commit 752b009010df021c45f620e683ec062d22b552bf [browse]
Author: Gopher Robot
Date: 2024-05-07 15:35:22 Z
[release-branch.go1.21] go1.21.10
Change-Id: I655ab537d86a2ec71634a2f4ca5d520834de9fda
Reviewed-on: https://go-review.googlesource.com/c/go/+/583857
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-by: David Chase <drchase@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
commit a79ea27e36a1c56ae48dc36ce48549c9787ca4b7 [browse]
Author: Roland Shoemaker
Date: 2024-04-25 13:09:54 -07:00
[release-branch.go1.21] cmd/go: disallow -lto_library in LDFLAGS
The darwin linker allows setting the LTO library with the -lto_library
flag. This wasn't caught by our "safe linker flags" check because it
was covered by the -lx flag used for linking libraries. This change
adds a specific check for excluded flags which otherwise satisfy our
existing checks.
Loading a mallicious LTO library would allow an attacker to cause the
linker to execute abritrary code when "go build" was called.
Thanks to Juho Forsén of Mattermost for reporting this issue.
Fixes #67119
Fixes #67121
Fixes CVE-2024-24787
Change-Id: I77ac8585efbdbdfd5f39c39ed623b9408a0f9eaf
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1380
Reviewed-by: Russ Cox <rsc@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
(cherry picked from commit 9a79141fbbca1105e5c786f15e38741ca7843290)
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1401
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/583795
Reviewed-by: David Chase <drchase@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
commit 78d89b2b67e26f1e56357f37cdaefe5a2207b4d3 [browse]
Author: Cherry Mui
Date: 2024-05-06 20:18:00 Z
[release-branch.go1.21] Revert "cmd/compile: don't combine loads in generated equality functions"
This reverts CL 583303.
Reason for revert: release branch is currently frozen.
Change-Id: Icbdb73b5b40690a875497dd0dc57ca84c728ef6f
Reviewed-on: https://go-review.googlesource.com/c/go/+/582961
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
commit 58e77ad9b9e2b3323c1d8c1cb5e701412e206368 [browse]
Author: khr@golang.org
Date: 2024-05-03 12:55:34 -07:00
[release-branch.go1.21] cmd/compile: don't combine loads in generated equality functions
... if the architecture can't do unaligned loads.
We already handle this in a few places, but this particular place
was added in CL 399542 and missed this additional restriction.
Fixes #67164
Change-Id: I45988f11ff3ed45df1c4da3f0931ab1fdb22dbfe
Reviewed-on: https://go-review.googlesource.com/c/go/+/583175
Reviewed-by: Cuong Manh Le <cuong.manhle.vn@gmail.com>
Auto-Submit: Keith Randall <khr@google.com>
Reviewed-by: Keith Randall <khr@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Derek Parker <parkerderek86@gmail.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
(cherry picked from commit 3c72dd513c30df60c0624360e98a77c4ae7ca7c8)
Reviewed-on: https://go-review.googlesource.com/c/go/+/583303
commit 891ac91e5c395087bfa28ba5194e1ab95ee732ba [browse]
Author: Dmitri Shuralyov
Date: 2024-04-12 15:46:59 -04:00
[release-branch.go1.21] net/http: update bundled golang.org/x/net/http2
Pull in CL 578336:
ef58d90f http2: send correct LastStreamID in stream-caused GOAWAY
For #66668.
Fixes #66697.
Change-Id: I91fc8a67f21fadcb1801ff29d5e2b0453db89617
Reviewed-on: https://go-review.googlesource.com/c/go/+/578357
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
clone the repository to get more history