[Buildroot] [PATCH v2] package/go: security bump to version 1.15.7
Peter Korsgaard
peter at korsgaard.com
Thu Jan 21 16:02:53 UTC 2021
>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:
> Fixes the following security issues:
> - cmd/go: packages using cgo can cause arbitrary code execution at build time
> The go command may execute arbitrary code at build time when cgo is in use
> on Windows. This may occur when running “go get”, or any other command
> that builds code. Only users who build untrusted code (and don’t execute
> it) are affected.
> In addition to Windows users, this can also affect Unix users who have “.”
> listed explicitly in their PATH and are running “go get” or build commands
> outside of a module or with module mode disabled.
> Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.
> This issue is CVE-2021-3115 and Go issue golang.org/issue/43783.
> - crypto/elliptic: incorrect operations on the P-224 curve
> The P224() Curve implementation can in rare circumstances generate
> incorrect outputs, including returning invalid points from ScalarMult.
> The crypto/x509 and golang.org/x/crypto/ocsp (but not crypto/tls) packages
> support P-224 ECDSA keys, but they are not supported by publicly trusted
> certificate authorities. No other standard library or golang.org/x/crypto
> package supports or uses the P-224 curve.
> The incorrect output was found by the elliptic-curve-differential-fuzzer
> project running on OSS-Fuzz and reported by Philippe Antoine (Catena cyber).
> This issue is CVE-2021-3114 and Go issue golang.org/issue/43786.
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
Committed, thanks.
--
Bye, Peter Korsgaard
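The two advisories quoted above each describe a condition a build host or application can check for itself. The Go program below is an added example and is not part of the patch, of Buildroot or of the Go release notes; the function names, the `Finding` type and the sample values are my own. `AuditBuildEnv` flags the Unix-side precondition for CVE-2021-3115 (a `.` or empty component in `PATH`, which the OS resolves to the current directory, together with `GO111MODULE=off`), and `CheckP224ScalarMult` applies the sanity check that CVE-2021-3114 violated: a scalar multiple of the P-224 generator must lie on the curve.

```go
package main

import (
	"crypto/elliptic"
	"fmt"
	"os"
	"strings"
)

// Finding describes one risky build-host setting (type name is my own).
type Finding struct {
	Key    string // environment variable the finding refers to
	Detail string // human-readable explanation
}

// AuditBuildEnv takes PATH and GO111MODULE values explicitly (so it can be
// exercised with constructed input) and reports the conditions the advisory
// names for Unix hosts: "." listed in PATH, or an empty component, which
// POSIX lookup treats as the current directory, plus module mode disabled.
// The PATH separator is hard-coded to ':' because the advisory's Unix case is
// what is being checked here.
func AuditBuildEnv(path, go111module string) []Finding {
	var findings []Finding
	for i, dir := range strings.Split(path, ":") {
		if dir == "." || dir == "" {
			findings = append(findings, Finding{
				Key: "PATH",
				Detail: fmt.Sprintf("component %d is %q: the current directory is searched for executables", i, dir),
			})
		}
	}
	if strings.EqualFold(strings.TrimSpace(go111module), "off") {
		findings = append(findings, Finding{
			Key:    "GO111MODULE",
			Detail: "module mode disabled; builds outside a module run with GOPATH semantics",
		})
	}
	return findings
}

// CheckP224ScalarMult multiplies the P-224 generator by scalar k and reports
// whether the result is a valid curve point. A correct implementation always
// returns true for scalars between 1 and N-1; the fixed-in-1.15.7 bug could
// return points that fail this check. k = N (the point at infinity) is
// deliberately excluded from the claim, since IsOnCurve rejects infinity.
func CheckP224ScalarMult(k []byte) bool {
	c := elliptic.P224()
	x, y := c.ScalarMult(c.Params().Gx, c.Params().Gy, k)
	return c.IsOnCurve(x, y)
}

func main() {
	// Audit the real environment of the host this runs on.
	for _, f := range AuditBuildEnv(os.Getenv("PATH"), os.Getenv("GO111MODULE")) {
		fmt.Printf("%s: %s\n", f.Key, f.Detail)
	}
	// Constructed scalars: 1 (gives the generator itself), 2 and a larger value.
	for _, k := range [][]byte{{1}, {2}, {0xde, 0xad, 0xbe, 0xef}} {
		fmt.Printf("P-224 [%x]G on curve: %v\n", k, CheckP224ScalarMult(k))
	}
}
```

On a build host the `PATH` findings are the ones to act on: Buildroot builds run untrusted third-party sources through `go build`, so a `.` or empty entry in the build user's `PATH` is worth removing regardless of the Go version installed.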