verify panics with malformed message
* go#60754 cmd/go: panic: LoadImport called with empty package path when listing GOROOT/test/*.go
* go#60760 runtime: checkdead fires due to suspected race in the Go runtime when GOMAXPROCS=1 on AWS
* go#60802 text/template: key/value assignment is reversed within range loop
* go#60845 runtime: SIGSEGV in race + coverage mode
* go#60849 cmd/go: go test deadlocked without enforcing timeouts when killed with ^C
* go#60874 net/mail: mail.ReadMessage in 1.20 cannot parse mbox headers
* go#60875 net/mail: characters allowed in RFC 5322 are invalid while parsing email header
* go#60927 x/tools/go/analysis/unitchecker: TestVetStdlib failures
* go#60947 crypto/x509: TestSystemVerify/EKULeafValid fails on LUCI
* go#60949 runtime: goroutines that stop after calling runtime.RaceDisable break race detector
* go#61055 runtime: TestWindowsStackMemory flakes on windows-386-2016
OBS-URL: https://build.opensuse.org/request/show/1098255
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.20?expand=0&rev=23
- go1.20.5 (released 2023-06-06) includes four security fixes to
the cmd/go and runtime packages, as well as bug fixes to the
compiler, the go command, the runtime, and the crypto/rsa, net,
and os packages.
Refs boo#1206346 go1.20 release tracking
CVE-2023-29402 CVE-2023-29403 CVE-2023-29404 CVE-2023-29405
* go#60516 go#60167 boo#1212073 security: fix CVE-2023-29402 cmd/go: cgo code injection
* go#60518 go#60272 boo#1212074 security: fix CVE-2023-29403 runtime: unexpected behavior of setuid/setgid binaries
* go#60512 go#60305 boo#1212075 security: fix CVE-2023-29404 cmd/go: improper sanitization of LDFLAGS
* go#60514 go#60306 boo#1212076 security: fix CVE-2023-29405 cmd/go: improper sanitization of LDFLAGS
* go#58927 crypto/rsa: 4096 bit keys are not generated with BoringCrypto
* go#59975 cmd/compile: multiple memories live at block start
* go#60001 cmd/go: missing checksums for dependencies of go get arguments and tests of external dependencies
* go#60217 os: Read of a device driver fails only with Go 1.20
* go#60458 cmd/go: document GOROOT/bin/go PATH entry for go test and go generate
OBS-URL: https://build.opensuse.org/request/show/1091158
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.20?expand=0&rev=21
- go1.20.4 (released 2023-05-02) includes three security fixes to
the html/template package, as well as bug fixes to the compiler,
the runtime, and the crypto/subtle, crypto/tls, net/http, and
syscall packages.
Refs boo#1206346 go1.20 release tracking
CVE-2023-29400 CVE-2023-24540 CVE-2023-24539
- Packaging revert go1.x Suggests go1.x-race boo#1210963
* Upstream go binary distributions do include race detector .syso
* Default Recommends for subpackages is best suited in this case
- Revise changelog formatting of recent CVEs for readability
OBS-URL: https://build.opensuse.org/request/show/1084133
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.20?expand=0&rev=19
- go1.20.3 (released 2023-04-04) includes security fixes to the
go/parser, html/template, mime/multipart, net/http, and
net/textproto packages, as well as bug fixes to the compiler, the
linker, the runtime, and the time package.
Refs boo#1206346 go1.20 release tracking
CVE-2023-24534 CVE-2023-24536 CVE-2023-24537 CVE-2023-24538
* go#59268 go#58975 boo#1210127 security: net/http, net/textproto: denial of service from excessive memory allocation (CVE-2023-24534)
* go#59270 go#59153 boo#1210128 security: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption (CVE-2023-24536)
* go#59274 go#59180 boo#1210129 security: go/parser: infinite loop in parsing (CVE-2023-24537)
* go#59272 go#59234 boo#1210130 security: html/template: backticks not treated as string delimiters (CVE-2023-24538)
* go#58920 x/text: building as a plugin failure on darwin/arm64
* go#58938 cmd/go: timeout on darwin-amd64-race builder
* go#58942 internal/testpty: fails on some Linux machines due to incorrect error handling
* go#58954 cmd/link: Incorrect symbol linked in darwin/arm64
* go#59051 cmd/link: linker fails on linux/amd64 when gcc's lto options are used
* go#59059 cmd/link/internal/arm: off-by-one error in trampoline phase call reachability calculation
* go#59075 time: time zone lookup using extend string makes wrong start time for non-DST zones
* go#59220 runtime: crash on linux-ppc64le
* go#59236 cmd/compile: crypto/elliptic build error under -linkshared mode
* go#59296 cmd/compile: unsafe.SliceData incoherent resuilt with nil argument
- Build subpackage go1.20-libstd compiled shared object libstd.so
only on Tumbleweed at this time.
Refs jsc#PED-1962
OBS-URL: https://build.opensuse.org/request/show/1077383
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.20?expand=0&rev=14
- Add subpackage go1.x-libstd for compiled shared object libstd.so.
Refs jsc#PED-1962
* Main go1.x package included libstd.so in previous versions
* Split libstd.so into subpackage that can be installed standalone
* Continues the slimming down of main go1.x package by 40 Mb
* Experimental and not recommended for general use, Go currently has no ABI
* Upstream Go has not committed to support buildmode=shared long-term
* Do not use in packaging, build static single binaries (the default)
* Upstream Go go1.x binary releases do not include libstd.so
* go1.x Suggests go1.x-libstd so not installed by default Recommends
* go1.x-libstd does not Require: go1.x so can install standalone
* Provides go-libstd unversioned package name
* Fix build step -buildmode=shared std to omit -linkshared
- Packaging improvements:
* go1.x Suggests go1.x-doc so not installed by default Recommends
* Use Group: Development/Languages/Go instead of Other
OBS-URL: https://build.opensuse.org/request/show/1070660
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.20?expand=0&rev=12
- go1.20.2 (released 2023-03-07) includes a security fix to the
crypto/elliptic package, as well as bug fixes to the compiler,
the covdata command, the linker, the runtime, and the
crypto/ecdh, crypto/rsa, crypto/x509, os, and syscall packages.
Refs boo#1206346 go1.20 release tracking
CVE-2023-24532
* go#58720 go#58647 boo#1209030 security: fix CVE-2023-24532 crypto/elliptic: specific unreduced P-256 scalars produce incorrect results
* go#58427 cmd/covdata: short read on string table when merging coverage counters
* go#58442 runtime: some linkname signatures do not match
* go#58444 cmd/compile: inline static init cause compile time error
* go#58467 cmd/compile: internal compiler error: '(*Tree[go.shape.int]).RemoveParent.func1': value .dict (nil) incorrectly live at entry
* go#58498 crypto/ecdh: ECDH method doesn't check curve
* go#58503 cmd/link: relocation truncated to fit: R_ARM_CALL against `runtime.duffcopy'
* go#58505 crypto/internal/bigmod: flag amd64 assembly as noescape
* go#58531 runtime: endless traceback when panic in generics funtion
* go#58536 runtime: long latency of sweep assists
* go#58624 syscall.Faccessat and os.LookPath regression in Go 1.20
* go#58627 os: cmd/go gets error "copy_file_range: function not implemented"
* go#58717 net: TestTCPSelfConnect failures due to unexpected connections
* go#58774 syscall: Environ uses an invalid unsafe.Pointer conversion on Windows
* go#58776 cmd/compile: ICE on method value involving imported anonymous interface
* go#58793 crypto/x509: Incorrect documentation for ParsePKCS8PrivateKey
* go#58811 crypto/x509: TestSystemVerify consistently failing
OBS-URL: https://build.opensuse.org/request/show/1070081
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.20?expand=0&rev=10
