* Fri Apr 14 2023 jkowalczyk@suse.com
- Build subpackage go1.x-libstd compiled shared object libstd.so
only on Tumbleweed at this time.
Refs jsc#PED-1962
* Fri Apr 14 2023 jkowalczyk@suse.com
- Add subpackage go1.x-libstd for compiled shared object libstd.so.
Refs jsc#PED-1962
* Main go1.x package included libstd.so in previous versions
* Split libstd.so into subpackage that can be installed standalone
* Continues the slimming down of main go1.x package by 40 Mb
* Experimental and not recommended for general use, Go currently has no ABI
* Upstream Go has not committed to support buildmode=shared long-term
* Do not use in packaging, build static single binaries (the default)
* Upstream Go go1.x binary releases do not include libstd.so
* go1.x Suggests go1.x-libstd so not installed by default Recommends
* go1.x-libstd does not Require: go1.x so can install standalone
* Provides go-libstd unversioned package name
* Fix build step -buildmode=shared std to omit -linkshared
- Packaging improvements:
* go1.x Suggests go1.x-doc so not installed by default Recommends
* Use Group: Development/Languages/Go instead of Other
* Fri Apr 14 2023 jkowalczyk@suse.com
- Improvements to go1.x packaging spec:
* On Tumbleweed bootstrap with current default gcc13 and gccgo118
* On SLE-12 aarch64 ppc64le ppc64 remove overrides to bootstrap
using go1.x package (%bcond_without gccgo). This is no longer
needed on current SLE-12:Update and removing will consolidate
the build configurations used.
* Change source URLs to go.dev as per Go upstream
* Thu Apr 13 2023 mliska@suse.cz
- Use gcc13 compiler for Tumbleweed.
* Tue Aug 23 2022 schwab@suse.de
- Don't build with shared on riscv64 for < go1.18
* Mon Aug 22 2022 jkowalczyk@suse.com
- Define go_bootstrap_version go1.16 without suse_version checks
- Simplify conditional gcc_go_version 12 on Tumbleweed, 11 elsewhere
* Thu Aug 18 2022 dmueller@suse.com
- Bootstrap using go1.16 on SLE-15 and newer. go1.16 is
bootstrapped using gcc-go 11 or 12. This allows dropping older
versions of Go from Factory.
* Mon Aug 01 2022 jkowalczyk@suse.com
- go1.17.13 (released 2022-08-01) includes security fixes to the
encoding/gob and math/big packages, as well as bug fixes to the
compiler and the runtime.
Refs boo#1190649 go1.17 release tracking
CVE-2022-32189
* boo#1202035 CVE-2022-32189 go#53871
* go#54094 math/big: index out of range in Float.GobDecode
* go#53846 runtime: modified timer results in extreme cpu load
* go#53617 cmd/compile: condition in for loop body is incorrectly optimised away
* go#53111 runtime: gentraceback() dead loop on arm64 casued the process hang
* go#52960 cmd/compile: miscompilation in pointer operations
* Tue Jul 12 2022 jkowalczyk@suse.com
- go1.17.12 (released 2022-07-12) includes security fixes to the
compress/gzip, encoding/gob, encoding/xml, go/parser, io/fs,
net/http, and path/filepath packages, as well as bug fixes to the
compiler, the go command, the runtime, and the runtime/metrics
package.
Refs boo#1190649 go1.17 release tracking
CVE-2022-1705 CVE-2022-32148 CVE-2022-30631 CVE-2022-30633 CVE-2022-28131 CVE-2022-30635 CVE-2022-30632 CVE-2022-30630 CVE-2022-1962
* boo#1201434 CVE-2022-1705 go#53188
* go#53432 net/http: improper sanitization of Transfer-Encoding header
* boo#1201436 CVE-2022-32148 go#53423
* go#53620 net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
* boo#1201437 CVE-2022-30631 go#53168
* go#53717 compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
* boo#1201440 CVE-2022-30633 go#53611
* go#53715 encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)
* boo#1201443 CVE-2022-28131 go#53614
* go#53711 encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)
* boo#1201444 CVE-2022-30635 go#53615
* go#53709 encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)
* boo#1201445 CVE-2022-30632 go#53416
* go#53713 path/filepath: stack exhaustion in Glob (CVE-2022-30632)
* boo#1201447 CVE-2022-30630 go#53415
* go#53719 io/fs: stack exhaustion in Glob (CVE-2022-30630)
* boo#1201448 CVE-2022-1962 go#53616
* go#53707 go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)
* go#53612 syscall: NewCallback triggers data race on Windows when used from different goroutine
* go#53589 runtime/metrics: data race detected in Read
* go#53470 cmd/compile: internal compiler error: width not calculated: int128
* go#53050 misc/cgo/test: failure with gcc 10
* go#52688 runtime: total allocation stats are managed in a uintptr which can quickly wrap around on 32-bit architectures
* go#51351 cmd/go: "v1.x.y is not a tag" when .gitconfig sets log.decorate to full
* Wed Jun 01 2022 jkowalczyk@suse.com
- go1.17.11 (released 2022-06-01) includes security fixes to the
crypto/rand, crypto/tls, os/exec, and path/filepath packages, as
well as bug fixes to the crypto/tls package.
Refs boo#1190649 go1.17 release tracking
CVE-2022-30634 CVE-2022-30629 CVE-2022-30580 CVE-2022-29804
* boo#1200134 go#52561 CVE-2022-30634
* go#52932 crypto/rand: Read hangs when passed buffer larger than 1<<32 - 1
* boo#1200135 go#52814 CVE-2022-30629
* go#52832 crypto/tls: randomly generate ticket_age_add
* boo#1200136 go#52574 CVE-2022-30580
* go#53056 os/exec: Cmd.{Run,Start} should fail if Cmd.Path is unset
* boo#1200137 go#52476 CVE-2022-29804
* go#52478 path/filepath: Clean(.\c:) returns c: on Windows
* go#52790 crypto/tls: 500% increase in allocations from (*tls.Conn).Read in go 1.17
* go#52826 runtime: TestGcSys is still flaky
* go#53042 misc/cgo/testsanitizers: occasional hangs in TestTSAN/tsan12
* go#53049 runtime: TestGdbBacktrace failures due to GDB "internal-error: wait returned unexpected status 0x0"
* go#53114 misc/cgo/testsanitizers: deadlock in TestTSAN/tsan11
* Tue May 10 2022 jkowalczyk@suse.com
- go1.17.10 (released 2022-05-10) includes security fixes to the
syscall package, as well as bug fixes to the compiler, runtime,
and the crypto/x509 and net/http/httptest packages.
Refs boo#1190649 go1.17 release tracking
CVE-2022-29526
* boo#1199413 go#52313 CVE-2022-29526
* go#52439 syscall: Faccessat checks wrong group
* go#51858 crypto/x509: x509 certificate with issuerUniqueID and/or subjectUniqueID parse error
* go#52095 cmd/compile: fails to compile very long files starting go1.17
* go#52148 syscall: TestGroupCleanupUserNamespace failure on linux-s390x-ibm
* go#52306 sync: TestWaitGroupMisuse2 is flaky
* go#52374 runtime: executable compiled under Go 1.17.7 will occasionally wedge
* go#52455 net/http/httptest: race in Close
* go#52705 net: TestDialCancel is not compatible with new macOS ARM64 builders
* Mon May 02 2022 mliska@suse.cz
- Remove remaining use of gold linker when bootstrapping with
gccgo. The binutils-gold package will be removed in the future.
* History: go1.8.3 2017-06-18 added conditional if gccgo defined
BuildRequires: binutils-gold for arches other than s390x
* No information available why binutils-gold was used initially
* Unrelated to upstream recent hardcoded gold dependency for ARM
* Tue Apr 12 2022 jkowalczyk@suse.com
- go1.17.9 (released 2022-04-12) includes security fixes to the
crypto/elliptic and encoding/pem packages, as well as bug fixes
to the linker and runtime.
Refs boo#1190649 go1.17 release tracking
CVE-2022-24675 CVE-2022-28327
* boo#1198423 go#51853 CVE-2022-24675
* go#52036 encoding/pem: stack overflow
* boo#1198424 go#52075 CVE-2022-28327
* go#52076 crypto/elliptic: generic P-256 panic when scalar has too many leading zeroes
* go#51736 plugin: tls handshake panic: unreachable method called. linker bug?
* go#51696 runtime: some tests fails on Windows with CGO_ENABLED=0
* go#51458 runtime: finalizer call has wrong frame size
* go#50611 internal/poll: deadlock in Read on arm64 when an FD is closed
* Thu Apr 07 2022 jkowalczyk@suse.com
- Template gcc-go.patch to substitute gcc_go_version and eliminate
multiple similar patches each with hardcoded gcc go binary name.
gcc-go.patch inserts gcc-go binary name e.g. go-8 to compensate
for current lack of gcc-go update-alternatives usage.
* add gcc-go.patch
* drop gcc6-go.patch
* drop gcc7-go.patch
* Thu Apr 07 2022 jkowalczyk@suse.com
- For SLE-12 set gcc_go_version to 8 to bootstrap using gcc8-go.
gcc6-go and gcc7-go no longer successfully bootstrap go1.17 or
go1.18 on SLE-12 aarch64 ppc64le or s390x.
* gcc6-go fails with errors e.g. libnoder.a(_go_.o):(.toc+0x0):
undefined reference to `__go_pimt__I4_DiagFrN4_boolee3
* Fri Mar 11 2022 jkowalczyk@suse.com
- Add %define go_label as a configurable Go toolchain directory
* go_label can be used to package multiple Go toolchains with
the same go_api
* go_label should be defined as go_api with an optional suffix
e.g. %{go_api} or %{go_api}-foo
* Default go_label = go_api makes no changes to package layout
* Wed Mar 09 2022 dmueller@suse.com
- add dont-force-gold-on-arm64.patch (bsc#1183043)
- drop binutils-gold dependency
* Thu Mar 03 2022 jkowalczyk@suse.com
- go1.17.8 (released 2022-03-03) includes a security fix to the
regexp/syntax package, as well as bug fixes to the compiler,
runtime, the go command, and the crypto/x509, and net packages.
Refs boo#1190649 go1.17 release tracking
CVE-2022-24921
* boo#1196732 go#51112 CVE-2022-24921
* go#51118 regexp: stack overflow (process exit) handling deeply nested regexp
* go#51332 cmd/go/internal/modfetch: erroneously resolves a v2+incompatible version when a v2/go.mod file exists
* go#51199 cmd/compile: "runtime: bad pointer in frame" in riscv64 with complier optimizations
* go#51162 net: use EDNS to increase DNS packet size [freeze exception]
* go#50734 runtime/metrics: time histogram sub-bucket ranges are off by a factor of two
* go#51000 crypto/x509: invalid RDNSequence: invalid attribute value: unsupported string type: 18
* Fri Feb 18 2022 jkowalczyk@suse.com
- Add missing .bin binary test data to packaging.
* Existing test data files added to packaging with mode 644:
src/compress/bzip2/testdata/pass-random2.bin
src/compress/bzip2/testdata/pass-random1.bin
src/debug/dwarf/testdata/line-gcc-win.bin
* Thu Feb 10 2022 jkowalczyk@suse.com
- go1.17.7 (released 2022-02-10) includes security fixes to the
crypto/elliptic, math/big packages and to the go command, as well
as bug fixes to the compiler, linker, runtime, the go command,
and the debug/macho, debug/pe, and net/http/httptest packages.
Refs boo#1190649 go1.17 release tracking
CVE-2022-23806 CVE-2022-23772 CVE-2022-23773
* boo#1195838 go#50974 CVE-2022-23806
* go#50978 crypto/elliptic: IsOnCurve returns true for invalid field elements
* boo#1195835 go#50699 CVE-2022-23772
* go#50701 math/big: Rat.SetString may consume large amount of RAM and crash
* boo#1195834 go#35671 CVE-2022-23773
* go#50687 cmd/go: do not treat branches with semantic-version names as releases
* go#50942 cmd/asm: "compile: loop" compiler bug?
* go#50867 cmd/compile: incorrect use of CMN on arm64
* go#50812 cmd/go: remove bitbucket VCS probing
* go#50781 runtime: incorrect frame information in traceback traversal may hang the process.
* go#50722 debug/pe: reading debug_info section of PE files that use the DWARF5 form DW_FORM_line_strp causes error
* go#50683 cmd/compile: MOVWreg missing sign-extension following a Copy from a floating-point LoadReg
* go#50586 net/http/httptest: add fipsonly compliant certificate in for NewTLSServer(), for dev.boringcrypto branch
* go#50297 cmd/link: does not set section type of .init_array correctly
* go#50246 runtime: intermittent os/exec.Command.Start() Hang on Darwin in Presence of "plugin" Package