https://groups.google.com/forum/#!msg/golang-announce/mVeX35iXuSw/Flp8FX7QEAAJ
We have just released Go 1.11.5 and Go 1.10.8 to address a recently reported security issue. We recommend that all users update to one of these releases (if you’re not sure which, choose Go 1.11.5).
This DoS vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves may let an attacker craft inputs that consume excessive amounts of CPU.
These inputs might be delivered via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private key is reused more than once, the attack can also lead to key recovery.
The issue is CVE-2019-6486 and Go issue golang.org/issue/29903. See the Go issue for more details.
Incorporate wrapGAppsHook so that all gnumeric binaries are wrapped,
following the convention used by many gnome applications.
This addresses two issues:
1. The packaged ssconvert, ssdiff, ssgrep, and ssindex executables
in bin are not currently wrapped so some expected environment
variables including XDG_DATA_DIRS and GIO_EXTRA_MODULES are not
set. The result is many warnings on stderr when running these
commands, e.g.
==================================================================
CRITICAL **:...go_conf_add_monitor: assertion 'node || key' failed
CRITICAL **:...go_conf_get_node: assertion 'parent || key' failed
WARNING **:...unknown GOConfMonitor id.
==================================================================
2. None of the binaries, including gnumeric, currently wrap the
environment variable GDK_PIXBUF_MODULE_FILE. This can cause
segfaults if an incompatible GDK_PIXBUF_MODULE_FILE is already set
in the environment (e.g. by plasma5). This could be encountered
running a NixOS pre-19.03 gnumeric binary from a NixOS 18.09 KDE
session.
postgis: cleanup
Another part of https://github.com/NixOS/nixpkgs/pull/38698, though I did clean up even more.
Moving docs to a separate output should save another 30MB.
I did pin poppler to 0.61 just to be sure GDAL doesn't break again next
time poppler changes internal APIs.