head 1.14; access; symbols pkgsrc-2026Q2:1.14.0.8 pkgsrc-2026Q2-base:1.14 pkgsrc-2026Q1:1.14.0.6 pkgsrc-2026Q1-base:1.14 pkgsrc-2025Q4:1.14.0.4 pkgsrc-2025Q4-base:1.14 pkgsrc-2025Q3:1.14.0.2 pkgsrc-2025Q3-base:1.14 pkgsrc-2025Q2:1.12.0.2 pkgsrc-2025Q2-base:1.12 pkgsrc-2025Q1:1.9.0.2 pkgsrc-2025Q1-base:1.9 pkgsrc-2024Q4:1.5.0.2 pkgsrc-2024Q4-base:1.5 pkgsrc-2024Q3:1.2.0.2 pkgsrc-2024Q3-base:1.2; locks; strict; comment @# @; 1.14 date 2025.08.15.12.46.30; author bsiegert; state Exp; branches; next 1.13; commitid sRKuL9IcStzcfP6G; 1.13 date 2025.07.09.07.41.35; author bsiegert; state Exp; branches; next 1.12; commitid 8RjHZo8fDjbkK22G; 1.12 date 2025.06.06.13.45.14; author bsiegert; state Exp; branches 1.12.2.1; next 1.11; commitid mqpCiWuweYlQOPXF; 1.11 date 2025.05.08.18.55.52; author bsiegert; state Exp; branches; next 1.10; commitid eXnAwuKsRXKct8UF; 1.10 date 2025.04.01.17.44.25; author bsiegert; state Exp; branches; next 1.9; commitid 2jMBaIG1RXiqgnPF; 1.9 date 2025.03.07.20.41.31; author bsiegert; state Exp; branches 1.9.2.1; next 1.8; commitid OojHDThJToy03bMF; 1.8 date 2025.02.07.10.17.49; author bsiegert; state Exp; branches; next 1.7; commitid ywNJTsY2ed3luwIF; 1.7 date 2025.01.17.10.33.09; author bsiegert; state Exp; branches; next 1.6; commitid 93PzS0JOzVXmfPFF; 1.6 date 2025.01.02.19.53.12; author bsiegert; state Exp; branches; next 1.5; commitid 90lA2FXY11NYPWDF; 1.5 date 2024.12.04.18.51.39; author bsiegert; state Exp; branches 1.5.2.1; next 1.4; commitid KUxSi1QX7YOlqdAF; 1.4 date 2024.11.08.19.46.59; author bsiegert; state Exp; branches; next 1.3; commitid EhFJF6T8Jrl9zSwF; 1.3 date 2024.10.03.15.41.00; author bsiegert; state Exp; branches; next 1.2; commitid YoOQLIt16iWBmesF; 1.2 date 2024.09.06.18.38.23; author bsiegert; state Exp; branches; next 1.1; commitid DQ8cffPvbY2pdMoF; 1.1 date 2024.08.14.10.04.04; author bsiegert; state Exp; branches; next ; commitid jM4vGefbH1zv6MlF; 1.12.2.1 date 2025.07.09.14.42.51; author maya; state Exp; branches; 
next ; commitid YoYU8b8S0TcP452G; 1.9.2.1 date 2025.04.02.02.19.08; author maya; state Exp; branches; next 1.9.2.2; commitid gTfpYoF2izoZ6qPF; 1.9.2.2 date 2025.05.16.14.05.02; author maya; state Exp; branches; next 1.9.2.3; commitid SvSaMeXMcUvtB8VF; 1.9.2.3 date 2025.06.08.19.00.23; author maya; state Exp; branches; next ; commitid UcnONgAP3auXu7YF; 1.5.2.1 date 2025.01.07.07.54.34; author maya; state Exp; branches; next 1.5.2.2; commitid 09HcvmlyuQFtHwEF; 1.5.2.2 date 2025.02.06.15.33.18; author maya; state Exp; branches; next ; commitid YxXhbO7DqE23hqIF; desc @@ 1.14 log @go: update to 1.23.12 and 1.24.6 (security) These minor releases include 2 security fixes following the security policy: - os/exec: LookPath may return unexpected paths If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned. Thanks to Olivier Mengué for reporting this issue. This is CVE-2025-47906 and Go issue https://go.dev/issue/74466. - database/sql: incorrect results returned from Rows.Scan Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error. We believe this affects most database/sql drivers. Thanks to Spike Curtis from Coder for reporting this issue. This is CVE-2025-47907 and https://go.dev/issue/74831. 
View the release notes for more information: https://go.dev/doc/devel/release#go1.24.6 @ text @$NetBSD: distinfo,v 1.13 2025/07/09 07:41:35 bsiegert Exp $ BLAKE2s (80344887818a2321296ce7fa71cca8ca2520611d.diff) = 80c77c55780bbd3b61f54698a5790169566a5c1c142ea9cf6b3de4ff261375f6 SHA512 (80344887818a2321296ce7fa71cca8ca2520611d.diff) = a72fe9c2bba6191df1fb796fe55cc0fea2eb1809f7a4f148230a8be798e3b6820405e48a92a57da59d8fbe23d7d624b49cef9761852a62b4e81ba9dcaa7deaa6 Size (80344887818a2321296ce7fa71cca8ca2520611d.diff) = 3273 bytes BLAKE2s (go1.23.12.src.tar.gz) = 4e8b5d7ed67ccafb8a5dd50f7e08c038355fa40675ddfee8f15b019618fba1be SHA512 (go1.23.12.src.tar.gz) = c7f2125328da13aa956b58e5238ff4bba6bd94f2e93dac88c1b96c0556c1de3de28c512197a780366806bba92fb4ec03f1ccd14b606b8544b16bb08df106cb50 Size (go1.23.12.src.tar.gz) = 28185486 bytes SHA1 (patch-misc_ios_clangwrap.sh) = 28ea4426336155d6720f7e16b43f0207b47a6dd8 SHA1 (patch-src_cmd_dist_build.go) = cbb9576f832806b0cbef121ea38ba6a54db95bc3 SHA1 (patch-src_crypto_x509_root__bsd.go) = 0b5dead901450967109303f873a2696c65ccac35 SHA1 (patch-src_crypto_x509_root__solaris.go) = d636a1599ede225ac339388fba2b6e253112d461 SHA1 (patch-src_syscall_syscall__solaris.go) = a23052ad13e128578c1c0cf46812f26d2d8ccdd1 SHA1 (patch-src_syscall_zerrors__solaris__amd64.go) = d57d20dd3e19e7e0879fbbf5b1717df82c817d85 SHA1 (patch-src_syscall_zsysnum__solaris__amd64.go) = ec28a0fa37ba9599ec1651c8e9337a2efc48a26b @ 1.13 log @go: update to 1.23.11 and 1.24.5 These minor releases include 1 security fixes following the security policy: cmd/go: unexpected command execution in untrusted VCS repositories Various uses of the Go toolchain in untrusted VCS repositories can result in unexpected code execution. 
When using the Go toolchain in directories fetched using various VCS tools (such as directly cloning Git or Mercurial repositories) can cause the toolchain to execute unexpected commands, if said directory contains multiple VCS configuration metadata (such as a ".hg" directory in a Git repository). This is due to how the Go toolchain attempts to resolve which VCS is being used in order to embed build information in binaries and determine module versions. The toolchain will now abort attempting to resolve which VCS is being used if it detects multiple VCS configuration metadata in a module directory or nested VCS configuration metadata (such as a ".git" directory in a parent directory and a ".hg" directory in a child directory). This will not prevent the toolchain from building modules, but will result in binaries omitting VCS related build information. If this behavior is expected by the user, the old behavior can be re-enabled by setting GODEBUG=allowmultiplevcs=1. This should only be done in trusted repositories. Thanks to RyotaK (https://ryotak.net) of GMO Flatt Security Inc for reporting this issue. This is CVE-2025-4674 and https://go.dev/issue/74380. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.12 2025/06/06 13:45:14 bsiegert Exp $ d6 3 a8 3 BLAKE2s (go1.23.11.src.tar.gz) = 1dcbc120e60fe40f920bb440fbcf914434b085115d0c716cc6b7303267d13a59 SHA512 (go1.23.11.src.tar.gz) = 108b86d384de01617b7c58fba8a2c6446f6d1e8d07b720de2c49854e664c8c2660f6a3700827bf77cb7f018f78c7f3dc4f9c9f3a8fba8ca5e91cadde2df98a95 Size (go1.23.11.src.tar.gz) = 28185977 bytes @ 1.12 log @Update go123 to 1.23.10 and go124 to 1.24.4 (security) These minor releases include 3 security fixes following the security policy: - net/http: sensitive headers not cleared on cross-origin redirect Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information. Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue. 
This is CVE-2025-4673 and Go issue https://go.dev/issue/73816. - os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink. Thanks to Junyoung Park and Dong-uk Kim of KAIST Hacking Lab for discovering this issue. This is CVE-2025-0913 and Go issue https://go.dev/issue/73702. - crypto/x509: usage of ExtKeyUsageAny disables policy validation Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabled policy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon. Thanks to Krzysztof Skrzętnicki (@@Tener) of Teleport for reporting this issue. This is CVE-2025-22874 and Go issue https://go.dev/issue/73612. 
View the release notes for more information: https://go.dev/doc/devel/release#go1.24.4 @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.11 2025/05/08 18:55:52 bsiegert Exp $ d6 3 a8 3 BLAKE2s (go1.23.10.src.tar.gz) = 15ae1f8f571ac69bfb71a67724772d1e0ab0a2e2efb66af17b067e5a22a91e30 SHA512 (go1.23.10.src.tar.gz) = 20639185b05720aa8bb295c54e3eaa7cf56739763544d28ce14a6f0323bf890900d5fad13086032291fbefad4482f1442772875bbdf16a94e2286eb405c8f327 Size (go1.23.10.src.tar.gz) = 28183775 bytes @ 1.12.2.1 log @Pullup ticket #6983 - requested by bsiegert lang/go123: Security fix lang/go124: Security fix Revisions pulled up: - lang/go/version.mk 1.233 - lang/go123/PLIST 1.11 - lang/go123/distinfo 1.13 - lang/go124/PLIST 1.6 - lang/go124/distinfo 1.6 --- Module Name: pkgsrc Committed By: bsiegert Date: Wed Jul 9 07:41:36 UTC 2025 Modified Files: pkgsrc/lang/go: version.mk pkgsrc/lang/go123: PLIST distinfo pkgsrc/lang/go124: PLIST distinfo Log Message: go: update to 1.23.11 and 1.24.5 These minor releases include 1 security fixes following the security policy: cmd/go: unexpected command execution in untrusted VCS repositories Various uses of the Go toolchain in untrusted VCS repositories can result in unexpected code execution. When using the Go toolchain in directories fetched using various VCS tools (such as directly cloning Git or Mercurial repositories) can cause the toolchain to execute unexpected commands, if said directory contains multiple VCS configuration metadata (such as a ".hg" directory in a Git repository). This is due to how the Go toolchain attempts to resolve which VCS is being used in order to embed build information in binaries and determine module versions. The toolchain will now abort attempting to resolve which VCS is being used if it detects multiple VCS configuration metadata in a module directory or nested VCS configuration metadata (such as a ".git" directory in a parent directory and a ".hg" directory in a child directory). 
This will not prevent the toolchain from building modules, but will result in binaries omitting VCS related build information. If this behavior is expected by the user, the old behavior can be re-enabled by setting GODEBUG=allowmultiplevcs=1. This should only be done in trusted repositories. Thanks to RyotaK (https://ryotak.net) of GMO Flatt Security Inc for reporting this issue. This is CVE-2025-4674 and https://go.dev/issue/74380. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.12 2025/06/06 13:45:14 bsiegert Exp $ d6 3 a8 3 BLAKE2s (go1.23.11.src.tar.gz) = 1dcbc120e60fe40f920bb440fbcf914434b085115d0c716cc6b7303267d13a59 SHA512 (go1.23.11.src.tar.gz) = 108b86d384de01617b7c58fba8a2c6446f6d1e8d07b720de2c49854e664c8c2660f6a3700827bf77cb7f018f78c7f3dc4f9c9f3a8fba8ca5e91cadde2df98a95 Size (go1.23.11.src.tar.gz) = 28185977 bytes @ 1.11 log @go: update go123 to 1.23.9 and go124 to 1.24.3. The Go 1.24.3 minor release includes 1 security fix following the security policy: - os: Root permits access to parent directory It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent. Root now correctly returns an error in this case. This is CVE-2025-22873 and Go issue https://go.dev/issue/73555. Thanks to Dan Sebastian Thrane of SDU eScience Center for reporting this issue. This security fix only applies to Go 1.24.x releases. Go 1.23.x releases are not affected by this. go1.23.9 (released 2025-05-06) includes fixes to the runtime and the linker. 
@ text @d1 1 a1 1 $NetBSD: distinfo,v 1.10 2025/04/01 17:44:25 bsiegert Exp $ d6 3 a8 3 BLAKE2s (go1.23.9.src.tar.gz) = 0baa261abe5d019650942e21285b18b0332781baa139e0ed417ea58981701049 SHA512 (go1.23.9.src.tar.gz) = 0f80680caabbf50a4f55555d0515530c55e297f38bf193a9da531e640f069719e3c7a5670b72f7629fada8162f978305ae1e4e6398369b8021cfe6dc9157254a Size (go1.23.9.src.tar.gz) = 28182928 bytes @ 1.10 log @Update go123 to 1.23.8 and go124 to 1.24.2 These minor releases include 1 security fixes following the security policy: - net/http: request smuggling through invalid chunked data The net/http package accepted data in the chunked transfer encoding containing an invalid chunk-size line terminated by a bare LF. When used in conjunction with a server or proxy which incorrectly interprets a bare LF in a chunk extension as part of the extension, this could permit request smuggling. The net/http package now rejects chunk-size lines containing a bare LF. Thanks to Jeppe Bonde Weikop for reporting this issue. This is CVE-2025-22871 and Go issue https://go.dev/issue/71988. View the release notes for more information. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.9 2025/03/07 20:41:31 bsiegert Exp $ d6 3 a8 3 BLAKE2s (go1.23.8.src.tar.gz) = 2cef7c1512b3878d657a9316990a39cfd6ce1922bde0e656dbb12e007ccf56ed SHA512 (go1.23.8.src.tar.gz) = 8e352a01484c168894026080ee4501180e327d734fb3d892ab17daac193964fcd5fd90033c9cf86d6ffe8b7e4da64bda83ba4501a6c05919bcefbe9e2467c771 Size (go1.23.8.src.tar.gz) = 28182772 bytes @ 1.9 log @go123: update to 1.23.7 (security) go1.23.7 (released 2025-03-04) includes security fixes to the net/http package, as well as bug fixes to cgo, the compiler, and the reflect, runtime, and syscall packages. See the Go 1.23.7 milestone on our issue tracker for details. 
@ text @d1 1 a1 1 $NetBSD: distinfo,v 1.8 2025/02/07 10:17:49 bsiegert Exp $ d6 3 a8 3 BLAKE2s (go1.23.7.src.tar.gz) = fda562713c406d6f38739ee994d79f345315dbf4bd1042b1dfb463f18a562d55 SHA512 (go1.23.7.src.tar.gz) = 79192b760ab6fcc9512fd879a9484a3566fdeec5eace36c54b728cd9cb033e7ac68065a42fc657b351a106d684b79fdbefbf682cf63209c0191e7e7c8c0a0147 Size (go1.23.7.src.tar.gz) = 28181215 bytes @ 1.9.2.1 log @Pullup ticket #6952 - requested by bsiegert lang/go123: Security fix lang/go124: Security fix Revisions pulled up: - lang/go/version.mk 1.229 - lang/go123/PLIST 1.8 - lang/go123/distinfo 1.10 - lang/go124/PLIST 1.3 - lang/go124/distinfo 1.3 --- Module Name: pkgsrc Committed By: bsiegert Date: Tue Apr 1 17:44:25 UTC 2025 Modified Files: pkgsrc/lang/go: version.mk pkgsrc/lang/go123: PLIST distinfo pkgsrc/lang/go124: PLIST distinfo Log Message: Update go123 to 1.23.8 and go124 to 1.24.2 These minor releases include 1 security fixes following the security policy: - net/http: request smuggling through invalid chunked data The net/http package accepted data in the chunked transfer encoding containing an invalid chunk-size line terminated by a bare LF. When used in conjunction with a server or proxy which incorrectly interprets a bare LF in a chunk extension as part of the extension, this could permit request smuggling. The net/http package now rejects chunk-size lines containing a bare LF. Thanks to Jeppe Bonde Weikop for reporting this issue. This is CVE-2025-22871 and Go issue https://go.dev/issue/71988. View the release notes for more information. 
@ text @d1 1 a1 1 $NetBSD: distinfo,v 1.9 2025/03/07 20:41:31 bsiegert Exp $ d6 3 a8 3 BLAKE2s (go1.23.8.src.tar.gz) = 2cef7c1512b3878d657a9316990a39cfd6ce1922bde0e656dbb12e007ccf56ed SHA512 (go1.23.8.src.tar.gz) = 8e352a01484c168894026080ee4501180e327d734fb3d892ab17daac193964fcd5fd90033c9cf86d6ffe8b7e4da64bda83ba4501a6c05919bcefbe9e2467c771 Size (go1.23.8.src.tar.gz) = 28182772 bytes @ 1.9.2.2 log @Pullup ticket #6963 - requested by bsiegert lang/go124: Security fix lang/go123: Not a security fix, but doesn't hurt Revisions pulled up: - lang/go/version.mk 1.231 - lang/go123/PLIST 1.9 - lang/go123/distinfo 1.11 - lang/go124/PLIST 1.4 - lang/go124/distinfo 1.4 --- Module Name: pkgsrc Committed By: bsiegert Date: Thu May 8 18:55:53 UTC 2025 Modified Files: pkgsrc/lang/go: version.mk pkgsrc/lang/go123: PLIST distinfo pkgsrc/lang/go124: PLIST distinfo Log Message: go: update go123 to 1.23.9 and go124 to 1.24.3. The Go 1.24.3 minor release includes 1 security fix following the security policy: - os: Root permits access to parent directory It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent. Root now correctly returns an error in this case. This is CVE-2025-22873 and Go issue https://go.dev/issue/73555. Thanks to Dan Sebastian Thrane of SDU eScience Center for reporting this issue. This security fix only applies to Go 1.24.x releases. Go 1.23.x releases are not affected by this. go1.23.9 (released 2025-05-06) includes fixes to the runtime and the linker. 
@ text @d1 1 a1 1 $NetBSD: distinfo,v 1.9.2.1 2025/04/02 02:19:08 maya Exp $ d6 3 a8 3 BLAKE2s (go1.23.9.src.tar.gz) = 0baa261abe5d019650942e21285b18b0332781baa139e0ed417ea58981701049 SHA512 (go1.23.9.src.tar.gz) = 0f80680caabbf50a4f55555d0515530c55e297f38bf193a9da531e640f069719e3c7a5670b72f7629fada8162f978305ae1e4e6398369b8021cfe6dc9157254a Size (go1.23.9.src.tar.gz) = 28182928 bytes @ 1.9.2.3 log @Pullup ticket #6971 - requested by bsiegert lang/go123: Security fix lang/go124: Security fix Revisions pulled up: - lang/go/version.mk 1.232 - lang/go123/PLIST 1.10 - lang/go123/distinfo 1.12 - lang/go124/PLIST 1.5 - lang/go124/distinfo 1.5 --- Module Name: pkgsrc Committed By: bsiegert Date: Fri Jun 6 13:45:15 UTC 2025 Modified Files: pkgsrc/lang/go: version.mk pkgsrc/lang/go123: PLIST distinfo pkgsrc/lang/go124: PLIST distinfo Log Message: Update go123 to 1.23.10 and go124 to 1.24.4 (security) These minor releases include 3 security fixes following the security policy: - net/http: sensitive headers not cleared on cross-origin redirect Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information. Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue. This is CVE-2025-4673 and Go issue https://go.dev/issue/73816. - os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink. Thanks to Junyoung Park and Dong-uk Kim of KAIST Hacking Lab for discovering this issue. 
This is CVE-2025-0913 and Go issue https://go.dev/issue/73702. - crypto/x509: usage of ExtKeyUsageAny disables policy validation Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabled policy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon. Thanks to Krzysztof Skrzętnicki (@@Tener) of Teleport for reporting this issue. This is CVE-2025-22874 and Go issue https://go.dev/issue/73612. View the release notes for more information: https://go.dev/doc/devel/release#go1.24.4 @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.9.2.2 2025/05/16 14:05:02 maya Exp $ d6 3 a8 3 BLAKE2s (go1.23.10.src.tar.gz) = 15ae1f8f571ac69bfb71a67724772d1e0ab0a2e2efb66af17b067e5a22a91e30 SHA512 (go1.23.10.src.tar.gz) = 20639185b05720aa8bb295c54e3eaa7cf56739763544d28ce14a6f0323bf890900d5fad13086032291fbefad4482f1442772875bbdf16a94e2286eb405c8f327 Size (go1.23.10.src.tar.gz) = 28183775 bytes @ 1.8 log @Update go122 to 1.22.12 and go123 to 1.23.6. This is a security update but it only applies on the ppc64le platform. These minor releases include 1 security fix following the security policy: - crypto/elliptic: timing sidechannel for P-256 on ppc64le Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols. This is CVE-2025-22866 and Go issue https://go.dev/issue/71383. 
@ text @d1 1 a1 1 $NetBSD: distinfo,v 1.7 2025/01/17 10:33:09 bsiegert Exp $ d6 3 a8 3 BLAKE2s (go1.23.6.src.tar.gz) = 39540123071b012aca1326c326453ead7a2ac8d67e6e696ec9e10bd6ca719113 SHA512 (go1.23.6.src.tar.gz) = c504476d42cdbcd1b6afe53c0974e82c19eb0efac974bc06d41c1641440676891cfe6416455a0cfc81fe82902a9b82ea0a1d95089c676667d05487e45f5e04e3 Size (go1.23.6.src.tar.gz) = 28179132 bytes @ 1.7 log @Update go122 to 1.22.11 and go123 to 1.23.5. These minor releases include 2 security fixes following the security policy: - crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs. Thanks to Juho Forsén of Mattermost for reporting this issue. This is CVE-2024-45341 and Go issue https://go.dev/issue/71156. - net/http: sensitive headers incorrectly sent after cross-domain redirect The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2. Thanks to Kyle Seely for reporting this issue. This is CVE-2024-45336 and Go issue https://go.dev/issue/70530. 
@ text @d1 1 a1 1 $NetBSD: distinfo,v 1.6 2025/01/02 19:53:12 bsiegert Exp $ d6 3 a8 3 BLAKE2s (go1.23.5.src.tar.gz) = 3adb2f7d2ff3bddc8566f6b55102d51e72f12c2c2ea74fb9efcf3691c6482f81 SHA512 (go1.23.5.src.tar.gz) = b04317afeab2d0ced7c36b8682dd32ac085d95d874cf3f614daa34859d7f7f2b75138132e7a64e237c6b4d711d5b03a4d20533f92a44840915630f4ea7cfafa2 Size (go1.23.5.src.tar.gz) = 28179014 bytes @ 1.6 log @go123: stop requiring /proc on NetBSD This adds a patch (taken from Go 1.24 development) to use a sysctl instead of /proc to find the path of the executable, and thus the files for the standard library. Earlier versions of Go (including 1.22) had the directory where the standard library is installed baked in to the binaries as GOROOT_FINAL. In the interest of portability, this is now determined at runtime. In NetBSD, this used to use /proc/self/exe, however many build sandboxes do not have /proc mounted. With this change, /proc is no longer required for building Go code. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.5 2024/12/04 18:51:39 bsiegert Exp $ d6 3 a8 3 BLAKE2s (go1.23.4.src.tar.gz) = 23d99679a436a8dc39cf40ce3e6a4610e018037bea4ccc3ed8230f702117b7e5 SHA512 (go1.23.4.src.tar.gz) = 5d1cce76b2cbdf628f86a1a8185a07f362becee053cb4270281520e77b36e3908faeaf5b2a6266e61dec9866dc1f3791f77e8dc1bf5f8beaf858c138d0e18c22 Size (go1.23.4.src.tar.gz) = 28177188 bytes @ 1.5 log @Update Go to 1.22.10, 1.23.4 go1.23.4 (released 2024-12-03) includes fixes to the compiler, the runtime, the trace command, and the syscall package. See the Go 1.23.4 milestone on our issue tracker for details. go1.22.10 (released 2024-12-03) includes fixes to the runtime and the syscall package. See the Go 1.22.10 milestone on our issue tracker for details. 
@ text @d1 1 a1 1 $NetBSD: distinfo,v 1.4 2024/11/08 19:46:59 bsiegert Exp $ d3 3 @ 1.5.2.1 log @Pullup ticket #6924 - requested by bsiegert lang/go123: build fix Revisions pulled up: - lang/go123/Makefile 1.6 - lang/go123/PLIST 1.5 - lang/go123/distinfo 1.6 --- Module Name: pkgsrc Committed By: bsiegert Date: Thu Jan 2 19:53:12 UTC 2025 Modified Files: pkgsrc/lang/go123: Makefile PLIST distinfo Log Message: go123: stop requiring /proc on NetBSD This adds a patch (taken from Go 1.24 development) to use a sysctl instead of /proc to find the path of the executable, and thus the files for the standard library. Earlier versions of Go (including 1.22) had the directory where the standard library is installed baked in to the binaries as GOROOT_FINAL. In the interest of portability, this is now determined at runtime. In NetBSD, this used to use /proc/self/exe, however many build sandboxes do not have /proc mounted. With this change, /proc is no longer required for building Go code. @ text @d1 1 a1 1 $NetBSD$ a2 3 BLAKE2s (80344887818a2321296ce7fa71cca8ca2520611d.diff) = 80c77c55780bbd3b61f54698a5790169566a5c1c142ea9cf6b3de4ff261375f6 SHA512 (80344887818a2321296ce7fa71cca8ca2520611d.diff) = a72fe9c2bba6191df1fb796fe55cc0fea2eb1809f7a4f148230a8be798e3b6820405e48a92a57da59d8fbe23d7d624b49cef9761852a62b4e81ba9dcaa7deaa6 Size (80344887818a2321296ce7fa71cca8ca2520611d.diff) = 3273 bytes @ 1.5.2.2 log @Pullup ticket #6939 - requested by bsiegert lang/go122: Security fix lang/go123: Security fix Revisions pulled up: - lang/go/version.mk 1.221 - lang/go122/distinfo 1.14 - lang/go123/PLIST 1.6 - lang/go123/distinfo 1.7 --- Module Name: pkgsrc Committed By: bsiegert Date: Fri Jan 17 10:33:09 UTC 2025 Modified Files: pkgsrc/lang/go: version.mk pkgsrc/lang/go122: distinfo pkgsrc/lang/go123: PLIST distinfo Log Message: Update go122 to 1.22.11 and go123 to 1.23.5. 
These minor releases include 2 security fixes following the security policy: - crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs. Thanks to Juho Forsén of Mattermost for reporting this issue. This is CVE-2024-45341 and Go issue https://go.dev/issue/71156. - net/http: sensitive headers incorrectly sent after cross-domain redirect The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2. Thanks to Kyle Seely for reporting this issue. This is CVE-2024-45336 and Go issue https://go.dev/issue/70530. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.5.2.1 2025/01/07 07:54:34 maya Exp $ d6 3 a8 3 BLAKE2s (go1.23.5.src.tar.gz) = 3adb2f7d2ff3bddc8566f6b55102d51e72f12c2c2ea74fb9efcf3691c6482f81 SHA512 (go1.23.5.src.tar.gz) = b04317afeab2d0ced7c36b8682dd32ac085d95d874cf3f614daa34859d7f7f2b75138132e7a64e237c6b4d711d5b03a4d20533f92a44840915630f4ea7cfafa2 Size (go1.23.5.src.tar.gz) = 28179014 bytes @ 1.4 log @go: update to 1.22.9 and 1.23.2. go1.23.3 (released 2024-11-06) includes fixes to the linker, the runtime, and the net/http, os, and syscall packages. See the Go 1.23.3 milestone on our issue tracker for details. go1.22.9 (released 2024-11-06) includes fixes to the linker. See the Go 1.22.9 milestone on our issue tracker for details. 
@ text @d1 1 a1 1 $NetBSD: distinfo,v 1.3 2024/10/03 15:41:00 bsiegert Exp $ d3 3 a5 3 BLAKE2s (go1.23.3.src.tar.gz) = 56ea6af002e13df6e497fba835f78883189f7f508beb86d5be0b7e1cca805a0b SHA512 (go1.23.3.src.tar.gz) = b9b0d36aa1c42f45434b839037f95201f20a1ac8e1c4a1ee4a646f49c85273038854540d36fca0ea3a9edc314431b410717331397d20a8d20c4bead78c060bbb Size (go1.23.3.src.tar.gz) = 28173788 bytes @ 1.3 log @go: update go123 to 1.23.2 and go122 to 1.22.8. go1.23.2 (released 2024-10-01) includes fixes to the compiler, cgo, the runtime, and the maps, os, os/exec, time, and unique packages. See the Go 1.23.2 milestone on our issue tracker for details. go1.22.8 (released 2024-10-01) includes fixes to cgo, and the maps and syscall packages. See the Go 1.22.8 milestone on our issue tracker for details. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.2 2024/09/06 18:38:23 bsiegert Exp $ d3 3 a5 3 BLAKE2s (go1.23.2.src.tar.gz) = 2fbc7a11508dca251080286b90a57cb3a6199a6fc82830d9264ce6fc92fea7bd SHA512 (go1.23.2.src.tar.gz) = e4f9d17ed7888b89b6a72966f8681bbacb5b8bebb7959e530dc058d2fa94012d45067d1884eccd352a0fc8279e6814a932260a46140b65593679d28598bf4d5c Size (go1.23.2.src.tar.gz) = 28171276 bytes @ 1.2 log @go123: update to 1.23.1 This minor release includes 3 security fixes following the security policy: go/parser: stack exhaustion in all Parse* functions Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion. This is CVE-2024-34155 and Go issue https://go.dev/issue/69138. encoding/gob: stack exhaustion in Decoder.Decode Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. Thanks to Md Sakib Anwar of The Ohio State University (anwar.40@@osu.edu) for reporting this issue. This is CVE-2024-34156 and Go issue https://go.dev/issue/69139. 
go/build/constraint: stack exhaustion in Parse Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion. This is CVE-2024-34158 and Go issue https://go.dev/issue/69141. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.1 2024/08/14 10:04:04 bsiegert Exp $ d3 3 a5 3 BLAKE2s (go1.23.1.src.tar.gz) = d74ba1ae026f98c49013b56ad5dd596cbae0713568100eec0de80f28938741d6 SHA512 (go1.23.1.src.tar.gz) = c1db053bab03c33b4ec4cbef6c8dfae279542cde433fdb787b564ccf797bb9ac6d191aae3152a860a9539956502f31003f746e924287040849afce5ccaaf0988 Size (go1.23.1.src.tar.gz) = 28164249 bytes @ 1.1 log @go123: add Go version 1.23.0. Not the default yet. The latest Go release, version 1.23, arrives six months after Go 1.22. Most of its changes are in the implementation of the toolchain, runtime, and libraries. As always, the release maintains the Go 1 promise of compatibility. We expect almost all Go programs to continue to compile and run as before. Go 1.23 makes the (Go 1.22) “range-over-func” experiment a part of the language. Starting in Go 1.23, the Go toolchain can collect usage and breakage statistics that help the Go team understand how the Go toolchain is used and how well it is working. We refer to these statistics as Go telemetry. Go telemetry is an opt-in system, controlled by the go telemetry command. By default, the toolchain programs collect statistics in counter files that can be inspected locally but are otherwise unused (go telemetry local). Setting the GOROOT_FINAL environment variable no longer has an effect. Distributions that install the go command to a location other than $GOROOT/bin/go should install a symlink instead of relocating or copying the go binary. 
@ text @d1 1 a1 1 $NetBSD: distinfo,v 1.7 2024/06/13 12:55:15 bsiegert Exp $ d3 3 a5 3 BLAKE2s (go1.23.0.src.tar.gz) = 06bd9978a1ed13efe9dd50ee5a4848af7477576e1a2d8469afd9936735ec6daa SHA512 (go1.23.0.src.tar.gz) = 5822124ca570662ac8dcec32a79196520ce355fe421d83372f8b8a97b3811de0739edcd7080a23f845cf700a6a26f3af6c93278f6ce485b93120afdd4f6c4f47 Size (go1.23.0.src.tar.gz) = 28163301 bytes @
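Review bot: the subject line of the revision 1.4 log says "update to 1.22.9 and 1.23.2", but the delta stored with that revision carries the BLAKE2s, SHA512 and Size entries for go1.23.3.src.tar.gz, and the body of the same log describes go1.23.3. The subject should name 1.23.3 so that anyone auditing which revision introduced which distfile checksum can match the log to the recorded hashes; revision 1.3 is the one that records go1.23.2.src.tar.gz.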