Patch CVE-2020-24553 in go

SPECS/golang/CVE-2020-24553.patch

@@ -0,0 +1,412 @@
+From 4f5cd0c0331943c7ec72df3b827d972584f77833 Mon Sep 17 00:00:00 2001
+From: Roberto Clapis <roberto@golang.org>
+Date: Wed, 26 Aug 2020 08:53:03 +0200
+Subject: [PATCH] net/http/cgi,net/http/fcgi: add Content-Type detection
+
+This CL ensures that responses served via CGI and FastCGI
+have a Content-Type header based on the content of the
+response if not explicitly set by handlers.
+
+If the implementers of the handler did not explicitly
+specify a Content-Type both CGI implementations would default
+to "text/html", potentially causing cross-site scripting.
+
+Thanks to RedTeam Pentesting GmbH for reporting this.
+
+Fixes #40928
+Fixes CVE-2020-24553
+
+Change-Id: I82cfc396309b5ab2e8d6e9a87eda8ea7e3799473
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/823217
+Reviewed-by: Russ Cox <rsc@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/252179
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Katie Hockman <katie@golang.org>
+---
+ src/net/http/cgi/child.go            | 36 +++++++++++------
+ src/net/http/cgi/child_test.go       | 58 ++++++++++++++++++++++++++++
+ src/net/http/cgi/integration_test.go | 53 ++++++++++++++++++++++++-
+ src/net/http/fcgi/child.go           | 39 ++++++++++++++-----
+ src/net/http/fcgi/fcgi_test.go       | 52 +++++++++++++++++++++++++
+ 5 files changed, 216 insertions(+), 22 deletions(-)
+
+diff --git a/src/net/http/cgi/child.go b/src/net/http/cgi/child.go
+index d7d813e68a83..690986335c07 100644
+--- a/src/net/http/cgi/child.go
++++ b/src/net/http/cgi/child.go
+@@ -166,10 +166,12 @@ func Serve(handler http.Handler) error {
+ }
+ 
+ type response struct {
+-	req        *http.Request
+-	header     http.Header
+-	bufw       *bufio.Writer
+-	headerSent bool
++	req            *http.Request
++	header         http.Header
++	code           int
++	wroteHeader    bool
++	wroteCGIHeader bool
++	bufw           *bufio.Writer
+ }
+ 
+ func (r *response) Flush() {
+@@ -181,26 +183,38 @@ func (r *response) Header() http.Header {
+ }
+ 
+ func (r *response) Write(p []byte) (n int, err error) {
+-	if !r.headerSent {
++	if !r.wroteHeader {
+ 		r.WriteHeader(http.StatusOK)
+ 	}
++	if !r.wroteCGIHeader {
++		r.writeCGIHeader(p)
++	}
+ 	return r.bufw.Write(p)
+ }
+ 
+ func (r *response) WriteHeader(code int) {
+-	if r.headerSent {
++	if r.wroteHeader {
+ 		// Note: explicitly using Stderr, as Stdout is our HTTP output.
+ 		fmt.Fprintf(os.Stderr, "CGI attempted to write header twice on request for %s", r.req.URL)
+ 		return
+ 	}
+-	r.headerSent = true
+-	fmt.Fprintf(r.bufw, "Status: %d %s\r\n", code, http.StatusText(code))
++	r.wroteHeader = true
++	r.code = code
++}
+ 
+-	// Set a default Content-Type
++// writeCGIHeader finalizes the header sent to the client and writes it to the output.
++// p is not written by writeHeader, but is the first chunk of the body
++// that will be written. It is sniffed for a Content-Type if none is
++// set explicitly.
++func (r *response) writeCGIHeader(p []byte) {
++	if r.wroteCGIHeader {
++		return
++	}
++	r.wroteCGIHeader = true
++	fmt.Fprintf(r.bufw, "Status: %d %s\r\n", r.code, http.StatusText(r.code))
+ 	if _, hasType := r.header["Content-Type"]; !hasType {
+-		r.header.Add("Content-Type", "text/html; charset=utf-8")
++		r.header.Set("Content-Type", http.DetectContentType(p))
+ 	}
+-
+ 	r.header.Write(r.bufw)
+ 	r.bufw.WriteString("\r\n")
+ 	r.bufw.Flush()
+diff --git a/src/net/http/cgi/child_test.go b/src/net/http/cgi/child_test.go
+index 14e0af475f5a..18cf789bd59d 100644
+--- a/src/net/http/cgi/child_test.go
++++ b/src/net/http/cgi/child_test.go
+@@ -7,6 +7,11 @@
+ package cgi
+ 
+ import (
++	"bufio"
++	"bytes"
++	"net/http"
++	"net/http/httptest"
++	"strings"
+ 	"testing"
+ )
+ 
+@@ -148,3 +153,56 @@ func TestRequestWithoutRemotePort(t *testing.T) {
+ 		t.Errorf("RemoteAddr: got %q; want %q", g, e)
+ 	}
+ }
++
++func TestResponse(t *testing.T) {
++	var tests = []struct {
++		name   string
++		body   string
++		wantCT string
++	}{
++		{
++			name:   "no body",
++			wantCT: "text/plain; charset=utf-8",
++		},
++		{
++			name:   "html",
++			body:   "<html><head><title>test page</title></head><body>This is a body</body></html>",
++			wantCT: "text/html; charset=utf-8",
++		},
++		{
++			name:   "text",
++			body:   strings.Repeat("gopher", 86),
++			wantCT: "text/plain; charset=utf-8",
++		},
++		{
++			name:   "jpg",
++			body:   "\xFF\xD8\xFF" + strings.Repeat("B", 1024),
++			wantCT: "image/jpeg",
++		},
++	}
++	for _, tt := range tests {
++		t.Run(tt.name, func(t *testing.T) {
++			var buf bytes.Buffer
++			resp := response{
++				req:    httptest.NewRequest("GET", "/", nil),
++				header: http.Header{},
++				bufw:   bufio.NewWriter(&buf),
++			}
++			n, err := resp.Write([]byte(tt.body))
++			if err != nil {
++				t.Errorf("Write: unexpected %v", err)
++			}
++			if want := len(tt.body); n != want {
++				t.Errorf("reported short Write: got %v want %v", n, want)
++			}
++			resp.writeCGIHeader(nil)
++			resp.Flush()
++			if got := resp.Header().Get("Content-Type"); got != tt.wantCT {
++				t.Errorf("wrong content-type: got %q, want %q", got, tt.wantCT)
++			}
++			if !bytes.HasSuffix(buf.Bytes(), []byte(tt.body)) {
++				t.Errorf("body was not correctly written")
++			}
++		})
++	}
++}
+diff --git a/src/net/http/cgi/integration_test.go b/src/net/http/cgi/integration_test.go
+index eaa090f6fe4f..76cbca8e6036 100644
+--- a/src/net/http/cgi/integration_test.go
++++ b/src/net/http/cgi/integration_test.go
+@@ -16,7 +16,9 @@ import (
+ 	"io"
+ 	"net/http"
+ 	"net/http/httptest"
++	"net/url"
+ 	"os"
++	"strings"
+ 	"testing"
+ 	"time"
+ )
+@@ -52,7 +54,7 @@ func TestHostingOurselves(t *testing.T) {
+ 	}
+ 	replay := runCgiTest(t, h, "GET /test.go?foo=bar&a=b HTTP/1.0\nHost: example.com\n\n", expectedMap)
+ 
+-	if expected, got := "text/html; charset=utf-8", replay.Header().Get("Content-Type"); got != expected {
++	if expected, got := "text/plain; charset=utf-8", replay.Header().Get("Content-Type"); got != expected {
+ 		t.Errorf("got a Content-Type of %q; expected %q", got, expected)
+ 	}
+ 	if expected, got := "X-Test-Value", replay.Header().Get("X-Test-Header"); got != expected {
+@@ -169,6 +171,51 @@ func TestNilRequestBody(t *testing.T) {
+ 	_ = runCgiTest(t, h, "POST /test.go?nil-request-body=1 HTTP/1.0\nHost: example.com\nContent-Length: 0\n\n", expectedMap)
+ }
+ 
++func TestChildContentType(t *testing.T) {
++	testenv.MustHaveExec(t)
++
++	h := &Handler{
++		Path: os.Args[0],
++		Root: "/test.go",
++		Args: []string{"-test.run=TestBeChildCGIProcess"},
++	}
++	var tests = []struct {
++		name   string
++		body   string
++		wantCT string
++	}{
++		{
++			name:   "no body",
++			wantCT: "text/plain; charset=utf-8",
++		},
++		{
++			name:   "html",
++			body:   "<html><head><title>test page</title></head><body>This is a body</body></html>",
++			wantCT: "text/html; charset=utf-8",
++		},
++		{
++			name:   "text",
++			body:   strings.Repeat("gopher", 86),
++			wantCT: "text/plain; charset=utf-8",
++		},
++		{
++			name:   "jpg",
++			body:   "\xFF\xD8\xFF" + strings.Repeat("B", 1024),
++			wantCT: "image/jpeg",
++		},
++	}
++	for _, tt := range tests {
++		t.Run(tt.name, func(t *testing.T) {
++			expectedMap := map[string]string{"_body": tt.body}
++			req := fmt.Sprintf("GET /test.go?exact-body=%s HTTP/1.0\nHost: example.com\n\n", url.QueryEscape(tt.body))
++			replay := runCgiTest(t, h, req, expectedMap)
++			if got := replay.Header().Get("Content-Type"); got != tt.wantCT {
++				t.Errorf("got a Content-Type of %q; expected it to start with %q", got, tt.wantCT)
++			}
++		})
++	}
++}
++
+ // golang.org/issue/7198
+ func Test500WithNoHeaders(t *testing.T)     { want500Test(t, "/immediate-disconnect") }
+ func Test500WithNoContentType(t *testing.T) { want500Test(t, "/no-content-type") }
+@@ -224,6 +271,10 @@ func TestBeChildCGIProcess(t *testing.T) {
+ 		if req.FormValue("no-body") == "1" {
+ 			return
+ 		}
++		if eb, ok := req.Form["exact-body"]; ok {
++			io.WriteString(rw, eb[0])
++			return
++		}
+ 		if req.FormValue("write-forever") == "1" {
+ 			io.Copy(rw, neverEnding('a'))
+ 			for {
+diff --git a/src/net/http/fcgi/child.go b/src/net/http/fcgi/child.go
+index 0e91042543b5..34761f32ee18 100644
+--- a/src/net/http/fcgi/child.go
++++ b/src/net/http/fcgi/child.go
+@@ -74,10 +74,12 @@ func (r *request) parseParams() {
+ 
+ // response implements http.ResponseWriter.
+ type response struct {
+-	req         *request
+-	header      http.Header
+-	w           *bufWriter
+-	wroteHeader bool
++	req            *request
++	header         http.Header
++	code           int
++	wroteHeader    bool
++	wroteCGIHeader bool
++	w              *bufWriter
+ }
+ 
+ func newResponse(c *child, req *request) *response {
+@@ -92,11 +94,14 @@ func (r *response) Header() http.Header {
+ 	return r.header
+ }
+ 
+-func (r *response) Write(data []byte) (int, error) {
++func (r *response) Write(p []byte) (n int, err error) {
+ 	if !r.wroteHeader {
+ 		r.WriteHeader(http.StatusOK)
+ 	}
+-	return r.w.Write(data)
++	if !r.wroteCGIHeader {
++		r.writeCGIHeader(p)
++	}
++	return r.w.Write(p)
+ }
+ 
+ func (r *response) WriteHeader(code int) {
+@@ -104,22 +109,34 @@ func (r *response) WriteHeader(code int) {
+ 		return
+ 	}
+ 	r.wroteHeader = true
++	r.code = code
+ 	if code == http.StatusNotModified {
+ 		// Must not have body.
+ 		r.header.Del("Content-Type")
+ 		r.header.Del("Content-Length")
+ 		r.header.Del("Transfer-Encoding")
+-	} else if r.header.Get("Content-Type") == "" {
+-		r.header.Set("Content-Type", "text/html; charset=utf-8")
+ 	}
+-
+ 	if r.header.Get("Date") == "" {
+ 		r.header.Set("Date", time.Now().UTC().Format(http.TimeFormat))
+ 	}
++}
+ 
+-	fmt.Fprintf(r.w, "Status: %d %s\r\n", code, http.StatusText(code))
++// writeCGIHeader finalizes the header sent to the client and writes it to the output.
++// p is not written by writeHeader, but is the first chunk of the body
++// that will be written. It is sniffed for a Content-Type if none is
++// set explicitly.
++func (r *response) writeCGIHeader(p []byte) {
++	if r.wroteCGIHeader {
++		return
++	}
++	r.wroteCGIHeader = true
++	fmt.Fprintf(r.w, "Status: %d %s\r\n", r.code, http.StatusText(r.code))
++	if _, hasType := r.header["Content-Type"]; r.code != http.StatusNotModified && !hasType {
++		r.header.Set("Content-Type", http.DetectContentType(p))
++	}
+ 	r.header.Write(r.w)
+ 	r.w.WriteString("\r\n")
++	r.w.Flush()
+ }
+ 
+ func (r *response) Flush() {
+@@ -293,6 +310,8 @@ func (c *child) serveRequest(req *request, body io.ReadCloser) {
+ 		httpReq = httpReq.WithContext(envVarCtx)
+ 		c.handler.ServeHTTP(r, httpReq)
+ 	}
++	// Make sure we serve something even if nothing was written to r
++	r.Write(nil)
+ 	r.Close()
+ 	c.mu.Lock()
+ 	delete(c.requests, req.reqId)
+diff --git a/src/net/http/fcgi/fcgi_test.go b/src/net/http/fcgi/fcgi_test.go
+index e9d2b34023c8..4a27a12c35a9 100644
+--- a/src/net/http/fcgi/fcgi_test.go
++++ b/src/net/http/fcgi/fcgi_test.go
+@@ -10,6 +10,7 @@ import (
+ 	"io"
+ 	"io/ioutil"
+ 	"net/http"
++	"strings"
+ 	"testing"
+ )
+ 
+@@ -344,3 +345,54 @@ func TestChildServeReadsEnvVars(t *testing.T) {
+ 		<-done
+ 	}
+ }
++
++func TestResponseWriterSniffsContentType(t *testing.T) {
++	var tests = []struct {
++		name   string
++		body   string
++		wantCT string
++	}{
++		{
++			name:   "no body",
++			wantCT: "text/plain; charset=utf-8",
++		},
++		{
++			name:   "html",
++			body:   "<html><head><title>test page</title></head><body>This is a body</body></html>",
++			wantCT: "text/html; charset=utf-8",
++		},
++		{
++			name:   "text",
++			body:   strings.Repeat("gopher", 86),
++			wantCT: "text/plain; charset=utf-8",
++		},
++		{
++			name:   "jpg",
++			body:   "\xFF\xD8\xFF" + strings.Repeat("B", 1024),
++			wantCT: "image/jpeg",
++		},
++	}
++	for _, tt := range tests {
++		t.Run(tt.name, func(t *testing.T) {
++			input := make([]byte, len(streamFullRequestStdin))
++			copy(input, streamFullRequestStdin)
++			rc := nopWriteCloser{bytes.NewBuffer(input)}
++			done := make(chan bool)
++			var resp *response
++			c := newChild(rc, http.HandlerFunc(func(
++				w http.ResponseWriter,
++				r *http.Request,
++			) {
++				io.WriteString(w, tt.body)
++				resp = w.(*response)
++				done <- true
++			}))
++			defer c.cleanUp()
++			go c.serve()
++			<-done
++			if got := resp.Header().Get("Content-Type"); got != tt.wantCT {
++				t.Errorf("got a Content-Type of %q; expected it to start with %q", got, tt.wantCT)
++			}
++		})
++	}
++}

SPECS/golang/golang-1.13.spec

@@ -1,4 +1,4 @@
-%global goroot          /usr/lib/golang
+%global goroot          %{_lib}/golang
 %global gopath          %{_datadir}/gocode
 %ifarch aarch64
 %global gohostarch      arm64
@@ -7,23 +7,22 @@
 %endif
 %define debug_package %{nil}
 %define __strip /bin/true
-
 # rpmbuild magic to keep from having meta dependency on libc.so.6
 %define _use_internal_dependency_generator 0
 %define __find_requires %{nil}
-
 Summary:        Go
 Name:           golang
 Version:        1.13.15
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        BSD
-URL:            https://golang.org
-Group:          System Environment/Security
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
+Group:          System Environment/Security
+URL:            https://golang.org
 Source0:        https://dl.google.com/go/go%{version}.src.tar.gz
 Source1:        https://dl.google.com/go/go1.4-bootstrap-20171003.tar.gz
 Patch0:         go14_bootstrap_aarch64.patch
+Patch1:         CVE-2020-24553.patch
 Obsoletes:      %{name} < %{version}
 Provides:       %{name} = %{version}
 
@@ -34,19 +33,20 @@ Go is an open source programming language that makes it easy to build simple, re
 # Setup go 1.4 bootstrap source
 tar xf %{SOURCE1} --no-same-owner
 %ifarch aarch64
-patch -Np1 --ignore-whitespace < /usr/src/mariner/SOURCES/go14_bootstrap_aarch64.patch
+patch -Np1 --ignore-whitespace < %{_prefix}/src/mariner/SOURCES/go14_bootstrap_aarch64.patch
 %endif
 mv -v go go-bootstrap
 
-%setup -qn go
+%setup -q -n go
+%patch1 -p1
 
 %build
 # Build go 1.4 bootstrap
-pushd /usr/src/mariner/BUILD/go-bootstrap/src
+pushd %{_prefix}/src/mariner/BUILD/go-bootstrap/src
 CGO_ENABLED=0 ./make.bash
 popd
-mv -v /usr/src/mariner/BUILD/go-bootstrap /usr/lib/golang
-export GOROOT=/usr/lib/golang
+mv -v %{_prefix}/src/mariner/BUILD/go-bootstrap %{_lib}/golang
+export GOROOT=%{_lib}/golang
 
 # Build current go version
 export GOHOSTOS=linux
@@ -62,7 +62,6 @@ pushd src
 popd
 
 %install
-rm -rf %{buildroot}
 
 mkdir -p %{buildroot}%{_bindir}
 mkdir -p %{buildroot}%{goroot}
@@ -88,8 +87,8 @@ mkdir -p %{buildroot}%{gopath}/src/github.com/
 mkdir -p %{buildroot}%{gopath}/src/bitbucket.org/
 mkdir -p %{buildroot}%{gopath}/src/code.google.com/p/
 
-install -vdm755 %{buildroot}/etc/profile.d
-cat >> %{buildroot}/etc/profile.d/go-exports.sh <<- "EOF"
+install -vdm755 %{buildroot}%{_sysconfdir}/profile.d
+cat >> %{buildroot}%{_sysconfdir}/profile.d/go-exports.sh <<- "EOF"
 export GOROOT=%{goroot}
 export GOPATH=%{_datadir}/gocode
 export GOHOSTOS=linux
@@ -98,25 +97,21 @@ export GOOS=linux
 EOF
 
 %post -p /sbin/ldconfig
-
 %postun
 /sbin/ldconfig
 if [ $1 -eq 0 ]; then
   #This is uninstall
-  rm /etc/profile.d/go-exports.sh
+  rm %{_sysconfdir}/profile.d/go-exports.sh
   rm -rf /opt/go
   exit 0
 fi
 
-%clean
-rm -rf %{buildroot}/*
-
 %files
 %defattr(-,root,root)
 %license LICENSE
 %exclude %{goroot}/src/*.rc
 %exclude %{goroot}/include/plan9
-/etc/profile.d/go-exports.sh
+%{_sysconfdir}/profile.d/go-exports.sh
 %{goroot}/*
 %{gopath}/src
 %exclude %{goroot}/src/pkg/debug/dwarf/testdata
@@ -124,57 +119,86 @@ rm -rf %{buildroot}/*
 %{_bindir}/*
 
 %changelog
-*   Tue Sep 08 2020 Nicolas Ontiveros <niontive@microsoft.com> 1.13.15-1
--   Updated to version 1.13.15, which fixes CVE-2020-14039 and CVE-2020-16845.
-*   Sun May 24 2020 Mateusz Malisz <mamalisz@microsoft.com> 1.13.11-1
--   Updated to version 1.13.11
-*   Sat May 09 2020 Nick Samson <nisamson@microsoft.com> 1.12.5-7
--   Added %%license line automatically
-*   Thu Apr 30 2020 Emre Girgin <mrgirgin@microsoft.com> 1.12.5-6
--   Renaming go to golang
-*   Thu Apr 23 2020 Nicolas Ontiveros <niontive@microsoft.com> 1.12.5-5
--   Fix CVE-2019-14809.
-*   Fri Mar 27 2020 Andrew Phelps <anphel@microsoft.com> 1.12.5-4
--   Support building standalone by adding go 1.4 bootstrap.
-*   Thu Feb 27 2020 Henry Beberman <hebeberm@microsoft.com> 1.12.5-3
--   Remove meta dependency on libc.so.6
-*   Thu Feb 6 2020 Andrew Phelps <anphel@microsoft.com> 1.12.5-2
--   Remove ExtraBuildRequires
-*   Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 1.12.5-1
--   Initial CBL-Mariner import from Photon (license: Apache2).
-*   Mon Jan 21 2019 Bo Gan <ganb@vmware.com> 1.9.7-1
--   Update to 1.9.7
-*   Wed Oct 24 2018 Alexey Makhalov <amakhalov@vmware.com> 1.9.4-3
--   Use extra build requires
-*   Mon Apr 02 2018 Dheeraj Shetty <dheerajs@vmware.com> 1.9.4-2
--   Fix for CVE-2018-7187
-*   Thu Mar 15 2018 Xiaolin Li <xiaolinl@vmware.com> 1.9.4-1
--   Update to golang release v1.9.4
-*   Tue Nov 14 2017 Alexey Makhalov <amakhalov@vmware.com> 1.9.1-2
--   Aarch64 support
-*   Wed Nov 01 2017 Vinay Kulkarni <kulkarniv@vmware.com> 1.9.1-1
--   Update to golang release v1.9.1
-*   Wed May 31 2017 Xiaolin Li <xiaolinl@vmware.com> 1.8.1-2
--   Remove mercurial from buildrequires and requires.
-*   Tue Apr 11 2017 Danut Moraru <dmoraru@vmware.com> 1.8.1-1
--   Update Golang to version 1.8.1, updated patch0
-*   Wed Dec 28 2016 Xiaolin Li <xiaolinl@vmware.com> 1.7.4-1
--   Updated Golang to 1.7.4.
-*   Thu Oct 06 2016 ChangLee <changlee@vmware.com> 1.6.3-2
--   Modified %check
-*   Wed Jul 27 2016 Anish Swaminathan <anishs@vmware.com> 1.6.3-1
--   Update Golang to version 1.6.3 - fixes CVE 2016-5386
-*   Fri Jul 8 2016 Harish Udaiya Kumar <hudaiyakumar@vmware.com> 1.6.2-1
--   Updated the Golang to version 1.6.2
-*   Thu Jun 2 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 1.4.2-5
--   Fix script syntax
-*   Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 1.4.2-4
--   GA - Bump release of all rpms
-*   Thu May 05 2016 Kumar Kaushik <kaushikk@vmware.com> 1.4.2-3
--   Handling upgrade scenario pre/post/un scripts.
-*   Wed Dec 09 2015 Anish Swaminathan <anishs@vmware.com> 1.4.2-2
--   Edit post script.
-*   Mon Aug 03 2015 Vinay Kulkarni <kulkarniv@vmware.com> 1.4.2-1
--   Update to golang release version 1.4.2
-*   Fri Oct 17 2014 Divya Thaluru <dthaluru@vmware.com> 1.3.3-1
--   Initial build.  First version
+* Fri Oct 30 2020 Thomas Crain <thcrain@microsoft.com> - 1.13.15-2
+- Patch CVE-2020-24553
+
+* Tue Sep 08 2020 Nicolas Ontiveros <niontive@microsoft.com> - 1.13.15-1
+- Updated to version 1.13.15, which fixes CVE-2020-14039 and CVE-2020-16845.
+
+* Sun May 24 2020 Mateusz Malisz <mamalisz@microsoft.com> - 1.13.11-1
+- Updated to version 1.13.11
+
+* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> - 1.12.5-7
+- Added %%license line automatically
+
+* Thu Apr 30 2020 Emre Girgin <mrgirgin@microsoft.com> - 1.12.5-6
+- Renaming go to golang
+
+* Thu Apr 23 2020 Nicolas Ontiveros <niontive@microsoft.com> - 1.12.5-5
+- Fix CVE-2019-14809.
+
+* Fri Mar 27 2020 Andrew Phelps <anphel@microsoft.com> - 1.12.5-4
+- Support building standalone by adding go 1.4 bootstrap.
+
+* Thu Feb 27 2020 Henry Beberman <hebeberm@microsoft.com> - 1.12.5-3
+- Remove meta dependency on libc.so.6
+
+* Thu Feb 6 2020 Andrew Phelps <anphel@microsoft.com> - 1.12.5-2
+- Remove ExtraBuildRequires
+
+* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> - 1.12.5-1
+- Initial CBL-Mariner import from Photon (license: Apache2).
+
+* Mon Jan 21 2019 Bo Gan <ganb@vmware.com> - 1.9.7-1
+- Update to 1.9.7
+
+* Wed Oct 24 2018 Alexey Makhalov <amakhalov@vmware.com> - 1.9.4-3
+- Use extra build requires
+
+* Mon Apr 02 2018 Dheeraj Shetty <dheerajs@vmware.com> - 1.9.4-2
+- Fix for CVE-2018-7187
+
+* Thu Mar 15 2018 Xiaolin Li <xiaolinl@vmware.com> - 1.9.4-1
+- Update to golang release v1.9.4
+
+* Tue Nov 14 2017 Alexey Makhalov <amakhalov@vmware.com> - 1.9.1-2
+- Aarch64 support
+
+* Wed Nov 01 2017 Vinay Kulkarni <kulkarniv@vmware.com> - 1.9.1-1
+- Update to golang release v1.9.1
+
+* Wed May 31 2017 Xiaolin Li <xiaolinl@vmware.com> - 1.8.1-2
+- Remove mercurial from buildrequires and requires.
+
+* Tue Apr 11 2017 Danut Moraru <dmoraru@vmware.com> - 1.8.1-1
+- Update Golang to version 1.8.1, updated patch0
+
+* Wed Dec 28 2016 Xiaolin Li <xiaolinl@vmware.com> - 1.7.4-1
+- Updated Golang to 1.7.4.
+
+* Thu Oct 06 2016 ChangLee <changlee@vmware.com> - 1.6.3-2
+- Modified %check
+
+* Wed Jul 27 2016 Anish Swaminathan <anishs@vmware.com> - 1.6.3-1
+- Update Golang to version 1.6.3 - fixes CVE 2016-5386
+
+* Fri Jul 8 2016 Harish Udaiya Kumar <hudaiyakumar@vmware.com> - 1.6.2-1
+- Updated the Golang to version 1.6.2
+
+* Thu Jun 2 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> - 1.4.2-5
+- Fix script syntax
+
+* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> - 1.4.2-4
+- GA - Bump release of all rpms
+
+* Thu May 05 2016 Kumar Kaushik <kaushikk@vmware.com> - 1.4.2-3
+- Handling upgrade scenario pre/post/un scripts.
+
+* Wed Dec 09 2015 Anish Swaminathan <anishs@vmware.com> - 1.4.2-2
+- Edit post script.
+
+* Mon Aug 03 2015 Vinay Kulkarni <kulkarniv@vmware.com> - 1.4.2-1
+- Update to golang release version 1.4.2
+
+* Fri Oct 17 2014 Divya Thaluru <dthaluru@vmware.com> - 1.3.3-1
+- Initial build.  First version