From: Christian Stewart Date: Thu, 29 Jul 2021 22:49:49 +0000 (-0700) Subject: package/go: security bump version to 1.16.6 X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=806b26950d51de22ffbbed0c975e7317982eeb30;p=buildroot.git package/go: security bump version to 1.16.6 These minor releases include a security fix according to the new security policy (#44918). crypto/tls clients can panic when provided a certificate of the wrong type for the negotiated parameters. net/http clients performing HTTPS requests are also affected. The panic can be triggered by an attacker in a privileged network position without access to the server certificate's private key, as long as a trusted ECDSA or Ed25519 certificate for the server exists (or can be issued), or the client is configured with Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher suites (that is, TLS 1.0–1.2 cipher suites without ECDHE), as well as TLS 1.3-only clients, are unaffected. This is CVE-2021-34558. View the release notes for more information: https://golang.org/doc/devel/release.html#go1.16.minor Signed-off-by: Christian Stewart Signed-off-by: Thomas Petazzoni --- diff --git a/package/go/go.hash b/package/go/go.hash index bc6147bb52..cd7f2b3813 100644 --- a/package/go/go.hash +++ b/package/go/go.hash @@ -1,3 +1,3 @@ # From https://golang.org/dl/ -sha256 7bfa7e5908c7cc9e75da5ddf3066d7cbcf3fd9fa51945851325eebc17f50ba80 go1.16.5.src.tar.gz +sha256 a3a5d4bc401b51db065e4f93b523347a4d343ae0c0b08a65c3423b05a138037d go1.16.6.src.tar.gz sha256 2d36597f7117c38b006835ae7f537487207d8ec407aa9d9980794b2030cbc067 LICENSE diff --git a/package/go/go.mk b/package/go/go.mk index 4252691343..7d6355df92 100644 --- a/package/go/go.mk +++ b/package/go/go.mk @@ -4,7 +4,7 @@ # ################################################################################ -GO_VERSION = 1.16.5 +GO_VERSION = 1.16.6 GO_SITE = https://storage.googleapis.com/golang GO_SOURCE = go$(GO_VERSION).src.tar.gz