diff --git a/0003-cmd-go-use-local-proxy-and-sumdb.patch b/0002-cmd-go-use-local-proxy-and-sumdb.patch similarity index 100% rename from 0003-cmd-go-use-local-proxy-and-sumdb.patch rename to 0002-cmd-go-use-local-proxy-and-sumdb.patch diff --git a/0002-release-branch.go1.19-net-http-validate-Host-header-.patch b/0002-release-branch.go1.19-net-http-validate-Host-header-.patch deleted file mode 100644 index 38d756e3069f2e530047e79b7816beb82f440578..0000000000000000000000000000000000000000 --- a/0002-release-branch.go1.19-net-http-validate-Host-header-.patch +++ /dev/null @@ -1,211 +0,0 @@ -From 312920c00aac9897b2a0693e752390b5b0711a5a Mon Sep 17 00:00:00 2001 -From: Damien Neil -Date: Wed, 28 Jun 2023 13:20:08 -0700 -Subject: [PATCH 1/4] [release-branch.go1.20] net/http: validate Host header - before sending - -Verify that the Host header we send is valid. -Avoids surprising behavior such as a Host of "go.dev\r\nX-Evil:oops" -adding an X-Evil header to HTTP/1 requests. - -Add a test, skip the test for HTTP/2. HTTP/2 is not vulnerable to -header injection in the way HTTP/1 is, but x/net/http2 doesn't validate -the header and will go into a retry loop when the server rejects it. -CL 506995 adds the necessary validation to x/net/http2. - -For #60374 -Fixes #61076 -For CVE-2023-29406 - -Change-Id: I05cb6866a9bead043101954dfded199258c6dd04 -Reviewed-on: https://go-review.googlesource.com/c/go/+/506996 -Reviewed-by: Tatiana Bradley -TryBot-Result: Gopher Robot -Run-TryBot: Damien Neil -(cherry picked from commit 499458f7ca04087958987a33c2703c3ef03e27e2) -Reviewed-on: https://go-review.googlesource.com/c/go/+/507357 -Reviewed-by: Damien Neil -Run-TryBot: Tatiana Bradley -Reviewed-by: Roland Shoemaker ---- - src/net/http/http_test.go | 29 --------------------- - src/net/http/request.go | 47 ++++++++-------------------------- - src/net/http/request_test.go | 11 ++------ - src/net/http/transport_test.go | 19 ++++++++++++++ - 4 files changed, 31 insertions(+), 75 deletions(-) - -diff --git a/src/net/http/http_test.go b/src/net/http/http_test.go -index 0d92fe5f96..f03272ab91 100644 ---- a/src/net/http/http_test.go -+++ b/src/net/http/http_test.go -@@ -48,35 +48,6 @@ func TestForeachHeaderElement(t *testing.T) { - } - } - --func TestCleanHost(t *testing.T) { -- tests := []struct { -- in, want string -- }{ -- {"www.google.com", "www.google.com"}, -- {"www.google.com foo", "www.google.com"}, -- {"www.google.com/foo", "www.google.com"}, -- {" first character is a space", ""}, -- {"[1::6]:8080", "[1::6]:8080"}, -- -- // Punycode: -- {"гофер.рф/foo", "xn--c1ae0ajs.xn--p1ai"}, -- {"bücher.de", "xn--bcher-kva.de"}, -- {"bücher.de:8080", "xn--bcher-kva.de:8080"}, -- // Verify we convert to lowercase before punycode: -- {"BÜCHER.de", "xn--bcher-kva.de"}, -- {"BÜCHER.de:8080", "xn--bcher-kva.de:8080"}, -- // Verify we normalize to NFC before punycode: -- {"gophér.nfc", "xn--gophr-esa.nfc"}, // NFC input; no work needed -- {"goph\u0065\u0301r.nfd", "xn--gophr-esa.nfd"}, // NFD input -- } -- for _, tt := range tests { -- got := cleanHost(tt.in) -- if tt.want != got { -- t.Errorf("cleanHost(%q) = %q, want %q", tt.in, got, tt.want) -- } -- } --} -- - // Test that cmd/go doesn't link in the HTTP server. - // - // This catches accidental dependencies between the HTTP transport and -diff --git a/src/net/http/request.go b/src/net/http/request.go -index a45c9e3d18..9c888b3768 100644 ---- a/src/net/http/request.go -+++ b/src/net/http/request.go -@@ -17,7 +17,6 @@ import ( - "io" - "mime" - "mime/multipart" -- "net" - "net/http/httptrace" - "net/http/internal/ascii" - "net/textproto" -@@ -27,6 +26,7 @@ import ( - "strings" - "sync" - -+ "golang.org/x/net/http/httpguts" - "golang.org/x/net/idna" - ) - -@@ -575,12 +575,19 @@ func (r *Request) write(w io.Writer, usingProxy bool, extraHeaders Header, waitF - // is not given, use the host from the request URL. - // - // Clean the host, in case it arrives with unexpected stuff in it. -- host := cleanHost(r.Host) -+ host := r.Host - if host == "" { - if r.URL == nil { - return errMissingHost - } -- host = cleanHost(r.URL.Host) -+ host = r.URL.Host -+ } -+ host, err = httpguts.PunycodeHostPort(host) -+ if err != nil { -+ return err -+ } -+ if !httpguts.ValidHostHeader(host) { -+ return errors.New("http: invalid Host header") - } - - // According to RFC 6874, an HTTP client, proxy, or other -@@ -737,40 +744,6 @@ func idnaASCII(v string) (string, error) { - return idna.Lookup.ToASCII(v) - } - --// cleanHost cleans up the host sent in request's Host header. --// --// It both strips anything after '/' or ' ', and puts the value --// into Punycode form, if necessary. --// --// Ideally we'd clean the Host header according to the spec: --// --// https://tools.ietf.org/html/rfc7230#section-5.4 (Host = uri-host [ ":" port ]") --// https://tools.ietf.org/html/rfc7230#section-2.7 (uri-host -> rfc3986's host) --// https://tools.ietf.org/html/rfc3986#section-3.2.2 (definition of host) --// --// But practically, what we are trying to avoid is the situation in --// issue 11206, where a malformed Host header used in the proxy context --// would create a bad request. So it is enough to just truncate at the --// first offending character. --func cleanHost(in string) string { -- if i := strings.IndexAny(in, " /"); i != -1 { -- in = in[:i] -- } -- host, port, err := net.SplitHostPort(in) -- if err != nil { // input was just a host -- a, err := idnaASCII(in) -- if err != nil { -- return in // garbage in, garbage out -- } -- return a -- } -- a, err := idnaASCII(host) -- if err != nil { -- return in // garbage in, garbage out -- } -- return net.JoinHostPort(a, port) --} -- - // removeZone removes IPv6 zone identifier from host. - // E.g., "[fe80::1%en0]:8080" to "[fe80::1]:8080" - func removeZone(host string) string { -diff --git a/src/net/http/request_test.go b/src/net/http/request_test.go -index 23e49d6b8e..86c68e470e 100644 ---- a/src/net/http/request_test.go -+++ b/src/net/http/request_test.go -@@ -774,15 +774,8 @@ func TestRequestBadHost(t *testing.T) { - } - req.Host = "foo.com with spaces" - req.URL.Host = "foo.com with spaces" -- req.Write(logWrites{t, &got}) -- want := []string{ -- "GET /after HTTP/1.1\r\n", -- "Host: foo.com\r\n", -- "User-Agent: " + DefaultUserAgent + "\r\n", -- "\r\n", -- } -- if !reflect.DeepEqual(got, want) { -- t.Errorf("Writes = %q\n Want = %q", got, want) -+ if err := req.Write(logWrites{t, &got}); err == nil { -+ t.Errorf("Writing request with invalid Host: succeded, want error") - } - } - -diff --git a/src/net/http/transport_test.go b/src/net/http/transport_test.go -index 245f73bc9f..f4896c5026 100644 ---- a/src/net/http/transport_test.go -+++ b/src/net/http/transport_test.go -@@ -6654,3 +6654,22 @@ func testHandlerAbortRacesBodyRead(t *testing.T, mode testMode) { - } - wg.Wait() - } -+ -+func TestRequestSanitization(t *testing.T) { run(t, testRequestSanitization) } -+func testRequestSanitization(t *testing.T, mode testMode) { -+ if mode == http2Mode { -+ // Remove this after updating x/net. -+ t.Skip("https://go.dev/issue/60374 test fails when run with HTTP/2") -+ } -+ ts := newClientServerTest(t, mode, HandlerFunc(func(rw ResponseWriter, req *Request) { -+ if h, ok := req.Header["X-Evil"]; ok { -+ t.Errorf("request has X-Evil header: %q", h) -+ } -+ })).ts -+ req, _ := NewRequest("GET", ts.URL, nil) -+ req.Host = "go.dev\r\nX-Evil:evil" -+ resp, _ := ts.Client().Do(req) -+ if resp != nil { -+ resp.Body.Close() -+ } -+} --- -2.33.0 - diff --git a/go1.20.5.src.tar.gz b/go1.20.7.src.tar.gz similarity index 72% rename from go1.20.5.src.tar.gz rename to go1.20.7.src.tar.gz index 28a749f42d77029a10726fbb54bf09adea6ff5e8..c7be112d7c84e12f68861e2126392ed06503dd8a 100644 Binary files a/go1.20.5.src.tar.gz and b/go1.20.7.src.tar.gz differ diff --git a/golang.spec b/golang.spec index 19cec82400bd6cb9767e1ee8e57f295de83b2328..4f3534da8e739b041e8799e6eed26cd915ee7013 100644 --- a/golang.spec +++ b/golang.spec @@ -59,8 +59,8 @@ %endif Name: golang -Version: 1.20.5 -Release: 3 +Version: 1.20.7 +Release: 1 Summary: The Go Programming Language License: BSD and Public Domain URL: https://golang.org/ @@ -91,51 +91,19 @@ Requires(post): %{_sbindir}/update-alternatives Requires(postun): %{_sbindir}/update-alternatives Recommends: glibc gcc git subversion -# generated by: -# go list -f {{.ImportPath}} ./src/vendor/... | sed "s:_$PWD/src/vendor/::g;s:_:.:;s:.*:Provides\: bundled(golang(&)):" && go list -f {{.ImportPath}} ./src/cmd/vendor/... | sed "s:_$PWD/src/cmd/vendor/::g;s:_:.:;s:.*:Provides\: bundled(golang(&)):" -Provides: bundled(golang(golang.org/x/crypto/chacha20poly1305)) -Provides: bundled(golang(golang.org/x/crypto/cryptobyte)) -Provides: bundled(golang(golang.org/x/crypto/cryptobyte/asn1)) -Provides: bundled(golang(golang.org/x/crypto/curve25519)) -Provides: bundled(golang(golang.org/x/crypto/internal/chacha20)) -Provides: bundled(golang(golang.org/x/crypto/poly1305)) -Provides: bundled(golang(golang.org/x/net/dns/dnsmessage)) -Provides: bundled(golang(golang.org/x/net/http/httpguts)) -Provides: bundled(golang(golang.org/x/net/http/httpproxy)) -Provides: bundled(golang(golang.org/x/net/http2/hpack)) -Provides: bundled(golang(golang.org/x/net/idna)) -Provides: bundled(golang(golang.org/x/net/internal/nettest)) -Provides: bundled(golang(golang.org/x/net/nettest)) -Provides: bundled(golang(golang.org/x/text/secure)) -Provides: bundled(golang(golang.org/x/text/secure/bidirule)) -Provides: bundled(golang(golang.org/x/text/transform)) -Provides: bundled(golang(golang.org/x/text/unicode)) -Provides: bundled(golang(golang.org/x/text/unicode/bidi)) -Provides: bundled(golang(golang.org/x/text/unicode/norm)) -Provides: bundled(golang(github.com/google/pprof/driver)) -Provides: bundled(golang(github.com/google/pprof/internal/binutils)) -Provides: bundled(golang(github.com/google/pprof/internal/driver)) -Provides: bundled(golang(github.com/google/pprof/internal/elfexec)) -Provides: bundled(golang(github.com/google/pprof/internal/graph)) -Provides: bundled(golang(github.com/google/pprof/internal/measurement)) -Provides: bundled(golang(github.com/google/pprof/internal/plugin)) -Provides: bundled(golang(github.com/google/pprof/internal/proftest)) -Provides: bundled(golang(github.com/google/pprof/internal/report)) -Provides: bundled(golang(github.com/google/pprof/internal/symbolizer)) -Provides: bundled(golang(github.com/google/pprof/internal/symbolz)) -Provides: bundled(golang(github.com/google/pprof/profile)) -Provides: bundled(golang(github.com/google/pprof/third.party/d3)) -Provides: bundled(golang(github.com/google/pprof/third.party/d3flamegraph)) -Provides: bundled(golang(github.com/google/pprof/third.party/svgpan)) -Provides: bundled(golang(github.com/ianlancetaylor/demangle)) -Provides: bundled(golang(golang.org/x/arch/arm/armasm)) -Provides: bundled(golang(golang.org/x/arch/arm64/arm64asm)) -Provides: bundled(golang(golang.org/x/arch/ppc64/ppc64asm)) -Provides: bundled(golang(golang.org/x/arch/x86/x86asm)) -Provides: bundled(golang(golang.org/x/crypto/ssh/terminal)) -Provides: bundled(golang(golang.org/x/sys/unix)) -Provides: bundled(golang(golang.org/x/sys/windows)) -Provides: bundled(golang(golang.org/x/sys/windows/registry)) +# Bundled/Vendored provides generated by bundled-deps.sh based on the in tree module data +# - in version filed substituted with . per versioning guidelines +Provides: bundled(golang(github.com/google/pprof)) = 0.0.0.20221118152302.e6195bd50e26 +Provides: bundled(golang(github.com/ianlancetaylor/demangle)) = 0.0.0.20220319035150.800ac71e25c2 +Provides: bundled(golang(golang.org/x/arch)) = 0.1.1.0.20221116201807.1bb480fc256a +Provides: bundled(golang(golang.org/x/crypto)) = 0.3.1.0.20221117191849.2c476679df9a +Provides: bundled(golang(golang.org/x/mod)) = 0.7.0 +Provides: bundled(golang(golang.org/x/net)) = 0.4.1.0.20230214201333.88ed8ca3307d +Provides: bundled(golang(golang.org/x/sync)) = 0.1.0 +Provides: bundled(golang(golang.org/x/sys)) = 0.3.0 +Provides: bundled(golang(golang.org/x/term)) = 0.2.0 +Provides: bundled(golang(golang.org/x/text)) = 0.5.0 +Provides: bundled(golang(golang.org/x/tools)) = 0.3.1.0.20230118190848.070db2996ebe Provides: %{name}-bin = %{version}-%{release} Obsoletes: %{name}-bin @@ -147,8 +115,7 @@ Obsoletes: emacs-%{name} < 1.4 Requires: %{vendor}-rpm-config Patch6001: 0001-Enable-go-plugin-support-for-riscv64-based-on-work-b.patch -Patch6002: 0002-release-branch.go1.19-net-http-validate-Host-header-.patch -Patch6003: 0003-cmd-go-use-local-proxy-and-sumdb.patch +Patch6002: 0002-cmd-go-use-local-proxy-and-sumdb.patch ExclusiveArch: %{golang_arches} %description @@ -159,9 +126,9 @@ Summary: Golang compiler helps and manual docs Requires: %{name} = %{version}-%{release} BuildArch: noarch Provides: %{name}-docs = %{version}-%{release} -Obsoletes: %{name}-docs +Obsoletes: %{name}-docs < %{version}-%{release} Provides: %{name}-shared = %{version}-%{release} -Obsoletes: %{name}-shared +Obsoletes: %{name}-shared < %{version}-%{release} %description help %{summary}. @@ -171,11 +138,11 @@ Summary: Golang compiler devel BuildArch: noarch Requires: %{name} = %{version}-%{release} Provides: %{name}-src = %{version}-%{release} -Obsoletes: %{name}-src +Obsoletes: %{name}-src < %{version}-%{release} Provides: %{name}-tests = %{version}-%{release} -Obsoletes: %{name}-tests +Obsoletes: %{name}-tests < %{version}-%{release} Provides: %{name}-misc = %{version}-%{release} -Obsoletes: %{name}-misc +Obsoletes: %{name}-misc < %{version}-%{release} Obsoletes: %{name}-race = %{version}-%{release} %description devel @@ -386,6 +353,9 @@ fi %files devel -f go-tests.list -f go-misc.list -f go-src.list %changelog +* Mon Aug 7 2023 Funda Wang - 1.20.7-1 +- New version 1.20.7 + * Sun Jul 30 2023 Funda Wang - 1.20.5-3 - Use local proxy and sumdb for speed up