commit 1f8859c22ccdeb969b252c8139bf4b1aae5c4909
Author: Andrew Bonventre
Date: 2020-07-14 09:15:35 -04:00

[release-branch.go1.13-security] go1.13.13

Change-Id: I65f5d9cc1363d369ced4496c1d6d3d7f9144f1b8
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/794127
Reviewed-by: Katie Hockman <katiehockman@google.com>

commit 4a4c8d3d971fa77e4346d2874220ff736047f13c
Author: Filippo Valsorda
Date: 2020-06-18 22:45:52 -04:00

[release-branch.go1.13-security] crypto/x509: respect VerifyOptions.KeyUsages on Windows

When using the platform verifier on Windows (because Roots is nil) we
were always enforcing server auth EKUs if DNSName was set, and none
otherwise. If an application was setting KeyUsages, they were not being
respected.

Started correctly surfacing IncompatibleUsage errors from the system
verifier, as those are the ones applications will see if they are
affected by this change.

Also refactored verify_test.go to make it easier to add tests for this,
and replaced the EKULeaf chain with a new one that doesn't have a SHA-1
signature.

Thanks to Niall Newman for reporting this.

Fixes #39360
Fixes CVE-2020-14039

Change-Id: If5c00d615f2944f7d57007891aae1307f9571c32
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/774414
Reviewed-by: Katie Hockman <katiehockman@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/793509
Reviewed-by: Filippo Valsorda <valsorda@google.com>
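The contract this commit makes the Windows platform path honor can be seen with Go's own verifier. The example below is added here and is not code from the commit or from the Go project; it builds a constructed in-memory chain (a self-signed root, a leaf whose EKU extension lists only clientAuth, and a leaf with no EKU extension) and sets Roots explicitly, so it exercises the pure-Go verifier rather than the Windows system verifier the fix targets. The names demoChain, buildChain and verifyFor are the example's own. What it shows is what an application setting VerifyOptions.KeyUsages expects: a clientAuth-only leaf fails with a CertificateInvalidError whose Reason is IncompatibleUsage when serverAuth is requested (and when KeyUsages is nil, since that defaults to serverAuth), passes when clientAuth or ExtKeyUsageAny is requested, and a leaf carrying no EKU extension is accepted for any usage.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// demoChain is a constructed in-memory PKI (one self-signed root, two leaves
// it signed). Nothing is loaded from the system trust store.
type demoChain struct {
	Roots      *x509.CertPool
	ClientLeaf *x509.Certificate // EKU extension present: clientAuth only
	NoEKULeaf  *x509.Certificate // no EKU extension at all
}

// leafTemplate builds a leaf template; eku == nil means "no EKU extension".
func leafTemplate(serial int64, cn string, eku []x509.ExtKeyUsage) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  eku,
	}
}

// signCert issues template signed by parent/parentKey and parses the result.
func signCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildChain generates fresh P-256 keys and issues the root and both leaves.
func buildChain() (*demoChain, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := leafTemplate(1, "demo root", nil)
	caTmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	caTmpl.BasicConstraintsValid = true
	caTmpl.IsCA = true
	ca, err := signCert(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed
	if err != nil {
		return nil, err
	}
	clientLeaf, err := signCert(leafTemplate(2, "demo client", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}), ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	noEKULeaf, err := signCert(leafTemplate(3, "demo no-eku", nil), ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &demoChain{Roots: pool, ClientLeaf: clientLeaf, NoEKULeaf: noEKULeaf}, nil
}

// verifyFor runs chain verification with an explicit KeyUsages and reports
// whether it passed and, if not, whether the failure was an EKU mismatch
// (x509.IncompatibleUsage) rather than some other chain-building error.
func verifyFor(leaf *x509.Certificate, roots *x509.CertPool, usages []x509.ExtKeyUsage) (ok, incompatibleUsage bool, err error) {
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: usages})
	if err == nil {
		return true, false, nil
	}
	var cie x509.CertificateInvalidError
	if errors.As(err, &cie) && cie.Reason == x509.IncompatibleUsage {
		return false, true, err
	}
	return false, false, err
}

func main() {
	c, err := buildChain()
	if err != nil {
		panic(err)
	}
	cases := []struct {
		name   string
		leaf   *x509.Certificate
		usages []x509.ExtKeyUsage
	}{
		{"clientAuth leaf, KeyUsages nil (defaults to serverAuth)", c.ClientLeaf, nil},
		{"clientAuth leaf, KeyUsages={clientAuth}", c.ClientLeaf, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}},
		{"no-EKU leaf, KeyUsages={serverAuth}", c.NoEKULeaf, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}},
	}
	for _, tc := range cases {
		ok, incompat, err := verifyFor(tc.leaf, c.Roots, tc.usages)
		fmt.Printf("%-55s ok=%-5v incompatibleUsage=%-5v err=%v\n", tc.name, ok, incompat, err)
	}
}
```

The practical check for code affected by this fix is the middle case: if your application passes KeyUsages and relies on the platform verifier (Roots nil on Windows), run it against a leaf whose EKU does not match and confirm you get IncompatibleUsage back rather than a silent pass.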

commit e434185ec16b3783629bcb364b9a350706df7c1e
Author: Russ Cox
Date: 2020-07-13 13:27:22 -04:00

[release-branch.go1.13-security] net/http: synchronize "100 Continue" write and Handler writes

The expectContinueReader writes to the connection on the first
Request.Body read. Since a Handler might be doing a read in parallel or
before a write, expectContinueReader needs to synchronize with the
ResponseWriter, and abort if a response already went out.

The tests will land in a separate CL.

Fixes #34902
Fixes CVE-2020-15586

Change-Id: Icdd8dd539f45e8863762bd378194bb4741e875fc
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/793350
Reviewed-by: Filippo Valsorda <valsorda@google.com>
(cherry picked from commit b5e504f4a07c572744b228fa1b10e3989c4c44f3)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/793499
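The exchange the commit message describes, as an added example that is not part of the commit or of the Go project's code: a client sends "Expect: 100-continue", the server's expectContinueReader only writes the interim "100 Continue" on the handler's first Body read, and a handler that rejects the request from its headers alone never triggers that write, so the client never transmits the body. The handler name uploadHandler, the helpers postWithExpect and runDemo, and the 1 KiB limit are the example's own; the requests go over a loopback httptest server, so it runs offline.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// maxBody is the upload limit for this constructed demo.
const maxBody = 1 << 10

// uploadHandler decides from the headers alone whether to accept the upload.
// Until the handler reads r.Body the server has not sent "100 Continue", so an
// early rejection means the client never transmits the body at all. The
// MaxBytesReader still caps chunked uploads that carry no Content-Length.
func uploadHandler(w http.ResponseWriter, r *http.Request) {
	if r.ContentLength > maxBody {
		http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
		return
	}
	body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxBody))
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "received %d bytes", len(body))
}

// postWithExpect sends body as a POST with "Expect: 100-continue". The
// transport withholds the body until the server answers 100 Continue, a
// final status arrives, or ExpectContinueTimeout elapses.
func postWithExpect(url string, body []byte) (status int, respBody string, err error) {
	tr := &http.Transport{ExpectContinueTimeout: 2 * time.Second}
	defer tr.CloseIdleConnections()
	req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(body))
	if err != nil {
		return 0, "", err
	}
	req.Header.Set("Expect", "100-continue")
	resp, err := (&http.Client{Transport: tr}).Do(req)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	if err != nil {
		return 0, "", err
	}
	return resp.StatusCode, string(b), nil
}

// runDemo serves uploadHandler on a loopback listener and performs one small
// and one oversized upload, returning both status codes and the small reply.
func runDemo() (smallStatus, bigStatus int, smallReply string, err error) {
	srv := httptest.NewServer(http.HandlerFunc(uploadHandler))
	defer srv.Close()
	smallStatus, smallReply, err = postWithExpect(srv.URL, []byte("hello"))
	if err != nil {
		return 0, 0, "", err
	}
	bigStatus, _, err = postWithExpect(srv.URL, bytes.Repeat([]byte("A"), 4*maxBody))
	if err != nil {
		return 0, 0, "", err
	}
	return smallStatus, bigStatus, smallReply, nil
}

func main() {
	small, big, reply, err := runDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("small upload: %d %q\n", small, reply)
	fmt.Printf("oversized upload: %d (body never sent by the client)\n", big)
}
```

The oversized case is exactly the pattern the fix concerns: the handler writes a response without ever reading the body, so the "100 Continue" write and the handler's writes must not race on the connection. Note that the Content-Length check alone is bypassable by a chunked request, which is why the handler still wraps the body in MaxBytesReader.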

commit 6be4a5eb4898c7b5e7557dda061cc09ba310698b
Author: Dmitri Shuralyov
Date: 2020-06-01 13:15:51 -04:00

[release-branch.go1.13] go1.13.12

Change-Id: I1989d7cab0bf75c4e42d1c48146be9131d2c105c
Reviewed-on: https://go-review.googlesource.com/c/go/+/235918
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Andrew Bonventre <andybons@golang.org>

commit 90fe4a73fff10394097e21085a9c0c369c61b09a
Author: Robert Griesemer
Date: 2019-10-23 16:44:51 -07:00

[release-branch.go1.13] math/big: make Rat.Denom side-effect free

A Rat is represented via a quotient a/b where a and b are Int values.
To make it possible to use an uninitialized Rat value (with a and b
uninitialized and thus == 0), the implementation treats a 0 denominator
as 1.

Rat.Num and Rat.Denom return pointers to these values a and b. Because
b may be 0, Rat.Denom used to first initialize it to 1 and thus produce
an undesirable side-effect (by changing the Rat's denominator).

This CL changes Denom to return a new (not shared) *Int with value 1
in the rare case where the Rat was not initialized. This eliminates
the side effect and returns the correct denominator value.

While this is changing the behavior of the API, the impact should now be
minor because together with (prior) CL https://golang.org/cl/202997,
which initializes Rats ASAP, Denom is unlikely to be used to access the
denominator of an uninitialized (and thus 0) Rat. Any operation that
will somehow set a Rat value will ensure that the denominator is not 0.

Fixes #36689.
For #33792.
For #3521.

Change-Id: I0bf15ac60513cf52162bfb62440817ba36f0c3fc
Reviewed-on: https://go-review.googlesource.com/c/go/+/203059
Run-TryBot: Robert Griesemer <gri@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-on: https://go-review.googlesource.com/c/go/+/233323
Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com>
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
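The two behaviors the commit message distinguishes, as an added example that is not code from the commit or from the Go project: on an uninitialized Rat, Denom now returns a fresh *Int of value 1 that is not shared with the Rat, so mutating it is harmless; on an initialized Rat, Denom still returns a pointer into the Rat itself, so writing through it rewrites the Rat and bypasses normalization. The function names zeroRatDenom, setRatDenom and copiedDenom are the example's own; the last one is the defensive pattern of copying before mutating.

```go
package main

import (
	"fmt"
	"math/big"
)

// zeroRatDenom exercises the fixed behavior: Denom on an uninitialized Rat
// returns a new *Int of value 1, so mutating it cannot change the Rat. It
// returns the Rat's string form and the denominator observed afterwards.
func zeroRatDenom() (rat, denom string) {
	var r big.Rat // zero value: a == 0, b == 0, interpreted as 0/1
	d := r.Denom()
	d.SetInt64(5) // mutate the returned *Int; r must be unaffected
	return r.RatString(), r.Denom().String()
}

// setRatDenom shows the aliasing that remains once a Rat is initialized:
// Denom returns a pointer to the Rat's own denominator, so writing through
// it rewrites the Rat (here 1/3 becomes 1/7, with no renormalization).
func setRatDenom() string {
	r := new(big.Rat).SetFrac64(1, 3)
	r.Denom().SetInt64(7)
	return r.RatString()
}

// copiedDenom is the safe pattern when a caller needs to work on the
// denominator: copy it into a fresh *Int before mutating.
func copiedDenom() (rat, copied string) {
	r := new(big.Rat).SetFrac64(1, 3)
	d := new(big.Int).Set(r.Denom())
	d.SetInt64(7)
	return r.RatString(), d.String()
}

func main() {
	rat, denom := zeroRatDenom()
	fmt.Printf("zero Rat after mutating Denom(): rat=%s denom=%s\n", rat, denom)
	fmt.Printf("1/3 after Denom().SetInt64(7): %s\n", setRatDenom())
	rat, c := copiedDenom()
	fmt.Printf("1/3 after mutating a copy of Denom(): rat=%s copy=%s\n", rat, c)
}
```

The same aliasing applies to Rat.Num, and to any big.Int a package hands back by pointer: treat the result as a view, not a value, unless the documentation says otherwise.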
