Update go to 1.11.5
A security issue was announced in Go: https://groups.google.com/forum/m/#!msg/golang-announce/mVeX35iXuSw/Flp8FX7QEAAJ
I don't know if the things we build with Go are affected by this issue.
As far as obfs4proxy is concerned, the only thing that might trigger this is meek_lite, which Tor Browser doesn't use (yet).
It's safe to assume that meek-client is affected, though in --helper mode which Tor Browser uses it's probably not. I'll redeploy the meek-server and Snowflake websocket-server and whatnot.
This is the patch I'm trying:
index 1841705..be9f84d 100644 --- a/projects/go/config +++ b/projects/go/config @@ -1,5 +1,5 @@ # vim: filetype=yaml sw=2 -version: 1.11.1 +version: 1.11.5 filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz' var: @@ -84,7 +84,7 @@ input_files: enable: '[% c("var/windows") || c("var/osx") %]' - URL: 'https://golang.org/dl/go[% c("version") %].src.tar.gz' name: go - sha256sum: 558f8c169ae215e25b81421596e8de7572bd3ba824b79add22fba6e284db1117 + sha256sum: bc1ef02bb1668835db1390a2e478dcbccb5dd16911691af9d75184bbe5aa943e - URL: 'https://golang.org/dl/go[% c("var/go14_version") %].src.tar.gz' name: go14 sha256sum: 9947fc705b0b841b5938c48b22dc33e9647ec0752bae66e50278df4f23f64959
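Review bot: In the second hunk (input_files, the entry named go), the new sha256sum is the only integrity check on the go[% c("version") %].src.tar.gz download, and nothing visible in the patch says where the replacement value was taken from. Please note the source of the hash in the commit message, so a reviewer can compare it against a published checksum rather than against a hash computed from the same download. The go14 entry and its sha256sum are unchanged, which matches a bump that only moves version from 1.11.1 to 1.11.5.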
Happy to merge the patch for the upcoming alpha. However, I'd need it today-ish in that case. I plan to kick off the alpha build tomorrow (Jan 25) morning European time.
I started a testbuild; not sure when it will finish. It's unlikely that the patch won't work, but also I think it's not urgent to get it into the next alpha.
Here is a patch. Tested with a make testbuild. Tried Moat and obfs4 in the linux-x86_64 build.
Trac:
Keywords: TorBrowserTeam201901 deleted, TorBrowserTeam201901R added
Status: new to needs_review
Looks good to me. Merged to master (commit 9bac5b8ddc129cc0349f1c6350f819f8ba29af94).
Trac:
Resolution: N/A to fixed
Status: needs_review to closed
Trac closed