- Packaging improvements:
* Refs bsc#1245292 go1.16 unresolveable on SLFO:Main. Recommended
mitigation for SLFO:Main is to bootstrap go1.21 with gccgo and
delete go1.16 through go1.20, all of which are EOL.
* Update %bcond_with gccgo_go121 to a version unique name from
%bcond_with gccgo. OBS prjconf does not support a conditional
%_with configuration to match just one package. Use a unique
name that is defined only in go1.21 packaging. Bootstrap
go1.21 with gcc-go by adding the following to prjconf:
Macros:
%_with_gccgo_go121 1
:Macros
* Update to %define gcc_go_version from 11 to 13 for SLE. gcc13
provides go1.18 needed for bootstrapping go1.21. (forwarded request 1294843 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1294844
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.21?expand=0&rev=21
- Packaging improvements:
* Refs bsc#1245292 go1.16 unresolveable on SLFO:Main. Recommended
mitigation for SLFO:Main is to bootstrap go1.21 with gccgo and
delete go1.16 through go1.20, all of which are EOL.
* Update %bcond_with gccgo_go121 to a version unique name from
%bcond_with gccgo. OBS prjconf does not support a conditional
%_with configuration to match just one package. Use a unique
name that is defined only in go1.21 packaging. Bootstrap
go1.21 with gcc-go by adding the following to prjconf:
Macros:
%_with_gccgo_go121 1
:Macros
* Update to %define gcc_go_version from 11 to 13 for SLE. gcc13
provides go1.18 needed for bootstrapping go1.21.
OBS-URL: https://build.opensuse.org/request/show/1294843
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.21?expand=0&rev=44
- go1.21.13 (released 2024-08-06) includes fixes to the go command,
the covdata command, and the bytes package.
Refs boo#1212475 go1.21 release tracking
* go#68491 cmd/covdata: too many open files due to defer f.Close() in for loop
* go#68474 bytes: IndexByte can return -4294967295 when memory usage is above 2^31 on js/wasm
* go#68221 cmd/go: list with -export and -covermode=atomic fails to build (forwarded request 1192310 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1192313
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.21?expand=0&rev=19
- go1.21.13 (released 2024-08-06) includes fixes to the go command,
the covdata command, and the bytes package.
Refs boo#1212475 go1.21 release tracking
* go#68491 cmd/covdata: too many open files due to defer f.Close() in for loop
* go#68474 bytes: IndexByte can return -4294967295 when memory usage is above 2^31 on js/wasm
* go#68221 cmd/go: list with -export and -covermode=atomic fails to build
OBS-URL: https://build.opensuse.org/request/show/1192310
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.21?expand=0&rev=39
- go1.21.12 (released 2024-07-02) includes security fixes to the
net/http package, as well as bug fixes to the compiler, the go
command, the runtime, and the crypto/x509, net/http, net/netip,
and os packages.
Refs boo#1212475 go1.21 release tracking
CVE-2024-24791
* go#68199 go#67555 boo#1227314 security: fix CVE CVE-2024-24791 net/http: expect: 100-continue handling is broken in various ways
* go#67297 runtime: "fatal: morestack on g0" on amd64 after upgrade to Go 1.21, stale bounds
* go#67426 cmd/link: need to handle new-style loong64 relocs
* go#67714 cmd/cgo/internal/swig,cmd/go,x/build: swig cgo tests incompatible with C++ toolchain on builders
* go#67849 go/internal/gccgoimporter: go building failing with gcc 14.1.0
* go#67933 net: go DNS resolver fails to connect to local DNS server
* go#67944 cmd/link: using -fuzz with test that links with cgo on darwin causes linker failure
* go#68051 cmd/go: go list -u -m all fails loading module retractions: module requires go >= 1.N+1 (running go 1.N) (forwarded request 1184951 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1184953
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.21?expand=0&rev=18
- go1.21.12 (released 2024-07-02) includes security fixes to the
net/http package, as well as bug fixes to the compiler, the go
command, the runtime, and the crypto/x509, net/http, net/netip,
and os packages.
Refs boo#1212475 go1.21 release tracking
CVE-2024-24791
* go#68199 go#67555 boo#1227314 security: fix CVE CVE-2024-24791 net/http: expect: 100-continue handling is broken in various ways
* go#67297 runtime: "fatal: morestack on g0" on amd64 after upgrade to Go 1.21, stale bounds
* go#67426 cmd/link: need to handle new-style loong64 relocs
* go#67714 cmd/cgo/internal/swig,cmd/go,x/build: swig cgo tests incompatible with C++ toolchain on builders
* go#67849 go/internal/gccgoimporter: go building failing with gcc 14.1.0
* go#67933 net: go DNS resolver fails to connect to local DNS server
* go#67944 cmd/link: using -fuzz with test that links with cgo on darwin causes linker failure
* go#68051 cmd/go: go list -u -m all fails loading module retractions: module requires go >= 1.N+1 (running go 1.N)
OBS-URL: https://build.opensuse.org/request/show/1184951
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.21?expand=0&rev=37
- go1.21.11 (released 2024-06-04) includes security fixes to the
archive/zip and net/netip packages, as well as bug fixes to the
compiler, the go command, the runtime, and the os package.
Refs boo#1212475 go1.21 release tracking
CVE-2024-24789 CVE-2024-24790
* go#67553 go#66869 boo#1225973 security: fix CVE-2024-24789 archive/zip: EOCDR comment length handling is inconsistent with other ZIP implementations
* go#67681 go#67680 boo#1225974 security: fix CVE-2024-24790 net/netip: unexpected behavior from Is methods for IPv4-mapped IPv6 addresses
* go#64586 cmd/go: spurious "v1.x.y is not a tag" error when a tag's commit was previously download without the tag
* go#67164 cmd/compile: SIGBUS unaligned access on mips64 via qemu-mips64
* go#67187 runtime/metrics: /memory/classes/heap/unused:bytes spikes
* go#67235 cmd/go: mod tidy reports toolchain not available with 'go 1.21'
* go#67310 cmd/go: TestScript/gotoolchain_issue66175 fails on tip locally
* go#67351 crypto/x509: TestPlatformVerifier failures on Windows due to broken connections
* go#67695 os: RemoveAll susceptible to symlink race (forwarded request 1178638 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1178640
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.21?expand=0&rev=17
- go1.21.11 (released 2024-06-04) includes security fixes to the
archive/zip and net/netip packages, as well as bug fixes to the
compiler, the go command, the runtime, and the os package.
Refs boo#1212475 go1.21 release tracking
CVE-2024-24789 CVE-2024-24790
* go#67553 go#66869 boo#1225973 security: fix CVE-2024-24789 archive/zip: EOCDR comment length handling is inconsistent with other ZIP implementations
* go#67681 go#67680 boo#1225974 security: fix CVE-2024-24790 net/netip: unexpected behavior from Is methods for IPv4-mapped IPv6 addresses
* go#64586 cmd/go: spurious "v1.x.y is not a tag" error when a tag's commit was previously download without the tag
* go#67164 cmd/compile: SIGBUS unaligned access on mips64 via qemu-mips64
* go#67187 runtime/metrics: /memory/classes/heap/unused:bytes spikes
* go#67235 cmd/go: mod tidy reports toolchain not available with 'go 1.21'
* go#67310 cmd/go: TestScript/gotoolchain_issue66175 fails on tip locally
* go#67351 crypto/x509: TestPlatformVerifier failures on Windows due to broken connections
* go#67695 os: RemoveAll susceptible to symlink race
OBS-URL: https://build.opensuse.org/request/show/1178638
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.21?expand=0&rev=35
- go1.21.10 (released 2024-05-07) includes security fixes to the go
command, as well as bug fixes to the net/http package.
Refs boo#1212475 go1.21 release tracking
CVE-2024-24787
* go#67121 go#67119 boo#1224017 security: fix CVE-2024-24787 cmd/go: arbitrary code execution during build on darwin
* go#66697 net/http: TestRequestLimit/h2 becomes significantly more expensive and slower after x/net@v0.23.0 (forwarded request 1172533 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1172535
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.21?expand=0&rev=16
- go1.21.9 (released 2024-04-03) includes a security fix to the
net/http package, as well as bug fixes to the linker, and the
go/types and net/http packages.
Refs boo#1212475 go1.21 release tracking
CVE-2023-45288
* go#65387 go#65051 boo#1221400 security: fix CVE-2023-45288 net/http, x/net/http2: close connections when receiving too many headers
* go#66254 net/http: http2 round tripper nil pointer dereference causes panic causing deadlock
* go#66326 cmd/compile: //go:build file version ignored when using generic function from package "slices" in Go 1.21
* go#66411 cmd/link: bad carrier sym for symbol runtime.elf_savegpr0.args_stackmap on ppc64le (forwarded request 1164435 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1164437
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.21?expand=0&rev=15
- go1.21.9 (released 2024-04-03) includes a security fix to the
net/http package, as well as bug fixes to the linker, and the
go/types and net/http packages.
Refs boo#1212475 go1.21 release tracking
CVE-2023-45288
* go#65387 go#65051 boo#1221400 security: fix CVE-2023-45288 net/http, x/net/http2: close connections when receiving too many headers
* go#66254 net/http: http2 round tripper nil pointer dereference causes panic causing deadlock
* go#66326 cmd/compile: //go:build file version ignored when using generic function from package "slices" in Go 1.21
* go#66411 cmd/link: bad carrier sym for symbol runtime.elf_savegpr0.args_stackmap on ppc64le
OBS-URL: https://build.opensuse.org/request/show/1164435
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.21?expand=0&rev=31
- go1.21.8 (released 2024-03-05) includes security fixes to the
crypto/x509, html/template, net/http, net/http/cookiejar, and
net/mail packages, as well as bug fixes to the go command and the
runtime.
Refs boo#1212475 go1.21 release tracking
CVE-2023-45289 CVE-2023-45290 CVE-2024-24783 CVE-2024-24784 CVE-2024-24785
* go#65385 go#65065 boo#1221000 security: fix CVE-2023-45289 net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect
* go#65389 go#65383 boo#1221001 security: fix CVE-2023-45290 net/http: memory exhaustion in Request.ParseMultipartForm
* go#65392 go#65390 boo#1220999 security: fix CVE-2024-24783 crypto/x509: Verify panics on certificates with an unknown public key algorithm
* go#65848 go#65083 boo#1221002 security: fix CVE-2024-24784 net/mail: comments in display names are incorrectly handled
* go#65968 go#65697 boo#1221003 security: fix CVE-2024-24785 html/template: errors returned from MarshalJSON methods may break template escaping
* go#65472 internal/testenv: TestHasGoBuild failures on the LUCI noopt builders
* go#65475 internal/testenv: support LUCI mobile builders in testenv tests
* go#65478 runtime: don't let the tests leave core files behind
* go#65640 cmd/cgo/internal/testsanitizers,x/build: LUCI clang15 builders failing
* go#65851 cmd/go: "missing ziphash" error with go.work
* go#65882 internal/poll: invalid uintptr conversion in call to windows.SetFileInformationByHandle (forwarded request 1155400 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1155402
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.21?expand=0&rev=14
- go1.21.8 (released 2024-03-05) includes security fixes to the
crypto/x509, html/template, net/http, net/http/cookiejar, and
net/mail packages, as well as bug fixes to the go command and the
runtime.
Refs boo#1212475 go1.21 release tracking
CVE-2023-45289 CVE-2023-45290 CVE-2024-24783 CVE-2024-24784 CVE-2024-24785
* go#65385 go#65065 boo#1221000 security: fix CVE-2023-45289 net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect
* go#65389 go#65383 boo#1221001 security: fix CVE-2023-45290 net/http: memory exhaustion in Request.ParseMultipartForm
* go#65392 go#65390 boo#1220999 security: fix CVE-2024-24783 crypto/x509: Verify panics on certificates with an unknown public key algorithm
* go#65848 go#65083 boo#1221002 security: fix CVE-2024-24784 net/mail: comments in display names are incorrectly handled
* go#65968 go#65697 boo#1221003 security: fix CVE-2024-24785 html/template: errors returned from MarshalJSON methods may break template escaping
* go#65472 internal/testenv: TestHasGoBuild failures on the LUCI noopt builders
* go#65475 internal/testenv: support LUCI mobile builders in testenv tests
* go#65478 runtime: don't let the tests leave core files behind
* go#65640 cmd/cgo/internal/testsanitizers,x/build: LUCI clang15 builders failing
* go#65851 cmd/go: "missing ziphash" error with go.work
* go#65882 internal/poll: invalid uintptr conversion in call to windows.SetFileInformationByHandle
OBS-URL: https://build.opensuse.org/request/show/1155400
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.21?expand=0&rev=29
- go1.21.7 (released 2024-02-06) includes fixes to the compiler,
the go command, the runtime, and the crypto/x509 package.
Refs boo#1212475 go1.21 release tracking
* go#63209 runtime: "fatal: morestack on g0" on amd64 after upgrade to Go 1.21
* go#63768 runtime: pinner.Pin doesn't panic when it says it will
* go#64497 cmd/go: flag modcacherw does not take effect in the target package
* go#64761 staticlockranking builders failing on release branches on LUCI
* go#64935 runtime: "traceback: unexpected SPWRITE function runtime.systemstack"
* go#65023 x/tools/go/analysis/unitchecker,slices: TestVetStdlib failing due to vet errors in panic tests
* go#65053 cmd/compile: //go:build file version ignored when calling generic fn which has related type params
* go#65323 crypto: rollback BoringCrypto fips-20220613 update
* go#65351 cmd/go: go generate fails silently when run on a package in a nested workspace module
* go#65380 crypto/x509: TestIssue51759 consistently failing on gotip-darwin-amd64_10.15 LUCI builder
* go#65449 runtime/trace: frame pointer unwinding crash on arm64 during async preemption (forwarded request 1144736 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1144738
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.21?expand=0&rev=11
- go1.21.7 (released 2024-02-06) includes fixes to the compiler,
the go command, the runtime, and the crypto/x509 package.
Refs boo#1212475 go1.21 release tracking
* go#63209 runtime: "fatal: morestack on g0" on amd64 after upgrade to Go 1.21
* go#63768 runtime: pinner.Pin doesn't panic when it says it will
* go#64497 cmd/go: flag modcacherw does not take effect in the target package
* go#64761 staticlockranking builders failing on release branches on LUCI
* go#64935 runtime: "traceback: unexpected SPWRITE function runtime.systemstack"
* go#65023 x/tools/go/analysis/unitchecker,slices: TestVetStdlib failing due to vet errors in panic tests
* go#65053 cmd/compile: //go:build file version ignored when calling generic fn which has related type params
* go#65323 crypto: rollback BoringCrypto fips-20220613 update
* go#65351 cmd/go: go generate fails silently when run on a package in a nested workspace module
* go#65380 crypto/x509: TestIssue51759 consistently failing on gotip-darwin-amd64_10.15 LUCI builder
* go#65449 runtime/trace: frame pointer unwinding crash on arm64 during async preemption
OBS-URL: https://build.opensuse.org/request/show/1144736
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.21?expand=0&rev=23
- go1.21.6 (released 2024-01-09) includes fixes to the compiler,
the runtime, and the crypto/tls, maps, and runtime/pprof
packages.
Refs boo#1212475 go1.21 release tracking
* go#63911 x/build,os/signal: TestDetectNohup and TestNohup fail on replacement darwin LUCI builders
* go#64410 runtime: ReadMemStats fatal error: mappedReady and other memstats are not equal
* go#64472 cmd/compile: linux/s390x: inlining bug in s390x
* go#64475 maps: maps.Clone reference semantics when cloning a map with large value types
* go#64561 runtime: excessive memory use between 1.21.0 -> 1.21.1
* go#64567 cmd/compile: max/min builtin broken when used with string(byte) conversions
* go#64609 runtime/pprof: incorrect function names for generics functions
* go#64719 crypto: upgrade to BoringCrypto fips-20220613 and enable TLS 1.3
* go#64757 runtime: race condition raised with parallel tests, panic(nil) and -race (forwarded request 1137838 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1137841
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.21?expand=0&rev=10
- go1.21.6 (released 2024-01-09) includes fixes to the compiler,
the runtime, and the crypto/tls, maps, and runtime/pprof
packages.
Refs boo#1212475 go1.21 release tracking
* go#63911 x/build,os/signal: TestDetectNohup and TestNohup fail on replacement darwin LUCI builders
* go#64410 runtime: ReadMemStats fatal error: mappedReady and other memstats are not equal
* go#64472 cmd/compile: linux/s390x: inlining bug in s390x
* go#64475 maps: maps.Clone reference semantics when cloning a map with large value types
* go#64561 runtime: excessive memory use between 1.21.0 -> 1.21.1
* go#64567 cmd/compile: max/min builtin broken when used with string(byte) conversions
* go#64609 runtime/pprof: incorrect function names for generics functions
* go#64719 crypto: upgrade to BoringCrypto fips-20220613 and enable TLS 1.3
* go#64757 runtime: race condition raised with parallel tests, panic(nil) and -race
OBS-URL: https://build.opensuse.org/request/show/1137838
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.21?expand=0&rev=21
- go1.21.5 (released 2023-12-05) includes security fixes to the go
command, and the net/http and path/filepath packages, as well as
bug fixes to the compiler, the go command, the runtime, and the
crypto/rand, net, os, and syscall packages.
Refs boo#1212475 go1.21 release tracking
CVE-2023-45285 CVE-2023-45284 CVE-2023-39326
* go#63973 go#63845 boo#1217834 security: fix CVE-2023-45285 cmd/go: git VCS qualifier in module path uses git:// scheme
* go#64041 go#63713 boo#1216943 security: fix CVE-2023-45284 path/filepath: Clean removes ending slash for volume on Windows in Go 1.21.4
* go#64435 go#64433 boo#1217833 security: fix CVE-2023-39326 net/http: limit chunked data overhead
* go#62055 cmd/go: go mod download needs to support toolchain upgrades
* go#63743 cmd/compile: invalid pointer found on stack when compiled with -race
* go#63764 os: NTFS deduped file changed from regular to irregular
* go#63801 net: TCPConn.ReadFrom hangs when io.Reader is TCPConn or UnixConn, Linux kernel < 5.1
* go#63984 cmd/compile: internal compiler error: panic during prove while compiling: unexpected induction with too many parents
* go#63994 syscall: TestOpenFileLimit unintentionally runs on non-Unix platforms
* go#64073 runtime: self-deadlock on mheap_.lock
* go#64413 crypto/rand: Legacy RtlGenRandom use on Windows (forwarded request 1131273 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1131275
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.21?expand=0&rev=9
- go1.21.5 (released 2023-12-05) includes security fixes to the go
command, and the net/http and path/filepath packages, as well as
bug fixes to the compiler, the go command, the runtime, and the
crypto/rand, net, os, and syscall packages.
Refs boo#1212475 go1.21 release tracking
CVE-2023-45285 CVE-2023-45284 CVE-2023-39326
* go#63973 go#63845 boo#1217834 security: fix CVE-2023-45285 cmd/go: git VCS qualifier in module path uses git:// scheme
* go#64041 go#63713 boo#1216943 security: fix CVE-2023-45284 path/filepath: Clean removes ending slash for volume on Windows in Go 1.21.4
* go#64435 go#64433 boo#1217833 security: fix CVE-2023-39326 net/http: limit chunked data overhead
* go#62055 cmd/go: go mod download needs to support toolchain upgrades
* go#63743 cmd/compile: invalid pointer found on stack when compiled with -race
* go#63764 os: NTFS deduped file changed from regular to irregular
* go#63801 net: TCPConn.ReadFrom hangs when io.Reader is TCPConn or UnixConn, Linux kernel < 5.1
* go#63984 cmd/compile: internal compiler error: panic during prove while compiling: unexpected induction with too many parents
* go#63994 syscall: TestOpenFileLimit unintentionally runs on non-Unix platforms
* go#64073 runtime: self-deadlock on mheap_.lock
* go#64413 crypto/rand: Legacy RtlGenRandom use on Windows
OBS-URL: https://build.opensuse.org/request/show/1131273
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.21?expand=0&rev=19
- go1.21.4 (released 2023-11-07) includes security fixes to the
path/filepath package, as well as bug fixes to the linker, the
runtime, the compiler, and the go/types, net/http, and
runtime/cgo packages.
Refs boo#1212475 go1.21 release tracking
CVE-2023-45283 CVE-2023-45284
* go#63715 go#63713 boo#1216943 boo#1216944 security: fix CVE-2023-45283 CVE-2023-45284 path/filepath: insecure parsing of Windows paths
* go#62207 spec: update unification rules
* go#62545 cmd/compile: internal compiler error: expected struct value to have type struct
* go#63317 cmd/link: split text sections for arm 32-bit
* go#63335 runtime: MADV_COLLAPSE causes production performance issues on Linux
* go#63339 go/types, x/tools/go/ssa: panic: type param without replacement encountered
* go#63509 cmd/compile: -buildmode=c-archive produces code not suitable for use in a shared object on arm64
* go#63560 net/http: http2 page fails on firefox/safari if pushing resources (forwarded request 1124117 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1124119
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.21?expand=0&rev=8
- go1.21.4 (released 2023-11-07) includes security fixes to the
path/filepath package, as well as bug fixes to the linker, the
runtime, the compiler, and the go/types, net/http, and
runtime/cgo packages.
Refs boo#1212475 go1.21 release tracking
CVE-2023-45283 CVE-2023-45284
* go#63715 go#63713 boo#1216943 boo#1216944 security: fix CVE-2023-45283 CVE-2023-45284 path/filepath: insecure parsing of Windows paths
* go#62207 spec: update unification rules
* go#62545 cmd/compile: internal compiler error: expected struct value to have type struct
* go#63317 cmd/link: split text sections for arm 32-bit
* go#63335 runtime: MADV_COLLAPSE causes production performance issues on Linux
* go#63339 go/types, x/tools/go/ssa: panic: type param without replacement encountered
* go#63509 cmd/compile: -buildmode=c-archive produces code not suitable for use in a shared object on arm64
* go#63560 net/http: http2 page fails on firefox/safari if pushing resources
OBS-URL: https://build.opensuse.org/request/show/1124117
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.21?expand=0&rev=17
- go1.21.2 (released 2023-10-05) includes one security fixes to the
cmd/go package, as well as bug fixes to the compiler, the go
command, the linker, the runtime, and the runtime/metrics
package.
Refs boo#1212475 go1.21 release tracking
CVE-2023-39323
* go#63214 go#63211 boo#1215985 security: fix CVE-2023-39323 cmd/go: line directives allows arbitrary execution during build
* go#62464 runtime: "traceback did not unwind completely"
* go#62478 runtime/metrics: /gc/scan* metrics return zero
* go#62505 plugin: variable not initialized properly
* go#62506 cmd/compile: internal compiler error: InvertFlags should never make it to codegen v100 = InvertFlags v123
* go#62509 runtime: scheduler change causes Delve's function call injection to fail intermittently
* go#62537 runtime: "fatal: morestack on g0" with PGO enabled on arm64
* go#62598 cmd/link: issues with Apple's new linker in Xcode 15 beta
* go#62668 cmd/compile: slow to compile 17,000 line switch statement?
* go#62711 cmd/go: TestScript/gotoolchain_path fails if golang.org/dl/go1.21.1 is installed in the user's $PATH (forwarded request 1115932 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1115934
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.21?expand=0&rev=6
- go1.21.2 (released 2023-10-05) includes one security fixes to the
cmd/go package, as well as bug fixes to the compiler, the go
command, the linker, the runtime, and the runtime/metrics
package.
Refs boo#1212475 go1.21 release tracking
CVE-2023-39323
* go#63214 go#63211 boo#1215985 security: fix CVE-2023-39323 cmd/go: line directives allows arbitrary execution during build
* go#62464 runtime: "traceback did not unwind completely"
* go#62478 runtime/metrics: /gc/scan* metrics return zero
* go#62505 plugin: variable not initialized properly
* go#62506 cmd/compile: internal compiler error: InvertFlags should never make it to codegen v100 = InvertFlags v123
* go#62509 runtime: scheduler change causes Delve's function call injection to fail intermittently
* go#62537 runtime: "fatal: morestack on g0" with PGO enabled on arm64
* go#62598 cmd/link: issues with Apple's new linker in Xcode 15 beta
* go#62668 cmd/compile: slow to compile 17,000 line switch statement?
* go#62711 cmd/go: TestScript/gotoolchain_path fails if golang.org/dl/go1.21.1 is installed in the user's $PATH
OBS-URL: https://build.opensuse.org/request/show/1115932
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.21?expand=0&rev=13
- go1.21.1 (released 2023-09-06) includes four security fixes to
the cmd/go, crypto/tls, and html/template packages, as well as
bug fixes to the compiler, the go command, the linker, the
runtime, and the context, crypto/tls, encoding/gob, encoding/xml,
go/types, net/http, os, and path/filepath packages.
Refs boo#1212475 go1.21 release tracking
CVE-2023-39318 CVE-2023-39319 CVE-2023-39320 CVE-2023-39321 CVE-2023-39322
- Add missing directory pprof html asset directory to package.
Refs boo#1215090
* src/cmd/vendor/github.com/google/pprof/internal/driver/html/
dir containing html assets is present in upstream Go
distribution but missing from SUSE go1.x packages
* Go programs importing runtime/pprof may fail with error:
/usr/lib64/go/1.21/src/cmd/vendor/github.com/google/pprof/internal/driver/webhtml.go
pattern html: no matching files found
* Reformat adjacent commment in spec file (forwarded request 1109619 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1109622
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.21?expand=0&rev=5
- go1.21.1 (released 2023-09-06) includes four security fixes to
the cmd/go, crypto/tls, and html/template packages, as well as
bug fixes to the compiler, the go command, the linker, the
runtime, and the context, crypto/tls, encoding/gob, encoding/xml,
go/types, net/http, os, and path/filepath packages.
Refs boo#1212475 go1.21 release tracking
CVE-2023-39318 CVE-2023-39319 CVE-2023-39320 CVE-2023-39321 CVE-2023-39322
- Add missing directory pprof html asset directory to package.
Refs boo#1215090
* src/cmd/vendor/github.com/google/pprof/internal/driver/html/
dir containing html assets is present in upstream Go
distribution but missing from SUSE go1.x packages
* Go programs importing runtime/pprof may fail with error:
/usr/lib64/go/1.21/src/cmd/vendor/github.com/google/pprof/internal/driver/webhtml.go
pattern html: no matching files found
* Reformat adjacent commment in spec file
OBS-URL: https://build.opensuse.org/request/show/1109619
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.21?expand=0&rev=11
