Compare commits
8 Commits
Author | SHA1 | Date |
---|---|---|
Jakub Čajka | f9db95a6c9 | |
Jakub Čajka | 82082d4314 | |
Jakub Čajka | c3b72c1a47 | |
Jakub Čajka | 3b89fed2fe | |
Jakub Čajka | 9ad1b634ea | |
Jakub Čajka | 0301e6483a | |
Jakub Čajka | 7d97257830 | |
Jakub Čajka | d0a2453060 |
|
@ -62,3 +62,10 @@
|
|||
/go1.11.1.src.tar.gz
|
||||
/go1.11.2.src.tar.gz
|
||||
/go1.11.4.src.tar.gz
|
||||
/go1.11.5.src.tar.gz
|
||||
/go1.11.6.src.tar.gz
|
||||
/go1.11.7.src.tar.gz
|
||||
/go1.11.10.src.tar.gz
|
||||
/go1.11.11.src.tar.gz
|
||||
/go1.11.12.src.tar.gz
|
||||
/go1.11.13.src.tar.gz
|
||||
|
|
|
@ -0,0 +1,103 @@
|
|||
diff -up ./go/src/net/http/serve_test.go ./go/src/net/http/serve_test.go
|
||||
--- ./go/src/net/http/serve_test.go 2019-08-13 18:50:13.000000000 +0200
|
||||
+++ ./go/src/net/http/serve_test.go 2019-10-05 05:35:33.018025762 +0200
|
||||
@@ -4725,6 +4725,10 @@ func TestServerValidatesHeaders(t *testi
|
||||
{"foo\xffbar: foo\r\n", 400}, // binary in header
|
||||
{"foo\x00bar: foo\r\n", 400}, // binary in header
|
||||
{"Foo: " + strings.Repeat("x", 1<<21) + "\r\n", 431}, // header too large
|
||||
+ // Spaces between the header key and colon are not allowed.
|
||||
+ // See RFC 7230, Section 3.2.4.
|
||||
+ {"Foo : bar\r\n", 400},
|
||||
+ {"Foo\t: bar\r\n", 400},
|
||||
|
||||
{"foo: foo foo\r\n", 200}, // LWS space is okay
|
||||
{"foo: foo\tfoo\r\n", 200}, // LWS tab is okay
|
||||
diff -up ./go/src/net/http/transport_test.go ./go/src/net/http/transport_test.go
|
||||
--- ./go/src/net/http/transport_test.go 2019-10-05 05:35:33.019025756 +0200
|
||||
+++ ./go/src/net/http/transport_test.go 2019-10-05 05:39:12.037927288 +0200
|
||||
@@ -4838,3 +4838,30 @@ func TestClientTimeoutKillsConn_AfterHea
|
||||
t.Fatal("timeout")
|
||||
}
|
||||
}
|
||||
+
|
||||
+func TestInvalidHeaderResponse(t *testing.T) {
|
||||
+ setParallel(t)
|
||||
+ defer afterTest(t)
|
||||
+ cst := newClientServerTest(t, h1Mode, HandlerFunc(func(w ResponseWriter, r *Request) {
|
||||
+ conn, buf, _ := w.(Hijacker).Hijack()
|
||||
+ buf.Write([]byte("HTTP/1.1 200 OK\r\n" +
|
||||
+ "Date: Wed, 30 Aug 2017 19:09:27 GMT\r\n" +
|
||||
+ "Content-Type: text/html; charset=utf-8\r\n" +
|
||||
+ "Content-Length: 0\r\n" +
|
||||
+ "Foo : bar\r\n\r\n"))
|
||||
+ buf.Flush()
|
||||
+ conn.Close()
|
||||
+ }))
|
||||
+ defer cst.close()
|
||||
+ res, err := cst.c.Get(cst.ts.URL)
|
||||
+ if err != nil {
|
||||
+ t.Fatal(err)
|
||||
+ }
|
||||
+ defer res.Body.Close()
|
||||
+ if v := res.Header.Get("Foo"); v != "" {
|
||||
+ t.Errorf(`unexpected "Foo" header: %q`, v)
|
||||
+ }
|
||||
+ if v := res.Header.Get("Foo "); v != "bar" {
|
||||
+ t.Errorf(`bad "Foo " header value: %q, want %q`, v, "bar")
|
||||
+ }
|
||||
+}
|
||||
diff -up ./go/src/net/textproto/reader.go ./go/src/net/textproto/reader.go
|
||||
--- ./go/src/net/textproto/reader.go 2019-08-13 18:50:13.000000000 +0200
|
||||
+++ ./go/src/net/textproto/reader.go 2019-10-05 05:35:33.019025756 +0200
|
||||
@@ -492,18 +492,12 @@ func (r *Reader) ReadMIMEHeader() (MIMEH
|
||||
return m, err
|
||||
}
|
||||
|
||||
- // Key ends at first colon; should not have trailing spaces
|
||||
- // but they appear in the wild, violating specs, so we remove
|
||||
- // them if present.
|
||||
+ // Key ends at first colon.
|
||||
i := bytes.IndexByte(kv, ':')
|
||||
if i < 0 {
|
||||
return m, ProtocolError("malformed MIME header line: " + string(kv))
|
||||
}
|
||||
- endKey := i
|
||||
- for endKey > 0 && kv[endKey-1] == ' ' {
|
||||
- endKey--
|
||||
- }
|
||||
- key := canonicalMIMEHeaderKey(kv[:endKey])
|
||||
+ key := canonicalMIMEHeaderKey(kv[:i])
|
||||
|
||||
// As per RFC 7230 field-name is a token, tokens consist of one or more chars.
|
||||
// We could return a ProtocolError here, but better to be liberal in what we
|
||||
diff -up ./go/src/net/textproto/reader_test.go ./go/src/net/textproto/reader_test.go
|
||||
--- ./go/src/net/textproto/reader_test.go 2019-08-13 18:50:13.000000000 +0200
|
||||
+++ ./go/src/net/textproto/reader_test.go 2019-10-05 05:43:58.156469247 +0200
|
||||
@@ -188,11 +188,10 @@ func TestLargeReadMIMEHeader(t *testing.
|
||||
}
|
||||
}
|
||||
|
||||
-// Test that we read slightly-bogus MIME headers seen in the wild,
|
||||
-// with spaces before colons, and spaces in keys.
|
||||
+// TestReadMIMEHeaderNonCompliant checks that we don't normalize headers
|
||||
+// with spaces before colons, and accept spaces in keys.
|
||||
func TestReadMIMEHeaderNonCompliant(t *testing.T) {
|
||||
- // Invalid HTTP response header as sent by an Axis security
|
||||
- // camera: (this is handled by IE, Firefox, Chrome, curl, etc.)
|
||||
+ // These invalid headers will be rejected by net/http according to RFC 7230.
|
||||
r := reader("Foo: bar\r\n" +
|
||||
"Content-Language: en\r\n" +
|
||||
"SID : 0\r\n" +
|
||||
@@ -202,9 +201,9 @@ func TestReadMIMEHeaderNonCompliant(t *t
|
||||
want := MIMEHeader{
|
||||
"Foo": {"bar"},
|
||||
"Content-Language": {"en"},
|
||||
- "Sid": {"0"},
|
||||
- "Audio Mode": {"None"},
|
||||
- "Privilege": {"127"},
|
||||
+ "SID ": {"0"},
|
||||
+ "Audio Mode ": {"None"},
|
||||
+ "Privilege ": {"127"},
|
||||
}
|
||||
if !reflect.DeepEqual(m, want) || err != nil {
|
||||
t.Fatalf("ReadMIMEHeader =\n%v, %v; want:\n%v", m, err, want)
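Review bot: The replacement comment `// Key ends at first colon.` in the net/textproto/reader.go hunk drops the reason the key is no longer trimmed, and that reason is the whole security fix. ReadMIMEHeader still returns a key such as `"SID "` without error (the updated TestReadMIMEHeaderNonCompliant expects exactly that), so rejection happens only in callers that validate field names, which the test comment says net/http does; on the client side TestInvalidHeaderResponse pins that the response is accepted and the header is stored under `"Foo "`. I would word the comment as `// Key ends at first colon. Trailing whitespace is deliberately kept so that callers can reject the malformed name (RFC 7230, Section 3.2.4) instead of having it normalized into a valid one.` Code that reads headers through net/textproto directly needs its own field-name check; whether any such caller exists in this tree is not visible here. ReadMIMEHeader's body starts and ends outside the hunk.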
|
50
golang.spec
50
golang.spec
|
@ -102,11 +102,11 @@
|
|||
%endif
|
||||
|
||||
%global go_api 1.11
|
||||
%global go_version 1.11.4
|
||||
%global go_version 1.11.13
|
||||
|
||||
Name: golang
|
||||
Version: 1.11.4
|
||||
Release: 1%{?dist}
|
||||
Version: 1.11.13
|
||||
Release: 2%{?dist}
|
||||
Summary: The Go Programming Language
|
||||
# source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain
|
||||
License: BSD and Public Domain
|
||||
|
@ -183,6 +183,8 @@ Requires: go-srpm-macros
|
|||
|
||||
Patch1: 0001-Don-t-use-the-bundled-tzdata-at-runtime-except-for-t.patch
|
||||
Patch2: 0002-syscall-expose-IfInfomsg.X__ifi_pad-on-s390x.patch
|
||||
# Backport of https://github.com/golang/go/commit/6e6f4aaf70c8b1cc81e65a26332aa9409de03ad8
|
||||
Patch3: CVE-2019-16276.patch
|
||||
|
||||
# Having documentation separate was broken
|
||||
Obsoletes: %{name}-docs < 1.1-4
|
||||
|
@ -265,13 +267,13 @@ Obsoletes: golang-vet < 0-12.1
|
|||
Obsoletes: golang-cover < 0-12.1
|
||||
|
||||
Requires(post): %{_sbindir}/update-alternatives
|
||||
Requires(postun): %{_sbindir}/update-alternatives
|
||||
Requires(preun): %{_sbindir}/update-alternatives
|
||||
|
||||
# We strip the meta dependency, but go does require glibc.
|
||||
# This is an odd issue, still looking for a better fix.
|
||||
Requires: glibc
|
||||
Requires: gcc
|
||||
Requires: git, subversion, mercurial
|
||||
Recommends: git, subversion, mercurial
|
||||
%description bin
|
||||
%{summary}
|
||||
|
||||
|
@ -308,6 +310,7 @@ Requires: %{name} = %{version}-%{release}
|
|||
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p2
|
||||
|
||||
cp %{SOURCE1} ./src/runtime/
|
||||
|
||||
|
@ -412,8 +415,8 @@ pushd $RPM_BUILD_ROOT%{goroot}
|
|||
echo "%%{golibdir}/$(basename $file)" >> $shared_list
|
||||
done
|
||||
|
||||
find pkg/*_dynlink/ -type d -printf '%%%dir %{goroot}/%p\n' >> $shared_list
|
||||
find pkg/*_dynlink/ ! -type d -printf '%{goroot}/%p\n' >> $shared_list
|
||||
find pkg/*_dynlink/ -type d -printf '%%%dir %{goroot}/%p\n' >> $shared_list
|
||||
find pkg/*_dynlink/ ! -type d -printf '%{goroot}/%p\n' >> $shared_list
|
||||
%endif
|
||||
|
||||
%if %{race}
|
||||
|
@ -546,6 +549,39 @@ fi
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Sat Oct 5 2019 Jakub Čajka <jcajka@redhat.com> - 1.11.13-2
|
||||
- Fix for CVE-2019-16276
|
||||
- Resolves: BZ#1755970
|
||||
|
||||
* Mon Aug 26 2019 Jakub Čajka <jcajka@redhat.com> - 1.11.13-1
|
||||
- Rebase to 1.11.13
|
||||
- Fix for CVE-2019-14809, CVE-2019-9514 and CVE-2019-9512
|
||||
- Resolves: BZ#1741816, BZ#1741827 and BZ#1743131
|
||||
|
||||
* Wed Jul 10 2019 Jakub Čajka <jcajka@redhat.com> - 1.11.12-1
|
||||
- Rebase to 1.11.12
|
||||
|
||||
* Thu Jun 13 2019 Jakub Čajka <jcajka@redhat.com> - 1.11.11-1
|
||||
- Rebase to 1.11.11
|
||||
|
||||
* Thu May 16 2019 Jakub Čajka <jcajka@redhat.com> - 1.11.10-1
|
||||
- Rebase to 1.11.10
|
||||
|
||||
* Mon Apr 8 2019 Jakub Čajka <jcajka@redhat.com> - 1.11.7-1
|
||||
- Rebase to 1.11.7
|
||||
|
||||
* Fri Mar 15 2019 Jakub Čajka <jcajka@redhat.com> - 1.11.6-1
|
||||
- Rebase to 1.11.6
|
||||
- Fix CVE-2019-9741
|
||||
- Fix requirement for %%preun (instead of %%postun) scriptlet thanks to Tim Landscheidt
|
||||
- Use weak deps for SCM deps
|
||||
- Resolves: BZ#1688233
|
||||
|
||||
* Sun Jan 27 2019 Jakub Čajka <jcajka@redhat.com> - 1.11.5-1
|
||||
- Rebase to go1.11.5
|
||||
- Fix for CVE-2019-6486
|
||||
- Resolves: BZ#1668973
|
||||
|
||||
* Wed Jan 02 2019 Jakub Čajka <jcajka@redhat.com> - 1.11.4-1
|
||||
- Rebase to go1.11.4
|
||||
- Fix for CVE-2018-16875, CVE-2018-16874 and CVE-2018-16873
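Review bot: `%patch3 -p2` uses a different strip level from `%patch1 -p1` and `%patch2 -p1`, and nothing in the spec says why. The patch file added in this commit names its files as `./go/src/net/...`, which is presumably why two leading path components have to be stripped. A one-line comment above it, for example `# CVE-2019-16276.patch carries ./go/ path prefixes, hence -p2`, would keep a later cleanup from changing it to -p1 and breaking %prep. Regenerating the patch relative to the source root, so that all three patches apply with -p1, would be the alternative.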
|
||||
|
|
2
sources
2
sources
|
@ -1 +1 @@
|
|||
SHA512 (go1.11.4.src.tar.gz) = 9aa2e1800807841ec0432289b672c1607bdcb295f29c02d38adfaf1e3bf043040c9f916e4cb170875d92fe168c5ba6baef2b3d1f824a56ff9138ca2cdcc646e0
|
||||
SHA512 (go1.11.13.src.tar.gz) = a5dc8ec2bdad226e2498fdfb3560d6e7e19a84711cc1adb91675a8563a0b1fd153513397ca2a2b8cf266d718a6964ad143dfa588313dcf7fe350dd4a24efc3e9
|
||||
|
|