- go1.19.6 (released 2023-02-14) includes security fixes to the
crypto/tls, mime/multipart, net/http, and path/filepath packages,
as well as bug fixes to the go command, the linker, the runtime,
and the crypto/x509, net/http, and time packages.
Refs boo#1200441 go1.19 release tracking
CVE-2022-41722 CVE-2022-41723 CVE-2022-41724 CVE-2022-41725
* go#57275 boo#1208269 security: fix CVE-2022-41722
* go#58355 boo#1208270 security: fix CVE-2022-41723
* go#58358 boo#1208271 security: fix CVE-2022-41724
* go#58362 boo#1208272 security: fix CVE-2022-41725
* go#56154 net/http: bad handling of HEAD requests with a body
* go#57635 crypto/x509: TestBoringAllowCert failures
* go#57812 runtime: performance regression due to bad instruction used in morestack_noctxt for ppc64 in CL 425396
* go#58118 time: update zoneinfo_abbrs on Windows
* go#58223 cmd/link: .go.buildinfo is gc'ed by --gc-sections
* go#58449 cmd/go/internal/modfetch: TestCodeRepo/gopkg.in_natefinch_lumberjack.v2/latest failing
(forwarded request 1066110 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1066111
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.19?expand=0&rev=10
- go1.19.6 (released 2023-02-14) includes security fixes to the
crypto/tls, mime/multipart, net/http, and path/filepath packages,
as well as bug fixes to the go command, the linker, the runtime,
and the crypto/x509, net/http, and time packages.
Refs boo#1200441 go1.19 release tracking
CVE-2022-41722 CVE-2022-41723 CVE-2022-41724 CVE-2022-41725
* go#57275 boo#1208269 security: fix CVE-2022-41722
* go#58355 boo#1208270 security: fix CVE-2022-41723
* go#58358 boo#1208271 security: fix CVE-2022-41724
* go#58362 boo#1208272 security: fix CVE-2022-41725
* go#56154 net/http: bad handling of HEAD requests with a body
* go#57635 crypto/x509: TestBoringAllowCert failures
* go#57812 runtime: performance regression due to bad instruction used in morestack_noctxt for ppc64 in CL 425396
* go#58118 time: update zoneinfo_abbrs on Windows
* go#58223 cmd/link: .go.buildinfo is gc'ed by --gc-sections
* go#58449 cmd/go/internal/modfetch: TestCodeRepo/gopkg.in_natefinch_lumberjack.v2/latest failing
OBS-URL: https://build.opensuse.org/request/show/1066110
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.19?expand=0&rev=20
- go1.19.5 (released 2023-01-10) includes fixes to the compiler,
the linker, and the crypto/x509, net/http, sync/atomic, and
syscall packages.
Refs boo#1200441 go1.19 release tracking
* go#57706 Misc/cgo: backport needed for dlltool fix
* go#57556 crypto/x509: re-allow duplicate attributes in CSRs
* go#57444 cmd/link: need to handle new-style LoongArch relocs
* go#57427 crypto/x509: Verify on macOS does not return typed errors
* go#57345 cmd/compile: the loong64 intrinsic for CompareAndSwapUint32 function needs to sign extend its "old" argument.
* go#57339 syscall, internal/poll: accept4-to-accept fallback removal broke Go code on Synology DSM 6.2 ARM devices
* go#57214 os: TestLstat failure on Linux Aarch64
* go#57212 reflect: sort.SliceStable sorts incorrectly on arm64 with less function created with reflect.MakeFunc and slice of sufficient length
* go#57124 sync/atomic: allow linked lists of atomic.Pointer
* go#57100 cmd/compile: non-retpoline-compatible errors
* go#57058 cmd/go: remove test dependency on gopkg.in service
* go#57055 cmd/go: TestScript/version_buildvcs_git_gpg (if enabled) fails on linux longtest builders
* go#56983 runtime: failure in TestRaiseException on windows-amd64-2012
* go#56834 cmd/link/internal/ppc64: too-far trampoline is reused
* go#56770 cmd/compile: walkConvInterface produces broken IR
* go#56744 cmd/compile: internal compiler error: missing typecheck
* go#56712 net: reenable TestLookupDotsWithRemoteSource and TestLookupGoogleSRV with a different target
* go#56154 net/http: bad handling of HEAD requests with a body
(forwarded request 1057692 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1057694
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.19?expand=0&rev=9
- go1.19.5 (released 2023-01-10) includes fixes to the compiler,
the linker, and the crypto/x509, net/http, sync/atomic, and
syscall packages.
Refs boo#1200441 go1.19 release tracking
* go#57706 Misc/cgo: backport needed for dlltool fix
* go#57556 crypto/x509: re-allow duplicate attributes in CSRs
* go#57444 cmd/link: need to handle new-style LoongArch relocs
* go#57427 crypto/x509: Verify on macOS does not return typed errors
* go#57345 cmd/compile: the loong64 intrinsic for CompareAndSwapUint32 function needs to sign extend its "old" argument.
* go#57339 syscall, internal/poll: accept4-to-accept fallback removal broke Go code on Synology DSM 6.2 ARM devices
* go#57214 os: TestLstat failure on Linux Aarch64
* go#57212 reflect: sort.SliceStable sorts incorrectly on arm64 with less function created with reflect.MakeFunc and slice of sufficient length
* go#57124 sync/atomic: allow linked lists of atomic.Pointer
* go#57100 cmd/compile: non-retpoline-compatible errors
* go#57058 cmd/go: remove test dependency on gopkg.in service
* go#57055 cmd/go: TestScript/version_buildvcs_git_gpg (if enabled) fails on linux longtest builders
* go#56983 runtime: failure in TestRaiseException on windows-amd64-2012
* go#56834 cmd/link/internal/ppc64: too-far trampoline is reused
* go#56770 cmd/compile: walkConvInterface produces broken IR
* go#56744 cmd/compile: internal compiler error: missing typecheck
* go#56712 net: reenable TestLookupDotsWithRemoteSource and TestLookupGoogleSRV with a different target
* go#56154 net/http: bad handling of HEAD requests with a body
OBS-URL: https://build.opensuse.org/request/show/1057692
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.19?expand=0&rev=18
- go1.19.4 (released 2022-12-06) includes security fixes to the
net/http and os packages, as well as bug fixes to the compiler,
the runtime, and the crypto/x509, os/exec, and sync/atomic
packages.
Refs boo#1200441 go1.19 release tracking
CVE-2022-41717 CVE-2022-41720
* go#57009 boo#1206135 security: fix CVE-2022-41717 net/http: limit canonical header cache by bytes, not entries
* go#57006 boo#1206134 security: fix CVE-2022-41720 os, net/http: avoid escapes from os.DirFS and http.Dir on Windows
* go#56752 runtime,cmd/compile: apparent memory corruption in compress/flate
* go#56710 net: builders failing TestLookupDotsWithRemoteSource and TestLookupGoogleSRV due to missing host for _xmpp-server._tcp.google.com
* go#56672 crypto/tls: boringcrypto restricts RSA key sizes to 2048 and 3072
* go#56638 sync/atomic: atomic.Pointer[T] can be misused with type conversions.
* go#56636 runtime: traceback stuck in runtime.systemstack
* go#56557 cmd/compile: some x/sys versions no longer build due to "go:linkname must refer to declared function or variable"
* go#56551 os/exec: Plan 9 build has been broken by a Windows security fix (also breaks 1.19.3 and 1.18.8)
* go#56438 crypto/x509: respect GODEBUG changes during program lifetime
* go#56397 runtime: on linux/PPC64, usleep computes incorrect tv_nsec parameter
* go#56360 cmd/compile: panic: offset too large
(forwarded request 1041233 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1041235
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.19?expand=0&rev=8
- go1.19.4 (released 2022-12-06) includes security fixes to the
net/http and os packages, as well as bug fixes to the compiler,
the runtime, and the crypto/x509, os/exec, and sync/atomic
packages.
Refs boo#1200441 go1.19 release tracking
CVE-2022-41717 CVE-2022-41720
* go#57009 boo#1206135 security: fix CVE-2022-41717 net/http: limit canonical header cache by bytes, not entries
* go#57006 boo#1206134 security: fix CVE-2022-41720 os, net/http: avoid escapes from os.DirFS and http.Dir on Windows
* go#56752 runtime,cmd/compile: apparent memory corruption in compress/flate
* go#56710 net: builders failing TestLookupDotsWithRemoteSource and TestLookupGoogleSRV due to missing host for _xmpp-server._tcp.google.com
* go#56672 crypto/tls: boringcrypto restricts RSA key sizes to 2048 and 3072
* go#56638 sync/atomic: atomic.Pointer[T] can be misused with type conversions.
* go#56636 runtime: traceback stuck in runtime.systemstack
* go#56557 cmd/compile: some x/sys versions no longer build due to "go:linkname must refer to declared function or variable"
* go#56551 os/exec: Plan 9 build has been broken by a Windows security fix (also breaks 1.19.3 and 1.18.8)
* go#56438 crypto/x509: respect GODEBUG changes during program lifetime
* go#56397 runtime: on linux/PPC64, usleep computes incorrect tv_nsec parameter
* go#56360 cmd/compile: panic: offset too large
OBS-URL: https://build.opensuse.org/request/show/1041233
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.19?expand=0&rev=16
- go1.19.2 (released 2022-10-04) includes security fixes to the
archive/tar, net/http/httputil, and regexp packages, as well as
bug fixes to the compiler, the linker, the runtime, and the
go/types package.
Refs boo#1200441 go1.19 release tracking
CVE-2022-41715 CVE-2022-2879 CVE-2022-2880
* go#55951 boo#1204023 security: fix CVE-2022-41715 regexp/syntax: limit memory used by parsing regexps
* go#55926 boo#1204024 security: fix CVE-2022-2879 archive/tar: unbounded memory consumption when reading headers
* go#55843 boo#1204025 security: fix CVE-2022-2880 net/http/httputil: ReverseProxy should not forward unparseable query parameters
* go#55270 cmd/compile: internal compiler error: method Len on *uint8 not found
* go#55152 cmd/compile: typebits.Set: invalid initial alignment: type Peer has alignment 8, but offset is 4
* go#55149 go/types: no way to construct the signature of append(s, "string"...) via the API
* go#55124 fatal error: bulkBarrierPreWrite: unaligned arguments (go 1.19.1, looks like regression)
* go#55114 cmd/link: new darwin linker warning on -pagezero_size and -no_pie deprecation
* go#54917 cmd/compile: Value live at entry
* go#54764 runtime/cgo(.text): unknown symbol __stack_chk_fail_local in pcrel (regression in 1.19 when building for i686)
(forwarded request 1008076 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1008078
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.19?expand=0&rev=6
- go1.19.2 (released 2022-10-04) includes security fixes to the
archive/tar, net/http/httputil, and regexp packages, as well as
bug fixes to the compiler, the linker, the runtime, and the
go/types package.
Refs boo#1200441 go1.19 release tracking
CVE-2022-41715 CVE-2022-2879 CVE-2022-2880
* go#55951 boo#1204023 security: fix CVE-2022-41715 regexp/syntax: limit memory used by parsing regexps
* go#55926 boo#1204024 security: fix CVE-2022-2879 archive/tar: unbounded memory consumption when reading headers
* go#55843 boo#1204025 security: fix CVE-2022-2880 net/http/httputil: ReverseProxy should not forward unparseable query parameters
* go#55270 cmd/compile: internal compiler error: method Len on *uint8 not found
* go#55152 cmd/compile: typebits.Set: invalid initial alignment: type Peer has alignment 8, but offset is 4
* go#55149 go/types: no way to construct the signature of append(s, "string"...) via the API
* go#55124 fatal error: bulkBarrierPreWrite: unaligned arguments (go 1.19.1, looks like regression)
* go#55114 cmd/link: new darwin linker warning on -pagezero_size and -no_pie deprecation
* go#54917 cmd/compile: Value live at entry
* go#54764 runtime/cgo(.text): unknown symbol __stack_chk_fail_local in pcrel (regression in 1.19 when building for i686)
OBS-URL: https://build.opensuse.org/request/show/1008076
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.19?expand=0&rev=12
- go1.19.1 (released 2022-09-06) includes security fixes to the
net/http and net/url packages, as well as bug fixes to the
compiler, the go command, the pprof command, the linker, the
runtime, and the crypto/tls and crypto/x509 packages.
Refs boo#1200441 go1.19 release tracking
CVE-2022-27664 CVE-2022-32190
* go#54376 bsc#1203185 CVE-2022-27664 net/http: handle server errors after sending GOAWAY
* go#54635 bsc#1203186 CVE-2022-32190 net/url: JoinPath doesn't strip relative path components in all circumstances
* go#54736 cmd/go: cannot find package when importing dependencies with the unix build constraint
* go#54734 cmd/go: git fetch errors dropped when producing pseudo-versions for commits
* go#54726 cmd/compile: compile failed with "Value live at entry"
* go#54697 cmd/compile: ICE at composite literal assignment with alignment > PtrSize
* go#54675 runtime: morestack_noctxt missing SPWRITE, causes "traceback stuck" assert
* go#54665 runtime: segfault running ppc64/linux binaries with kernel 5.18
* go#54660 cmd/go: go test -race does not set implicit race build tag
* go#54643 crypto/tls: support ECDHE key exchanges when ec_point_formats is missing in ClientHello extension
* go#54637 cmd/go: data race in TestScript
* go#54633 cmd/go/internal/modfetch/codehost: racing writes to Origin fields
* go#54629 cmd/compile: miscompilation of partially-overlapping array assignments
* go#54420 cmd/pprof: graphviz node names are funny with generics
* go#54406 cmd/link: trampoline insertion breaks DWARF Line Program Table output on Darwin/ARM64
* go#54309 cmd/compile: internal compiler error: panic: runtime error: invalid memory address or nil pointer dereference
* go#54295 crypto/x509: panics on invalid curve instead of returning error
* go#54243 cmd/compile: internal compiler error when compiling code with unbound method of generic type
* go#54239 misc/cgo: TestSignalForwardingExternal sometimes fails with wrong signal SIGINT
* go#54235 cmd/compile: internal compiler error of atomic type and offsetof
(forwarded request 1001532 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1001534
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.19?expand=0&rev=5
- go1.19.1 (released 2022-09-06) includes security fixes to the
net/http and net/url packages, as well as bug fixes to the
compiler, the go command, the pprof command, the linker, the
runtime, and the crypto/tls and crypto/x509 packages.
Refs boo#1200441 go1.19 release tracking
CVE-2022-27664 CVE-2022-32190
* go#54376 bsc#1203185 CVE-2022-27664 net/http: handle server errors after sending GOAWAY
* go#54635 bsc#1203186 CVE-2022-32190 net/url: JoinPath doesn't strip relative path components in all circumstances
* go#54736 cmd/go: cannot find package when importing dependencies with the unix build constraint
* go#54734 cmd/go: git fetch errors dropped when producing pseudo-versions for commits
* go#54726 cmd/compile: compile failed with "Value live at entry"
* go#54697 cmd/compile: ICE at composite literal assignment with alignment > PtrSize
* go#54675 runtime: morestack_noctxt missing SPWRITE, causes "traceback stuck" assert
* go#54665 runtime: segfault running ppc64/linux binaries with kernel 5.18
* go#54660 cmd/go: go test -race does not set implicit race build tag
* go#54643 crypto/tls: support ECDHE key exchanges when ec_point_formats is missing in ClientHello extension
* go#54637 cmd/go: data race in TestScript
* go#54633 cmd/go/internal/modfetch/codehost: racing writes to Origin fields
* go#54629 cmd/compile: miscompilation of partially-overlapping array assignments
* go#54420 cmd/pprof: graphviz node names are funny with generics
* go#54406 cmd/link: trampoline insertion breaks DWARF Line Program Table output on Darwin/ARM64
* go#54309 cmd/compile: internal compiler error: panic: runtime error: invalid memory address or nil pointer dereference
* go#54295 crypto/x509: panics on invalid curve instead of returning error
* go#54243 cmd/compile: internal compiler error when compiling code with unbound method of generic type
* go#54239 misc/cgo: TestSignalForwardingExternal sometimes fails with wrong signal SIGINT
* go#54235 cmd/compile: internal compiler error of atomic type and offsetof
OBS-URL: https://build.opensuse.org/request/show/1001532
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.19?expand=0&rev=10
- Define go_bootstrap_version go1.16 without suse_version checks
- Simplify conditional gcc_go_version 12 on Tumbleweed, 11 elsewhere
- Add _constraints for worker disk space 5G needed by SLE-15 x86_64
- SLE-12 s390x use bcond_without gccgo to bootstrap using gcc11go
* Workaround for SLE-12 s390x build error while writing linker data:
bad carrier sym for symbol crypto/internal/nistec.p256OrdMul.args_stackmap
created by cmd/link/internal/ld.writeBlocks
/usr/lib64/go/1.19/src/cmd/link/internal/ld/data.go:958
(forwarded request 998733 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/998736
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.19?expand=0&rev=4
- Define go_bootstrap_version go1.16 without suse_version checks
- Simplify conditional gcc_go_version 12 on Tumbleweed, 11 elsewhere
- Add _constraints for worker disk space 5G needed by SLE-15 x86_64
- SLE-12 s390x use bcond_without gccgo to bootstrap using gcc11go
* Workaround for SLE-12 s390x build error while writing linker data:
bad carrier sym for symbol crypto/internal/nistec.p256OrdMul.args_stackmap
created by cmd/link/internal/ld.writeBlocks
/usr/lib64/go/1.19/src/cmd/link/internal/ld/data.go:958
OBS-URL: https://build.opensuse.org/request/show/998733
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.19?expand=0&rev=8