From d803da845f866b9ff0fcbb4aea341d28fd59655a Mon Sep 17 00:00:00 2001
From: allowthere <31812983+allowthere@users.noreply.github.com>
Date: Sun, 27 Jan 2019 02:59:44 +0000
Subject: [PATCH 1/3] go: 1.11.4 -> 1.11.5
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

https://groups.google.com/forum/#!msg/golang-announce/mVeX35iXuSw/Flp8FX7QEAAJ
We have just released Go 1.11.5 and Go 1.10.8 to address a recently reported security issue. We recommend that all users update to one of these releases (if you’re not sure which, choose Go 1.11.5). This DoS vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves may let an attacker craft inputs that consume excessive amounts of CPU. These inputs might be delivered via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private key is reused more than once, the attack can also lead to key recovery. The issue is CVE-2019-6486 and Go issue golang.org/issue/29903. See the Go issue for more details.
---
 pkgs/development/compilers/go/1.11.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/development/compilers/go/1.11.nix b/pkgs/development/compilers/go/1.11.nix
index ae682f8b8f87..1c9bc0a30091 100644
--- a/pkgs/development/compilers/go/1.11.nix
+++ b/pkgs/development/compilers/go/1.11.nix
@@ -29,13 +29,13 @@ in
 stdenv.mkDerivation rec {
 name = "go-${version}";
- version = "1.11.4";
+ version = "1.11.5";
 src = fetchFromGitHub {
 owner = "golang";
 repo = "go";
 rev = "go${version}";
- sha256 = "036nc17hffy0gcfs9j64qzwpjry65znbm4klf2h0xn81dp8d6mxk";
+ sha256 = "0d45057rc0bngq0nja847cagxji42qmlywr68f0dkg51im8nyr9y";
 };
 # perl is used for testing go vet
From d32e779ae850a7053218ebc6d99d34a3f2e6eed3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?=
Date: Sun, 27 Jan 2019 11:29:13 +0100
Subject: [PATCH 2/3] go_1_10: 1.10.7 -> 1.10.8 (security)

https://groups.google.com/forum/#!topic/golang-announce/mVeX35iXuSw
https://github.com/NixOS/nixpkgs/pull/54658
---
 pkgs/development/compilers/go/1.10.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/development/compilers/go/1.10.nix b/pkgs/development/compilers/go/1.10.nix
index 92a9291222f5..867344e84da4 100644
--- a/pkgs/development/compilers/go/1.10.nix
+++ b/pkgs/development/compilers/go/1.10.nix
@@ -22,13 +22,13 @@ in
 stdenv.mkDerivation rec {
 name = "go-${version}";
- version = "1.10.7";
+ version = "1.10.8";
 src = fetchFromGitHub {
 owner = "golang";
 repo = "go";
 rev = "go${version}";
- sha256 = "1alc7dagijdg4p4hhvlznlgcxsl8gz94v7p9wk3kn303y782dl41";
+ sha256 = "1yynv105wh8pwiq61v4yg5i50k13g3x634x60mhxhv4gj9cq06cx";
 };
 GOCACHE = "off";
From a687ef973990cbde6dd350a8db54deb86a4c5d83 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?=
Date: Sun, 27 Jan 2019 11:32:22 +0100
Subject: [PATCH 3/3] go_1_9: mark as insecure (see the parent commit)

Upstream only supports two latest releases.
https://github.com/golang/go/issues/29903#issuecomment-457307356
---
 pkgs/development/compilers/go/1.9.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pkgs/development/compilers/go/1.9.nix b/pkgs/development/compilers/go/1.9.nix
index 799e047a60e8..9d8b2089b4a0 100644
--- a/pkgs/development/compilers/go/1.9.nix
+++ b/pkgs/development/compilers/go/1.9.nix
@@ -174,6 +174,7 @@ stdenv.mkDerivation rec {
 disallowedReferences = [ go_bootstrap ];
 meta = with stdenv.lib; {
+ knownVulnerabilities = [ "CVE-2019-6486" ];
 branch = "1.9";
 homepage = http://golang.org/;
 description = "The Go Programming language";
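Review bot: The `knownVulnerabilities` entry added to `meta` in 1.9.nix carries only the bare CVE id, while the real reason the package stays unpatched (upstream no longer supports 1.9) appears only in the commit message. As far as I know this string is what Nix prints when it refuses to evaluate the package, so a user who then allows it by name gets no hint that later Go security fixes will not reach 1.9 either. I would spell it out in the entry itself, for example `knownVulnerabilities = [ "CVE-2019-6486: crypto/elliptic P-384/P-521 DoS, possible ECDH key recovery; Go 1.9 is unsupported upstream" ];`. The `meta` block continues past the end of the hunk.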