OpenPOWER buildroot sources https://git.raptorcs.com/git/buildroot/atom?h=2019.02-op-build 2019-03-25T18:00:22+00:00 2019-03-25T18:00:22+00:00 Christian Stewart christian@paral.in 2019-03-12T05:41:14+00:00 urn:sha1:af99ecabd504c8f0237d37ac0e050dbad7ceffac Set the GOCACHE environment variable properly. It was previously unset, and defaults to $HOME/.cache/go-build. Signed-off-by: Christian Stewart <christian@paral.in> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> (cherry picked from commit 3909423f1ccf186bd064e225ecb064ca1ece0310) Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2019-03-03T21:15:24+00:00 Christian Stewart christian@paral.in 2019-01-26T10:23:55+00:00 urn:sha1:f7a2870dd1fef9ee41e78ea1bcbb2ec61e82eb67 Go "modules" refers to the dependency fetching, verification (hashing), and version control system built into Go as of 1.11. It is not desirable to have Go modules enabled in Buildroot in the normal case, as Buildroot manages downloading the sources, and third party dependency managers are typically not used. In the absence of the GO111MODULE environment variable, the Go compiler will correctly compile using the "vendor" version of dependencies downloaded by Buildroot during the compilation process for Go-based packages. However, if the user sets the GO111MODULE=on environment variable, the Go compiler will download the Go dependencies for Buildroot packages, using the modules system. This is potentially unintended behavior from user environment variables. This commit sets the GO111MODULE=off variable in the Go target and host compilation environments, disabling Go modules support for Buildroot mainline packages. Signed-off-by: Christian Stewart <christian@paral.in> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2019-01-24T09:46:22+00:00 Christian Stewart christian@paral.in 2019-01-24T08:16:33+00:00 urn:sha1:0ab3cb7a9752b9d5418f883f6287ba766eea0c0b Go 1.11.5 addresses a reported security issue, CVE-2019-6486. Signed-off-by: Christian Stewart <christian@paral.in> Acked-by: Anisse Astier <anisse@astier.eu> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2018-12-16T11:17:47+00:00 Peter Korsgaard peter@korsgaard.com 2018-12-15T15:50:10+00:00 urn:sha1:d810fee306e9a3b9c2408e2927288c1bc4c8d699 go 1.11.3 fixes the following security issues: cmd/go: remote command execution during "go get -u" The issue is CVE-2018-16873 and Go issue golang.org/issue/29230. See the Go issue for details. Thanks to Etienne Stalmans from the Heroku platform security team for discovering and reporting this issue. cmd/go: directory traversal in "go get" via curly braces in import paths The issue is CVE-2018-16874 and Go issue golang.org/issue/29231. See the Go issue for details. Thanks to ztz of Tencent Security Platform for discovering and reporting this issue. crypto/x509: CPU denial of service in chain validation The issue is CVE-2018-16875 and Go issue golang.org/issue/29233. See the Go issue for details. Thanks to Netflix for discovering and reporting this issue. go 1.11.4 fixes issues, including regressions introduced by 1.11.3: 1.11.4 includes fixes to cgo, the compiler, linker, runtime, documentation, go command, and the net/http and go/types packages. It includes a fix to a bug introduced in Go 1.11.3 that broke go get for import path patterns containing "...". Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> 2018-11-29T20:22:45+00:00 Yann E. MORIN yann.morin.1998@free.fr 2018-11-25T09:19:50+00:00 urn:sha1:bcb8ef0fdcea6f60fefba8368b4c93048e837141 Fixes: http://autobuild.buildroot.org/results/020/02039969b16534d4020ecd4574bae71b91c1e6b8/ (flannel) http://autobuild.buildroot.org/results/e95/e9528b06b350ef84c1e2cb59fba87b4db77b4660/ (docker-engine) [...] Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Cc: Romain Naour <romain.naour@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2018-11-08T20:02:06+00:00 Christian Stewart christian@paral.in 2018-11-06T22:28:10+00:00 urn:sha1:b869212d0ce85d1a1f05b2407c1eb16a8db5e48e Bumps Golang host-go compiler to 1.11.2 release. Add hash for LICENSE. Signed-off-by: Christian Stewart <christian@paral.in> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> 2018-10-31T09:25:35+00:00 Christian Stewart christian@paral.in 2018-10-29T16:54:22+00:00 urn:sha1:67190f763560612a7e8393d2e2af9f8c5695197c Bumps Golang host-go compiler to 1.11.1 release. Signed-off-by: Christian Stewart <christian@paral.in> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> 2018-09-13T18:49:41+00:00 Christian Stewart christian@paral.in 2018-09-13T04:23:36+00:00 urn:sha1:f99efd731c2e4f8f64ce312d535b55f1025eb593 Signed-off-by: Christian Stewart <christian@paral.in> Reviewed-by: Anisse Astier <anisse@astier.eu> Tested-by: Anisse Astier <anisse@astier.eu> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> 2018-05-11T21:10:27+00:00 Anisse Astier anisse@astier.eu 2018-05-11T20:50:37+00:00 urn:sha1:81815b85a20d09b8346322ad025c2bb430d17ed3 This bump contains many bug fixes, as well as the following security issue, patched in Go 1.10.1: CVE-2018-7187: The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site. Signed-off-by: Anisse Astier <anisse@astier.eu> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> 2018-05-11T21:05:32+00:00 Anisse Astier anisse@astier.eu 2018-05-11T20:50:36+00:00 urn:sha1:486334dd819b15943b6f9e93868a354be0b8ab20 Signed-off-by: Anisse Astier <anisse@astier.eu> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>