| Field | Value |
|---|---|
| Summary | lang/go {14}: security/vuxml: multiple vulnerabilities (CVE-2015-5739, CVE-2015-5740, CVE-2015-5741) |
| Product | Ports & Packages |
| Component | Individual Port(s) |
| Reporter | Jason Unovitch <junovitch> |
| Assignee | Jason Unovitch <junovitch> |
| Status | Closed FIXED |
| Severity | Affects Some People |
| Priority | --- |
| CC | feld, jlaffaye, ports-secteam |
| Keywords | security |
| Version | Latest |
| Hardware | Any |
| OS | Any |
| Bug Depends on | 203387 |
| Bug Blocks | |
Description
Jason Unovitch
Created attachment 160318
security/vuxml entry for go
Document multiple security advisories for go and go14
PR: 202633
Security: CVE-2015-5739
Security: CVE-2015-5740
Security: CVE-2015-5741
Security: 4464212e-4acd-11e5-934b-002590263bf5
Approved by: feld|delphij|pgollucci (mentor)
A commit references this bug:

Author: junovitch
Date: Tue Aug 25 22:46:49 UTC 2015
New revision: 395321
URL: https://svnweb.freebsd.org/changeset/ports/395321

Log:
Document multiple security advisories for go and go14
PR: 202633
Security: CVE-2015-5739
Security: CVE-2015-5740
Security: CVE-2015-5741
Security: 4464212e-4acd-11e5-934b-002590263bf5
Approved by: delphij (mentor)

Changes:
head/security/vuxml/vuln.xml

jlaffaye@, how do you think we should handle it? The issues don't sound that severe and are only in the net/textproto and net/http modules. I think we can wait for the 1.4.3 update for lang/go14 and then perhaps just update 2015Q3's lang/go to 1.4.3. I don't know if 1.5 breaks any compatibility and if the go/go14 transition is worth pulling over to 2015Q3, but I'll defer to your expertise with that. Any thoughts on a good way ahead?

"The latest Go release, version 1.5, is a significant release, including major architectural changes to the implementation. Despite that, we expect almost all Go programs to continue to compile and run as before, because the release still maintains the Go 1 promise of compatibility."

I vote for MFH lang/go to latest. Go is a newer language moving at a fast pace. I'd not expect anyone to demand the ability to stay on a specific branch long term at this point.

(In reply to Mark Felder from comment #4)

Makes sense. It looks like we'll need to MFH the following:

- r395390 - Set empty GOBIN in GO_ENV
- r395014 - INDEX unbreak
- r394911 - lang/go 1.5 update
- r394910 - lang/go -> lang/go14 copy

That should cover down security for most users, particularly if lang/go14 is just being used to bootstrap the build of lang/go. Whenever 1.4.3 is released, we can update go14 and call this 100% done when that happens.

It looks like there are at least a couple of ports that break with Go 1.5:

- https://svnweb.FreeBSD.org/changeset/ports/395626
- https://svnweb.FreeBSD.org/changeset/ports/395627
- https://svnweb.FreeBSD.org/changeset/ports/395629

Tag depends on bug 203387.

Go 1.4.3 finally was released. That took longer than I would have expected based off the original mailing list discussions noted earlier.

https://groups.google.com/forum/#!topic/golang-announce/iSIyW4lM4hY

Created attachment 161468
lang/go: patch against 2015Q3

MFH: r398046 (partially)
- Update to 1.4.3, fix vulnerabilities
- Improve clang detection [1]

PR: 202624 [1]

Created attachment 161469
Poudriere testport log from 10.1-RELEASE jail

With 1.4.3 taking longer than expected, I vote at this point we just MFH the 1.4.3 update and call it good. "Approved by: ports-secteam" for the attached patch for 2015Q3/lang/go? Note there are some QA issues noted by Poudriere that lang/go14 on head also has.

Approved by: ports-secteam (feld)

2015Q3 fixed in: https://svnweb.FreeBSD.org/changeset/ports/398150

HEAD fixed by jlaffaye in: https://svnweb.FreeBSD.org/changeset/ports/398046

VuXML already covered everything earlier. Nothing further needed for this PR.
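The thread above only records that the three CVEs live in net/textproto and net/http and that 1.4.3 (or 1.5) carries the fix; it does not describe the bugs themselves. The following is an added example, not code from this PR or from the Go project, that gives a port maintainer a concrete check of whether the installed Go toolchain carries the fix. It relies on one detail taken from the upstream 1.4.3 advisory linked above rather than from this page: CVE-2015-5740 concerned net/http accepting a request carrying two Content-Length headers with different values, the classic request-smuggling shape. A patched net/http refuses such a request at parse time (the same `readRequest` path the server uses), so the check needs no network listener. The two raw requests are constructed for this example; the host name `example.test` and the path `/submit` are placeholders.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"strings"
)

// Constructed raw HTTP/1.1 requests for this example (not captured traffic).
// cleanRequest carries a single Content-Length.
const cleanRequest = "POST /submit HTTP/1.1\r\n" +
	"Host: example.test\r\n" +
	"Content-Length: 5\r\n" +
	"\r\n" +
	"hello"

// smuggledRequest carries two Content-Length headers that disagree. A
// front-end and a back-end that each honour a different one will
// desynchronise on where this request ends and the next begins; the
// trailing bytes are the start of a second, attacker-chosen request.
const smuggledRequest = "POST /submit HTTP/1.1\r\n" +
	"Host: example.test\r\n" +
	"Content-Length: 5\r\n" +
	"Content-Length: 15\r\n" +
	"\r\n" +
	"helloGET / HTTP"

// parseRequest feeds a raw request through net/http's request parser,
// the code path a net/http server runs on every inbound request, and
// reports whether it was accepted and which body length it settled on.
func parseRequest(raw string) (accepted bool, contentLength int64, err error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return false, -1, err
	}
	return true, req.ContentLength, nil
}

// toolchainRejectsDuplicateContentLength is the check to run against the
// installed Go: a net/http with the 1.4.3/1.5 fix must refuse the request
// with conflicting Content-Length headers instead of picking one of them.
func toolchainRejectsDuplicateContentLength() bool {
	accepted, _, _ := parseRequest(smuggledRequest)
	return !accepted
}

func main() {
	cases := []struct{ name, raw string }{
		{"clean", cleanRequest},
		{"duplicate-content-length", smuggledRequest},
	}
	for _, c := range cases {
		accepted, n, err := parseRequest(c.raw)
		if accepted {
			fmt.Printf("%s: accepted, Content-Length=%d\n", c.name, n)
		} else {
			fmt.Printf("%s: rejected: %v\n", c.name, err)
		}
	}
	if toolchainRejectsDuplicateContentLength() {
		fmt.Println("net/http refuses conflicting Content-Length headers (fixed toolchain)")
	} else {
		fmt.Println("WARNING: net/http accepted conflicting Content-Length headers")
	}
}
```

Build and run it with the Go under test (`go run` against the lang/go or lang/go14 binary in question). A fixed toolchain prints the rejection for the second request and the clean request parses with `Content-Length=5`; a toolchain that accepts both is still exposed to the header handling this PR documents.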