commit da6b9ec7bf1722fa00196e1eadc10a29156b6b28
Author: Chris Broadfoot
Date: 2016-07-18 08:18:11 -07:00

[release-branch.go1.6] go1.6.3

Change-Id: Ib8cc2acc44c94ef0f85be001c5914f29606dd80b
Reviewed-on: https://go-review.googlesource.com/25016
Run-TryBot: Chris Broadfoot <cbro@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>

commit 4c510e7de630687d0ecca586fae96b2c2a7a265c
Author: Chris Broadfoot
Date: 2016-07-17 23:30:19 -07:00

[release-branch.go1.6] doc: document go1.6.3

Change-Id: Ib33d7fb529aafcaf8ca7d43b2c9480f30d5c28cc
Reviewed-on: https://go-review.googlesource.com/25011
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-on: https://go-review.googlesource.com/25015
Reviewed-by: Chris Broadfoot <cbro@golang.org>

commit a357d15e9ee36a1232ae071d9968c4cf10a672b4
Author: Brad Fitzpatrick
Date: 2016-07-18 06:05:24 Z

[release-branch.go1.6] net/http, net/http/cgi: fix for CGI + HTTP_PROXY security issue

Because,

* The CGI spec defines that incoming request header "Foo: Bar" maps to
  environment variable HTTP_FOO == "Bar". (see RFC 3875 4.1.18)

* The HTTP_PROXY environment variable is conventionally used to configure
  the HTTP proxy for HTTP clients (and is respected by default for
  Go's net/http.Client and Transport)

That means Go programs running in a CGI environment (as a child
process under a CGI host) are vulnerable to an incoming request
containing "Proxy: attacker.com:1234", setting HTTP_PROXY, and
changing where Go by default proxies all outbound HTTP requests.

This is CVE-2016-5386, aka https://httpoxy.org/

Fixes #16405

Change-Id: I6f68ade85421b4807785799f6d98a8b077e871f0
Reviewed-on: https://go-review.googlesource.com/25010
Run-TryBot: Chris Broadfoot <cbro@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Chris Broadfoot <cbro@golang.org>
Reviewed-on: https://go-review.googlesource.com/25012
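
The header-to-environment mapping described in the commit message above, with one way to defend on each side of the CGI boundary. This is an added example, not code from the Go project or from this change; `cgiEnv` and `proxyFromEnv` are hypothetical names, and the request headers are constructed from the value quoted in the message.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// cgiEnv maps request headers to CGI meta-variables as in RFC 3875 4.1.18
// ("Foo: Bar" becomes HTTP_FOO=Bar). With dropProxy set, the "Proxy"
// header is skipped so it can never reach the child as HTTP_PROXY.
func cgiEnv(h http.Header, dropProxy bool) []string {
	var env []string
	for name, vals := range h {
		name = strings.ToUpper(name)
		if dropProxy && name == "PROXY" {
			continue
		}
		key := "HTTP_" + strings.ReplaceAll(name, "-", "_")
		env = append(env, key+"="+strings.Join(vals, ", "))
	}
	sort.Strings(env)
	return env
}

// proxyFromEnv is a hypothetical child-side lookup. If REQUEST_METHOD is
// present the process is running under CGI, so HTTP_PROXY may be
// request-controlled and is ignored (ignored == true).
func proxyFromEnv(env []string) (proxy string, ignored bool) {
	vars := map[string]string{}
	for _, kv := range env {
		if k, v, ok := strings.Cut(kv, "="); ok {
			vars[k] = v
		}
	}
	p, set := vars["HTTP_PROXY"]
	_, underCGI := vars["REQUEST_METHOD"]
	if set && underCGI {
		return "", true
	}
	return p, false
}

func main() {
	h := http.Header{} // constructed sample request headers
	h.Set("Proxy", "attacker.com:1234")
	h.Set("User-Agent", "example")
	p, ignored := proxyFromEnv(append(cgiEnv(h, false), "REQUEST_METHOD=GET"))
	fmt.Println(cgiEnv(h, false), cgiEnv(h, true), p, ignored)
}
```
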

commit 5164532ae0e9c3e87084638913029392ecc1af42
Author: Ian Lance Taylor
Date: 2016-07-07 16:41:29 -07:00

[release-branch.go1.6] runtime: fix nanotime for macOS Sierra

In the beta version of the macOS Sierra (10.12) release, the
gettimeofday system call changed on x86. Previously it always returned
the time in the AX/DX registers. Now, if AX is returned as 0, it means
that the system call has stored the values into the memory pointed to by
the first argument, just as the libc gettimeofday function does. The
libc function handles both cases, and we need to do so as well.

Fixes #16272.
Fixes #16354.

Change-Id: Ibe5ad50a2c5b125e92b5a4e787db4b5179f6b723
Reviewed-on: https://go-review.googlesource.com/24812
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-on: https://go-review.googlesource.com/24967

commit 57e459e02b4b01567f92542f92cd9afde209e193
Author: Andrew Gerrand
Date: 2016-04-20 09:11:35 +10:00

[release-branch.go1.6] go1.6.2

Change-Id: Ifc545faaed438b72bfa63beb74cde2d3a67ef0e7
Reviewed-on: https://go-review.googlesource.com/22252
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
