commit 36fcde1676a0d3863cb5f295eed6938cd782fcbb [browse]
Author: Andrew Bonventre
Date: 2020-07-14 09:28:45 -04:00

[release-branch.go1.14-security] go1.14.5

Change-Id: Ic2fb9041f6610dd5ce54185e674ab4b62fabf3b5
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/794130
Reviewed-by: Katie Hockman <katiehockman@google.com>

commit 9c0a6cec5b8413ae837e8eeb5743ea1de2d819fc [browse]
Author: Filippo Valsorda
Date: 2020-06-18 22:45:52 -04:00

[release-branch.go1.14-security] crypto/x509: respect VerifyOptions.KeyUsages on Windows

When using the platform verifier on Windows (because Roots is nil) we
were always enforcing server auth EKUs if DNSName was set, and none
otherwise. If an application was setting KeyUsages, they were not being
respected.

Started correctly surfacing IncompatibleUsage errors from the system
verifier, as those are the ones applications will see if they are
affected by this change.

Also refactored verify_test.go to make it easier to add tests for this,
and replaced the EKULeaf chain with a new one that doesn't have a SHA-1
signature.

Thanks to Niall Newman for reporting this.

Fixes #39360
Fixes CVE-2020-14039

Change-Id: If5c00d615f2944f7d57007891aae1307f9571c32
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/774414
Reviewed-by: Katie Hockman <katiehockman@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/793511
Reviewed-by: Filippo Valsorda <valsorda@google.com>

commit f3529ca9610be93ac4bb6fedc65429f7984227b6 [browse]
Author: Russ Cox
Date: 2020-07-13 13:27:22 -04:00

[release-branch.go1.14-security] net/http: synchronize "100 Continue" write and Handler writes

The expectContinueReader writes to the connection on the first
Request.Body read. Since a Handler might be doing a read in parallel or
before a write, expectContinueReader needs to synchronize with the
ResponseWriter, and abort if a response already went out.

The tests will land in a separate CL.

Fixes #34902
Fixes CVE-2020-15586

Change-Id: Icdd8dd539f45e8863762bd378194bb4741e875fc
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/793350
Reviewed-by: Filippo Valsorda <valsorda@google.com>
(cherry picked from commit b5e504f4a07c572744b228fa1b10e3989c4c44f3)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/793500

commit 83b181c68bf332ac7948f145f33d128377a09c42 [browse]
Author: Dmitri Shuralyov
Date: 2020-06-01 13:18:20 -04:00

[release-branch.go1.14] go1.14.4

Change-Id: I0daa397bee2ad754fc4860e1365c982de232f171
Reviewed-on: https://go-review.googlesource.com/c/go/+/235919
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Andrew Bonventre <andybons@golang.org>

commit a68b7d324ccbc379be5a05d2033189c9b545cb39 [browse]
Author: Ivan Trubach
Date: 2019-12-12 13:33:42 Z

[release-branch.go1.14] cmd/doc: fix merging comments in -src mode

These changes fix go doc -src mode that vomits comments from random files if
filesystem does not sort files by name. The issue was with parse.ParseDir
using the Readdir order of files, which varies between platforms and filesystem
implementations. Another option is to merge comments using token.FileSet.Iterate
order in cmd/doc, but since ParseDir is mostly used in go doc, I’ve opted for
smaller change because it’s unlikely to break other uses or cause any perfomance
issues.

Example (macOS APFS): `go doc -src net.ListenPacket`

Fixes #38993

Change-Id: I7f9f368c7d9ccd9a2cbc48665f2cb9798c7b3a3f
GitHub-Last-Rev: 654fb450421266a0bb64518016944db22bd681e3
GitHub-Pull-Request: golang/go#36104
Reviewed-on: https://go-review.googlesource.com/c/go/+/210999
Run-TryBot: Rob Pike <r@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Rob Pike <r@golang.org>
(cherry picked from commit 585e31df63f6879c03b285711de6f9dcba1f2cb0)
Reviewed-on: https://go-review.googlesource.com/c/go/+/235579
Run-TryBot: Andrew Bonventre <andybons@golang.org>
Reviewed-by: Andrew Gerrand <adg@golang.org>