From 280719ba7f10a43ee7a59c4ad89746841fb39ca1 Mon Sep 17 00:00:00 2001 From: Christian Stewart Date: Fri, 10 Sep 2021 02:44:14 -0700 Subject: [PATCH] package/go: security bump to 1.17.1 The fix for CVE-2021-33196 can be bypassed by crafted inputs. As a result, the NewReader and OpenReader functions in archive/zip can still cause a panic or an unrecoverable fatal error when reading an archive that claims to contain a large number of files, regardless of its actual size. This is CVE-2021-39293. https://golang.org/doc/devel/release.html#go1.16.minor Signed-off-by: Christian Stewart Signed-off-by: Peter Korsgaard --- package/go/go.hash | 2 +- package/go/go.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/package/go/go.hash b/package/go/go.hash index d35d6ed572..9560eae30b 100644 --- a/package/go/go.hash +++ b/package/go/go.hash @@ -1,3 +1,3 @@ # From https://golang.org/dl/ -sha256 3a70e5055509f347c0fb831ca07a2bf3b531068f349b14a3c652e9b5b67beb5d go1.17.src.tar.gz +sha256 49dc08339770acd5613312db8c141eaf61779995577b89d93b541ef83067e5b1 go1.17.1.src.tar.gz sha256 2d36597f7117c38b006835ae7f537487207d8ec407aa9d9980794b2030cbc067 LICENSE diff --git a/package/go/go.mk b/package/go/go.mk index 09d9f60cd4..8e68dc3711 100644 --- a/package/go/go.mk +++ b/package/go/go.mk @@ -4,7 +4,7 @@ # ################################################################################ -GO_VERSION = 1.17 +GO_VERSION = 1.17.1 GO_SITE = https://storage.googleapis.com/golang GO_SOURCE = go$(GO_VERSION).src.tar.gz -- 2.30.2