lang/go and lang/go14 security issues: http://seclists.org/oss-sec/2015/q3/237

Fixed upstream in the following:
https://github.com/golang/go/commit/117ddcb83d7f42d6aa72241240af99ded81118e9
https://github.com/golang/go/commit/143822585e32449860e624cace9d2e521deee62e
https://github.com/golang/go/commit/300d9a21583e7cf0149a778a0611e76ff7c6680f

head:
lang/go - fixed
lang/go14 - pending upstream 1.4.3 release (http://seclists.org/oss-sec/2015/q3/337)

2015Q3:
lang/go - vulnerable
lang/go14 - N/A, does not exist at this time
Created attachment 160318 [details]
security/vuxml entry for go

Document multiple security advisories for go and go14

PR:		202633
Security:	CVE-2015-5739
Security:	CVE-2015-5740
Security:	CVE-2015-5741
Security:	4464212e-4acd-11e5-934b-002590263bf5
Approved by:	feld|delphij|pgollucci (mentor)
A commit references this bug:

Author: junovitch
Date: Tue Aug 25 22:46:49 UTC 2015
New revision: 395321
URL: https://svnweb.freebsd.org/changeset/ports/395321

Log:
  Document multiple security advisories for go and go14

  PR:		202633
  Security:	CVE-2015-5739
  Security:	CVE-2015-5740
  Security:	CVE-2015-5741
  Security:	4464212e-4acd-11e5-934b-002590263bf5
  Approved by:	delphij (mentor)

Changes:
  head/security/vuxml/vuln.xml
jlaffaye@, How do you think we should handle it? The issues don't sound that severe and are only in the net/textproto and net/http modules. I think we can wait for the 1.4.3 update for lang/go14 and then perhaps just update 2015Q3's lang/go to 1.4.3. I don't know if 1.5 breaks any compatibility and if the go/go14 transition is worth pulling over to 2015Q3 but I'll defer to your expertise with that. Any thoughts on a good way ahead?
"The latest Go release, version 1.5, is a significant release, including major architectural changes to the implementation. Despite that, we expect almost all Go programs to continue to compile and run as before, because the release still maintains the Go 1 promise of compatibility."

I vote for MFH lang/go to latest. Go is a newer language moving at a fast pace. I'd not expect anyone to demand the ability to stay on a specific branch long term at this point.
(In reply to Mark Felder from comment #4)

Makes sense. It looks like we'll need to MFH the following:

r395390 - Set empty GOBIN in GO_ENV
r395014 - INDEX unbreak
r394911 - lang/go 1.5 update
r394910 - lang/go -> lang/go14 copy

That should cover down security for most users, particularly if lang/go14 is just being used to bootstrap the build of lang/go. Whenever 1.4.3 is released, we can update go14 and call this 100% done when that happens.
It looks like there are at least a couple ports that break with Go 1.5.

https://svnweb.FreeBSD.org/changeset/ports/395626
https://svnweb.FreeBSD.org/changeset/ports/395627
https://svnweb.FreeBSD.org/changeset/ports/395629
Tag depends on bug 203387.

Go 1.4.3 finally was released. That took longer than I would have expected based off the original mailing list discussions noted earlier.

https://groups.google.com/forum/#!topic/golang-announce/iSIyW4lM4hY
Created attachment 161468 [details]
lang/go: patch against 2015Q3

MFH: r398046 (partially)
- Update to 1.4.3, fix vulnerabilities
- Improve clang detection [1]

PR:		202624 [1]
Created attachment 161469 [details] Poudriere testport log from 10.1-RELEASE jail
With 1.4.3 taking longer than expected I vote at this point we just MFH the 1.4.3 update and call it good. "Approved by: ports-secteam" for the attached patch for 2015Q3/lang/go? Note there are some QA issues noted by Poudriere that lang/go14 on head also has.
Approved by: ports-secteam (feld)
2015Q3 fixed in: https://svnweb.FreeBSD.org/changeset/ports/398150

HEAD fixed by jlaffaye in: https://svnweb.FreeBSD.org/changeset/ports/398046

VuXML already covered everything earlier. Nothing further needed for this PR.