head 1.14; access; symbols pkgsrc-2026Q2:1.14.0.4 pkgsrc-2026Q2-base:1.14 pkgsrc-2026Q1:1.14.0.2 pkgsrc-2026Q1-base:1.14 pkgsrc-2025Q4:1.12.0.2 pkgsrc-2025Q4-base:1.12 pkgsrc-2025Q3:1.8.0.2 pkgsrc-2025Q3-base:1.8 pkgsrc-2025Q2:1.5.0.2 pkgsrc-2025Q2-base:1.5 pkgsrc-2025Q1:1.2.0.2 pkgsrc-2025Q1-base:1.2; locks; strict; comment @# @; 1.14 date 2026.02.06.20.23.00; author bsiegert; state Exp; branches; next 1.13; commitid WBmpyX6EqcG29mtG; 1.13 date 2026.01.15.19.46.57; author bsiegert; state Exp; branches; next 1.12; commitid UMHWQmm5nrRvEwqG; 1.12 date 2025.12.02.19.24.16; author bsiegert; state Exp; branches; next 1.11; commitid vqCaTBTHJZmqWRkG; 1.11 date 2025.11.08.02.26.15; author bsiegert; state Exp; branches; next 1.10; commitid J2seTpqCIN315HhG; 1.10 date 2025.10.16.17.58.17; author bsiegert; state Exp; branches; next 1.9; commitid o1SYgNzaHDbBYOeG; 1.9 date 2025.10.07.20.26.56; author bsiegert; state Exp; branches; next 1.8; commitid 88Eqflmpv70w5GdG; 1.8 date 2025.09.06.12.54.33; author bsiegert; state Exp; branches 1.8.2.1; next 1.7; commitid PC15qUBIp407AE9G; 1.7 date 2025.08.15.12.46.30; author bsiegert; state Exp; branches; next 1.6; commitid sRKuL9IcStzcfP6G; 1.6 date 2025.07.09.07.41.36; author bsiegert; state Exp; branches; next 1.5; commitid 8RjHZo8fDjbkK22G; 1.5 date 2025.06.06.13.45.14; author bsiegert; state Exp; branches 1.5.2.1; next 1.4; commitid mqpCiWuweYlQOPXF; 1.4 date 2025.05.08.18.55.52; author bsiegert; state Exp; branches; next 1.3; commitid eXnAwuKsRXKct8UF; 1.3 date 2025.04.01.17.44.25; author bsiegert; state Exp; branches; next 1.2; commitid 2jMBaIG1RXiqgnPF; 1.2 date 2025.03.07.16.30.08; author bsiegert; state Exp; branches 1.2.2.1; next 1.1; commitid arbRqCXceAOLE9MF; 1.1 date 2025.02.25.20.09.17; author bsiegert; state Exp; branches; next ; commitid MsvIGULSr5qSbTKF; 1.8.2.1 date 2025.10.15.17.14.57; author maya; state Exp; branches; next ; commitid RAHhZcbqLIQILGeG; 1.5.2.1 date 2025.07.09.14.42.51; author maya; state Exp; 
branches; next ; commitid YoYU8b8S0TcP452G; 1.2.2.1 date 2025.04.02.02.19.08; author maya; state Exp; branches; next 1.2.2.2; commitid gTfpYoF2izoZ6qPF; 1.2.2.2 date 2025.05.16.14.05.02; author maya; state Exp; branches; next 1.2.2.3; commitid SvSaMeXMcUvtB8VF; 1.2.2.3 date 2025.06.08.19.00.23; author maya; state Exp; branches; next ; commitid UcnONgAP3auXu7YF; desc @@ 1.14 log @go: update to 1.25.7 and 1.24.13 These releases include 2 security fixes following the security policy: - cmd/cgo: remove user-content from doc strings in cgo ASTs A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary. To prevent this behavior, the cgo compiler will no longer parse user-provided doc comments. Thank you to RyotaK (https://ryotak.net) of GMO Flatt Security Inc. for reporting this issue. This is CVE-2025-61732 and https://go.dev/issue/76697. - crypto/tls: unexpected session resumption when using Config.GetConfigForClient Config.GetConfigForClient is documented to use the original Config's session ticket keys unless explicitly overridden. This can cause unexpected behavior if the returned Config modifies authentication parameters, like ClientCAs: a connection initially established with the parent (or a sibling) Config can be resumed, bypassing the modified authentication requirements. If ClientAuth is VerifyClientCertIfGiven or RequireAndVerifyClientCert (on the server) or InsecureSkipVerify is false (on the client), crypto/tls now checks that the root of the previously-verified chain is still in ClientCAs/RootCAs when resuming a connection. Go 1.26 Release Candidate 2, Go 1.25.6, and Go 1.24.12 had fixed a similar issue related to session ticket keys being implicitly shared by Config.Clone. Since this fix is broader, the Config.Clone behavior change has been reverted. Note that VerifyPeerCertificate still behaves as documented: it does not apply to resumed connections. 
Applications that use Config.GetConfigForClient or Config.Clone and do not wish to blindly resume connections established with the original Config must use VerifyConnection instead (or SetSessionTicketKeys or SessionTicketsDisabled). Thanks to Coia Prant (github.com/rbqvq) for reporting this issue. This updates CVE-2025-68121 and Go issue https://go.dev/issue/77217. @ text @$NetBSD: distinfo,v 1.13 2026/01/15 19:46:57 bsiegert Exp $ BLAKE2s (go1.24.13.src.tar.gz) = 7ab5e8245a94a9e216a5931272d6f2da7af54f141805b2428da8ed0ed12acb31 SHA512 (go1.24.13.src.tar.gz) = 049de4ea4be669853b2c567f1d93a4e0607815ebb57c2ca0c4802134a3613ef489b77434c83ab01e2a257b3eb4ee651b167b98ffb84d38b957d62ae933ebb243 Size (go1.24.13.src.tar.gz) = 30802752 bytes SHA1 (patch-misc_ios_clangwrap.sh) = 28ea4426336155d6720f7e16b43f0207b47a6dd8 SHA1 (patch-src_cmd_dist_build.go) = cbb9576f832806b0cbef121ea38ba6a54db95bc3 SHA1 (patch-src_crypto_x509_root__bsd.go) = 0b5dead901450967109303f873a2696c65ccac35 SHA1 (patch-src_crypto_x509_root__solaris.go) = d636a1599ede225ac339388fba2b6e253112d461 SHA1 (patch-src_syscall_syscall__solaris.go) = a23052ad13e128578c1c0cf46812f26d2d8ccdd1 SHA1 (patch-src_syscall_zerrors__solaris__amd64.go) = d57d20dd3e19e7e0879fbbf5b1717df82c817d85 SHA1 (patch-src_syscall_zsysnum__solaris__amd64.go) = ec28a0fa37ba9599ec1651c8e9337a2efc48a26b @ 1.13 log @go: update to 1.24.12, 1.25.6 (security) These releases include 6 security fixes following the security policy: - archive/zip: denial of service when parsing arbitrary ZIP archives archive/zip used a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive. Thanks to Thanks to Jakub Ciolek for reporting this issue. This is CVE-2025-61728 and Go issue https://go.dev/issue/77102. 
- net/http: memory exhaustion in Request.ParseForm When parsing a URL-encoded form net/http may allocate an unexpected amount of memory when provided a large number of key-value pairs. This can result in a denial of service due to memory exhaustion. Thanks to jub0bs for reporting this issue. This is CVE-2025-61726 and Go issue https://go.dev/issue/77101. - crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain The Config.Clone methods allows cloning a Config which has already been passed to a TLS function, allowing it to be mutated and reused. If Config.SessionTicketKey has not been set, and Config.SetSessionTicketKeys has not been called, crypto/tls will generate random session ticket keys and automatically rotate them. Config.Clone would copy these automatically generated keys into the returned Config, meaning that the two Configs would share session ticket keys, allowing sessions created using one Config could be used to resume sessions with the other Config. This can allow clients to resume sessions even though the Config may be configured such that they should not be able to do so. Config.Clone no longer copies the automatically generated session ticket keys. Config.Clone still copies keys which are explicitly provided, either by setting Config.SessionTicketKey or by calling Config.SetSessionTicketKeys. This issue was discoverd by the Go Security team while investigating another issue reported by Coia Prant (github.com/rbqvq). Additionally, on the server side only the expiration of the leaf certificate, if one was provided during the initial handshake, was checked when considering if a session could be resumed. This allowed sessions to be resumed if an intermediate or root certificate in the chain had expired. Session resumption now takes into account of the full chain when determining if the session can be resumed. 
Thanks to Coia Prant (github.com/rbqvq) for reporting this issue. This is CVE-2025-68121 and Go issue https://go.dev/issue/77113. - cmd/go: bypass of flag sanitization can lead to arbitrary code execution Usage of 'CgoPkgConfig' allowed execution of the pkg-config binary with flags that are not explicitly safe-listed. To prevent this behavior, compiler flags resulting from usage of 'CgoPkgConfig' are sanitized prior to invoking pkg-config. Thank you to RyotaK (https://ryotak.net) of GMO Flatt Security Inc. for reporting this issue. This is CVE-2025-61731 and go.dev/issue/77100. - cmd/go: unexpected code execution when invoking toolchain The Go toolchain supports multiple VCS which are used retrieving modules and embedding build information into binaries. On systems with Mercurial installed (hg) downloading modules (e.g. via go get or go mod download) from non-standard sources (e.g. custom domains) can cause unexpected code execution due to how external VCS commands are constructed. On systems with Git installed, downloading and building modules with malicious version strings could allow an attacker to write to arbitrary files on the system the user has access to. This can only be triggered by explicitly providing the malicious version strings to the toolchain, and does not affect usage of @@latest or bare module paths. The toolchain now uses safer VCS options to prevent misinterpretation of untrusted inputs. In addition, the toolchain now disallows module version strings prefixed with a "-" or "/" character. Thanks to splitline (@@splitline) from DEVCORE Research Team for reporting this issue. This is CVE-2025-68119 and Go issue https://go.dev/issue/77099. 
- crypto/tls: handshake messages may be processed at the incorrect encryption level During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake. Thanks to Coia Prant (github.com/rbqvq) for reporting this issue. This is CVE-2025-61730 and Go issue https://go.dev/issue/76443 @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.12 2025/12/02 19:24:16 bsiegert Exp $ d3 3 a5 3 BLAKE2s (go1.24.12.src.tar.gz) = 47f24c01adfcb6d7472c86d2b62755ed150d50fb9ac32e5f6650d66526b50152 SHA512 (go1.24.12.src.tar.gz) = 2de51c56f7ca04003b16d0fecc4cb35a3c5a42bd54f4da1f1e49d45b702d7a872057756d389f2283b4f7283fb33f0618465e231a6333b7cb6cfff98f67b2454e Size (go1.24.12.src.tar.gz) = 30803950 bytes @ 1.12 log @go: update to 1.24.11 and 1.25.5 (security) These releases include 2 security fixes following the security policy: - crypto/x509: excessive resource consumption in printing error string for host certificate validation Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption. HostnameError.Error() now limits the number of hosts and utilizes strings.Builder when constructing an error string. Thanks to Philippe Antoine (Catena cyber) for reporting this issue. This is CVE-2025-61729 and Go issue https://go.dev/issue/76445. 
- crypto/x509: excluded subdomain constraint does not restrict wildcard SANs An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com. This is CVE-2025-61727 and Go issue https://go.dev/issue/76442. View the release notes for more information: https://go.dev/doc/devel/release#go1.25.5 @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.11 2025/11/08 02:26:15 bsiegert Exp $ d3 3 a5 3 BLAKE2s (go1.24.11.src.tar.gz) = 41d1c9d42d5021a4cc84d55991789f59dfe015273e96d273c7903e8127adf9ef SHA512 (go1.24.11.src.tar.gz) = 9344039d231e50b63f52acbdd6cf2f483a4052d95b5fcc3e8a6d8fde80f0195f66ac5588302809ff0425de4d7c6b428ae842ec33b468c7020873acedbdea16ef Size (go1.24.11.src.tar.gz) = 30801851 bytes @ 1.11 log @go: update to 1.25.4 and 1.24.10 go1.25.4 (released 2025-11-05) includes fixes to the compiler, the runtime, and the crypto/subtle, encoding/pem, net/url, and os packages. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.10 2025/10/16 17:58:17 bsiegert Exp $ d3 3 a5 3 BLAKE2s (go1.24.10.src.tar.gz) = 3f7981d0dd364df8e65cdb72c75fd1b8fc045cb308061a8cde0084f6b038b9b9 SHA512 (go1.24.10.src.tar.gz) = 4fa49b8948ecc9dfe8b18e098f0fef4226eeb59ea0bfd266e0bf207bfd06a51e2c4bbf8aa98482e1cdc4c892defa4de2afcbcd289cb5872dc9c62cd355fbcfbe Size (go1.24.10.src.tar.gz) = 30800718 bytes @ 1.10 log @go: update to 1.25.3 and 1.24.9 This release addresses breakage caused by a security patch included in Go 1.25.2 and 1.24.8, which enforced overly restrictive validation on the parsing of X.509 certificates. We've removed those restrictions while maintaining the security fix that the initial release addressed. We apologize for any issues this may have caused. 
@ text @d1 1 a1 1 $NetBSD: distinfo,v 1.9 2025/10/07 20:26:56 bsiegert Exp $ d3 3 a5 3 BLAKE2s (go1.24.9.src.tar.gz) = 59e4d7319527874a9d2c46c6f7d385492c34a1715c03020f11476d53688e68cd SHA512 (go1.24.9.src.tar.gz) = f553a6bdafa9e59d33756c99f6180dcb7e51762733f300488cdab1d42b918e0fff87fa42d714a6b667e039dd22e1ea14ef5f6e3eb1c9c215ff620d559a5c091a Size (go1.24.9.src.tar.gz) = 30800154 bytes @ 1.9 log @go: update to 1.24.8 and 1.25.2 (security) These minor releases include 10 security fixes following the security policy: - net/mail: excessive CPU consumption in ParseAddress The ParseAddress function constructed domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this could cause excessive CPU consumption. Thanks to Philippe Antoine (Catena cyber) for reporting this issue. This is CVE-2025-61725 and Go issue https://go.dev/issue/75680. - crypto/x509: quadratic complexity when checking name constraints Due to the design of the name constraint checking algorithm, the processing time of some inputs scales non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains. Thanks to Jakub Ciolek for reporting this issue. This is CVE-2025-58187 and Go issue https://go.dev/issue/75681. - crypto/tls: ALPN negotiation errors can contain arbitrary text The crypto/tls conn.Handshake method returns an error on the server-side when ALPN negotation fails which can contain arbitrary attacker controlled information provided by the client-side of the connection which is not escaped. This affects programs which log these errors without any additional form of sanitization, and may allow injection of attacker controlled information into logs. Thanks to National Cyber Security Centre Finland for reporting this issue. This is CVE-2025-58189 and Go issue https://go.dev/issue/75652. 
- encoding/pem: quadratic complexity when parsing some invalid inputs Due to the design of the PEM parsing function, the processing time for some inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs. Thanks to Jakub Ciolek for reporting this issue. This is CVE-2025-61723 and Go issue https://go.dev/issue/75676. - net/url: insufficient validation of bracketed IPv6 hostnames The Parse function permitted values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement. Thanks to Enze Wang, Jingcheng Yang and Zehui Miao of Tsinghua University for reporting this issue. This is CVE-2025-47912 and Go issue https://go.dev/issue/75678. - encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion When parsing DER payloads, memories were being allocated prior to fully validating the payloads. This permits an attacker to craft a big empty DER payload to cause memory exhaustion in functions such as asn1.Unmarshal, x509.ParseCertificateRequest, and ocsp.ParseResponse. Thanks to Jakub Ciolek for reporting this issue. This is CVE-2025-58185 and Go issue https://go.dev/issue/75671. - net/http: lack of limit when parsing cookies can cause memory exhaustion Despite HTTP headers having a default limit of 1 MB, the number of cookies that can be parsed did not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption. net/http now limits the number of cookies accepted to 3000, which can be adjusted using the httpcookiemaxnum GODEBUG option. Thanks to jub0bs for reporting this issue. 
This is CVE-2025-58186 and Go issue https://go.dev/issue/75672. - crypto/x509: panic when validating certificates with DSA public keys Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains. Thanks to Jakub Ciolek for reporting this issue. This is CVE-2025-58188 and Go issue https://go.dev/issue/75675. - archive/tar: unbounded allocation when parsing GNU sparse map tar.Reader did not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions could cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input could result in large allocations. Thanks to Harshit Gupta (Mr HAX) for reporting this issue. This is CVE-2025-58183 and Go issue https://go.dev/issue/75677. - net/textproto: excessive CPU consumption in Reader.ReadResponse The Reader.ReadResponse function constructed a response string through repeated string concatenation of lines. When the number of lines in a response is large, this could cause excessive CPU consumption. Thanks to Jakub Ciolek for reporting this issue. This is CVE-2025-61724 and Go issue https://go.dev/issue/75716. 
View the release notes for more information: https://go.dev/doc/devel/release#go1.25.2 @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.8 2025/09/06 12:54:33 bsiegert Exp $ d3 3 a5 3 BLAKE2s (go1.24.8.src.tar.gz) = 0955f60915a81bdb8d4d468d038ad4ebb597355a8b2df5d5737d06dfb41b2f9c SHA512 (go1.24.8.src.tar.gz) = 3233c75223b310d14ccb1846e192d0d4867e8ecc1091c9853bc536f5051cdfb8682ae2f86b5caec77b1f3cbfaf5864c9231fb3a756471ff77d7a904e79bb3f15 Size (go1.24.8.src.tar.gz) = 30797581 bytes @ 1.8 log @go: update to 1.24.7 and 1.25.1 (security) These minor releases include 1 security fixes following the security policy: - net/http: CrossOriginProtection bypass patterns are over-broad When passing patterns to CrossOriginProtection.AddInsecureBypassPattern, requests that would have redirected to those patterns (e.g. without a trailing slash) were also exempted, which might be unexpected. Thanks to Marco Gazerro for reporting this issue. This is CVE-2025-47910 and Go issue https://go.dev/issue/75054. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.7 2025/08/15 12:46:30 bsiegert Exp $ d3 3 a5 3 BLAKE2s (go1.24.7.src.tar.gz) = ce05bb8d4f1c68ad3f35466dd43aacb176c71cab03a355d15b1d3ae9c225851f SHA512 (go1.24.7.src.tar.gz) = 656bb879244ba888af18b6e609fb2c4bc067b919827b9026c3ee44b3e2d0c7bffde262945de989880066196846b669c215da2e8c5d9adfb8491bb5d52af0d49a Size (go1.24.7.src.tar.gz) = 30794506 bytes @ 1.8.2.1 log @Pullup ticket #7009 - requested by bsiegert lang/go: Security fix lang/go124: Security fix lang/go125: Security fix Revisions pulled up: - lang/go/version.mk 1.238 - lang/go124/PLIST 1.7 - lang/go124/distinfo 1.9 - lang/go125/PLIST 1.2 - lang/go125/distinfo 1.3 --- Module Name: pkgsrc Committed By: bsiegert Date: Tue Oct 7 20:26:56 UTC 2025 Modified Files: pkgsrc/lang/go: version.mk pkgsrc/lang/go124: PLIST distinfo pkgsrc/lang/go125: PLIST distinfo Log Message: go: update to 1.24.8 and 1.25.2 (security) These minor releases include 10 security fixes following the security policy: - net/mail: 
excessive CPU consumption in ParseAddress The ParseAddress function constructed domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this could cause excessive CPU consumption. Thanks to Philippe Antoine (Catena cyber) for reporting this issue. This is CVE-2025-61725 and Go issue https://go.dev/issue/75680. - crypto/x509: quadratic complexity when checking name constraints Due to the design of the name constraint checking algorithm, the processing time of some inputs scales non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains. Thanks to Jakub Ciolek for reporting this issue. This is CVE-2025-58187 and Go issue https://go.dev/issue/75681. - crypto/tls: ALPN negotiation errors can contain arbitrary text The crypto/tls conn.Handshake method returns an error on the server-side when ALPN negotation fails which can contain arbitrary attacker controlled information provided by the client-side of the connection which is not escaped. This affects programs which log these errors without any additional form of sanitization, and may allow injection of attacker controlled information into logs. Thanks to National Cyber Security Centre Finland for reporting this issue. This is CVE-2025-58189 and Go issue https://go.dev/issue/75652. - encoding/pem: quadratic complexity when parsing some invalid inputs Due to the design of the PEM parsing function, the processing time for some inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs. Thanks to Jakub Ciolek for reporting this issue. This is CVE-2025-61723 and Go issue https://go.dev/issue/75676. - net/url: insufficient validation of bracketed IPv6 hostnames The Parse function permitted values other than IPv6 addresses to be included in square brackets within the host component of a URL. 
RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/";. IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement. Thanks to Enze Wang, Jingcheng Yang and Zehui Miao of Tsinghua University for reporting this issue. This is CVE-2025-47912 and Go issue https://go.dev/issue/75678. - encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion When parsing DER payloads, memories were being allocated prior to fully validating the payloads. This permits an attacker to craft a big empty DER payload to cause memory exhaustion in functions such as asn1.Unmarshal, x509.ParseCertificateRequest, and ocsp.ParseResponse. Thanks to Jakub Ciolek for reporting this issue. This is CVE-2025-58185 and Go issue https://go.dev/issue/75671. - net/http: lack of limit when parsing cookies can cause memory exhaustion Despite HTTP headers having a default limit of 1 MB, the number of cookies that can be parsed did not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption. net/http now limits the number of cookies accepted to 3000, which can be adjusted using the httpcookiemaxnum GODEBUG option. Thanks to jub0bs for reporting this issue. This is CVE-2025-58186 and Go issue https://go.dev/issue/75672. - crypto/x509: panic when validating certificates with DSA public keys Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains. Thanks to Jakub Ciolek for reporting this issue. This is CVE-2025-58188 and Go issue https://go.dev/issue/75675. 
- archive/tar: unbounded allocation when parsing GNU sparse map tar.Reader did not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions could cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input could result in large allocations. Thanks to Harshit Gupta (Mr HAX) for reporting this issue. This is CVE-2025-58183 and Go issue https://go.dev/issue/75677. - net/textproto: excessive CPU consumption in Reader.ReadResponse The Reader.ReadResponse function constructed a response string through repeated string concatenation of lines. When the number of lines in a response is large, this could cause excessive CPU consumption. Thanks to Jakub Ciolek for reporting this issue. This is CVE-2025-61724 and Go issue https://go.dev/issue/75716. View the release notes for more information: https://go.dev/doc/devel/release#go1.25.2 @ text @d1 1 a1 1 $NetBSD$ d3 3 a5 3 BLAKE2s (go1.24.8.src.tar.gz) = 0955f60915a81bdb8d4d468d038ad4ebb597355a8b2df5d5737d06dfb41b2f9c SHA512 (go1.24.8.src.tar.gz) = 3233c75223b310d14ccb1846e192d0d4867e8ecc1091c9853bc536f5051cdfb8682ae2f86b5caec77b1f3cbfaf5864c9231fb3a756471ff77d7a904e79bb3f15 Size (go1.24.8.src.tar.gz) = 30797581 bytes @ 1.7 log @go: update to 1.23.12 and 1.24.6 (security) These minor releases include 2 security fixes following the security policy: - os/exec: LookPath may return unexpected paths If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned. Thanks to Olivier Mengué for reporting this issue. This is CVE-2025-47906 and Go issue https://go.dev/issue/74466. - database/sql: incorrect results returned from Rows.Scan Cancelling a query (e.g. 
by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error. We believe this affects most database/sql drivers. Thanks to Spike Curtis from Coder for reporting this issue. This is CVE-2025-47907 and https://go.dev/issue/74831. View the release notes for more information: https://go.dev/doc/devel/release#go1.24.6 @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.6 2025/07/09 07:41:36 bsiegert Exp $ d3 3 a5 3 BLAKE2s (go1.24.6.src.tar.gz) = 58cbdca8e7c9de658a6213de8d2003dc140bfee43316d27a478e4b5045374b14 SHA512 (go1.24.6.src.tar.gz) = 65f535c722f4a0f6111c9ed829677621e456a5bc969ccb99009da1ade096b2b1a648a44ccfa913543677c220baeaf1afe634ba8ba165d9474ac9433ac249c914 Size (go1.24.6.src.tar.gz) = 30794139 bytes @ 1.6 log @go: update to 1.23.11 and 1.24.5 These minor releases include 1 security fixes following the security policy: cmd/go: unexpected command execution in untrusted VCS repositories Various uses of the Go toolchain in untrusted VCS repositories can result in unexpected code execution. When using the Go toolchain in directories fetched using various VCS tools (such as directly cloning Git or Mercurial repositories) can cause the toolchain to execute unexpected commands, if said directory contains multiple VCS configuration metadata (such as a ".hg" directory in a Git repository). This is due to how the Go toolchain attempts to resolve which VCS is being used in order to embed build information in binaries and determine module versions. 
The toolchain will now abort attempting to resolve which VCS is being used if it detects multiple VCS configuration metadata in a module directory or nested VCS configuration metadata (such as a ".git" directoy in a parent directory and a ".hg" directory in a child directory). This will not prevent the toolchain from building modules, but will result in binaries omitting VCS related build information. If this behavior is expected by the user, the old behavior can be re-enabled by setting GODEBUG=allowmultiplevcs=1. This should only be done in trusted repositories. Thanks to RyotaK (https://ryotak.net) of GMO Flatt Security Inc for reporting this issue. This is CVE-2025-4674 and https://go.dev/issue/74380. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.5 2025/06/06 13:45:14 bsiegert Exp $ d3 3 a5 3 BLAKE2s (go1.24.5.src.tar.gz) = c6e8ca8692a0f6fdadfa9e1484a345017480d48aced9c40387cb344857aea29d SHA512 (go1.24.5.src.tar.gz) = 917cd6ac83e3370227da40f8490697e8638847e9279ed1806044a173d3b52829c67c429990db92d8aadcfba6a37bfc00114c1ecec3ac387a781bb7edc8dcab22 Size (go1.24.5.src.tar.gz) = 30792943 bytes @ 1.5 log @Update go123 to 1.23.10 and go124 to 1.24.4 (security) These minor releases include 3 security fixes following the security policy: - net/http: sensitive headers not cleared on cross-origin redirect Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information. Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue. This is CVE-2025-4673 and Go issue https://go.dev/issue/73816. - os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. 
OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink. Thanks to Junyoung Park and Dong-uk Kim of KAIST Hacking Lab for discovering this issue. This is CVE-2025-0913 and Go issue https://go.dev/issue/73702. - crypto/x509: usage of ExtKeyUsageAny disables policy validation Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon. Thanks to Krzysztof Skrzętnicki (@@Tener) of Teleport for reporting this issue. This is CVE-2025-22874 and Go issue https://go.dev/issue/73612. View the release notes for more information: https://go.dev/doc/devel/release#go1.24.4 @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.4 2025/05/08 18:55:52 bsiegert Exp $ d3 3 a5 3 BLAKE2s (go1.24.4.src.tar.gz) = 1338f7e0026c21a04feceefe7ccfbcb2c69102162cb26915852aa18b9a707470 SHA512 (go1.24.4.src.tar.gz) = b785583fc53d62094b2de793a0e3281a26d2de17897a35b378fc2d13cb912ca473c37a7bae54a50660141809d5d0a70a97663d406cf30d7f0221ecbb5ffddec6 Size (go1.24.4.src.tar.gz) = 30788576 bytes @ 1.5.2.1 log @Pullup ticket #6983 - requested by bsiegert lang/go123: Security fix lang/go124: Security fix Revisions pulled up: - lang/go/version.mk 1.233 - lang/go123/PLIST 1.11 - lang/go123/distinfo 1.13 - lang/go124/PLIST 1.6 - lang/go124/distinfo 1.6 --- Module Name: pkgsrc Committed By: bsiegert Date: Wed Jul 9 07:41:36 UTC 2025 Modified Files: pkgsrc/lang/go: version.mk pkgsrc/lang/go123: PLIST distinfo pkgsrc/lang/go124: PLIST distinfo Log Message: go: update to 1.23.11 and 1.24.5 These minor releases include 1 security fixes following the security policy= : cmd/go: unexpected command execution in untrusted VCS repositories Various uses of the Go toolchain in untrusted VCS repositories can resu= lt in unexpected code execution. 
When using the Go toolchain in directories fetched using various VCS tools (such as directly cloning Git or Mercurial repositories) can cause the toolchain to execute unexpected commands, if said directo= ry contains multiple VCS configuration metadata (such as a ".hg" directory in a Git repository). This is due to how the Go toolchain attempts to resolve which VCS is being used in order to embed build information in binaries and deter= mine module versions. The toolchain will now abort attempting to resolve which VCS is being used if it detects multiple VCS configuration metadata in a module directory or nested VCS configuration metadata (such as a ".git" directoy in a parent directory and a ".hg" directory in a child directory). This will not prevent the toolchain from building modules, but will result in binaries omitting VCS related buil= d information. If this behavior is expected by the user, the old behavior can be re-enabled by setting GODEBUG=3Dallowmultiplevcs=3D1. This should only be done in tru= sted repositories. Thanks to RyotaK (https://ryotak.net) of GMO Flatt Security Inc for reporting this issue. This is CVE-2025-4674 and https://go.dev/issue/74380. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.5 2025/06/06 13:45:14 bsiegert Exp $ d3 3 a5 3 BLAKE2s (go1.24.5.src.tar.gz) = c6e8ca8692a0f6fdadfa9e1484a345017480d48aced9c40387cb344857aea29d SHA512 (go1.24.5.src.tar.gz) = 917cd6ac83e3370227da40f8490697e8638847e9279ed1806044a173d3b52829c67c429990db92d8aadcfba6a37bfc00114c1ecec3ac387a781bb7edc8dcab22 Size (go1.24.5.src.tar.gz) = 30792943 bytes @ 1.4 log @go: update go123 to 1.23.9 and go124 to 1.24.3. The Go 1.24.3 minor release includes 1 security fix following the security policy: - os: Root permits access to parent directory It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. 
This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent. Root now correctly returns an error in this case. This is CVE-2025-22873 and Go issue https://go.dev/issue/73555. Thanks to Dan Sebastian Thrane of SDU eScience Center for reporting this issue. This security fix only applies to Go 1.24.x releases. Go 1.23.x releases are not affected by this. go1.23.9 (released 2025-05-06) includes fixes to the runtime and the linker. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.3 2025/04/01 17:44:25 bsiegert Exp $ d3 3 a5 3 BLAKE2s (go1.24.3.src.tar.gz) = 7dadd01b0239f154d455cff91e10225f8532b34e69a2459296966495b3ce363f SHA512 (go1.24.3.src.tar.gz) = 05d19372fb923eeea19395b4de569d2ecfec7fadf2d8236d47cd667982de51c569e9816372cb79e32166553f9bcbe68f7bc2a6ded5655809b1caf5bd941011e7 Size (go1.24.3.src.tar.gz) = 30789282 bytes @ 1.3 log @Update go123 to 1.23.8 and go124 to 1.24.2 These minor releases include 1 security fix following the security policy: - net/http: request smuggling through invalid chunked data The net/http package accepted data in the chunked transfer encoding containing an invalid chunk-size line terminated by a bare LF. When used in conjunction with a server or proxy which incorrectly interprets a bare LF in a chunk extension as part of the extension, this could permit request smuggling. The net/http package now rejects chunk-size lines containing a bare LF. Thanks to Jeppe Bonde Weikop for reporting this issue. This is CVE-2025-22871 and Go issue https://go.dev/issue/71988. View the release notes for more information.
@ text @d1 1 a1 1 $NetBSD: distinfo,v 1.2 2025/03/07 16:30:08 bsiegert Exp $ d3 3 a5 3 BLAKE2s (go1.24.2.src.tar.gz) = 40e468465c036116332e888fed7943ca92b5893a5b6835e32cbd87cbb3435b9f SHA512 (go1.24.2.src.tar.gz) = 6366a32f6678e7908b138f62dafeed96f7144b3b93505e75fba374b33727da8b1d087c1f979f493382b319758ebfcbeb30e9d7dadcb2923b628c8abe7db41c6f Size (go1.24.2.src.tar.gz) = 30787666 bytes @ 1.2 log @go124: update to 1.24.1 (security) go1.24.1 (released 2025-03-04) includes security fixes to the net/http package, as well as bug fixes to cgo, the compiler, the go command, and the reflect, runtime, and syscall packages. See the Go 1.24.1 milestone on our issue tracker for details. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.1 2025/02/25 20:09:17 bsiegert Exp $ d3 3 a5 3 BLAKE2s (go1.24.1.src.tar.gz) = 1c7804d3f49c0aaa82dfb463201b4bf3611daa85049e7b8ffee89bf835aa1246 SHA512 (go1.24.1.src.tar.gz) = a924d6bdc7e7101917e6d063bc7b471390525394e79224c152997564657c4362b5600e0c8bf6ee857d345129ccf7368bdf4ed2251ab740446ea2abda144e6353 Size (go1.24.1.src.tar.gz) = 30777528 bytes @ 1.2.2.1 log @Pullup ticket #6952 - requested by bsiegert lang/go123: Security fix lang/go124: Security fix Revisions pulled up: - lang/go/version.mk 1.229 - lang/go123/PLIST 1.8 - lang/go123/distinfo 1.10 - lang/go124/PLIST 1.3 - lang/go124/distinfo 1.3 --- Module Name: pkgsrc Committed By: bsiegert Date: Tue Apr 1 17:44:25 UTC 2025 Modified Files: pkgsrc/lang/go: version.mk pkgsrc/lang/go123: PLIST distinfo pkgsrc/lang/go124: PLIST distinfo Log Message: Update go123 to 1.23.8 and go124 to 1.24.2 These minor releases include 1 security fix following the security policy: - net/http: request smuggling through invalid chunked data The net/http package accepted data in the chunked transfer encoding containing an invalid chunk-size line terminated by a bare LF.
When used in conjunction with a server or proxy which incorrectly interprets a bare LF in a chunk extension as part of the extension, this could permit request smuggling. The net/http package now rejects chunk-size lines containing a bare LF. Thanks to Jeppe Bonde Weikop for reporting this issue. This is CVE-2025-22871 and Go issue https://go.dev/issue/71988. View the release notes for more information. @ text @d1 1 a1 1 $NetBSD$ d3 3 a5 3 BLAKE2s (go1.24.2.src.tar.gz) = 40e468465c036116332e888fed7943ca92b5893a5b6835e32cbd87cbb3435b9f SHA512 (go1.24.2.src.tar.gz) = 6366a32f6678e7908b138f62dafeed96f7144b3b93505e75fba374b33727da8b1d087c1f979f493382b319758ebfcbeb30e9d7dadcb2923b628c8abe7db41c6f Size (go1.24.2.src.tar.gz) = 30787666 bytes @ 1.2.2.2 log @Pullup ticket #6963 - requested by bsiegert lang/go124: Security fix lang/go123: Not a security fix, but doesn't hurt Revisions pulled up: - lang/go/version.mk 1.231 - lang/go123/PLIST 1.9 - lang/go123/distinfo 1.11 - lang/go124/PLIST 1.4 - lang/go124/distinfo 1.4 --- Module Name: pkgsrc Committed By: bsiegert Date: Thu May 8 18:55:53 UTC 2025 Modified Files: pkgsrc/lang/go: version.mk pkgsrc/lang/go123: PLIST distinfo pkgsrc/lang/go124: PLIST distinfo Log Message: go: update go123 to 1.23.9 and go124 to 1.24.3. The Go 1.24.3 minor release includes 1 security fix following the security policy: - os: Root permits access to parent directory It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent. Root now correctly returns an error in this case. This is CVE-2025-22873 and Go issue https://go.dev/issue/73555. Thanks to Dan Sebastian Thrane of SDU eScience Center for reporting this issue. This security fix only applies to Go 1.24.x releases. 
Go 1.23.x releases are not affected by this. go1.23.9 (released 2025-05-06) includes fixes to the runtime and the linker. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.2.2.1 2025/04/02 02:19:08 maya Exp $ d3 3 a5 3 BLAKE2s (go1.24.3.src.tar.gz) = 7dadd01b0239f154d455cff91e10225f8532b34e69a2459296966495b3ce363f SHA512 (go1.24.3.src.tar.gz) = 05d19372fb923eeea19395b4de569d2ecfec7fadf2d8236d47cd667982de51c569e9816372cb79e32166553f9bcbe68f7bc2a6ded5655809b1caf5bd941011e7 Size (go1.24.3.src.tar.gz) = 30789282 bytes @ 1.2.2.3 log @Pullup ticket #6971 - requested by bsiegert lang/go123: Security fix lang/go124: Security fix Revisions pulled up: - lang/go/version.mk 1.232 - lang/go123/PLIST 1.10 - lang/go123/distinfo 1.12 - lang/go124/PLIST 1.5 - lang/go124/distinfo 1.5 --- Module Name: pkgsrc Committed By: bsiegert Date: Fri Jun 6 13:45:15 UTC 2025 Modified Files: pkgsrc/lang/go: version.mk pkgsrc/lang/go123: PLIST distinfo pkgsrc/lang/go124: PLIST distinfo Log Message: Update go123 to 1.23.10 and go124 to 1.24.4 (security) These minor releases include 3 security fixes following the security policy: - net/http: sensitive headers not cleared on cross-origin redirect Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information. Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue. This is CVE-2025-4673 and Go issue https://go.dev/issue/73816. - os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink.
Thanks to Junyoung Park and Dong-uk Kim of KAIST Hacking Lab for discovering this issue. This is CVE-2025-0913 and Go issue https://go.dev/issue/73702. - crypto/x509: usage of ExtKeyUsageAny disables policy validation Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabled policy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon. Thanks to Krzysztof Skrzętnicki (@@Tener) of Teleport for reporting this issue. This is CVE-2025-22874 and Go issue https://go.dev/issue/73612. View the release notes for more information: https://go.dev/doc/devel/release#go1.24.4 @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.2.2.2 2025/05/16 14:05:02 maya Exp $ d3 3 a5 3 BLAKE2s (go1.24.4.src.tar.gz) = 1338f7e0026c21a04feceefe7ccfbcb2c69102162cb26915852aa18b9a707470 SHA512 (go1.24.4.src.tar.gz) = b785583fc53d62094b2de793a0e3281a26d2de17897a35b378fc2d13cb912ca473c37a7bae54a50660141809d5d0a70a97663d406cf30d7f0221ecbb5ffddec6 Size (go1.24.4.src.tar.gz) = 30788576 bytes @ 1.1 log @go124: new package for 1.24.0, from wip. The latest Go release, version 1.24, arrives six months after Go 1.23. Most of its changes are in the implementation of the toolchain, runtime, and libraries. As always, the release maintains the Go 1 promise of compatibility. We expect almost all Go programs to continue to compile and run as before. Go 1.24 now fully supports generic type aliases: a type alias may be parameterized like a defined type. Go modules can now track executable dependencies using tool directives in go.mod. Several performance improvements to the runtime have decreased CPU overheads by 2-3% on average across a suite of representative benchmarks. Results may vary by application. These improvements include a new builtin map implementation based on Swiss Tables, more efficient memory allocation of small objects, and a new runtime-internal mutex implementation.
@ text @d1 1 a1 1 $NetBSD: distinfo,v 1.5 2024/12/04 18:51:39 bsiegert Exp $ d3 3 a5 3 BLAKE2s (go1.24.0.src.tar.gz) = 138a6f4f82654f9851f57f207eb84d427adb726e806263747bb0ec196c6c901e SHA512 (go1.24.0.src.tar.gz) = 36ba9a3a541208fd33aa49b969d892578e209570541d2b6ca6ff784250d8b6777597d347b823c6026acf0c2741b4abc9012693004e623a1434b06cfecdbebaa8 Size (go1.24.0.src.tar.gz) = 30663922 bytes @