Revisions of go1.20

Ana Guerrero (anag+factory) accepted request 1152004 from Jeff Kowalczyk (jfkw) (revision 18)
- Packaging improvements:
  * Use %patch -P N instead of deprecated %patchN (forwarded request 1151996 from jfkw)
Ana Guerrero (anag+factory) accepted request 1147335 from Jeff Kowalczyk (jfkw) (revision 17)
- Packaging improvements:
  * boo#1219988 ensure VERSION file is present in GOROOT
    as required by go tool dist and go tool distpack (forwarded request 1147331 from jfkw)
Ana Guerrero (anag+factory) accepted request 1144759 from Jeff Kowalczyk (jfkw) (revision 16)
- go1.20.14 (released 2024-02-06) includes fixes to the crypto/x509
  package.
  Refs boo#1206346 go1.20 release tracking
  * go#64760 staticlockranking builders failing on release branches on LUCI
  * go#65322 crypto: rollback BoringCrypto fips-20220613 update
  * go#65379 crypto/x509: TestIssue51759 consistently failing on gotip-darwin-amd64_10.15 LUCI builder (forwarded request 1144758 from jfkw)
Ana Guerrero (anag+factory) accepted request 1137840 from Jeff Kowalczyk (jfkw) (revision 15)
- go1.20.13 (released 2024-01-09) includes fixes to the runtime and
  the crypto/tls package.
  Refs boo#1206346 go1.20 release tracking
  * go#63910 x/build,os/signal: TestDetectNohup and TestNohup fail on replacement darwin LUCI builders
  * go#64409 runtime: ReadMemStats fatal error: mappedReady and other memstats are not equal
  * go#64718 crypto: upgrade to BoringCrypto fips-20220613 and enable TLS 1.3 (forwarded request 1137839 from jfkw)
Ana Guerrero (anag+factory) accepted request 1131274 from Jeff Kowalczyk (jfkw) (revision 14)
- go1.20.12 (released 2023-12-05) includes security fixes to the go
  command, and the net/http and path/filepath packages, as well as
  bug fixes to the compiler and the go command.
  Refs boo#1206346 go1.20 release tracking
  CVE-2023-45285 CVE-2023-45284 CVE-2023-39326
  * go#63972 go#63845 boo#1217834 security: fix CVE-2023-45285 cmd/go: git VCS qualifier in module path uses git:// scheme
  * go#64040 go#63713 boo#1216943 security: fix CVE-2023-45284 path/filepath: Clean removes ending slash for volume on Windows in Go 1.21.4
  * go#64434 go#64433 boo#1217833 security: fix CVE-2023-39326 net/http: limit chunked data overhead
  * go#63983 cmd/compile: internal compiler error: panic during prove while compiling: unexpected induction with too many parents
  * go#63988 cmd/go: TestScript/mod_get_direct fails with "Filename too long" on Windows (forwarded request 1131272 from jfkw)
Ana Guerrero (anag+factory) accepted request 1124118 from Jeff Kowalczyk (jfkw) (revision 13)
- go1.20.11 (released 2023-11-07) includes security fixes to the
  path/filepath package, as well as bug fixes to the linker and the
  net/http package.
  Refs boo#1206346 go1.20 release tracking
  CVE-2023-45283 CVE-2023-45284
  * go#63714 go#63713 boo#1216943 boo#1216944 security: fix CVE-2023-45283 CVE-2023-45284 path/filepath: insecure parsing of Windows paths
  * go#63316 cmd/link: split text sections for arm 32-bit
  * go#63740 net/http: http2 page fails on firefox/safari if pushing resources (forwarded request 1124116 from jfkw)
Ana Guerrero (anag+factory) accepted request 1116742 from Jeff Kowalczyk (jfkw) (revision 12)
- go1.20.10 (released 2023-10-10) includes a security fix to the
  net/http package.
  Refs boo#1206346 go1.20 release tracking
  CVE-2023-39325 CVE-2023-44487
  * go#63426 go#63417 boo#1216109 security: fix CVE-2023-39325 CVE-2023-44487 net/http: rapid stream resets can cause excessive work (forwarded request 1116740 from jfkw)
Ana Guerrero (anag+factory) accepted request 1115933 from Jeff Kowalczyk (jfkw) (revision 11)
- go1.20.9 (released 2023-10-05) includes one security fix to the
  cmd/go package, as well as bug fixes to the go command and the
  linker.
  Refs boo#1206346 go1.20 release tracking
  CVE-2023-39323
  * go#63213 go#63211 boo#1215985 security: fix CVE-2023-39323 cmd/go: line directives allow arbitrary execution during build
  * go#62597 cmd/link: issues with Apple's new linker in Xcode 15 beta (forwarded request 1115931 from jfkw)
Ana Guerrero (anag+factory) accepted request 1109621 from Jeff Kowalczyk (jfkw) (revision 10)
- go1.20.8 (released 2023-09-06) includes two security fixes to the
  html/template package, as well as bug fixes to the compiler, the
  go command, the runtime, and the crypto/tls, go/types, net/http,
  and path/filepath packages.
  Refs boo#1206346 go1.20 release tracking
  CVE-2023-39318 CVE-2023-39319
  * go#62395 go#62196 boo#1215084 security: fix CVE-2023-39318 html/template: improper handling of HTML-like comments within script contexts
  * go#62397 go#62197 boo#1215085 security: fix CVE-2023-39319 html/template: improper handling of special tags within script contexts
  * go#61198 cmd/go: extended forwards compatibility for Go
  * go#61744 go/types: interface.Complete panics for interfaces with duplicate methods
  * go#61826 net/http: go 1.20.6 host validation breaks setting Host to a unix socket address
  * go#61867 path/filepath: Clean on some invalid Windows paths can lose .. components
  * go#61873 cmd/go: using a module path without dot fails to build after toolchain selection
  * go#61966 crypto/tls: add GODEBUG to control max RSA key size
  * go#62018 runtime: execution halts with goroutines stuck in runtime.gopark (protocol error E08 during memory read for packet)
  * go#62056 cmd/compile: internal compiler error: 'F': func F, startMem[b1] has different values
  * go#62070 cmd/api: make non-importable

- Add missing pprof html asset directory to package.
  Refs boo#1215090
  * src/cmd/vendor/github.com/google/pprof/internal/driver/html/
    dir containing html assets is present in upstream Go
    distribution but missing from SUSE go1.x packages
  * Go programs importing runtime/pprof may fail with error:
    /usr/lib64/go/1.21/src/cmd/vendor/github.com/google/pprof/internal/driver/webhtml.go
    pattern html: no matching files found
  * Reformat adjacent comment in spec file (forwarded request 1109618 from jfkw)
Dominique Leuenberger (dimstar_suse) accepted request 1101873 from Jeff Kowalczyk (jfkw) (revision 9)
- go1.20.7 (released 2023-08-01) includes a security fix to the
  crypto/tls package, as well as bug fixes to the assembler and the
  compiler.
  Refs boo#1206346 go1.20 release tracking
  CVE-2023-29409
  * go#61580 go#61460 boo#1213880 security: fix CVE-2023-29409 crypto/tls: restrict RSA keys in certificates to <= 8192 bits
  * go#61320 cmd/compile: ppc64le: sign extension issue in go 1.21rc2
  * go#61449 net: TestInterfaceArrivalAndDepartureZoneCache is broken on linux-arm64
  * go#61471 cmd/compile: failed to make Go on riscv64 CPU with numa (forwarded request 1101871 from jfkw)
Ana Guerrero (anag+factory) accepted request 1098261 from Jeff Kowalczyk (jfkw) (revision 8)
- go1.20.6 (released 2023-07-11) includes a security fix to the
  net/http package, as well as bug fixes to the compiler, cgo, the
  cover tool, the go command, the runtime, and the crypto/ecdsa,
  go/build, go/printer, net/mail, and text/template packages.
  Refs boo#1206346 go1.20 release tracking.
  CVE-2023-29406
  * go#61076 go#60374 boo#1213229 security: fix CVE-2023-29406 net/http: insufficient sanitization of Host header
  * go#60352 cmd/go: go mod tidy introduces ambiguous imports in pruned modules
  * go#60535 runtime: TLS slot index over 64 and crash
  * go#60675 cmd/compile: internal compiler error: out of range for go.shape.int64
  * go#60698 cmd/go: go list fails with submodules which have test-only dependencies
  * go#60744 crypto/ecdsa: P521 ecdsa.Verify panics with malformed message
  * go#60754 cmd/go: panic: LoadImport called with empty package path when listing GOROOT/test/*.go
  * go#60760 runtime: checkdead fires due to suspected race in the Go runtime when GOMAXPROCS=1 on AWS
  * go#60802 text/template: key/value assignment is reversed within range loop
  * go#60845 runtime: SIGSEGV in race + coverage mode
  * go#60849 cmd/go: go test deadlocked without enforcing timeouts when killed with ^C
  * go#60874 net/mail: mail.ReadMessage in 1.20 cannot parse mbox headers
  * go#60875 net/mail: characters allowed in RFC 5322 are invalid while parsing email header
  * go#60927 x/tools/go/analysis/unitchecker: TestVetStdlib failures
  * go#60947 crypto/x509: TestSystemVerify/EKULeafValid fails on LUCI
  * go#60949 runtime: goroutines that stop after calling runtime.RaceDisable break race detector
  * go#61055 runtime: TestWindowsStackMemory flakes on windows-386-2016
Dominique Leuenberger (dimstar_suse) accepted request 1091160 from Jeff Kowalczyk (jfkw) (revision 7)
- go1.20.5 (released 2023-06-06) includes four security fixes to
  the cmd/go and runtime packages, as well as bug fixes to the
  compiler, the go command, the runtime, and the crypto/rsa, net,
  and os packages.
  Refs boo#1206346 go1.20 release tracking
  CVE-2023-29402 CVE-2023-29403 CVE-2023-29404 CVE-2023-29405
  * go#60516 go#60167 boo#1212073 security: fix CVE-2023-29402 cmd/go: cgo code injection
  * go#60518 go#60272 boo#1212074 security: fix CVE-2023-29403 runtime: unexpected behavior of setuid/setgid binaries
  * go#60512 go#60305 boo#1212075 security: fix CVE-2023-29404 cmd/go: improper sanitization of LDFLAGS
  * go#60514 go#60306 boo#1212076 security: fix CVE-2023-29405 cmd/go: improper sanitization of LDFLAGS
  * go#58927 crypto/rsa: 4096 bit keys are not generated with BoringCrypto
  * go#59975 cmd/compile: multiple memories live at block start
  * go#60001 cmd/go: missing checksums for dependencies of go get arguments and tests of external dependencies
  * go#60217 os: Read of a device driver fails only with Go 1.20
  * go#60458 cmd/go: document GOROOT/bin/go PATH entry for go test and go generate (forwarded request 1091158 from jfkw)
Dominique Leuenberger (dimstar_suse) accepted request 1084135 from Jeff Kowalczyk (jfkw) (revision 6)
- go1.20.4 (released 2023-05-02) includes three security fixes to
  the html/template package, as well as bug fixes to the compiler,
  the runtime, and the crypto/subtle, crypto/tls, net/http, and
  syscall packages.
  Refs boo#1206346 go1.20 release tracking
  CVE-2023-29400 CVE-2023-24540 CVE-2023-24539

- Packaging revert go1.x Suggests go1.x-race boo#1210963
  * Upstream go binary distributions do include race detector .syso
  * Default Recommends for subpackages is best suited in this case

- Revise changelog formatting of recent CVEs for readability (forwarded request 1084133 from jfkw)
Dominique Leuenberger (dimstar_suse) accepted request 1083592 from Jeff Kowalczyk (jfkw) (revision 5)
- Packaging improvements:
  * Re-enable binary stripping and debuginfo boo#1210938
  * go1.x Suggests go1.x-race do not install by default boo#1210963
  * Use Group: Development/Languages/Go instead of Other (forwarded request 1083590 from jfkw)
Dominique Leuenberger (dimstar_suse) accepted request 1077385 from Jeff Kowalczyk (jfkw) (revision 4)
- go1.20.3 (released 2023-04-04) includes security fixes to the
  go/parser, html/template, mime/multipart, net/http, and
  net/textproto packages, as well as bug fixes to the compiler, the
  linker, the runtime, and the time package.
  Refs boo#1206346 go1.20 release tracking
  CVE-2023-24534 CVE-2023-24536 CVE-2023-24537 CVE-2023-24538
  * go#59268 go#58975 boo#1210127 security: net/http, net/textproto: denial of service from excessive memory allocation (CVE-2023-24534)
  * go#59270 go#59153 boo#1210128 security: net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption (CVE-2023-24536)
  * go#59274 go#59180 boo#1210129 security: go/parser: infinite loop in parsing (CVE-2023-24537)
  * go#59272 go#59234 boo#1210130 security: html/template: backticks not treated as string delimiters (CVE-2023-24538)
  * go#58920 x/text: building as a plugin failure on darwin/arm64
  * go#58938 cmd/go: timeout on darwin-amd64-race builder
  * go#58942 internal/testpty: fails on some Linux machines due to incorrect error handling
  * go#58954 cmd/link: Incorrect symbol linked in darwin/arm64
  * go#59051 cmd/link: linker fails on linux/amd64 when gcc's lto options are used
  * go#59059 cmd/link/internal/arm: off-by-one error in trampoline phase call reachability calculation
  * go#59075 time: time zone lookup using extend string makes wrong start time for non-DST zones
  * go#59220 runtime: crash on linux-ppc64le
  * go#59236 cmd/compile: crypto/elliptic build error under -linkshared mode
  * go#59296 cmd/compile: unsafe.SliceData incoherent result with nil argument

- Build subpackage go1.20-libstd compiled shared object libstd.so
  only on Tumbleweed at this time.
  Refs jsc#PED-1962 (forwarded request 1077383 from jfkw)
Dominique Leuenberger (dimstar_suse) accepted request 1070083 from Jeff Kowalczyk (jfkw) (revision 2)
- go1.20.2 (released 2023-03-07) includes a security fix to the
  crypto/elliptic package, as well as bug fixes to the compiler,
  the covdata command, the linker, the runtime, and the
  crypto/ecdh, crypto/rsa, crypto/x509, os, and syscall packages.
  Refs boo#1206346 go1.20 release tracking
  CVE-2023-24532
  * go#58720 go#58647 boo#1209030 security: fix CVE-2023-24532 crypto/elliptic: specific unreduced P-256 scalars produce incorrect results
  * go#58427 cmd/covdata: short read on string table when merging coverage counters
  * go#58442 runtime: some linkname signatures do not match
  * go#58444 cmd/compile: inline static init cause compile time error
  * go#58467 cmd/compile: internal compiler error: '(*Tree[go.shape.int]).RemoveParent.func1': value .dict (nil) incorrectly live at entry
  * go#58498 crypto/ecdh: ECDH method doesn't check curve
  * go#58503 cmd/link: relocation truncated to fit: R_ARM_CALL against `runtime.duffcopy'
  * go#58505 crypto/internal/bigmod: flag amd64 assembly as noescape
  * go#58531 runtime: endless traceback when panic in generics function
  * go#58536 runtime: long latency of sweep assists
  * go#58624 syscall.Faccessat and os.LookPath regression in Go 1.20
  * go#58627 os: cmd/go gets error "copy_file_range: function not implemented"
  * go#58717 net: TestTCPSelfConnect failures due to unexpected connections
  * go#58774 syscall: Environ uses an invalid unsafe.Pointer conversion on Windows
  * go#58776 cmd/compile: ICE on method value involving imported anonymous interface
  * go#58793 crypto/x509: Incorrect documentation for ParsePKCS8PrivateKey
  * go#58811 crypto/x509: TestSystemVerify consistently failing (forwarded request 1070081 from jfkw)
Dominique Leuenberger (dimstar_suse) accepted request 1066348 from Jeff Kowalczyk (jfkw) (revision 1)
New package go1.20 version 1.20.1 containing security fixes.