gostls13.git log

commit 0ebf6ce087388cdd501a02ff92f2f8cafc3e1378 [browse]
Author: Chris Broadfoot
Date: 2016-07-18 08:19:17 -07:00

[release-branch.go1.7] go1.7rc2

Change-Id: I5473071f672f8352fbd3352e158d5be12823b58a
Reviewed-on: https://go-review.googlesource.com/25017
Run-TryBot: Chris Broadfoot <cbro@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>

commit cad4e97af8f2e0b9f09b97f67fb3a89ced2e9021 [browse]
Author: Brad Fitzpatrick
Date: 2016-07-18 06:05:24 Z

[release-branch.go1.7] net/http, net/http/cgi: fix for CGI + HTTP_PROXY security issue

Because,

* The CGI spec defines that incoming request header "Foo: Bar" maps to
  environment variable HTTP_FOO == "Bar". (see RFC 3875 4.1.18)

* The HTTP_PROXY environment variable is conventionally used to configure
  the HTTP proxy for HTTP clients (and is respected by default for
  Go's net/http.Client and Transport)

That means Go programs running in a CGI environment (as a child
process under a CGI host) are vulnerable to an incoming request
containing "Proxy: attacker.com:1234", setting HTTP_PROXY, and
changing where Go by default proxies all outbound HTTP requests.

This is CVE-2016-5386, aka https://httpoxy.org/

Fixes #16405

Change-Id: I6f68ade85421b4807785799f6d98a8b077e871f0
Reviewed-on: https://go-review.googlesource.com/25010
Run-TryBot: Chris Broadfoot <cbro@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Chris Broadfoot <cbro@golang.org>
Reviewed-on: https://go-review.googlesource.com/25013

commit 53da5fd4d431881bb3583c9790db7735a6530a1b [browse]
Author: Ian Lance Taylor
Date: 2016-07-07 16:41:29 -07:00

[release-branch.go1.7] runtime: fix nanotime for macOS Sierra

In the beta version of the macOS Sierra (10.12) release, the
gettimeofday system call changed on x86. Previously it always returned
the time in the AX/DX registers. Now, if AX is returned as 0, it means
that the system call has stored the values into the memory pointed to by
the first argument, just as the libc gettimeofday function does. The
libc function handles both cases, and we need to do so as well.

Fixes #16272.

Change-Id: Ibe5ad50a2c5b125e92b5a4e787db4b5179f6b723
Reviewed-on: https://go-review.googlesource.com/24812
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-on: https://go-review.googlesource.com/24755
Reviewed-by: Chris Broadfoot <cbro@golang.org>

commit a91416e7abf2236909f99aea85accfe98a9ba1fd [browse]
Author: Chris Broadfoot
Date: 2016-07-07 19:32:35 -07:00

[release-branch.go1.7] go1.7rc1

Change-Id: Ifbf1c13ce740428add68d68133c7f10876bad404
Reviewed-on: https://go-review.googlesource.com/24816
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Andrew Gerrand <adg@golang.org>

commit 84bb9e62f06dbb62279241fa0bd7a6c8846271ac [browse]
Author: Ian Lance Taylor
Date: 2016-07-07 17:43:08 -07:00

runtime: handle selects with duplicate channels in shrinkstack

The shrinkstack code locks all the channels a goroutine is waiting for,
but didn't handle the case of the same channel appearing in the list
multiple times. This led to a deadlock. The channels are sorted so it's
easy to avoid locking the same channel twice.

Fixes #16286.

Change-Id: Ie514805d0532f61c942e85af5b7b8ac405e2ff65
Reviewed-on: https://go-review.googlesource.com/24815
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Austin Clements <austin@google.com>

clone the repository to get more history