#29167 closed defect (fixed)

Update go to 1.11.5

Reported by: boklm Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: TorBrowserTeam201901R, tbb-rbm
Cc: yawning, dcf Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

A security issue was announced in Go:
https://groups.google.com/forum/m/#!msg/golang-announce/mVeX35iXuSw/Flp8FX7QEAAJ

I don't know if the things we build with Go are affected by this issue.

Child Tickets

Attachments (1)

0001-Bug-29167-Upgrade-go-to-1.11.5.patch (1.1 KB) - added by dcf 10 months ago.

Download all attachments as: .zip

Change History (7)

comment:1 Changed 10 months ago by yawning

As far as obfs4proxy is concerned, the only thing that might trigger this is meek_lite, which Tor Browser doesn't use (yet).

comment:2 Changed 10 months ago by dcf

It's safe to assume that meek-client is affected, though in --helper mode which Tor Browser uses it's probably not. I'll redeploy the meek-server and Snowflake websocket-server and whatnot.

This is the patch I'm trying:

  • projects/go/config

    index 1841705..be9f84d 100644
    a b  
    11# vim: filetype=yaml sw=2
    2 version: 1.11.1
     2version: 1.11.5
    33filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz'
    44
    55var:
    input_files: 
    8484    enable: '[% c("var/windows") || c("var/osx") %]'
    8585  - URL: 'https://golang.org/dl/go[% c("version") %].src.tar.gz'
    8686    name: go
    87     sha256sum: 558f8c169ae215e25b81421596e8de7572bd3ba824b79add22fba6e284db1117
     87    sha256sum: bc1ef02bb1668835db1390a2e478dcbccb5dd16911691af9d75184bbe5aa943e
    8888  - URL: 'https://golang.org/dl/go[% c("var/go14_version") %].src.tar.gz'
    8989    name: go14
    9090    sha256sum: 9947fc705b0b841b5938c48b22dc33e9647ec0752bae66e50278df4f23f64959

comment:3 Changed 10 months ago by gk

Happy to merge the patch for the upcoming alpha. However, I'd need it today-ish in that case. I plan to kick off the alpha build tomorrow (Jan 25) morning European time.

comment:4 Changed 10 months ago by dcf

I started a testbuild; not sure when it will finish. It's unlikely that the patch won't work, but also I think it's not urgent to get it into the next alpha.

comment:5 Changed 10 months ago by dcf

Keywords: TorBrowserTeam201901R added; TorBrowserTeam201901 removed
Status: newneeds_review

Here is a patch. Tested with a make testbuild. Tried Moat and obfs4 in the linux-x86_64 build.

comment:6 Changed 10 months ago by gk

Resolution: fixed
Status: needs_reviewclosed

Looks good to me. Merged to master (commit 9bac5b8ddc129cc0349f1c6350f819f8ba29af94).

Note: See TracTickets for help on using tickets.