Changelog for
go1.16-1.16.7-1.23.1.x86_64.rpm :
* Thu Aug 05 2021 jkowalczykAATTsuse.com- go1.16.7 (released 2021-08-05) includes a security fix to the net/http/httputil package, as well as bug fixes to the compiler, the linker, the runtime, the go command, and the net/http package. CVE-2021-36221 Refs boo#1182345 go1.16 release tracking
* boo#1189162 go#46866 CVE-2021-36221
* go#47474 net/http: panic due to racy read of persistConn after handler panic
* go#47348 cmd/go: \"go list -f \'{{.Stale}}\'\" stack overflow with cyclic imports
* go#47332 time: Timer reset broken under heavy use since go1.16 timer optimizations added
* go#47289 cmd/link: build error with cgo in Windows, redefinition of go.map.zero
* go#47015 cmd/go: go mod vendor: open C:\\Users\\LICENSE: Access is denied.
* go#46928 cmd/compile: register conflict between external linker and duffzero on arm64
* go#46858 runtime: ppc64x binaries randomly segfault on linux 5.13rc6
* go#46551 cmd/go: unhelpful error message when running \"go install\" on a replaced-but-not-required package
* Thu Aug 05 2021 jkowalczykAATTsuse.com- Drop patch to fix crashes on PowerPC with kernel >= 5.13, fixed in next upstream release:
* drop fix-ppc64-crashes.patch
* Mon Jul 19 2021 fvogtAATTsuse.com- Add patch to fix crashes on PowerPC with kernel >= 5.13:
* fix-ppc64-crashes.patch
* Mon Jul 12 2021 jkowalczykAATTsuse.com- go1.16.6 (released 2021-07-12) includes a security fix to the crypto/tls package, as well as bug fixes to the compiler, and the net and net/http packages. CVE-2021-34558 Refs boo#1182345 go1.16 release tracking
* boo#1188229 go#47143 CVE-2021-34558
* go#47145 security: fix CVE-2021-34558
* go#46999 net: LookupMX behaviour broken
* go#46981 net: TestCVE202133195 fails if /etc/resolv.conf specifies ndots larger than 3
* go#46769 syscall: TestGroupCleanupUserNamespace test failure on Fedora
* go#46657 runtime: deeply nested struct initialized with non-zero values
* go#44984 net/http: server not setting Content-Length in certain cases
* Thu Jun 10 2021 jkowalczykAATTsuse.com- Fix extraneous trailing percent character %endif% in spec file.
* Thu Jun 03 2021 jkowalczykAATTsuse.com- go1.16.5 (released 2021-06-03) includes security fixes to the archive/zip, math/big, net, and net/http/httputil packages, as well as bug fixes to the linker, the go command, and the net/http package. CVE-2021-33195 CVE-2021-33196 CVE-2021-33197 CVE-2021-33198 Refs boo#1182345 go1.16 release tracking
* boo#1187443 go#46241 CVE-2021-33195
* go#46357 net: Lookup functions may return invalid host names
* go#46530 net: Unix dnsclient test for CVE-2021-33195 assumes that 1.2.3.4 does not resolve
* boo#1186622 go#46242 CVE-2021-33196
* go#46397 archive/zip: malformed archive may cause panic or memory exhaustion
* boo#1187444 go#46313 CVE-2021-33197
* go#46315 net/http/httputil: ReverseProxy forwards Connection headers if first one is empty
* boo#1187445 go#45910 CVE-2021-33198
* go#46306 math/big: (
*Rat).SetString with \"1.770p02041010010011001001\" crashes with \"makeslice: len out of range\"
* go#46214 cmd/go: make go mod download with no arguments leave go.sum alone
* go#46144 cmd/go: error out of \'go mod tidy\' if the go.mod file specifies a newer-than-supported Go version
* go#46128 cmd/link: internal error when externally linking very large binaries
* go#45927 cmd/link: SIGSEGV running \'openshift-install version\' for release-4.8 using external linking on PPC64LE
* go#45832 cmd/link: unexpected trampoline when cross-compiling to ppc64le
* Fri May 07 2021 jkowalczykAATTsuse.com- go1.16.4 (released 2021-05-06) includes a security fix to the net/http package, as well as bug fixes to the runtime, the compiler, and the archive/zip, time, and syscall packages. CVE-2021-31525 Refs boo#1182345 go1.16 release tracking
* boo#1185790 CVE-2021-31525
* go#45712 net/http: ReadRequest can stack overflow
* go#45636 cmd/compile: internal compiler error: Invalid PPC64 rotate mask
* go#45482 runtime: \"invalid pc-encoded table\" throw caused by bad cgo traceback (expandFinalInlineFrames)
* go#45385 time: Europe/Dublin timezone handling broken with embedded timezone database
* go#45347 archive/zip: duplicate entries in FS interface
* go#45307 os/signal: timeout in TestAllThreadsSyscallSignals
* Fri Apr 02 2021 jkowalczykAATTsuse.com- go1.16.3 (released 2021-04-01) includes fixes to the compiler, linker, runtime, the go command, and the testing and time packages. Refs boo#1182345 go1.16 release tracking
* go#45303 runtime: \"invalid pc-encoded table\" throw caused by bad cgo traceback
* go#45253 cmd/compile: fix long RMW bit operations on AMD64
* go#45240 all: run.{bash,bat,rc} sets GOPATH inconsistently
* go#45192 Strange behaviour with loops
* go#45030 cmd/link: go 1.16 plugin does not initialize global variables correctly when not used directly
* go#44888 testing: Helper line number has changed in 1.16
* go#44885 cmd/go: import paths ending with \'+\' are rejected (affects executable like g++ or clang++)
* go#44869 time, runtime: zero duration timer takes 2 minutes to fire
* go#44860 cmd/go: documentation at golang.org for cmd/go has confusing formatting
* go#44812 cmd/go: \'go get\' does not add missing hash to go.sum when ziphash file missing from cache
* go#44640 cmd/link: fail to build when using time/tzdata on ARM
* Fri Mar 12 2021 jkowalczykAATTsuse.com- go1.16.2 (released 2021-03-11) includes fixes to cgo, the compiler, linker, the go command, and the syscall and time packages. Refs boo#1182345 go1.16 release tracking
* go#44793 cmd/go: mod tidy should ignore missing standard library packages
* go#44746 cmd/go: improve error message when outside a module from \"working directory is not part of a module\"
* go#44676 cmd/go: warning message when getting a retracted module version is missing a trailing newline
* go#44659 runtime: marked free object in span
* go#44647 cmd/go: \"malformed import path\" in Go 1.16 for packages with path elements containing a leading dot
* go#44638 cmd/link: runtime crash, unexpected fault address 0xffffffffffffffff, h2_bundle.go, when using plugin
* go#44618 time: LoadLocationFromTZData with slim tzdata uses incorrect zone
* go#44593 syscall & x/sys/windows: buffer overflow in GetQueuedCompletionStatus
* go#44498 cmd/go: \'go mod edit -exclude\' erroneously rejects \'+incompatible\' versions
* go#44496 cmd/go: malformed module path with retract v2+
* go#44464 cmd/compile: ICE on deferred call to syscall.LazyDLL.Call
* go#44462 x/tools/go/analysis, syscall: ptrace redeclared in this block
* go#44433 cmd/compile: Compiler regression in Go 1.16 - internal compiler error: child dcl collision on symbol
* go#44402 doc: Broken image in readme
* go#44358 cmd/compile: internal compiler error: Value live at entry. It shouldn\'t be.
* go#44346 runtime/cgo: cannot build with -Wsign-compare
* Wed Mar 10 2021 jkowalczykAATTsuse.com- go1.16.1 (released 2021-03-10) includes security fixes to the archive/zip and encoding/xml packages. CVE-2021-27918 CVE-2021-27919 Refs boo#1182345 go1.16 release tracking
* boo#1183333 CVE-2021-27918
* go#44915 encoding/xml: infinite loop when using `xml.NewTokenDecoder` with a custom `TokenReader`
* boo#1183334 CVE-2021-27919
* go#44917 archive/zip: can panic when calling Reader.Open
* Thu Feb 18 2021 jkowalczykAATTsuse.com- gcc6-go.patch fix typo go-7 to go-6 for bootstrap on SLE-12 gcc6
* Tue Feb 16 2021 jkowalczykAATTsuse.com- go1.16 (released 2021-02-16) Go 1.16 is a major release of Go. go1.16.x minor releases will be provided through February 2022. https://github.com/golang/go/wiki/Go-Release-Cycle Most changes are in the implementation of the toolchain, runtime, and libraries. As always, the release maintains the Go 1 promise of compatibility. We expect almost all Go programs to continue to compile and run as before. Refs boo#1182345 go1.16 release tracking
* See release notes https://golang.org/doc/go1.16. Excerpts relevant to OBS environment and for SUSE/openSUSE follow:
* Module-aware mode is enabled by default, regardless of whether a go.mod file is present in the current working directory or a parent directory. More precisely, the GO111MODULE environment variable now defaults to on. To switch to the previous behavior, set GO111MODULE to auto.
* Build commands like go build and go test no longer modify go.mod and go.sum by default. Instead, they report an error if a module requirement or checksum needs to be added or updated (as if the -mod=readonly flag were used). Module requirements and sums may be adjusted with go mod tidy or go get.
* go install now accepts arguments with version suffixes (for example, go install example.com/cmdAATTv1.0.0). This causes go install to build and install packages in module-aware mode, ignoring the go.mod file in the current directory or any parent directory, if there is one. This is useful for installing executables without affecting the dependencies of the main module.
* go install, with or without a version suffix (as described above), is now the recommended way to build and install packages in module mode. go get should be used with the -d flag to adjust the current module\'s dependencies without building packages, and use of go get to build and install packages is deprecated. In a future release, the -d flag will always be enabled.
* retract directives may now be used in a go.mod file to indicate that certain published versions of the module should not be used by other modules. A module author may retract a version after a severe problem is discovered or if the version was published unintentionally.
* The go mod vendor and go mod tidy subcommands now accept the -e flag, which instructs them to proceed despite errors in resolving missing packages.
* The go command now ignores requirements on module versions excluded by exclude directives in the main module. Previously, the go command used the next version higher than an excluded version, but that version could change over time, resulting in non-reproducible builds.
* In module mode, the go command now disallows import paths that include non-ASCII characters or path elements with a leading dot character (.). Module paths with these characters were already disallowed (see Module paths and versions), so this change affects only paths within module subdirectories.
* The go command now supports including static files and file trees as part of the final executable, using the new //go:embed directive. See the documentation for the new embed package for details.
* When using go test, a test that calls os.Exit(0) during execution of a test function will now be considered to fail. This will help catch cases in which a test calls code that calls os.Exit(0) and thereby stops running all future tests. If a TestMain function calls os.Exit(0) that is still considered to be a passing test.
* go test reports an error when the -c or -i flags are used together with unknown flags. Normally, unknown flags are passed to tests, but when -c or -i are used, tests are not run.
* The go get -insecure flag is deprecated and will be removed in a future version. This flag permits fetching from repositories and resolving custom domains using insecure schemes such as HTTP, and also bypasses module sum validation using the checksum database. To permit the use of insecure schemes, use the GOINSECURE environment variable instead. To bypass module sum validation, use GOPRIVATE or GONOSUMDB. See go help environment for details.
* go get example.com/modAATTpatch now requires that some version of example.com/mod already be required by the main module. (However, go get -u=patch continues to patch even newly-added dependencies.)
* GOVCS is a new environment variable that limits which version control tools the go command may use to download source code. This mitigates security issues with tools that are typically used in trusted, authenticated environments. By default, git and hg may be used to download code from any repository. svn, bzr, and fossil may only be used to download code from repositories with module paths or package paths matching patterns in the GOPRIVATE environment variable. See go help vcs for details.
* When the main module\'s go.mod file declares go 1.16 or higher, the all package pattern now matches only those packages that are transitively imported by a package or test found in the main module. (Packages imported by tests of packages imported by the main module are no longer included.) This is the same set of packages retained by go mod vendor since Go 1.11.
* When the -toolexec build flag is specified to use a program when invoking toolchain programs like compile or asm, the environment variable TOOLEXEC_IMPORTPATH is now set to the import path of the package being built.
* The -i flag accepted by go build, go install, and go test is now deprecated. The -i flag instructs the go command to install packages imported by packages named on the command line. Since the build cache was introduced in Go 1.10, the -i flag no longer has a significant effect on build times, and it causes errors when the install directory is not writable.
* When the -export flag is specified, the BuildID field is now set to the build ID of the compiled package. This is equivalent to running go tool buildid on go list -exported -f {{.Export}}, but without the extra step.
* The -overlay flag specifies a JSON configuration file containing a set of file path replacements. The -overlay flag may be used with all build commands and go mod subcommands. It is primarily intended to be used by editor tooling such as gopls to understand the effects of unsaved changes to source files. The config file maps actual file paths to replacement file paths and the go command and its builds will run as if the actual file paths exist with the contents given by the replacement file paths, or don\'t exist if the replacement file paths are empty.
* The cgo tool will no longer try to translate C struct bitfields into Go struct fields, even if their size can be represented in Go. The order in which C bitfields appear in memory is implementation dependent, so in some cases the cgo tool produced results that were silently incorrect.
* The linux/riscv64 port now supports cgo and -buildmode=pie. This release also includes performance optimizations and code generation improvements for RISC-V.
* The new runtime/metrics package introduces a stable interface for reading implementation-defined metrics from the Go runtime. It supersedes existing functions like runtime.ReadMemStats and debug.GCStats and is significantly more general and efficient. See the package documentation for more details.
* Setting the GODEBUG environment variable to inittrace=1 now causes the runtime to emit a single line to standard error for each package init, summarizing its execution time and memory allocation. This trace can be used to find bottlenecks or regressions in Go startup performance. The GODEBUG documentation describes the format.
* On Linux, the runtime now defaults to releasing memory to the operating system promptly (using MADV_DONTNEED), rather than lazily when the operating system is under memory pressure (using MADV_FREE). This means process-level memory statistics like RSS will more accurately reflect the amount of physical memory being used by Go processes. Systems that are currently using GODEBUG=madvdontneed=1 to improve memory monitoring behavior no longer need to set this environment variable.
* Go 1.16 fixes a discrepancy between the race detector and the Go memory model. The race detector now more precisely follows the channel synchronization rules of the memory model. As a result, the detector may now report races it previously missed.
* linker: This release includes additional improvements to the Go linker, reducing linker resource usage (both time and memory) and improving code robustness/maintainability. These changes form the second half of a two-release project to modernize the Go linker.
* The linker changes in 1.16 extend the 1.15 improvements to all supported architecture/OS combinations (the 1.15 performance improvements were primarily focused on ELF-based OSes and amd64 architectures). For a representative set of large Go programs, linking is 20-25% faster than 1.15 and requires 5-15% less memory on average for linux/amd64, with larger improvements for other architectures and OSes. Most binaries are also smaller as a result of more aggressive symbol pruning.
* The new embed package provides access to files embedded in the program during compilation using the new //go:embed directive.
* The new io/fs package defines the fs.FS interface, an abstraction for read-only trees of files. The standard library packages have been adapted to make use of the interface as appropriate.
* For testing code that implements fs.FS, the new testing/fstest package provides a TestFS function that checks for and reports common mistakes. It also provides a simple in-memory file system implementation, MapFS, which can be useful for testing code that accepts fs.FS implementations.
* syscall: On Linux, Setgid, Setuid, and related calls are now implemented. Previously, they returned an syscall.EOPNOTSUPP error. On Linux, the new functions AllThreadsSyscall and AllThreadsSyscall6 may be used to make a system call on all Go threads in the process. These functions may only be used by programs that do not use cgo; if a program uses cgo, they will always return syscall.ENOTSUP.
* time/tzdata: The slim timezone data format is now used for the timezone database in $GOROOT/lib/time/zoneinfo.zip and the embedded copy in this package. This reduces the size of the timezone database by about 350 KB.
* Thu Jan 28 2021 jkowalczykAATTsuse.com- go1.16rc1 (released 2021-01-28) is a release candidate of go1.16 cut from the master branch at the revision tagged go1.16rc1.
* Thu Dec 17 2020 jkowalczykAATTsuse.com- go1.16beta1 (released 2020-12-08) is a beta version of go1.16 cut from the master branch at the revision tagged go1.16beta1.