Fix for CVE-2019-16276

Resolves: BZ#1755970
Rebase to 1.11.13
2019-10-05 10:08:49 +02:00 · 2019-08-26 16:08:45 +02:00 · 2019-07-10 13:10:29 +02:00 · 2019-06-13 10:37:15 +02:00 · 2019-05-16 13:41:31 +02:00 · 2019-04-08 13:30:59 +02:00
5 changed files with 163 additions and 339 deletions
--- a/.gitignore
+++ b/.gitignore
@ -62,36 +62,10 @@
 /go1.11.1.src.tar.gz
 /go1.11.2.src.tar.gz
 /go1.11.4.src.tar.gz
-/go1.12beta2.src.tar.gz
-/go1.12rc1.src.tar.gz
-/go1.12.src.tar.gz
-/go1.12.1.src.tar.gz
-/go1.12.2.src.tar.gz
-/go1.12.5.src.tar.gz
-/go1.12.6.src.tar.gz
-/go1.12.7.src.tar.gz
-/go1.13beta1.src.tar.gz
-/go1.13rc1.src.tar.gz
-/go1.13rc2.src.tar.gz
-/go1.13.src.tar.gz
-/go1.13.1.src.tar.gz
-/go1.13.3.src.tar.gz
-/go1.13.4.src.tar.gz
-/go1.13.5.src.tar.gz
-/go1.13.6.src.tar.gz
-/go1.14beta1.src.tar.gz
-/go1.14rc1.src.tar.gz
-/go1.14.src.tar.gz
-/go1.14.2.src.tar.gz
-/go1.14.3.src.tar.gz
-/go1.14.4.src.tar.gz
-/go1.14.6.src.tar.gz
-/go1.15beta1.src.tar.gz
-/go1.15rc1.src.tar.gz
-/go1.15rc2.src.tar.gz
-/go1.15.src.tar.gz
-/go1.15.1.src.tar.gz
-/go1.15.2.src.tar.gz
-/go1.15.3.src.tar.gz
-/go1.15.4.src.tar.gz
-/go1.15.5.src.tar.gz
+/go1.11.5.src.tar.gz
+/go1.11.6.src.tar.gz
+/go1.11.7.src.tar.gz
+/go1.11.10.src.tar.gz
+/go1.11.11.src.tar.gz
+/go1.11.12.src.tar.gz
+/go1.11.13.src.tar.gz
--- a/0003-cmd-go-disable-Google-s-proxy-and-sumdb.patch
+++ b/0003-cmd-go-disable-Google-s-proxy-and-sumdb.patch
@ -1,54 +0,0 @@
-From b38cd2374c2395f5a77802ef8ea3d7ac5b8a86ad Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jakub=20=C4=8Cajka?= <jcajka@redhat.com>
-Date: Mon, 27 May 2019 15:12:53 +0200
-Subject: [PATCH 3/3] cmd/go: disable Google's proxy and sumdb
-
---
- src/cmd/go/internal/cfg/cfg.go                  | 10 +++++-----
- src/cmd/go/testdata/script/mod_sumdb_golang.txt |  6 +++---
- 2 files changed, 8 insertions(+), 8 deletions(-)
-
-diff --git a/src/cmd/go/internal/cfg/cfg.go b/src/cmd/go/internal/cfg/cfg.go
-index 61dc6bdda6..e8658dc56c 100644
--- a/src/cmd/go/internal/cfg/cfg.go
-+++ b/src/cmd/go/internal/cfg/cfg.go
-@@ -245,11 +245,11 @@ var (
- 	GOPPC64  = envOr("GOPPC64", fmt.Sprintf("%s%d", "power", objabi.GOPPC64))
- 	GOWASM   = envOr("GOWASM", fmt.Sprint(objabi.GOWASM))
- 
-	GOPROXY    = envOr("GOPROXY", "https://proxy.golang.org,direct")
-	GOSUMDB    = envOr("GOSUMDB", "sum.golang.org")
-	GOPRIVATE  = Getenv("GOPRIVATE")
-	GONOPROXY  = envOr("GONOPROXY", GOPRIVATE)
-	GONOSUMDB  = envOr("GONOSUMDB", GOPRIVATE)
-+	GOPROXY   = envOr("GOPROXY", "direct")
-+	GOSUMDB   = envOr("GOSUMDB", "off")
-+	GOPRIVATE = Getenv("GOPRIVATE")
-+	GONOPROXY = envOr("GONOPROXY", GOPRIVATE)
-+	GONOSUMDB = envOr("GONOSUMDB", GOPRIVATE)
- 	GOINSECURE = Getenv("GOINSECURE")
- )
- 
-diff --git a/src/cmd/go/testdata/script/mod_sumdb_golang.txt b/src/cmd/go/testdata/script/mod_sumdb_golang.txt
-index 40a07fc7e9..50436e32d7 100644
--- a/src/cmd/go/testdata/script/mod_sumdb_golang.txt
-+++ b/src/cmd/go/testdata/script/mod_sumdb_golang.txt
-@@ -2,12 +2,12 @@
- env GOPROXY=
- env GOSUMDB=
- go env GOPROXY
-stdout '^https://proxy.golang.org,direct$'
-+stdout '^direct$'
- go env GOSUMDB
-stdout '^sum.golang.org$'
-+stdout '^off$'
- env GOPROXY=https://proxy.golang.org
- go env GOSUMDB
-stdout '^sum.golang.org$'
-+stdout '^off$'
- 
- # download direct from github
- [!net] skip
-- 
-2.21.0
-
--- a/CVE-2019-16276.patch
+++ b/CVE-2019-16276.patch
@ -0,0 +1,103 @@
+diff -up ./go/src/net/http/serve_test.go ./go/src/net/http/serve_test.go
+--- ./go/src/net/http/serve_test.go	2019-08-13 18:50:13.000000000 +0200
+++ ./go/src/net/http/serve_test.go	2019-10-05 05:35:33.018025762 +0200
+@@ -4725,6 +4725,10 @@ func TestServerValidatesHeaders(t *testi
+ 		{"foo\xffbar: foo\r\n", 400},                         // binary in header
+ 		{"foo\x00bar: foo\r\n", 400},                         // binary in header
+ 		{"Foo: " + strings.Repeat("x", 1<<21) + "\r\n", 431}, // header too large
+		// Spaces between the header key and colon are not allowed.
+		// See RFC 7230, Section 3.2.4.
+		{"Foo : bar\r\n", 400},
+		{"Foo\t: bar\r\n", 400},
+ 
+ 		{"foo: foo foo\r\n", 200},    // LWS space is okay
+ 		{"foo: foo\tfoo\r\n", 200},   // LWS tab is okay
+diff -up ./go/src/net/http/transport_test.go ./go/src/net/http/transport_test.go
+--- ./go/src/net/http/transport_test.go	2019-10-05 05:35:33.019025756 +0200
+++ ./go/src/net/http/transport_test.go	2019-10-05 05:39:12.037927288 +0200
+@@ -4838,3 +4838,30 @@ func TestClientTimeoutKillsConn_AfterHea
+ 		t.Fatal("timeout")
+ 	}
+ }
+
+func TestInvalidHeaderResponse(t *testing.T) {
+	setParallel(t)
+	defer afterTest(t)
+	cst := newClientServerTest(t, h1Mode, HandlerFunc(func(w ResponseWriter, r *Request) {
+		conn, buf, _ := w.(Hijacker).Hijack()
+		buf.Write([]byte("HTTP/1.1 200 OK\r\n" +
+			"Date: Wed, 30 Aug 2017 19:09:27 GMT\r\n" +
+			"Content-Type: text/html; charset=utf-8\r\n" +
+			"Content-Length: 0\r\n" +
+			"Foo : bar\r\n\r\n"))
+		buf.Flush()
+		conn.Close()
+	}))
+	defer cst.close()
+	res, err := cst.c.Get(cst.ts.URL)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer res.Body.Close()
+	if v := res.Header.Get("Foo"); v != "" {
+		t.Errorf(`unexpected "Foo" header: %q`, v)
+	}
+	if v := res.Header.Get("Foo "); v != "bar" {
+		t.Errorf(`bad "Foo " header value: %q, want %q`, v, "bar")
+	}
+}
+diff -up ./go/src/net/textproto/reader.go ./go/src/net/textproto/reader.go
+--- ./go/src/net/textproto/reader.go	2019-08-13 18:50:13.000000000 +0200
+++ ./go/src/net/textproto/reader.go	2019-10-05 05:35:33.019025756 +0200
+@@ -492,18 +492,12 @@ func (r *Reader) ReadMIMEHeader() (MIMEH
+ 			return m, err
+ 		}
+ 
+-		// Key ends at first colon; should not have trailing spaces
+-		// but they appear in the wild, violating specs, so we remove
+-		// them if present.
+		// Key ends at first colon.
+ 		i := bytes.IndexByte(kv, ':')
+ 		if i < 0 {
+ 			return m, ProtocolError("malformed MIME header line: " + string(kv))
+ 		}
+-		endKey := i
+-		for endKey > 0 && kv[endKey-1] == ' ' {
+-			endKey--
+-		}
+-		key := canonicalMIMEHeaderKey(kv[:endKey])
+		key := canonicalMIMEHeaderKey(kv[:i])
+ 
+ 		// As per RFC 7230 field-name is a token, tokens consist of one or more chars.
+ 		// We could return a ProtocolError here, but better to be liberal in what we
+diff -up ./go/src/net/textproto/reader_test.go ./go/src/net/textproto/reader_test.go
+--- ./go/src/net/textproto/reader_test.go	2019-08-13 18:50:13.000000000 +0200
+++ ./go/src/net/textproto/reader_test.go	2019-10-05 05:43:58.156469247 +0200
+@@ -188,11 +188,10 @@ func TestLargeReadMIMEHeader(t *testing.
+ 	}
+ }
+ 
+-// Test that we read slightly-bogus MIME headers seen in the wild,
+-// with spaces before colons, and spaces in keys.
+// TestReadMIMEHeaderNonCompliant checks that we don't normalize headers
+// with spaces before colons, and accept spaces in keys.
+ func TestReadMIMEHeaderNonCompliant(t *testing.T) {
+-	// Invalid HTTP response header as sent by an Axis security
+-	// camera: (this is handled by IE, Firefox, Chrome, curl, etc.)
+	// These invalid headers will be rejected by net/http according to RFC 7230.
+ 	r := reader("Foo: bar\r\n" +
+ 		"Content-Language: en\r\n" +
+ 		"SID : 0\r\n" +
+@@ -202,9 +201,9 @@ func TestReadMIMEHeaderNonCompliant(t *t
+ 	want := MIMEHeader{
+ 		"Foo":              {"bar"},
+ 		"Content-Language": {"en"},
+-		"Sid":              {"0"},
+-		"Audio Mode":       {"None"},
+-		"Privilege":        {"127"},
+		"SID ":             {"0"},
+		"Audio Mode ":      {"None"},
+		"Privilege ":       {"127"},
+ 	}
+ 	if !reflect.DeepEqual(m, want) || err != nil {
+ 		t.Fatalf("ReadMIMEHeader =\n%v, %v; want:\n%v", m, err, want)
--- a/golang.spec
+++ b/golang.spec
@ -1,7 +1,6 @@
 %bcond_with bootstrap
 # temporalily ignore test failures
-# due to https://github.com/golang/go/issues/39466
-%ifarch aarch64
+%ifarch %{ix86} aarch64 %{arm}
 %bcond_without ignore_tests
 %else
 %bcond_with ignore_tests
@ -33,9 +32,6 @@

 %global golibdir %{_libdir}/golang

-# This macro may not always be defined, ensure it is
-%{!?gopath: %global gopath %{_datadir}/gocode}
-
 # Golang build options.

 # Build golang using external/internal(close to cgo disabled) linking.
@ -105,12 +101,12 @@
 %global gohostarch  s390x
 %endif

-%global go_api 1.15
-%global go_version 1.15.5
+%global go_api 1.11
+%global go_version 1.11.13

 Name:           golang
-Version:        1.15.5
-Release:        1%{?dist}
+Version:        1.11.13
+Release:        2%{?dist}
 Summary:        The Go Programming Language
 # source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain
 License:        BSD and Public Domain
@ -137,23 +133,23 @@ Provides:       go = %{version}-%{release}

 # Bundled/Vendored provides generated by
 # go list -f {{.ImportPath}} ./src/vendor/... | sed "s:_$PWD/src/vendor/::g;s:_:.:;s:.*:Provides\: bundled(golang(&)):" && go list -f {{.ImportPath}} ./src/cmd/vendor/... | sed "s:_$PWD/src/cmd/vendor/::g;s:_:.:;s:.*:Provides\: bundled(golang(&)):"
-Provides: bundled(golang(golang.org/x/crypto/chacha20))
 Provides: bundled(golang(golang.org/x/crypto/chacha20poly1305))
 Provides: bundled(golang(golang.org/x/crypto/cryptobyte))
 Provides: bundled(golang(golang.org/x/crypto/cryptobyte/asn1))
 Provides: bundled(golang(golang.org/x/crypto/curve25519))
-Provides: bundled(golang(golang.org/x/crypto/hkdf))
-Provides: bundled(golang(golang.org/x/crypto/internal/subtle))
+Provides: bundled(golang(golang.org/x/crypto/internal/chacha20))
 Provides: bundled(golang(golang.org/x/crypto/poly1305))
 Provides: bundled(golang(golang.org/x/net/dns/dnsmessage))
 Provides: bundled(golang(golang.org/x/net/http/httpguts))
 Provides: bundled(golang(golang.org/x/net/http/httpproxy))
 Provides: bundled(golang(golang.org/x/net/http2/hpack))
 Provides: bundled(golang(golang.org/x/net/idna))
+Provides: bundled(golang(golang.org/x/net/internal/nettest))
 Provides: bundled(golang(golang.org/x/net/nettest))
-Provides: bundled(golang(golang.org/x/sys/cpu))
+Provides: bundled(golang(golang.org/x/text/secure))
 Provides: bundled(golang(golang.org/x/text/secure/bidirule))
 Provides: bundled(golang(golang.org/x/text/transform))
+Provides: bundled(golang(golang.org/x/text/unicode))
 Provides: bundled(golang(golang.org/x/text/unicode/bidi))
 Provides: bundled(golang(golang.org/x/text/unicode/norm))
 Provides: bundled(golang(github.com/google/pprof/driver))
@ -163,10 +159,10 @@ Provides: bundled(golang(github.com/google/pprof/internal/elfexec))
 Provides: bundled(golang(github.com/google/pprof/internal/graph))
 Provides: bundled(golang(github.com/google/pprof/internal/measurement))
 Provides: bundled(golang(github.com/google/pprof/internal/plugin))
+Provides: bundled(golang(github.com/google/pprof/internal/proftest))
 Provides: bundled(golang(github.com/google/pprof/internal/report))
 Provides: bundled(golang(github.com/google/pprof/internal/symbolizer))
 Provides: bundled(golang(github.com/google/pprof/internal/symbolz))
-Provides: bundled(golang(github.com/google/pprof/internal/transport))
 Provides: bundled(golang(github.com/google/pprof/profile))
 Provides: bundled(golang(github.com/google/pprof/third.party/d3))
 Provides: bundled(golang(github.com/google/pprof/third.party/d3flamegraph))
@ -176,59 +172,10 @@ Provides: bundled(golang(golang.org/x/arch/arm/armasm))
 Provides: bundled(golang(golang.org/x/arch/arm64/arm64asm))
 Provides: bundled(golang(golang.org/x/arch/ppc64/ppc64asm))
 Provides: bundled(golang(golang.org/x/arch/x86/x86asm))
-Provides: bundled(golang(golang.org/x/crypto/ed25519))
-Provides: bundled(golang(golang.org/x/crypto/ed25519/internal/edwards25519))
 Provides: bundled(golang(golang.org/x/crypto/ssh/terminal))
-Provides: bundled(golang(golang.org/x/mod/internal/lazyregexp))
-Provides: bundled(golang(golang.org/x/mod/modfile))
-Provides: bundled(golang(golang.org/x/mod/module))
-Provides: bundled(golang(golang.org/x/mod/semver))
-Provides: bundled(golang(golang.org/x/mod/sumdb))
-Provides: bundled(golang(golang.org/x/mod/sumdb/dirhash))
-Provides: bundled(golang(golang.org/x/mod/sumdb/note))
-Provides: bundled(golang(golang.org/x/mod/sumdb/tlog))
-Provides: bundled(golang(golang.org/x/mod/zip))
-Provides: bundled(golang(golang.org/x/sys/internal/unsafeheader))
 Provides: bundled(golang(golang.org/x/sys/unix))
-Provides: bundled(golang(golang.org/x/tools/go/analysis))
-Provides: bundled(golang(golang.org/x/tools/go/analysis/internal/analysisflags))
-Provides: bundled(golang(golang.org/x/tools/go/analysis/internal/facts))
-Provides: bundled(golang(golang.org/x/tools/go/analysis/passes/asmdecl))
-Provides: bundled(golang(golang.org/x/tools/go/analysis/passes/assign))
-Provides: bundled(golang(golang.org/x/tools/go/analysis/passes/atomic))
-Provides: bundled(golang(golang.org/x/tools/go/analysis/passes/bools))
-Provides: bundled(golang(golang.org/x/tools/go/analysis/passes/buildtag))
-Provides: bundled(golang(golang.org/x/tools/go/analysis/passes/cgocall))
-Provides: bundled(golang(golang.org/x/tools/go/analysis/passes/composite))
-Provides: bundled(golang(golang.org/x/tools/go/analysis/passes/copylock))
-Provides: bundled(golang(golang.org/x/tools/go/analysis/passes/ctrlflow))
-Provides: bundled(golang(golang.org/x/tools/go/analysis/passes/errorsas))
-Provides: bundled(golang(golang.org/x/tools/go/analysis/passes/httpresponse))
-Provides: bundled(golang(golang.org/x/tools/go/analysis/passes/ifaceassert))
-Provides: bundled(golang(golang.org/x/tools/go/analysis/passes/inspect))
-Provides: bundled(golang(golang.org/x/tools/go/analysis/passes/internal/analysisutil))
-Provides: bundled(golang(golang.org/x/tools/go/analysis/passes/loopclosure))
-Provides: bundled(golang(golang.org/x/tools/go/analysis/passes/lostcancel))
-Provides: bundled(golang(golang.org/x/tools/go/analysis/passes/nilfunc))
-Provides: bundled(golang(golang.org/x/tools/go/analysis/passes/printf))
-Provides: bundled(golang(golang.org/x/tools/go/analysis/passes/shift))
-Provides: bundled(golang(golang.org/x/tools/go/analysis/passes/stdmethods))
-Provides: bundled(golang(golang.org/x/tools/go/analysis/passes/stringintconv))
-Provides: bundled(golang(golang.org/x/tools/go/analysis/passes/structtag))
-Provides: bundled(golang(golang.org/x/tools/go/analysis/passes/tests))
-Provides: bundled(golang(golang.org/x/tools/go/analysis/passes/unmarshal))
-Provides: bundled(golang(golang.org/x/tools/go/analysis/passes/unreachable))
-Provides: bundled(golang(golang.org/x/tools/go/analysis/passes/unsafeptr))
-Provides: bundled(golang(golang.org/x/tools/go/analysis/passes/unusedresult))
-Provides: bundled(golang(golang.org/x/tools/go/analysis/unitchecker))
-Provides: bundled(golang(golang.org/x/tools/go/ast/astutil))
-Provides: bundled(golang(golang.org/x/tools/go/ast/inspector))
-Provides: bundled(golang(golang.org/x/tools/go/cfg))
-Provides: bundled(golang(golang.org/x/tools/go/types/objectpath))
-Provides: bundled(golang(golang.org/x/tools/go/types/typeutil))
-Provides: bundled(golang(golang.org/x/tools/internal/analysisinternal))
-Provides: bundled(golang(golang.org/x/xerrors))
-Provides: bundled(golang(golang.org/x/xerrors/internal))
+Provides: bundled(golang(golang.org/x/sys/windows))
+Provides: bundled(golang(golang.org/x/sys/windows/registry))

 Requires:       %{name}-bin = %{version}-%{release}
 Requires:       %{name}-src = %{version}-%{release}
@ -236,7 +183,8 @@ Requires:       go-srpm-macros

 Patch1:       0001-Don-t-use-the-bundled-tzdata-at-runtime-except-for-t.patch
 Patch2:       0002-syscall-expose-IfInfomsg.X__ifi_pad-on-s390x.patch
-Patch3:       0003-cmd-go-disable-Google-s-proxy-and-sumdb.patch
+# Backport of https://github.com/golang/go/commit/6e6f4aaf70c8b1cc81e65a26332aa9409de03ad8
+Patch3:       CVE-2019-16276.patch

 # Having documentation separate was broken
 Obsoletes:      %{name}-docs < 1.1-4
@ -289,8 +237,6 @@ BuildArch:      noarch

 %package        bin
 Summary:        Golang core compiler tools
-# Some distributions refer to this package by this name
-Provides:       %{name}-go = %{version}-%{release}
 Requires:       go = %{version}-%{release}
 # Pre-go1.5, all arches had to be bootstrapped individually, before usable, and
 # env variables to compile for the target os-arch.
@ -327,11 +273,7 @@ Requires(preun): %{_sbindir}/update-alternatives
 # This is an odd issue, still looking for a better fix.
 Requires:       glibc
 Requires:       gcc
-%if 0%{?rhel} && 0%{?rhel} < 8
-Requires:       git, subversion, mercurial
-%else
 Recommends:     git, subversion, mercurial
-%endif
 %description    bin
 %{summary}

@ -364,7 +306,11 @@ Requires:       %{name} = %{version}-%{release}
 %endif

 %prep
-%autosetup -p1 -n go
+%setup -q -n go
+
+%patch1 -p1
+%patch2 -p1
+%patch3 -p2

 cp %{SOURCE1} ./src/runtime/

@ -528,12 +474,6 @@ export GO_LDFLAGS="-linkmode internal"
 %if !%{cgo_enabled} || !%{external_linker}
 export CGO_ENABLED=0
 %endif
-# workaround for https://github.com/golang/go/issues/39466 until it gests fixed
-# Commented until the patch is ready, this work around suggested in the link avobe
-# doesn't work properly
-#ifarch aarch64
-#export CGO_CFLAGS="-mno-outline-atomics"
-#endif

 # make sure to not timeout
 export GO_TEST_TIMEOUT_SCALE=2
@ -558,18 +498,21 @@ fi


 %files
-%license LICENSE PATENTS
-%doc AUTHORS CONTRIBUTORS
+%doc AUTHORS CONTRIBUTORS LICENSE PATENTS
 # VERSION has to be present in the GOROOT, for `go install std` to work
 %doc %{goroot}/VERSION
 %dir %{goroot}/doc
+%doc %{goroot}/doc/*

 # go files
 %dir %{goroot}
-%{goroot}/api/
-%{goroot}/lib/time/
-%{goroot}/favicon.ico
-%{goroot}/robots.txt
+%exclude %{goroot}/bin/
+%exclude %{goroot}/pkg/
+%exclude %{goroot}/src/
+%exclude %{goroot}/doc/
+%exclude %{goroot}/misc/
+%exclude %{goroot}/test/
+%{goroot}/*

 # ensure directory ownership, so they are cleaned up if empty
 %dir %{gopath}
@ -585,202 +528,60 @@ fi
 # gdbinit (for gdb debugging)
 %{_sysconfdir}/gdbinit.d

-%files src -f go-src.list
+%files -f go-src.list src

-%files docs -f go-docs.list
+%files -f go-docs.list docs

-%files misc -f go-misc.list
+%files -f go-misc.list misc

-%files tests -f go-tests.list
+%files -f go-tests.list tests

-%files bin -f go-pkg.list
+%files -f go-pkg.list bin
 %{_bindir}/go
 %{_bindir}/gofmt
-%{goroot}/bin/linux_%{gohostarch}/go
-%{goroot}/bin/linux_%{gohostarch}/gofmt

 %if %{shared}
-%files shared -f go-shared.list
+%files -f go-shared.list shared
 %endif

 %if %{race}
-%files race -f go-race.list
+%files -f go-race.list race
 %endif

 %changelog
-* Fri Nov 13 2020 Jakub Čajka <jcajka@redhat.com> - 1.15.5-1
- Rebase to go1.15.5
- Security fix for CVE-2020-28362, CVE-2020-28367 and CVE-2020-28366
- Resolves: BZ#1897342, BZ#1897636, BZ#1897644, BZ#1897647
-
-* Fri Nov 06 2020 Jakub Čajka <jcajka@redhat.com> - 1.15.4-1
- Rebase to go1.15.4
- Resolves: BZ#1895189
-
-* Thu Oct 15 2020 Jakub Čajka <jcajka@redhat.com> - 1.15.3-1
- Rebase to go1.15.3
- Resolves: BZ#1888443
-
-* Thu Sep 10 2020 Jakub Čajka <jcajka@redhat.com> - 1.15.2-1
- Rebase to go1.15.2
- Resolves: BZ#1877565
-
-* Thu Sep 03 2020 Jakub Čajka <jcajka@redhat.com> - 1.15.1-1
- Rebase to go1.15.1
- Security fix for CVE-2020-24553
- Resolves: BZ#1874858, BZ#1866892
-
-* Wed Aug 12 2020 Jakub Čajka <jcajka@redhat.com> - 1.15-1
- Rebase to go1.15 proper
- Resolves: BZ#1859241, BZ#1866892
-
-* Mon Aug 10 2020 Jakub Čajka <jcajka@redhat.com> - 1.15-0.rc2.0
- Rebase to go1.15rc1
- Security fix for CVE-2020-16845
- Resolves: BZ#1867101
- Related: BZ#1859241
-
-* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.15-0.rc1.0.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Mon Jul 27 2020 Jakub Čajka <jcajka@redhat.com> - 1.15-0.rc1.0
- Rebase to go1.15rc1
- Related: BZ#1859241
-
-* Mon Jul 20 2020 Jakub Čajka <jcajka@redhat.com> - 1.15-0.beta1.0
- Rebase to go1.15beta1
-
-* Mon Jul 20 2020 Jakub Čajka <jcajka@redhat.com> - 1.14.6-1
- Rebase to go1.14.6
- Security fix for CVE-2020-14040 and CVE-2020-15586
- Resolves: BZ#1842708, BZ#1856957, BZ#1853653
-
-* Tue Jun 30 2020 Alejandro Sáez <asm@redhat.com> - 1.14.4-1
- Rebase to go1.14.4
- Add patch that fixes: https://golang.org/issue/39991
- Related: BZ#1842708
-
-* Mon May 18 2020 Álex Sáez <asm@redhat.com> - 1.14.3-1
- Rebase to go1.14.3
- Resolves: BZ#1836015
-
-* Mon Apr 20 2020 Jakub Čajka <jcajka@redhat.com> - 1.14.2-1
- Rebase to go1.14.2
- Resolves: BZ#1815282
-
-* Wed Feb 26 2020 Jakub Čajka <jcajka@redhat.com> - 1.14-1
- Rebase to go1.14 proper
- Resolves: BZ#1792475
-
-* Thu Feb 06 2020 Jakub Čajka <jcajka@redhat.com> - 1.14-0.rc1.0
- Rebase to go1.14.rc1
- Related: BZ#1792475
-
-* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.14-0.beta1.0.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Mon Jan 20 2020 Jakub Čajka <jcajka@redhat.com> - 1.14-0.beta1.0
- Rebase to go1.14beta1
- Resolves: BZ#1792475
-
-* Mon Jan 13 2020 Jakub Čajka <jcajka@redhat.com> - 1.13.6-1
- Rebase to go1.13.6
-
-* Thu Dec 05 2019 Jakub Čajka <jcajka@redhat.com> - 1.13.5-1
- Rebase to go1.13.5
-
-* Tue Nov 26 2019 Neal Gompa <ngompa@datto.com> - 1.13.4-2
- Small fixes to the spec and tighten up the file list
-
-* Fri Nov 01 2019 Jakub Čajka <jcajka@redhat.com> - 1.13.4-1
- Rebase to go1.13.4
- Resolves BZ#1767673
-
-* Sat Oct 19 2019 Jakub Čajka <jcajka@redhat.com> - 1.13.3-1
- Rebase to go1.13.3
- Fix for CVE-2019-17596
- Resolves: BZ#1755639, BZ#1763312
-
-* Fri Sep 27 2019 Jakub Čajka <jcajka@redhat.com> - 1.13.1-1
- Rebase to go1.13.1
+* Sat Oct 5 2019 Jakub Čajka <jcajka@redhat.com> - 1.11.13-2
 - Fix for CVE-2019-16276
 - Resolves: BZ#1755970

-* Thu Sep 05 2019 Jakub Čajka <jcajka@redhat.com> - 1.13-2
- Back to go1.13 tls1.3 behavior
-
-* Wed Sep 04 2019 Jakub Čajka <jcajka@redhat.com> - 1.13-1
- Rebase to go1.13
-
-* Fri Aug 30 2019 Jakub Čajka <jcajka@redhat.com> - 1.13-0.rc2.1
- Rebase to go1.13rc2
- Do not enable tls1.3 by default
- Related: BZ#1737471
-
-* Wed Aug 28 2019 Jakub Čajka <jcajka@redhat.com> - 1.13-0.rc1.2
- Actually fix CVE-2019-9514 and CVE-2019-9512
- Related: BZ#1741816, BZ#1741827
-
-* Mon Aug 26 2019 Jakub Čajka <jcajka@redhat.com> - 1.13-0.rc1.1
- Rebase to 1.13rc1
+* Mon Aug 26 2019 Jakub Čajka <jcajka@redhat.com> - 1.11.13-1
+- Rebase to 1.11.13
 - Fix for CVE-2019-14809, CVE-2019-9514 and CVE-2019-9512
 - Resolves: BZ#1741816, BZ#1741827 and BZ#1743131

-* Thu Aug 01 2019 Jakub Čajka <jcajka@redhat.com> - 1.13-0.beta1.2.2
- Fix ICE affecting aarch64
- Resolves: BZ#1735290
+* Wed Jul 10 2019 Jakub Čajka <jcajka@redhat.com> - 1.11.12-1
+- Rebase to 1.11.12

-* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.13-0.beta1.2.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+* Thu Jun 13 2019 Jakub Čajka <jcajka@redhat.com> - 1.11.11-1
+- Rebase to 1.11.11

-* Wed Jul 24 2019 Jakub Čajka <jcajka@redhat.com> - 1.13-0.beta1.2
- De-configure sumdb and go proxy
+* Thu May 16 2019 Jakub Čajka <jcajka@redhat.com> - 1.11.10-1
+- Rebase to 1.11.10

-* Wed Jul 24 2019 Jakub Čajka <jcajka@redhat.com> - 1.13-0.beta1.1
- Rebase to 1.13beta1
- Related: BZ#1732118
+* Mon Apr 8 2019 Jakub Čajka <jcajka@redhat.com> - 1.11.7-1
+- Rebase to 1.11.7

-* Tue Jul 09 2019 Jakub Čajka <jcajka@redhat.com> - 1.12.7-1
- Rebase to 1.12.7
- Resolves: BZ#1728056
-
-* Wed Jun 12 2019 Jakub Čajka <jcajka@redhat.com> - 1.12.6-1
- Rebase to 1.12.6
- Resolves: BZ#1719483
-
-* Tue May 07 2019 Jakub Čajka <jcajka@redhat.com> - 1.12.5-1
- Rebase to 1.12.5
- Resolves: BZ#1707187
-
-* Mon Apr 08 2019 Jakub Čajka <jcajka@redhat.com> - 1.12.2-1
- Rebase to 1.12.2
- Resolves: BZ#1688996
-
-* Mon Apr 01 2019 Jakub Čajka <jcajka@redhat.com> - 1.12.1-2
- Fix up change log, respective CVE has been fixed in go1.12rc1
-
-* Fri Mar 15 2019 Jakub Čajka <jcajka@redhat.com> - 1.12.1-1
- Rebase to 1.12.1
+* Fri Mar 15 2019 Jakub Čajka <jcajka@redhat.com> - 1.11.6-1
+- Rebase to 1.11.6
+- Fix CVE-2019-9741
 - Fix requirement for %%preun (instead of %%postun) scriptlet thanks to Tim Landscheidt
 - Use weak deps for SCM deps
+- Resolves: BZ#1688233

-* Wed Feb 27 2019 Jakub Čajka <jcajka@redhat.com> - 1.12-1
- Rebase to go1.12 proper
- Resolves:  BZ#1680040
-
-* Mon Feb 18 2019 Jakub Čajka <jcajka@redhat.com> - 1.12-0.rc1.1
- Rebase to go1.12rc1
-
-* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.12-0.beta2.2.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Sun Jan 27 2019 Jakub Čajka <jcajka@redhat.com> - 1.12-0.beta2.2
+* Sun Jan 27 2019 Jakub Čajka <jcajka@redhat.com> - 1.11.5-1
+- Rebase to go1.11.5
 - Fix for CVE-2019-6486
 - Resolves: BZ#1668973

-* Fri Jan 11 2019 Jakub Čajka <jcajka@redhat.com> - 1.12-0.beta2.1
- Rebase to go1.12beta2
-
 * Wed Jan 02 2019 Jakub Čajka <jcajka@redhat.com> - 1.11.4-1
 - Rebase to go1.11.4
 - Fix for CVE-2018-16875, CVE-2018-16874 and CVE-2018-16873
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (go1.15.5.src.tar.gz) = 8e1d71f628d364b949b1e124af8950a563bbe9d9ae73b94c66af6ce029f67c26e2654556c0c118d0bc8566af52a7e9ed736b4667bbef7ccdab2bd338c43e6eb4
+SHA512 (go1.11.13.src.tar.gz) = a5dc8ec2bdad226e2498fdfb3560d6e7e19a84711cc1adb91675a8563a0b1fd153513397ca2a2b8cf266d718a6964ad143dfa588313dcf7fe350dd4a24efc3e9
Author	SHA1	Message	Date
Jakub Čajka	f9db95a6c9	Fix for CVE-2019-16276 Resolves: BZ#1755970	2019-10-05 10:08:49 +02:00
Jakub Čajka	82082d4314	Rebase to 1.11.13 Fix for CVE-2019-14809, CVE-2019-9514 and CVE-2019-9512 Resolves: BZ#1741816, BZ#1741827 and BZ#1743131	2019-08-26 16:08:45 +02:00
Jakub Čajka	c3b72c1a47	Rebase to 1.11.12	2019-07-10 13:10:29 +02:00
Jakub Čajka	3b89fed2fe	Rebase to 1.11.11	2019-06-13 10:37:15 +02:00
Jakub Čajka	9ad1b634ea	Rebase to go1.11.10	2019-05-16 13:41:31 +02:00
Jakub Čajka	0301e6483a	Rebase to 1.11.7	2019-04-08 13:30:59 +02:00
Jakub Čajka	7d97257830	Rebase to 1.11.6 Fix CVE-2019-9741 Fix requirement for %preun (instead of %postun) scriptlet thanks to Tim Landscheidt Use weak deps for SCM deps Resolves: BZ#1688233	2019-04-01 13:41:56 +02:00
Jakub Čajka	d0a2453060	Rebase to go1.11.5 Fix for CVE-2019-6486	2019-01-27 12:54:28 +01:00