diff --git a/0001-Don-t-use-the-bundled-tzdata-at-runtime-except-for-t.patch b/0001-Don-t-use-the-bundled-tzdata-at-runtime-except-for-t.patch
deleted file mode 100644
index 422ca2b..0000000
--- a/0001-Don-t-use-the-bundled-tzdata-at-runtime-except-for-t.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From edce31a2904846ae74e3c011f2cf5fddc963459e Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jakub=20=C4=8Cajka?=
-Date: Thu, 22 Mar 2018 12:07:32 +0100
-Subject: [PATCH 1/3] Don't use the bundled tzdata at runtime, except for the
- internal test suite
----
- src/time/internal_test.go | 7 +++++--
- src/time/zoneinfo_test.go | 3 ++-
- src/time/zoneinfo_unix.go | 2 --
- 3 files changed, 7 insertions(+), 5 deletions(-)
-
-diff --git a/src/time/internal_test.go b/src/time/internal_test.go
-index 76d5524124..e81ace5f64 100644
---- a/src/time/internal_test.go
-+++ b/src/time/internal_test.go
-@@ -4,13 +4,15 @@
-
- package time
-
-+import "runtime"
-+
- func init() {
- // force US/Pacific for time zone tests
- ForceUSPacificForTesting()
- }
-
- func initTestingZone() {
-- z, err := loadLocation("America/Los_Angeles", zoneSources[len(zoneSources)-1:])
-+ z, err := loadLocation("America/Los_Angeles", zoneSources)
- if err != nil {
- panic("cannot load America/Los_Angeles for testing: " + err.Error())
- }
-@@ -21,8 +23,9 @@ func initTestingZone() {
- var OrigZoneSources = zoneSources
-
- func forceZipFileForTesting(zipOnly bool) {
-- zoneSources = make([]string, len(OrigZoneSources))
-+ zoneSources = make([]string, len(OrigZoneSources)+1)
- copy(zoneSources, OrigZoneSources)
-+ zoneSources = append(zoneSources, runtime.GOROOT()+"/lib/time/zoneinfo.zip")
- if zipOnly {
- zoneSources = zoneSources[len(zoneSources)-1:]
- }
-diff --git a/src/time/zoneinfo_test.go b/src/time/zoneinfo_test.go
-index 7a55d4f618..6063ca1195 100644
---- a/src/time/zoneinfo_test.go
-+++ b/src/time/zoneinfo_test.go
-@@ -8,6 +8,7 @@ import (
- "fmt"
- "os"
- "reflect"
-+ "runtime"
- "testing"
- "time"
- )
-@@ -128,7 +129,7 @@ func TestLoadLocationFromTZData(t *testing.T) {
- t.Fatal(err)
- }
-
-- tzinfo, err := time.LoadTzinfo(locationName, time.OrigZoneSources[len(time.OrigZoneSources)-1])
-+ tzinfo, err := time.LoadTzinfo(locationName, runtime.GOROOT()+"/lib/time/zoneinfo.zip")
- if err != nil {
- t.Fatal(err)
- }
-diff --git a/src/time/zoneinfo_unix.go b/src/time/zoneinfo_unix.go
-index 88313aa0ed..d9596115ef 100644
---- a/src/time/zoneinfo_unix.go
-+++ b/src/time/zoneinfo_unix.go
-@@ -12,7 +12,6 @@
- package time
-
- import (
-- "runtime"
- "syscall"
- )
-
-@@ -22,7 +21,6 @@ var zoneSources = []string{
- "/usr/share/zoneinfo/",
- "/usr/share/lib/zoneinfo/",
- "/usr/lib/locale/TZ/",
-- runtime.GOROOT() + "/lib/time/zoneinfo.zip",
- }
-
- func initLocal() {
---
-2.14.3
-
diff --git a/0002-syscall-expose-IfInfomsg.X__ifi_pad-on-s390x.patch b/0002-syscall-expose-IfInfomsg.X__ifi_pad-on-s390x.patch
deleted file mode 100644
index 072440d..0000000
--- a/0002-syscall-expose-IfInfomsg.X__ifi_pad-on-s390x.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 817407fc2d6a861e65086388766f58082d38bc0b Mon Sep 17 00:00:00 2001
-From: Michael Munday
-Date: Tue, 17 Jan 2017 11:33:38 -0500
-Subject: [PATCH 2/3] syscall: expose IfInfomsg.X__ifi_pad on s390x
-
-Exposing this field on s390x improves compatibility with the other
-linux architectures, all of which already expose it.
-
-Fixes #18628 and updates #18632.
-
-Change-Id: I08e8e1eb705f898cd8822f8bee0d61ce11d514b5
----
- src/syscall/ztypes_linux_s390x.go | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/src/syscall/ztypes_linux_s390x.go b/src/syscall/ztypes_linux_s390x.go
-index 63c4a83b19..b5894255df 100644
---- a/src/syscall/ztypes_linux_s390x.go
-+++ b/src/syscall/ztypes_linux_s390x.go
-@@ -449,12 +449,12 @@ type RtAttr struct {
- }
-
- type IfInfomsg struct {
-- Family uint8
-- _ uint8
-- Type uint16
-- Index int32
-- Flags uint32
-- Change uint32
-+ Family uint8
-+ X__ifi_pad uint8
-+ Type uint16
-+ Index int32
-+ Flags uint32
-+ Change uint32
- }
-
- type IfAddrmsg struct {
---
-2.14.3
-
diff --git a/0003-release-branch.go1.11-security-crypto-elliptic-reduc.patch b/0003-release-branch.go1.11-security-crypto-elliptic-reduc.patch
deleted file mode 100644
index ca5631e..0000000
--- a/0003-release-branch.go1.11-security-crypto-elliptic-reduc.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 867a07a179ebcb40143c76403f7f232b90812059 Mon Sep 17 00:00:00 2001
-From: Filippo Valsorda
-Date: Tue, 22 Jan 2019 16:02:41 -0500
-Subject: [PATCH] [release-branch.go1.11-security] crypto/elliptic: reduce
- subtraction term to prevent long busy loop
-
-If beta8 is unusually large, the addition loop might take a very long
-time to bring x3-beta8 back positive.
-
-This would lead to a DoS vulnerability in the implementation of the
-P-521 and P-384 elliptic curves that may let an attacker craft inputs
-to ScalarMult that consume excessive amounts of CPU.
-
-This fixes CVE-2019-6486.
-
-Change-Id: Ia969e8b5bf5ac4071a00722de9d5e4d856d8071a
-Reviewed-on: https://team-review.git.corp.google.com/c/399777
-Reviewed-by: Adam Langley
-Reviewed-by: Julie Qiu
-(cherry picked from commit 746d6abe2dfb9ce7609f8e1e1a8dcb7e221f423e)
-Reviewed-on: https://team-review.git.corp.google.com/c/401142
-Reviewed-by: Filippo Valsorda
----
- src/crypto/elliptic/elliptic.go | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/crypto/elliptic/elliptic.go b/src/crypto/elliptic/elliptic.go
-index 4fc2b5e521..c84657c5e3 100644
---- a/src/crypto/elliptic/elliptic.go
-+++ b/src/crypto/elliptic/elliptic.go
-@@ -210,8 +210,9 @@ func (curve *CurveParams) doubleJacobian(x, y, z *big.Int) (*big.Int, *big.Int,
-
- x3 := new(big.Int).Mul(alpha, alpha)
- beta8 := new(big.Int).Lsh(beta, 3)
-+ beta8.Mod(beta8, curve.P)
- x3.Sub(x3, beta8)
-- for x3.Sign() == -1 {
-+ if x3.Sign() == -1 {
- x3.Add(x3, curve.P)
- }
- x3.Mod(x3, curve.P)
---
-2.17.1
-
diff --git a/0004-fix-CVE-2019-9512-9514.patch b/0004-fix-CVE-2019-9512-9514.patch
deleted file mode 100644
index 1909085..0000000
--- a/0004-fix-CVE-2019-9512-9514.patch
+++ /dev/null
@@ -1,173 +0,0 @@
-From e152b01a468a1c18a290bf9aec52ccea7693c7f2 Mon Sep 17 00:00:00 2001
-From: Filippo Valsorda
-Date: Mon, 12 Aug 2019 16:59:30 -0400
-Subject: [PATCH] [release-branch.go1.11-security] net/http: update bundled
- http2 to import security fix
-
-Apply the following unpublished golang.org/x/net commit.
-
- commit b1cc14aba47abf96f96818003fa4caad3a4b4e86
- Author: Filippo Valsorda
- Date: Sun Aug 11 02:12:18 2019 -0400
-
- [release-branch.go1.11] http2: limit number of control frames in server send queue
-
- An attacker could cause servers to queue an unlimited number of PING
- ACKs or RST_STREAM frames by soliciting them and not reading them, until
- the program runs out of memory.
-
- Limit control frames in the queue to a few thousands (matching the limit
- imposed by other vendors) by counting as they enter and exit the scheduler,
- so the protection will work with any WriteScheduler.
-
- Once the limit is exceeded, close the connection, as we have no way to
- communicate with the peer.
-
- Change-Id: I842968fc6ed3eac654b497ade8cea86f7267886b
- Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/525552
- Reviewed-by: Brad Fitzpatrick
- (cherry picked from commit 589ad6cc5321fb68a90370348a241a5da0a2cc80)
- Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/526070
- Reviewed-by: Dmitri Shuralyov
-
-Fixes CVE-2019-9512 and CVE-2019-9514
-Updates #33606
-
-Change-Id: Iecedf1cc63ec7a1cd75661ec591d91ebc911cc64
-Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/526072
-Reviewed-by: Dmitri Shuralyov
----
- src/net/http/h2_bundle.go | 54 +++++++++++++++++++++++++++++++++++++++--------
- 1 file changed, 45 insertions(+), 9 deletions(-)
-
-diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
-index 2cd2b86..6182495 100644
---- a/src/net/http/h2_bundle.go
-+++ b/src/net/http/h2_bundle.go
-@@ -3835,10 +3835,11 @@ func (p *http2pipe) Done() <-chan struct{} {
- }
-
- const (
-- http2prefaceTimeout = 10 * time.Second
-- http2firstSettingsTimeout = 2 * time.Second // should be in-flight with preface anyway
-- http2handlerChunkWriteSize = 4 << 10
-- http2defaultMaxStreams = 250 // TODO: make this 100 as the GFE seems to?
-+ http2prefaceTimeout = 10 * time.Second
-+ http2firstSettingsTimeout = 2 * time.Second // should be in-flight with preface anyway
-+ http2handlerChunkWriteSize = 4 << 10
-+ http2defaultMaxStreams = 250 // TODO: make this 100 as the GFE seems to?
-+ http2maxQueuedControlFrames = 10000
- )
-
- var (
-@@ -3946,6 +3947,15 @@ func (s *http2Server) maxConcurrentStreams() uint32 {
- return http2defaultMaxStreams
- }
-
-+// maxQueuedControlFrames is the maximum number of control frames like
-+// SETTINGS, PING and RST_STREAM that will be queued for writing before
-+// the connection is closed to prevent memory exhaustion attacks.
-+func (s *http2Server) maxQueuedControlFrames() int {
-+ // TODO: if anybody asks, add a Server field, and remember to define the
-+ // behavior of negative values.
-+ return http2maxQueuedControlFrames
-+}
-+
- type http2serverInternalState struct {
- mu sync.Mutex
- activeConns map[*http2serverConn]struct{}
-@@ -4254,6 +4264,7 @@ type http2serverConn struct {
- sawFirstSettings bool // got the initial SETTINGS frame after the preface
- needToSendSettingsAck bool
- unackedSettings int // how many SETTINGS have we sent without ACKs?
-+ queuedControlFrames int // control frames in the writeSched queue
- clientMaxStreams uint32 // SETTINGS_MAX_CONCURRENT_STREAMS from client (our PUSH_PROMISE limit)
- advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client
- curClientStreams uint32 // number of open streams initiated by the client
-@@ -4644,6 +4655,14 @@ func (sc *http2serverConn) serve() {
- }
- }
-
-+ // If the peer is causing us to generate a lot of control frames,
-+ // but not reading them from us, assume they are trying to make us
-+ // run out of memory.
-+ if sc.queuedControlFrames > sc.srv.maxQueuedControlFrames() {
-+ sc.vlogf("http2: too many control frames in send queue, closing connection")
-+ return
-+ }
-+
- // Start the shutdown timer after sending a GOAWAY. When sending GOAWAY
- // with no error code (graceful shutdown), don't start the timer until
- // all open streams have been completed.
-@@ -4845,6 +4864,14 @@ func (sc *http2serverConn) writeFrame(wr http2FrameWriteRequest) {
- }
-
- if !ignoreWrite {
-+ if wr.isControl() {
-+ sc.queuedControlFrames++
-+ // For extra safety, detect wraparounds, which should not happen,
-+ // and pull the plug.
-+ if sc.queuedControlFrames < 0 {
-+ sc.conn.Close()
-+ }
-+ }
- sc.writeSched.Push(wr)
- }
- sc.scheduleFrameWrite()
-@@ -4962,10 +4989,8 @@ func (sc *http2serverConn) wroteFrame(res http2frameWriteResult) {
- // If a frame is already being written, nothing happens. This will be called again
- // when the frame is done being written.
- //
--// If a frame isn't being written we need to send one, the best frame
--// to send is selected, preferring first things that aren't
--// stream-specific (e.g. ACKing settings), and then finding the
--// highest priority stream.
-+// If a frame isn't being written and we need to send one, the best frame
-+// to send is selected by writeSched.
- //
- // If a frame isn't being written and there's nothing else to send, we
- // flush the write buffer.
-@@ -4993,6 +5018,9 @@ func (sc *http2serverConn) scheduleFrameWrite() {
- }
- if !sc.inGoAway || sc.goAwayCode == http2ErrCodeNo {
- if wr, ok := sc.writeSched.Pop(); ok {
-+ if wr.isControl() {
-+ sc.queuedControlFrames--
-+ }
- sc.startFrameWrite(wr)
- continue
- }
-@@ -5285,6 +5313,8 @@ func (sc *http2serverConn) processSettings(f *http2SettingsFrame) error {
- if err := f.ForeachSetting(sc.processSetting); err != nil {
- return err
- }
-+ // TODO: judging by RFC 7540, Section 6.5.3 each SETTINGS frame should be
-+ // acknowledged individually, even if multiple are received before the ACK.
- sc.needToSendSettingsAck = true
- sc.scheduleFrameWrite()
- return nil
-@@ -9476,7 +9506,7 @@ type http2WriteScheduler interface {
-
- // Pop dequeues the next frame to write. Returns false if no frames can
- // be written. Frames with a given wr.StreamID() are Pop'd in the same
-- // order they are Push'd.
-+ // order they are Push'd. No frames should be discarded except by CloseStream.
- Pop() (wr http2FrameWriteRequest, ok bool)
- }
-
-@@ -9520,6 +9550,12 @@ func (wr http2FrameWriteRequest) StreamID() uint32 {
- return wr.stream.id
- }
-
-+// isControl reports whether wr is a control frame for MaxQueuedControlFrames
-+// purposes. That includes non-stream frames and RST_STREAM frames.
-+func (wr http2FrameWriteRequest) isControl() bool {
-+ return wr.stream == nil
-+}
-+
- // DataSize returns the number of flow control bytes that must be consumed
- // to write this entire frame. This is 0 for non-DATA frames.
- func (wr http2FrameWriteRequest) DataSize() int {
---
-1.9.4
-
diff --git a/go1.11.src.tar.gz b/go1.11.src.tar.gz
deleted file mode 100644
index c097235..0000000
Binary files a/go1.11.src.tar.gz and /dev/null differ