Prepare for RPM 4.20 (forwarded request 1152225 from dimstar)

• Files Changed
• Browse Source

- go1.19.13 (released 2023-09-06) includes fixes to the go command,
  and the crypto/tls and net/http packages.
  Refs boo#1200441 go1.19 release tracking
  * go#61197 cmd/go: extended forwards compatibility for Go
  * go#61825 net/http: go 1.20.6 host validation breaks setting Host to a unix socket address
  * go#61968 crypto/tls: add GODEBUG to control max RSA key size

- Add missing directory pprof html asset directory to package.
  Refs boo#1215090
  * src/cmd/vendor/github.com/google/pprof/internal/driver/html/
    dir containing html assets is present in upstream Go
    distribution but missing from SUSE go1.x packages
  * Go programs importing runtime/pprof may fail with error:
    /usr/lib64/go/1.21/src/cmd/vendor/github.com/google/pprof/internal/driver/webhtml.go
    pattern html: no matching files found
  * Reformat adjacent commment in spec file (forwarded request 1109611 from jfkw)

• Files Changed
• Browse Source

- go1.19.12 (released 2023-08-01) includes a security fix to the
  crypto/tls package, as well as bug fixes to the assembler and the
  compiler.
  Refs boo#1200441 go1.19 release tracking
  CVE-2023-29409
  * go#61579 go#61460 boo#1213880 security: fix CVE-2023-29409 crypto/tls: restrict RSA keys in certificates to <= 8192 bits
  * go#61319 cmd/compile: ppc64le: sign extension issue in go 1.21rc2
  * go#61448 net: TestInterfaceArrivalAndDepartureZoneCache is broken on linux-arm64
  * go#61470 cmd/compile: failed to make Go on riscv64 CPU with numa (forwarded request 1101870 from jfkw)

• Files Changed
• Browse Source

- go1.19.11 (released 2023-07-11) includes a security fix to the
  net/http package, as well as bug fixes to cgo, the cover tool,
  the go command, the runtime, and the go/printer package.
  Refs boo#1200441 go1.19 release tracking
  CVE-2023-29406
  * go#61075 go#60374 boo#1213229 security: fix CVE-2023-29406 net/http: insufficient sanitization of Host header
  * go#60351 cmd/go: go mod tidy introduces ambiguous imports in pruned modules
  * go#60637 cmd/pprof: skip TestDisasm flaky failures on linux/arm64
  * go#60697 cmd/go: go list fails with submodules which have test-only dependencies
  * go#60710 cmd/go: go list -export -e outputs errors to stderr and has non-zero exit code
  * go#60844 runtime: SIGSEGV in race + coverage mode
  * go#60948 runtime: goroutines that stop after calling runtime.RaceDisable break race detector
  * go#61054 runtime: TestWindowsStackMemory flakes on windows-386-2016

• Files Changed
• Browse Source

- go1.19.10 (released 2023-06-06) includes four security fixes to
  the cmd/go and runtime packages, as well as bug fixes to the
  compiler, the go command, and the runtime.
  Refs boo#1200441 go1.19 release tracking
  CVE-2023-29402 CVE-2023-29403 CVE-2023-29404 CVE-2023-29405
  * go#60515 go#60167 boo#1212073 security: fix CVE-2023-29402 cmd/go: cgo code injection
  * go#60517 go#60272 boo#1212074 security: fix CVE-2023-29403 runtime: unexpected behavior of setuid/setgid binaries
  * go#60511 go#60305 boo#1212075 security: fix CVE-2023-29404 cmd/go: improper sanitization of LDFLAGS
  * go#60513 go#60306 boo#1212076 security: fix CVE-2023-29405 cmd/go: improper sanitization of LDFLAGS
  * go#59974 cmd/compile: multiple memories live at block start
  * go#60000 cmd/go: missing checksums for dependencies of go get arguments and tests of external dependencies
  * go#60457 cmd/go: document GOROOT/bin/go PATH entry for go test and go generate (forwarded request 1091157 from jfkw)

• Files Changed
• Browse Source

- Revert re-enable binary stripping and debuginfo boo#1210938.
  go1.19 and earlier store pre-compiled packages in $GOROOT/pkg as
  Go .a files which are not ar archives. These .a are incorrectly
  passed to strip by brp-15-strip-debug. strip incorrectly modifies
  Go .a files rendering them invalid. Some Go applications fail to
  build with "reference to nonexistent package" errors.
  Refs boo#1210938 boo#1211073
  * go1.19 and earlier store pre-compiled packages for the standard
    library as .a files under pkg/GOARCH[_{dynlink,race}].
  * Go emitted .a files are a Go specific format, not ar archives.
  * go1.10+ stores recently built packages in build cache GOCACHE.
    These are separate from the installed packages in $GOROOT/pkg.
  * Go build cache objects use a different file format than Go .a.
  * go1.20+ switches to the GOCACHE for both recently built
    packages and the installed packages in $GOROOT/pkg.
  * Current versions of readelf detect Go .a files correctly, e.g.:
    readelf -d /usr/lib64/go/1.19/pkg/linux_amd64/bytes.a
    File: /usr/lib64/go/1.19/pkg/linux_amd64/bytes.a(__.PKGDEF       )
    readelf: Error: This is a GO binary file - try using 'go tool objdump' or 'go tool nm'
  * binutils strip as of 2.40 detects Go .a files correctly, but
    incorrectly modifies the .a files altering path resulting in
    "reference to nonexistent package" errors.
  * brp_check_suse/brp-15-strip-debug passes files to strip based
    primarily on the file extension including .a. (forwarded request 1084541 from jfkw)

• Files Changed
• Browse Source

- Add subpackage go1.x-libstd for compiled shared object libstd.so.
  only on Tumbleweed at this time.
  * Main go1.x package included libstd.so in previous versions
  * Split libstd.so into subpackage that can be installed standalone
  * Continues the slimming down of main go1.x package by 40 Mb
  * Experimental and not recommended for general use, Go currently has no ABI
  * Upstream Go has not committed to support buildmode=shared long-term
  * Do not use in packaging, build static single binaries (the default)
  * Upstream Go go1.x binary releases do not include libstd.so
  * go1.x Suggests go1.x-libstd so not installed by default Recommends
  * go1.x-libstd does not Require: go1.x so can install standalone
  * Provides go-libstd unversioned package name
  * Fix build step -buildmode=shared std to omit -linkshared
- Packaging improvements:
  * go1.x Suggests go1.x-doc so not installed by default Recommends
  * Use Group: Development/Languages/Go instead of Other
  * On Tumbleweed bootstrap with current default gcc13 and gccgo118
  * On SLE-12 aarch64 ppc64le ppc64 remove overrides to bootstrap
    using go1.x package (%bcond_without gccgo). This is no longer
    needed on current SLE-12:Update and removing will consolidate
    the build configurations used.
  * Change source URLs to go.dev as per Go upstream
  * On x86_64 export GOAMD64=v1 as per the current baseline.
    At this time forgo GOAMD64=v3 option for x86_64_v3 support.
  * On x86_64 %define go_amd64=v1 as current instruction baseline (forwarded request 1079836 from jfkw)

• Files Changed
• Browse Source

- Use gcc13 compiler for Tumbleweed.
- Format one recent changelog entry for better visibility of CVEs (forwarded request 1079524 from jfkw)

• Files Changed
• Browse Source

- go1.19.8 (released 2023-04-04) includes security fixes to the
  go/parser, html/template, mime/multipart, net/http, and
  net/textproto packages, as well as bug fixes to the linker, the
  runtime, and the time package.
  Refs boo#1200441 go1.19 release tracking
  CVE-2023-24534 CVE-2023-24536 CVE-2023-24537 CVE-2023-24538
  * go#59267 go#58975 boo#1210127 net/http, net/textproto: denial of service from excessive memory allocation ​(CVE-2023-24534)
  * go#59269 go#59153 boo#1210128 net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption (CVE-2023-24536)
  * go#59273 go#59180 boo#1210129 go/parser: infinite loop in parsing (CVE-2023-24537)
  * go#59271 go#59234 boo#1210130 html/template: backticks not treated as string delimiters (CVE-2023-24538)
  * go#58937 cmd/go: timeout on darwin-amd64-race builder
  * go#58939 runtime/pprof: TestLabelSystemstack due to sample with no location
  * go#58941 internal/testpty: fails on some Linux machines due to incorrect error handling
  * go#59050 cmd/link: linker fails on linux/amd64 when gcc's lto options are used
  * go#59058 cmd/link/internal/arm: off-by-one error in trampoline phase call reachability calculation
  * go#59074 time: time zone lookup using extend string makes wrong start time for non-DST zones
  * go#59219 runtime: crash on linux-ppc64le (forwarded request 1077382 from jfkw)

• Files Changed
• Browse Source

- go1.19.7 (released 2023-03-07) includes a security fix to the
  crypto/elliptic package, as well as bug fixes to the linker, the
  runtime, and the crypto/x509 and syscall packages.
  Refs boo#1200441 go1.19 release tracking
  CVE-2023-24532
  * go#58719 go#58647 boo#1209030 security: fix CVE-2023-24532 crypto/elliptic: specific unreduced P-256 scalars produce incorrect results
  * go#58441 runtime: some linkname signatures do not match
  * go#58502 cmd/link: relocation truncated to fit: R_ARM_CALL against `runtime.duffcopy'
  * go#58535 runtime: long latency of sweep assists
  * go#58716 net: TestTCPSelfConnect failures due to unexpected connections
  * go#58773 syscall: Environ uses an invalid unsafe.Pointer conversion on Windows
  * go#58810 crypto/x509: TestSystemVerify consistently failing (forwarded request 1070080 from jfkw)

• Files Changed
• Browse Source

- go1.19.6 (released 2023-02-14) includes security fixes to the
  crypto/tls, mime/multipart, net/http, and path/filepath packages,
  as well as bug fixes to the go command, the linker, the runtime,
  and the crypto/x509, net/http, and time packages.
  Refs boo#1200441 go1.19 release tracking
  CVE-2022-41722 CVE-2022-41723 CVE-2022-41724 CVE-2022-41725
  * go#57275 boo#1208269 security: fix CVE-2022-41722
  * go#58355 boo#1208270 security: fix CVE-2022-41723
  * go#58358 boo#1208271 security: fix CVE-2022-41724
  * go#58362 boo#1208272 security: fix CVE-2022-41725
  * go#56154 net/http: bad handling of HEAD requests with a body
  * go#57635 crypto/x509: TestBoringAllowCert failures
  * go#57812 runtime: performance regression due to bad instruction used in morestack_noctxt for ppc64 in CL 425396
  * go#58118 time: update zoneinfo_abbrs on Windows
  * go#58223 cmd/link: .go.buildinfo is gc'ed by --gc-sections
  * go#58449 cmd/go/internal/modfetch: TestCodeRepo/gopkg.in_natefinch_lumberjack.v2/latest failing (forwarded request 1066110 from jfkw)

• Files Changed
• Browse Source

- go1.19.5 (released 2023-01-10) includes fixes to the compiler,
  the linker, and the crypto/x509, net/http, sync/atomic, and
  syscall packages.
  Refs boo#1200441 go1.19 release tracking
  * go#57706 Misc/cgo: backport needed for dlltool fix
  * go#57556 crypto/x509: re-allow duplicate attributes in CSRs
  * go#57444 cmd/link: need to handle new-style LoongArch relocs
  * go#57427 crypto/x509: Verify on macOS does not return typed errors
  * go#57345 cmd/compile: the loong64 intrinsic for CompareAndSwapUint32 function needs to sign extend its "old" argument.
  * go#57339 syscall, internal/poll: accept4-to-accept fallback removal broke Go code on Synology DSM 6.2 ARM devices
  * go#57214 os: TestLstat failure on Linux Aarch64
  * go#57212 reflect: sort.SliceStable sorts incorrectly on arm64 with less function created with reflect.MakeFunc and slice of sufficient length
  * go#57124 sync/atomic: allow linked lists of atomic.Pointer
  * go#57100 cmd/compile: non-retpoline-compatible errors
  * go#57058 cmd/go: remove test dependency on gopkg.in service
  * go#57055 cmd/go: TestScript/version_buildvcs_git_gpg (if enabled) fails on linux longtest builders
  * go#56983 runtime: failure in TestRaiseException on windows-amd64-2012
  * go#56834 cmd/link/internal/ppc64: too-far trampoline is reused
  * go#56770 cmd/compile: walkConvInterface produces broken IR
  * go#56744 cmd/compile: internal compiler error: missing typecheck
  * go#56712 net: reenable TestLookupDotsWithRemoteSource and TestLookupGoogleSRV with a different target
  * go#56154 net/http: bad handling of HEAD requests with a body (forwarded request 1057692 from jfkw)

• Files Changed
• Browse Source

- go1.19.4 (released 2022-12-06) includes security fixes to the
  net/http and os packages, as well as bug fixes to the compiler,
  the runtime, and the crypto/x509, os/exec, and sync/atomic
  packages.
  Refs boo#1200441 go1.19 release tracking
  CVE-2022-41717 CVE-2022-41720
  * go#57009 boo#1206135 security: fix CVE-2022-41717 net/http: limit canonical header cache by bytes, not entries
  * go#57006 boo#1206134 security: fix CVE-2022-41720 os, net/http: avoid escapes from os.DirFS and http.Dir on Windows
  * go#56752 runtime,cmd/compile: apparent memory corruption in compress/flate
  * go#56710 net: builders failing TestLookupDotsWithRemoteSource and TestLookupGoogleSRV due to missing host for _xmpp-server._tcp.google.com
  * go#56672 crypto/tls: boringcrypto restricts RSA key sizes to 2048 and 3072
  * go#56638 sync/atomic: atomic.Pointer[T] can be misused with type conversions.
  * go#56636 runtime: traceback stuck in runtime.systemstack
  * go#56557 cmd/compile: some x/sys versions no longer build due to "go:linkname must refer to declared function or variable"
  * go#56551 os/exec: Plan 9 build has been broken by a Windows security fix (also breaks 1.19.3 and 1.18.8)
  * go#56438 crypto/x509: respect GODEBUG changes during program lifetime
  * go#56397 runtime: on linux/PPC64, usleep computes incorrect tv_nsec parameter
  * go#56360 cmd/compile: panic: offset too large (forwarded request 1041233 from jfkw)

• Files Changed
• Browse Source

- go1.19.3 (released 2022-11-01) includes security fixes to the
  os/exec and syscall packages, as well as bug fixes to the
  compiler and the runtime.
  Refs boo#1200441 go1.19 release tracking
  CVE-2022-41716
  * go#56328 boo#1204941 security: fix CVE-2022-41716 syscall, os/exec: unsanitized NUL in environment variables
  * go#56309 runtime: "runtime·lock: lock count" fatal error when cgo is enabled
  * go#56168 cmd/compile: libFuzzer instrumentation fakePC overflow on 386 arch
  * go#56106 internal/fuzz: array literal initialization causes ICE "unhandled stmt ASOP" while fuzzing (forwarded request 1032742 from jfkw)

• Files Changed
• Browse Source

- go1.19.2 (released 2022-10-04) includes security fixes to the
  archive/tar, net/http/httputil, and regexp packages, as well as
  bug fixes to the compiler, the linker, the runtime, and the
  go/types package.
  Refs boo#1200441 go1.19 release tracking
  CVE-2022-41715 CVE-2022-2879 CVE-2022-2880
  * go#55951 boo#1204023 security: fix CVE-2022-41715 regexp/syntax: limit memory used by parsing regexps
  * go#55926 boo#1204024 security: fix CVE-2022-2879 archive/tar: unbounded memory consumption when reading headers
  * go#55843 boo#1204025 security: fix CVE-2022-2880 net/http/httputil: ReverseProxy should not forward unparseable query parameters
  * go#55270 cmd/compile: internal compiler error: method Len on *uint8 not found
  * go#55152 cmd/compile: typebits.Set: invalid initial alignment: type Peer has alignment 8, but offset is 4
  * go#55149 go/types: no way to construct the signature of append(s, "string"...) via the API
  * go#55124 fatal error: bulkBarrierPreWrite: unaligned arguments (go 1.19.1, looks like regression)
  * go#55114 cmd/link: new darwin linker warning on -pagezero_size and -no_pie deprecation
  * go#54917 cmd/compile: Value live at entry
  * go#54764 runtime/cgo(.text): unknown symbol __stack_chk_fail_local in pcrel (regression in 1.19 when building for i686) (forwarded request 1008076 from jfkw)

• Files Changed
• Browse Source

- go1.19.1 (released 2022-09-06) includes security fixes to the
  net/http and net/url packages, as well as bug fixes to the
  compiler, the go command, the pprof command, the linker, the
  runtime, and the crypto/tls and crypto/x509 packages.
  Refs boo#1200441 go1.19 release tracking
  CVE-2022-27664 CVE-2022-32190
  * go#54376 bsc#1203185 CVE-2022-27664 net/http: handle server errors after sending GOAWAY
  * go#54635 bsc#1203186 CVE-2022-32190 net/url: JoinPath doesn't strip relative path components in all circumstances
  * go#54736 cmd/go: cannot find package when importing dependencies with the unix build constraint
  * go#54734 cmd/go: git fetch errors dropped when producing pseudo-versions for commits
  * go#54726 cmd/compile: compile failed with "Value live at entry"
  * go#54697 cmd/compile: ICE at composite literal assignment with alignment > PtrSize
  * go#54675 runtime: morestack_noctxt missing SPWRITE, causes "traceback stuck" assert
  * go#54665 runtime: segfault running ppc64/linux binaries with kernel 5.18
  * go#54660 cmd/go: go test -race does not set implicit race build tag
  * go#54643 crypto/tls: support ECDHE key exchanges when ec_point_formats is missing in ClientHello extension
  * go#54637 cmd/go: data race in TestScript
  * go#54633 cmd/go/internal/modfetch/codehost: racing writes to Origin fields
  * go#54629 cmd/compile: miscompilation of partially-overlapping array assignments
  * go#54420 cmd/pprof: graphviz node names are funny with generics
  * go#54406 cmd/link: trampoline insertion breaks DWARF Line Program Table output on Darwin/ARM64
  * go#54309 cmd/compile: internal compiler error: panic: runtime error: invalid memory address or nil pointer dereference
  * go#54295 crypto/x509: panics on invalid curve instead of returning error
  * go#54243 cmd/compile: internal compiler error when compiling code with unbound method of generic type
  * go#54239 misc/cgo: TestSignalForwardingExternal sometimes fails with wrong signal SIGINT
  * go#54235 cmd/compile: internal compiler error of atomic type and offsetof (forwarded request 1001532 from jfkw)

• Files Changed
• Browse Source

- Define go_bootstrap_version go1.16 without suse_version checks
- Simplify conditional gcc_go_version 12 on Tumbleweed, 11 elsewhere
- Add _constraints for worker disk space 5G needed by SLE-15 x86_64
- SLE-12 s390x use bcond_without gccgo to bootstrap using gcc11go
  * Workaround for SLE-12 s390x build error while writing linker data:
    bad carrier sym for symbol crypto/internal/nistec.p256OrdMul.args_stackmap
    created by cmd/link/internal/ld.writeBlocks
	/usr/lib64/go/1.19/src/cmd/link/internal/ld/data.go:958 (forwarded request 998733 from jfkw)

• Files Changed
• Browse Source

- Rebase gcc-go.patch onto upstream changes in go/src/make.bash and
  go/src/make.rc. Used for SLE-12 go bootstrap builds with gcc8. (forwarded request 994190 from jfkw)

• Files Changed
• Browse Source

- go1.19 (released 2022-08-02) is a major release of Go.
  go1.19.x minor releases will be provided through August 2023. (forwarded request 993859 from jfkw)

• Files Changed
• Browse Source

- go1.19beta1 (released 2022-06-10) is a beta version of go1.19 cut from the master branch at the revision tagged go1.19beta1.

• Browse Source