File go1.14.changes of Package go1.14.17895

-------------------------------------------------------------------
Tue Jan 19 23:21:26 UTC 2021 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.14.14 (released 2021-01-19) includes security fixes to the
  cmd/go and crypto/elliptic packages.
  CVE-2021-3114 CVE-2021-3115
  Refs boo#1164903 go1.14 release tracking
  * boo#1181145 CVE-2021-3114
  * go#43787 crypto/elliptic: incorrect operations on the P-224 curve
  * boo#1181146 CVE-2021-3115
  * go#43784 cmd/go: packages using cgo can cause arbitrary code execution on Windows

-------------------------------------------------------------------
Thu Dec  3 22:31:19 UTC 2020 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.14.13 (released 2020-12-03) includes fixes to the compiler,
  runtime, and the go command.
  Refs boo#1164903 go1.14 release tracking
  * go#42755 cmd/compile: ICE due to bad ORL constant
  * go#42635 runtime: infinite loop in lockextra on linux/amd64
  * go#42566 cmd/go: allow flags in CGO_LDFLAGS environment variable not in security allowlist

-------------------------------------------------------------------
Thu Nov 12 21:10:05 UTC 2020 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.14.12 (released 2020-11-12) includes security fixes to the
  cmd/go and math/big packages.
  CVE-2020-28362 CVE-2020-28367 CVE-2020-28366
  Refs boo#1164903 go1.14 release tracking
  * boo#1178750 CVE-2020-28362
  * go#42553 math/big: panic during recursive division of very large numbers
  * boo#1178752 CVE-2020-28367
  * go#42560 cmd/go: arbitrary code can be injected into cgo generated files
  * boo#1178753 CVE-2020-28366
  * go#42557 cmd/go: improper validation of cgo flags can lead to remote code execution at build time

-------------------------------------------------------------------
Fri Nov  6 14:50:07 UTC 2020 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.14.11 (released 2020-11-05) includes fixes to the runtime,
  and the net/http and time packages.
  Refs boo#1164903 go1.14 release tracking
  * go#42155 time: Location interprets wrong timezone (DST) with slim zoneinfo
  * go#42112 x/net/http2: the first write error on a connection will cause all subsequent write requests to fail blindly
  * go#41991 runtime: macOS-only segfault on 1.14+ with "split stack overflow"
  * go#41913 net/http: request.Clone doesn't deep copy TransferEncoding
  * go#41703 runtime: macOS syscall.Exec can get SIGILL due to preemption signal
  * go#41386 x/net/http2: connection-level flow control not returned if stream errors, causes server hang

-------------------------------------------------------------------
Thu Oct 15 02:42:36 UTC 2020 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.14.10 (released 2020-10-14) includes fixes to the compiler,
  runtime, and the plugin and testing packages.
  Refs boo#1164903 go1.14 release tracking
  * go#41815 database/sql: TestTxCannotCommitAfterRollback failures on windows-amd64-2008 builder
  * go#41796 runtime: memory corruption from stack-allocated defer on 32-bit
  * go#41619 memory corruption on linux/386 with float32 arithmetic, GO386=387, buildmode pie/c-archive
  * go#41322 runtime: "fatal error: unexpected signal during runtime execution" on windows-amd64-longtest builder of Go 1.15.2 commit
  * go#40880 testing: summary and test output interleaved
  * go#40694 plugin: program on linux/s390x sometimes hangs after calling "plugin.Open"
  * go#40647 runtime: pcdata is -2 and 12 locals stack map entries error on nil pointer
  * go#40642 runtime: race between stack shrinking and channel send/recv leads to bad sudog values

-------------------------------------------------------------------
Thu Sep 09 22:51:08 UTC 2020 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.14.9 (released 2020-09-09) includes fixes to the compiler,
  linker, runtime, documentation, and the net/http and testing
  packages.
  Refs boo#1164903 go1.14 release tracking
  * go#41192 net/http/fcgi: race detected during execution of TestResponseWriterSniffsContentType test
  * go#41016 net/http: Transport.CancelRequest no longer cancels in-flight request
  * go#40973 net/http: RoundTrip unexpectedly changes Request
  * go#40968 runtime: checkptr incorrectly -race flagging when using &^ arithmetic
  * go#40938 cmd/compile: R12 can be clobbered for write barrier call on PPC64
  * go#40848 testing: "=== PAUSE" lines do not change the test name for the next log line
  * go#40797 cmd/compile: inline marker targets not reachable after assembly on arm
  * go#40766 cmd/compile: inline marker targets not reachable after assembly on ppc64x
  * go#40501 cmd/compile: for range loop reading past slice end
  * go#40411 runtime: Windows service lifecycle events behave incorrectly when called within a golang environment
  * go#40398 runtime: fatal error: checkdead: runnable g
  * go#40192 runtime: pageAlloc.searchAddr may point to unmapped memory in discontiguous heaps, violating its invariant
  * go#39955 cmd/link: incorrect GC bitmap when global's type is in another shared object
  * go#39690 cmd/compile: s390x floating point <-> integer conversions clobbering the condition code
  * go#39279 net/http: Re-connect with upgraded HTTP2 connection fails to send Request.body
  * go#38904 doc: include fix for #34437 in Go 1.14 release notes
- Use go_api instead of version for update-alternatives priority
- Add missing '?' before 'suse_version' test by Xia Lei <emricg2@gmail.com>

-------------------------------------------------------------------
Fri Sep  4 14:51:12 UTC 2020 - Marcus Meissner <meissner@suse.com>

- replace binutils-gold requires by recommends for aarch64 on SLE. (bsc#1170826)

-------------------------------------------------------------------
Tue Sep  1 17:01:46 UTC 2020 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.14.8 (released 2020-09-01) includes security fixes to the
  net/http/cgi and net/http/fcgi packages.
  CVE-2020-24553
  Refs boo#1164903 go1.14 release tracking
  * boo#1176031 CVE-2020-24553
  * go#41164 net/http/cgi,net/http/fcgi: Cross-Site Scripting (XSS) when Content-Type is not specified

-------------------------------------------------------------------
Thu Aug  6 19:23:18 UTC 2020 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.14.7 (released 2020-08-06) includes security fixes to the
  encoding/binary package.
  CVE-2020-16845
  Refs boo#1164903 go1.14 release tracking
  * boo#1174977 CVE-2020-16845
  * go#40619 encoding/binary: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs

-------------------------------------------------------------------
Fri Jul 17 07:33:25 UTC 2020 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.14.6 (released 2020-07-16) includes fixes to the go command,
  the compiler, the linker, vet, and the database/sql,
  encoding/json, net/http, reflect, and testing packages.
  Refs boo#1164903 go1.14 release tracking
  * go#39991 runtime: missing deferreturn on linux/ppc64le
  * go#39920 net/http: panic on misformed If-None-Match Header with http.ServeContent
  * go#39849 cmd/compile: internal compile error when using sync.Pool: mismatched zero/store sizes
  * go#39824 cmd/go: TestBuildIDContainsArchModeEnv/386 fails on linux/386 in Go 1.14 and 1.13, not 1.15
  * go#39698 reflect: panic from malloc after MakeFunc function returns value that is also stored globally
  * go#39636 reflect: DeepEqual can return true for values that are not equal
  * go#39585 encoding/json: incorrect object key unmarshaling when using custom TextUnmarshaler as Key with string values
  * go#39562 cmd/compile/internal/ssa: TestNexting/dlv-dbg-hist failing on linux-386-longtest builder because it tries to use an older version of dlv which only supports linux/amd64
  * go#39308 testing: streaming output loses parallel subtest associations
  * go#39288 cmd/vet: update for new number formats
  * go#39101 database/sql: context cancellation allows statements to execute after rollback
  * go#38030 doc: BuildNameToCertificate deprecated in go 1.14 not mentioned in the release notes

-------------------------------------------------------------------
Wed Jul 14 00:24:08 UTC 2020 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.14.5 (released 2020-07-14) includes security fixes to the
  crypto/x509 and net/http packages addressing the following CVEs:
  CVE-2020-15586 CVE-2020-14039
  Refs boo#1174153 boo#1174191
  Refs boo#1164903 go1.14 release tracking
  * boo#1174153 CVE-2020-15586
  * boo#1174191 CVE-2020-14039 (Windows only)
  * go#40212 net/http: Expect 100-continue panics in httputil.ReverseProxy
  * go#40210 crypto/x509: Certificate.Verify method seemingly ignoring EKU requirements on Windows

-------------------------------------------------------------------
Tue Jun 30 17:14:24 UTC 2020 - Andreas Schwab <schwab@suse.de>

- Add support for riscv64

-------------------------------------------------------------------
Mon Jun 29 13:46:47 UTC 2020 - Dirk Mueller <dmueller@suse.com>

- Packaging improvements for update-alternatives priority,
  %license tag, and permissions in %files macro section.
  * update-alternatives increment priority on this and subsequent
    go1.x versions using priority = 20 + (minor version) i.e.
    go1.13 = 33, go1.14 = 34, etc.
  * Use %license tag for LICENSE keep %doc for suse_version < 1500
  * Remove %defattr(-,root,root,-) in %files

-------------------------------------------------------------------
Fri Jun 12 12:34:48 UTC 2020 - Richard Brown <rbrown@suse.com>

- Add patch to ensure /etc/hosts is used if /etc/nsswitch.conf is
  not present boo#1172868 gh#golang/go#35305
  * add go1.x-prefer-etc-hosts-over-dns.patch
  * Patch renamed and fields added per packaging guidelines
    on 2020-07-15 by Jeff Kowalczyk <jkowalczyk@suse.com>
  * Patch can likely be dropped for go1.16 in February 2021

-------------------------------------------------------------------
Tue Jun  9 17:32:52 UTC 2020 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.14.4 (released 2020-06-01) includes fixes to the go doc command,
  the runtime, and the encoding/json and os packages.
  Refs boo#1164903 go1.14 release tracking
  * go#39158 os: opening an existing file with O_CREATE|O_TRUNC and permission 0 changes file to be read-only on Windows
  * go#38993 cmd/doc: -src flag misbehaves on some systems
  * go#38933 runtime: preemption in startTemplateThread may cause infinite hang
  * go#38178 encoding/json: marshal result of string type struct field with ",string" option change in go1.14
  * go#38106 encoding/json: mangled unmarshal string result

-------------------------------------------------------------------
Mon Jun  8 08:22:07 UTC 2020 - Guillaume GARDET <guillaume.gardet@opensuse.org>

- Ensure ARM arch is set properly - boo#1169832

-------------------------------------------------------------------
Sat Jun  6 01:46:13 UTC 2020 - Aleksa Sarai <asarai@suse.com>

- Update compiler-rt snapshot to 0fb8a5356214c47bbb832e89fbb3da1c755eeb73
  which is needed for go1.14.3 to build on amd64.
- Change compiler-rt git repo url to new location in LLVM project.
- Allow go-race to be built on arm64 and ppc64le.
- Document (and clean up) LLVM snapshotting for go-race.
- Update _service to no longer fetch Go from git.

-------------------------------------------------------------------
Fri May 15 19:42:01 UTC 2020 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.14.3 (released 2020-05-14) includes fixes to cgo, the compiler,
  the runtime, and the go/doc and math/big packages.
  Refs boo#1164903 go1.14 release tracking
  * go#38856 runtime: scavenger freezes up in Go 1.14 in Windows due to coarse time granularity
  * go#38606 runtime: pageAlloc.allocToCache updates pageAlloc.searchAddr in an invalid way
  * go#38443 cmd/compile: unexpected nil dereference on s390x
  * go#38426 cmd/cgo: types regression for anonymous structs
  * go#38418 go/doc: whole file is used as example even when there are tests or benchmarks
  * go#38321 runtime/race: race_linux_amd64.syso now depends on glibc 2.16
  * go#38123 cmd/compile: conversion from int/float typed constant to complex variable changed in 1.14
  * go#37501 math/big: panic in big.ParseFloat (off by one access)

-------------------------------------------------------------------
Wed Apr 29 13:20:06 UTC 2020 - Guillaume GARDET <guillaume.gardet@opensuse.org>

- Requires binutils-gold for %arm and aarch64 - boo#1170826

-------------------------------------------------------------------
Thu Apr  9 03:49:17 UTC 2020 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.14.2 (released 2020-04-08) includes fixes to cgo, the go command,
  the runtime, os/exec, and testing packages.
  Refs boo#1164903 go1.14 release tracking
  * go#38156 doc: BuildNameToCertificate deprecated in go 1.14 not mentioned in the release notes
  * go#38118 runtime/pprof: lostProfileEvent stack breaks gentraceback guarantee
  * go#38083 cmd/go/internal/test: data race in (*runCache).builderRunTest
  * go#38072 runtime: timer self-deadlock due to preemption point
  * go#38051 runtime: loops forever on sched_yield sometimes(timer related)
  * go#38005 runtime: "pipe failed with -89" at program startup(mipsle only), timer related netpoll init.
  * go#37970 runtime/pprof: panic: runtime error: index out of range [-1]
  * go#37968 runtime: fatal error: found bad pointer in Go heap (incorrect use of unsafe or cgo?)
  * go#37959 testing: data race between parallel panicking and normal subtest
  * go#37931 cmd/go: explain automatic vendoring in 'go help modules'
  * go#37928 runtime: GC pacing exhibits strange behavior with a low GOGC
  * go#37800 cmd/go: 'Access is denied' when renaming module cache directory
  * go#37699 PowerRegisterSuspendResumeNotification error on Azure App Services with go 1.13.7
  * go#37622 cmd/cgo: fails to generate certain types with Go 1.14
  * go#37480 runtime: "fatal error: unexpected signal" 0xC0000005 on Windows for a small program with a large allocation
  * go#37471 os/exec: environForSysProcAttr is never called as sysattr.Env is never nil

-------------------------------------------------------------------
Fri Mar 20 04:31:14 UTC 2020 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.14.1 (released 2020-03-19) includes fixes to the go command,
  tools, and the runtime.
  Refs boo#1164903 go1.14 release tracking
  * go#37905 cmd/compile: -d=checkptr should not reject unaligned pointers to non-pointer data
  * go#37833 runtime: sometimes 100% CPU spin during init phase in Go 1.14 with preemptive scheduler
  * go#37822 cmd/go: module's "go" version should be included in cache key
  * go#37807 runtime: mlock of signal stack failed: 12
  * go#37782 runtime: crash on 1.14 with unexpected return pc, fatal error: unknown caller pc
  * go#37721 reflect: MakeMap() and not native map type wrong behavior
  * go#37671 cmd/go: tests that panic or exit are marked as passing when -json flag is used
  * go#37667 runtime: asyncPreempt should not try to save floating-point context for softfloat MIPS targets
  * go#37630 doc: missing documentation of quoting the URL of url.Errors in go1.14 release notes
  * go#37613 runtime: Go 1.14.rc1 3-5% performance regression from 1.13 during protobuf marshalling
  * go#37494 time: racy Timer access should either work or throw, not panic
  * go#37478 SIGILL: illegal instruction on any go tool under macOS
  * go#37447 runtime/pprof: inline frames may not use combined location
  * go#37343 cmd/trace: requires HTML imports, which doesn't work on any major browser anymore

-------------------------------------------------------------------
Tue Mar  3 00:09:02 UTC 2020 - Jeff Kowalczyk <jkowalczyk@suse.com>

- Packaging sync accumulated changes from go1.12
  Refs boo#1164903 go1.14 release tracking
- Use gcc9 by default by updating define gcc_go_version 9 (was 8)
  * drop unneeded patch gcc8-go.patch
- Fix broken go_api evaluation (1.12 < 1.5, when evaluated as floats),
  let RPM evaluate the expression, drop no longer required bc.
- Own the gdbinit.d directory, avoid the build dependency on gdb.
- Add %ifarch %arm aarch64 BuildRequires: binutils-gold to fix
  /usr/lib64/go/{version}/pkg/tool/linux_arm64/link: running gcc failed: exit status 1
  collect2: fatal error: cannot find 'ld'-

-------------------------------------------------------------------
Tue Feb 25 21:54:49 UTC 2020 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.14 (released 2020-02-25) is a major release of Go.
  go1.14.x minor releases will be provided through February 2021.
  https://github.com/golang/go/wiki/Go-Release-Cycle
  Most changes are in the implementation of the toolchain, runtime,
  and libraries. As always, the release maintains the Go 1 promise
  of compatibility. We expect almost all Go programs to continue to
  compile and run as before.
  Refs boo#1164903 go1.14 release tracking
  * See release notes https://golang.org/doc/go1.14. Excerpts
    relevant to OBS environment and for SUSE/openSUSE follow:
  * Module support in the go command is now ready for production
    use, and we encourage all users to migrate to Go modules for
    dependency management.
  * RISC-V experimental support for 64-bit RISC-V on Linux
    (GOOS=linux, GOARCH=riscv64). Be aware that performance,
    assembly syntax stability, and possibly correctness are a work
    in progress.
  * When the main module contains a top-level vendor directory and
    its go.mod file specifies go 1.14 or higher, the go command now
    defaults to -mod=vendor for operations that accept that flag. A
    new value for that flag, -mod=mod, causes the go command to
    instead load modules from the module cache (as when no vendor
    directory is present).
  * When -mod=vendor is set (explicitly or by default), the go
    command now verifies that the main module's vendor/modules.txt
    file is consistent with its go.mod file.
  * go list -m no longer silently omits transitive dependencies
    that do not provide packages in the vendor directory. It now
    fails explicitly if -mod=vendor is set and information is
    requested for a module not mentioned in vendor/modules.txt.
  * The go get command no longer accepts the -mod flag. Previously,
    the flag's setting either was ignored or caused the build to
    fail.
  * mod=readonly is now set by default when the go.mod file is
    read-only and no top-level vendor directory is present.
  * modcacherw is a new flag that instructs the go command to leave
    newly-created directories in the module cache at their default
    permissions rather than making them read-only. The use of this
    flag makes it more likely that tests or other tools will
    accidentally add files not included in the module's verified
    checksum. However, it allows the use of rm -rf (instead of go
    clean -modcache) to remove the module cache.
  * modfile=file is a new flag that instructs the go command to
    read (and possibly write) an alternate go.mod file instead of
    the one in the module root directory. A file named go.mod must
    still be present in order to determine the module root
    directory, but it is not accessed. When -modfile is specified,
    an alternate go.sum file is also used: its path is derived from
    the -modfile flag by trimming the .mod extension and appending
    .sum.

-------------------------------------------------------------------
Thu Feb  6 04:28:14 UTC 2020 - Jeff Kowalczyk <jkowalczyk@suse.com>

- go1.14rc1 (released 2020/02/05) is a release candidate version of
  Go 1.14. It is cut from release-branch.go1.14 at the revision
  tagged go1.14rc1. go1.14rc1 is packaged before stable release of
  go1.14 to provide a preview of new default behavior for go
  modules. This early access is primarily intended to test use in
  offline OBS environment use with upstream go proxy infrastructure.
  * packaging: drop patch gcc9-rsp-clobber.patch now merged in go1.14
  * packaging: update version of LLVM compiler-rt
  * packaging: update _service definitions
  * packaging: update %doc entries rm devel/ add modules.md
  * doc: rename HTML element IDs to avoid duplicates
  * net: don't check LookupHost error in TestLookupNullByte
  * runtime: don't treat SIGURG as a bad signal
  * internal/bytealg: fix riscv64 offset names
  * doc: remove paragraph break for upgrading to modules
  * syscall: Revert "release a js.Func object in fsCall"
  * doc/go1.14: note that all changes to the standard library are minor
  * doc/go1.14: fix broken links
  * doc/go1.14: remove TODO about Solaris port
openSUSE Build Service is sponsored by