[Buildroot] [PATCH v2] package/go: security bump to version 1.15.7

Peter Korsgaard peter at korsgaard.com
Thu Jan 21 16:02:53 UTC 2021


>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:

 > Fixes the following security issues:
 > - cmd/go: packages using cgo can cause arbitrary code execution at build time

 >   The go command may execute arbitrary code at build time when cgo is in use
 >   on Windows.  This may occur when running “go get”, or any other command
 >   that builds code.  Only users who build untrusted code (and don’t execute
 >   it) are affected.

 >   In addition to Windows users, this can also affect Unix users who have “.”
 >   listed explicitly in their PATH and are running “go get” or build commands
 >   outside of a module or with module mode disabled.

 >   Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.

 >   This issue is CVE-2021-3115 and Go issue golang.org/issue/43783.

 > - crypto/elliptic: incorrect operations on the P-224 curve

 >   The P224() Curve implementation can in rare circumstances generate
 >   incorrect outputs, including returning invalid points from ScalarMult.

 >   The crypto/x509 and golang.org/x/crypto/ocsp (but not crypto/tls) packages
 >   support P-224 ECDSA keys, but they are not supported by publicly trusted
 >   certificate authorities.  No other standard library or golang.org/x/crypto
 >   package supports or uses the P-224 curve.

 >   The incorrect output was found by the elliptic-curve-differential-fuzzer
 >   project running on OSS-Fuzz and reported by Philippe Antoine (Catena cyber).

 >   This issue is CVE-2021-3114 and Go issue golang.org/issue/43786.

 > Signed-off-by: Peter Korsgaard <peter at korsgaard.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard
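Added here as an example (not part of the Buildroot patch or of the Go project): a small Go self-check a build host can run against the two advisories quoted above. It assumes a Unix-style colon-separated PATH and uses a constructed seed string for the P-224 scalars.

```go
package main

import (
	"crypto/elliptic"
	"crypto/sha256"
	"fmt"
	"math/big"
	"os"
	"strings"
)

// dotInPath reports whether a Unix-style PATH has an entry resolving to the
// current directory: "." or an empty element. CVE-2021-3115 affects Unix
// users with "." in PATH, so a build host should carry no such entry.
func dotInPath(path string) bool {
	for _, dir := range strings.Split(path, ":") {
		if dir == "." || dir == "" {
			return true
		}
	}
	return false
}

// checkP224 derives n scalars from seed by hash chaining and checks, for each,
// that ScalarBaseMult and ScalarMult over the generator agree and the result
// is on the curve. It returns the failure count; a fixed Go (CVE-2021-3114) gives 0.
func checkP224(seed string, n int) int {
	curve := elliptic.P224()
	p := curve.Params()
	h := sha256.Sum256([]byte(seed))
	bad := 0
	for i := 0; i < n; i++ {
		k := new(big.Int).SetBytes(h[:])
		k.Mod(k, p.N)
		kb := k.FillBytes(make([]byte, 28)) // P-224 scalars are 28 bytes
		x1, y1 := curve.ScalarBaseMult(kb)
		x2, y2 := curve.ScalarMult(p.Gx, p.Gy, kb)
		if !curve.IsOnCurve(x1, y1) || x1.Cmp(x2) != 0 || y1.Cmp(y2) != 0 {
			bad++
		}
		h = sha256.Sum256(h[:]) // next scalar in the chain
	}
	return bad
}

func main() {
	if dotInPath(os.Getenv("PATH")) {
		fmt.Println("warning: PATH contains \".\" or an empty entry")
	}
	fmt.Printf("P-224 inconsistencies: %d\n", checkP224("buildroot-go-selftest", 64))
}
```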
