Includes fix for CVE-2023-29406 (net/http: insufficient sanitization of
Host header).
This also updates the copyright information for various Go packaging
files.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Includes fixes for:
* 1.20.1:
* CVE-2022-41722: path/filepath: path traversal in filepath.Clean on
Windows
* CVE-2022-41723: net/http: avoid quadratic complexity in HPACK
decoding
* CVE-2022-41724: crypto/tls: large handshake records may cause panics
* CVE-2022-41725: net/http, mime/multipart: denial of service from
excessive resource consumption
* 1.20.2:
* CVE-2023-24532: crypto/elliptic: specific unreduced P-256 scalars
produce incorrect results
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This adds support to compile host and target Go as position-independent
executables.
Host Go will have PIE enabled if Go supports PIE on the host platform.
Target Go will have PIE enabled if Go supports PIE on the target
platform and CONFIG_PKG_ASLR_PIE is selected.
Go 1.13 supports PIE for x86 and arm targets; mips support is in
progress[1].
[1]: https://github.com/golang/go/issues/21222#issuecomment-542064462
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
From golang.org:
The Go programming language is an open source project to make
programmers more productive.
This commit consists of two "parts":
* golang/host: Main Go compiler for host (installed to
STAGING_DIR_HOST/lib/go-cross), used to cross-compile Go programs to
be packaged.
* golang (and golang-src/golang-doc): Main Go compiler for on-target
development. These packages are quite large, but I would expect only
developers to install these.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
