head 1.14; access; symbols pkgsrc-2026Q2:1.13.0.2 pkgsrc-2026Q2-base:1.13 pkgsrc-2026Q1:1.10.0.2 pkgsrc-2026Q1-base:1.10 pkgsrc-2025Q4:1.7.0.2 pkgsrc-2025Q4-base:1.7 pkgsrc-2025Q3:1.2.0.2 pkgsrc-2025Q3-base:1.2; locks; strict; comment @# @; 1.14 date 2026.07.08.18.31.11; author bsiegert; state Exp; branches; next 1.13; commitid IrSh8cMn1xgLDSMG; 1.13 date 2026.06.05.10.18.24; author bsiegert; state Exp; branches 1.13.2.1; next 1.12; commitid KSIJ72G4chXsYAIG; 1.12 date 2026.05.07.18.40.36; author bsiegert; state Exp; branches; next 1.11; commitid oi0GYkAg0YeyGUEG; 1.11 date 2026.04.08.05.43.35; author bsiegert; state Exp; branches; next 1.10; commitid yAAyuaAxwamMj7BG; 1.10 date 2026.03.06.20.57.34; author bsiegert; state Exp; branches 1.10.2.1; next 1.9; commitid vJ8nNOcaJZ16rXwG; 1.9 date 2026.02.06.20.23.00; author bsiegert; state Exp; branches; next 1.8; commitid WBmpyX6EqcG29mtG; 1.8 date 2026.01.15.19.46.57; author bsiegert; state Exp; branches; next 1.7; commitid UMHWQmm5nrRvEwqG; 1.7 date 2025.12.19.17.02.26; author bsiegert; state Exp; branches; next 1.6; commitid MncNXWjydPrTB2nG; 1.6 date 2025.12.02.19.24.16; author bsiegert; state Exp; branches; next 1.5; commitid vqCaTBTHJZmqWRkG; 1.5 date 2025.11.08.02.26.15; author bsiegert; state Exp; branches; next 1.4; commitid J2seTpqCIN315HhG; 1.4 date 2025.10.16.17.58.17; author bsiegert; state Exp; branches; next 1.3; commitid o1SYgNzaHDbBYOeG; 1.3 date 2025.10.07.20.26.56; author bsiegert; state Exp; branches; next 1.2; commitid 88Eqflmpv70w5GdG; 1.2 date 2025.09.06.12.54.33; author bsiegert; state Exp; branches 1.2.2.1; next 1.1; commitid PC15qUBIp407AE9G; 1.1 date 2025.08.16.15.52.04; author bsiegert; state Exp; branches; next ; commitid KZyLpw7Amw1ReY6G; 1.13.2.1 date 2026.07.14.00.27.14; author maya; state Exp; branches; next ; commitid euOO7ZZEdeLWryNG; 1.10.2.1 date 2026.04.22.14.24.43; author maya; state Exp; branches; next ; commitid b6prw6l8M9zEKXCG; 1.2.2.1 date 2025.10.15.17.14.57; author maya; state Exp; branches; next ; commitid RAHhZcbqLIQILGeG; desc @@ 1.14 log @go: update to 1.26.5 and 1.25.12 (security) These releases include 2 security fixes following the security policy: - os: Root escape via symlink plus trailing slash On Unix systems, opening a file in an os.Root improperly followed symlinks to locations outside of the Root when the final path component of the a path is a symbolic link and the path ends in /. For example, root.Open("symlink/") would open "symlink" even when "symlink" is a symbolic link pointing outside of the root. On Unix, openat(fd, path, O_NOFOLLOW) will follow symlinks in path when path ends in a /. Root failed to account for this behavior, permitting paths with a trailing / to escape. It now properly sanitizes the path parameter provided to openat. Thanks to Mundur (https://github.com/M0nd0R) for reporting this issue. This is CVE-2026-39822 and Go issue https://go.dev/issue/79005. - crypto/tls: Encrypted Client Hello privacy leak The Encrypted Client Hello implementation would leak the pre-shared key identities during the handshake, allowing a passive network observer who can collect handshakes to de-anonymize the hostname of the server, even when ECH was being used. Thanks to Coia Prant (github.com/rbqvq) for reporting this issue. This is CVE-2026-42505 and Go issue https://go.dev/issue/79282. View the release notes for more information: https://go.dev/doc/devel/release#go1.26.5 @ text @$NetBSD: distinfo,v 1.13 2026/06/05 10:18:24 bsiegert Exp $ BLAKE2s (9ba0948172cbb05308fb2a9db823a720f8ffb9ad.patch) = e1cc8b23dd53ddb2e0d034b15afda2c5f83a5103a9536fd54d717b07f5fd9628 SHA512 (9ba0948172cbb05308fb2a9db823a720f8ffb9ad.patch) = 0a0787b8ea302356b724c36baf0db0df4ba29e5c56a6facc7d5a86d159dd6de23817ca62c3446f7e134810b44ebd79b6758331630e2ba8b196e6b249f1871d33 Size (9ba0948172cbb05308fb2a9db823a720f8ffb9ad.patch) = 1661 bytes BLAKE2s (go1.25.12.src.tar.gz) = 2650deb9f9fff8ec52466c156891bee279e71d178d9885c774bdcf3b0cc35ab9 SHA512 (go1.25.12.src.tar.gz) = 748341d737c3ce9eb64a0f072c70be7cf3ceab7d1033da2d88b3aea4cf0de96745cded982b6db4a47de505c14e49babf59926fa61e6a86f2e22e61625daf762a Size (go1.25.12.src.tar.gz) = 32013699 bytes SHA1 (patch-misc_ios_clangwrap.sh) = 28ea4426336155d6720f7e16b43f0207b47a6dd8 SHA1 (patch-src_cmd_dist_build.go) = cbb9576f832806b0cbef121ea38ba6a54db95bc3 SHA1 (patch-src_crypto_x509_root__bsd.go) = 0b5dead901450967109303f873a2696c65ccac35 SHA1 (patch-src_crypto_x509_root__solaris.go) = d636a1599ede225ac339388fba2b6e253112d461 SHA1 (patch-src_syscall_syscall__solaris.go) = a23052ad13e128578c1c0cf46812f26d2d8ccdd1 SHA1 (patch-src_syscall_zerrors__solaris__amd64.go) = d57d20dd3e19e7e0879fbbf5b1717df82c817d85 SHA1 (patch-src_syscall_zsysnum__solaris__amd64.go) = ec28a0fa37ba9599ec1651c8e9337a2efc48a26b @ 1.13 log @go: update to 1.26.4 and 1.25.11 (security). These releases include 3 security fixes following the security policy: - mime: quadratic complexity in WordDecoder.DecodeHeader Decoding a maliciously-crafted MIME header containing many invalid encoded-words could consume excessive CPU. The MIME decoder now better handles this case. Thanks to p4p3r (https://hackerone.com/p4p3r_hak) for reporting this issue. This is CVE-2026-42504 and Go issue https://go.dev/issue/79217. - net/textproto: arbitrary input are included in errors without any escaping When returning errors, functions in the net/textproto package would include its input as part of the error, without any escaping. Note that said input is often controlled by external parties when using this package naturally. For example, a net/http client uses ReadMIMEHeader when parsing the headers it receive from a server. As a result, an attacker could inject arbitrary content into the error. Practically, this can result in an attacker injecting misleading content, terminal control bytes, etc. into a victim's output or logs. This is CVE-2026-42507 and Go issue https://go.dev/issue/79346 - crypto/x509: split candidate hostname only once (*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates. Thanks to Jakub Ciolek (https://ciolek.dev) for reporting this issue. This is CVE-2026-27145 and https://go.dev/issue/79694. View the release notes for more information: https://go.dev/doc/devel/release#go1.26.4 @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.12 2026/05/07 18:40:36 bsiegert Exp $ d6 3 a8 3 BLAKE2s (go1.25.11.src.tar.gz) = c3d61476d3e97aad9a9be8a1dcc6f8aa5189c50fa6ef8e203db3db71899a7fb3 SHA512 (go1.25.11.src.tar.gz) = d1fa0d267ee8ba55aacbe47562c128cccabb757dc1f5c553ac0fe70eec9edc49cf66133df6f88997c752e89f9d24b77bf4b6448f73fdd7d05f8bca88951eea26 Size (go1.25.11.src.tar.gz) = 31999704 bytes @ 1.13.2.1 log @Pullup ticket #7169 - requested by bsiegert lang/go125: Security fix lang/go126: Security fix Revisions pulled up: - lang/go/version.mk 1.251 - lang/go125/PLIST 1.9 - lang/go125/distinfo 1.14 - lang/go126/PLIST 1.6 - lang/go126/distinfo 1.6 --- Module Name: pkgsrc Committed By: bsiegert Date: Wed Jul 8 18:31:11 UTC 2026 Modified Files: pkgsrc/lang/go: version.mk pkgsrc/lang/go125: PLIST distinfo pkgsrc/lang/go126: PLIST distinfo Log Message: go: update to 1.26.5 and 1.25.12 (security) These releases include 2 security fixes following the security policy: - os: Root escape via symlink plus trailing slash On Unix systems, opening a file in an os.Root improperly followed symlinks to locations outside of the Root when the final path component of the a path is a symbolic link and the path ends in /. For example, root.Open("symlink/") would open "symlink" even when "symlink" is a symbolic link pointing outside of the root. On Unix, openat(fd, path, O_NOFOLLOW) will follow symlinks in path when path ends in a /. Root failed to account for this behavior, permitting paths with a trailing / to escape. It now properly sanitizes the path parameter provided to openat. Thanks to Mundur (https://github.com/M0nd0R) for reporting this issue. This is CVE-2026-39822 and Go issue https://go.dev/issue/79005. - crypto/tls: Encrypted Client Hello privacy leak The Encrypted Client Hello implementation would leak the pre-shared key identities during the handshake, allowing a passive network observer who can collect handshakes to de-anonymize the hostname of the server, even when ECH was being used. Thanks to Coia Prant (github.com/rbqvq) for reporting this issue. This is CVE-2026-42505 and Go issue https://go.dev/issue/79282. View the release notes for more information: https://go.dev/doc/devel/release#go1.26.5 @ text @d1 1 a1 1 $NetBSD$ d6 3 a8 3 BLAKE2s (go1.25.12.src.tar.gz) = 2650deb9f9fff8ec52466c156891bee279e71d178d9885c774bdcf3b0cc35ab9 SHA512 (go1.25.12.src.tar.gz) = 748341d737c3ce9eb64a0f072c70be7cf3ceab7d1033da2d88b3aea4cf0de96745cded982b6db4a47de505c14e49babf59926fa61e6a86f2e22e61625daf762a Size (go1.25.12.src.tar.gz) = 32013699 bytes @ 1.12 log @go: update to 1.25.10 and 1.26.3 (security) These releases include 11 security fixes following the security policy : - cmd/go: malicious module proxy can bypass checksum database A malicious module proxy could exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can serve altered versions of the Go toolchain. When selecting a different version of the Go toolchain than the currently installed toolchain (due to the GOTOOLCHAIN environment variable, or a go.work or go.mod with a toolchain line), the go command will download and execute a toolchain provided by the module proxy. A malicious module proxy can bypass checksum database validation for this downloaded toolchain. Since this vulnerability affects the security of toolchain downloads, setting GOTOOLCHAIN to a fixed version is not sufficient. You must upgrade your base Go toolchain. The go tool always validates the hash of a toolchain before executing it, so fixed versions will refuse to execute any cached, altered versions of the toolchain. The go tool trusts go.sum files to contain accurate hashes of the current module's dependencies. A malicious proxy exploiting this vulnerability to serve an altered module will have caused an incorrect hash to be recorded in the go.sum. Users who have configured a non-trusted GOPROXY can determine if they have been affected by running "rm go.sum ; go mod tidy ; go mod verify", which will revalidate all dependencies of the current module. The specific flaw in more detail: The go command consults the checksum database to validate downloaded modules, when a module is not listed in the go.sum file. It verifies that the module hash reported by the checksum database matches the hash of the downloaded module. If, however, the checksum database returns a successful response that contains no entry for the module, the go command incorrectly permitted validation to succeed. A module proxy may mirror or proxy the checksum database, in which case the go command will not connect to the checksum database directly. Checksums reported by the checksum database are cryptographically signed, so a malicious proxy cannot alter the reported checksum for a module. However, a proxy which returns an empty checksum response, or a checksum response for an unrelated module, could cause the go command to proceed as if a downloaded module has been validated. The go command now properly checks checksum database responses to ensure that the expected module signature is present, not just that if a signature is present it matches the expectation. Thanks to Mundur (https://github.com/M0nd0R) for reporting this issue. This is CVE-2026-42501 and Go issue https://go.dev/issue/79070. - net/http/httputil: ReverseProxy forwards queries with more than urlmaxqueryparams parameters When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy did not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This could permit ReverseProxy to forward a request containing a query parameter that was not visible to the Rewrite function. For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" could forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function. ReverseProxy now avoids forwarding parameters that exceed the ParseQuery limit. This is CVE-2026-39825 and Go issue https://go.dev/issue/78948. - net: panic in Dial and LookupPort when handling NUL byte on Windows The Dial and LookupPort functions would panic on Windows when provided with an input containing a NUL (0). These functions now return an error rather than panicking. This is CVE-2026-39836 and Go issue https://go.dev/issue/79006. - net/mail: quadratic string concatenation in consumePhrase Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. This is CVE-2026-42499 and Go issue https://go.dev/issue/78987. - net/mail: quadratic string concatentation in consumeComment Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations. This is CVE-2026-39820 and Go issue https://go.dev/issue/78566. - cmd/go: "go bug" follows symlinks in predictable temporary filenames The "go bug" command wrote to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory could create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink. The "go bug" command now uses os.MkdirTemp to create a safe working directory. Thanks to Harshit Gupta (Mr HAX) for reporting this issue. This is CVE-2026-39819 and Go issue https://go.dev/issue/78584. - cmd/go: "go tool pack" does not sanitize output paths The "go tool pack" subcommand is a minimal version of the Unix ar utility. It is used by the compiler as an internal tool with known-good inputs. The "pack" subcommand did not sanitize output filenames. When invoked to extract a malicious archive file, it could write files to arbitrary locations on the filesystem. The "pack" subcommand now refuses to extract files with names containing any directory components. Thanks to Harshit Gupta (Mr HAX) for reporting this issue. This is CVE-2026-39817 and Go issue https://go.dev/issue/78778. - net/http: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0. This allows potential DoS against a client by a malicious server. HTTP/2 transport now properly checks that the received SETTINGS_MAX_FRAME_SIZE is valid. Thanks to Marwan Atia (marwansamir688@@gmail.com) for reporting this issue. This is CVE-2026-33814 and Go issue https://go.dev/issue/78476. - html/template: escaper bypass leads to XSS If a trusted template author were to write a tag containing an empty type attribute or a type attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the block. Thanks to Mundur (https://github.com/M0nd0R) for reporting this issue. This is CVE-2026-39826 and Go issue https://go.dev/issue/78981. - net: crash when handling long CNAME response When using LookupCNAME with the cgo DNS resolver, a very long CNAME response could trigger a double-free of C memory and a crash. The double-free has been fixed. Thanks to hamayanhamayan for reporting this issue. This is CVE-2026-33811 and Go issue https://go.dev/issue/78803. - html/template: bypass of meta content URL escaping causes XSS CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the = rune inside of the attribute, the escaper would fail to similarly escape it, leading to XSS. Dynamic inputs to a tag's attribute are now whitespace sanitized prior to escaping. Thanks to Samy Ghannad for reporting this issue. This is CVE-2026-39823 and Go issue https://go.dev/issue/78913. View the release notes for more information: https://go.dev/doc/devel/release#go1.26.3 @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.11 2026/04/08 05:43:35 bsiegert Exp $ d6 3 a8 3 BLAKE2s (go1.25.10.src.tar.gz) = ad9ca5c85de58992571cb893a86099dd978c86015ed970606656c6cfddfbfea9 SHA512 (go1.25.10.src.tar.gz) = 4a938b18d00af583d1ab8592386b8c71385997b1c8fab661549232ee84ac2f42716dc8304c38f1f462335a12048da19611bb614a7007d8201e6818a11f187487 Size (go1.25.10.src.tar.gz) = 32000721 bytes @ 1.11 log @go: update to 1.25.9 and 1.26.2 (security). These releases include 10 security fixes following the security policy : - os: Root.Chmod can follow symlinks out of the root on Linux On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod could operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation. On Linux, Root.Chmod now uses the fchmodat2 syscall when available, and an workaround using /proc/self/fd otherwise. Thanks to Uuganbayar Lkhamsuren for reporting this issue. This is CVE-2026-32282 and Go issue https://go.dev/issue/78293. - html/template: JS template literal context incorrectly tracked Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities. This only affects templates that use template actions within JS template literals. This is CVE-2026-32289 and Go issue https://go.dev/issue/78331. - crypto/x509: excluded DNS constraints not properly applied to wildcard domains When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. For example, if a certificate contains the DNS name "*.example.com" and the excluded DNS name "EXAMPLE.COM", the constraint will not be applied. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool. This issue only affects Go 1.26. Thank you to Riyas from Saintgits College of Engineering, k1rnt, @@1seal for reporting this issue. This is CVE-2026-33810 and Go issue https://go.dev/issue/78332. - cmd/compile: no-op interface conversion bypasses overlap checking Previously, the compiler failed to unwrap pointers contained within a no-op interface conversion leading to an incorrect determination of a non-overlapping move. To prevent unsafe move operations, the compiler will now unwrap all such conversions before considering a move non-overlapping. Thank you to Jakub Ciolek - https://ciolek.dev/ for reporting this issue. This is CVE-2026-27144 and Go issue https://go.dev/issue/78371. - cmd/compile: possible memory corruption after bound check elimination Previously, slices and arrays accessed using induction variables were sometimes incorrectly proved in-bound. If the induction variable used for indexing were to overflow or underflow, it could allow access to memory beyond the scope of the original slice or array. To prevent this behavior, the compiler ensures that any mutated induction variable that overflows/underflows with respect to its loop condition is not used for bound check elimination. Thank you to Jakub Ciolek - https://ciolek.dev/ for reporting this issue. This is CVE-2026-27143 and Go issue https://go.dev/issue/78333. - archive/tar: unbounded allocation when parsing old format GNU sparse map tar.Reader could allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format. We now limit both the number of old GNU sparse map extension blocks, and the total number of sparse file entries, regardless of encoding. Thanks to Colin Walters (walters@@verbum.org) who initially reported this issue. Thanks also to Uuganbayar Lkhamsuren (https://github.com/uug4na) and Jakub Ciolek who additionally reported this issue. This is CVE-2026-32288 and Go issue https://go.dev/issue/78301. - crypto/tls: multiple key update handshake messages can cause connection to deadlock If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3. Thank you to Jakub Ciolek - https://ciolek.dev/ for reporting this issue. This is CVE-2026-32283 and Go issue https://go.dev/issue/78334. - cmd/go: trust layer bypass when using cgo and SWIG A well-crafted SWIG source file could take advantage of a file-naming convention used inside the trust boundary of the cgo compiler. Doing so could result in arbitrary code execution during build time. SWIG files are disallowed from using this convention. Thank you to Juho Forsén of Mattermost for reporting this issue. This is CVE-2026-27140 and Go issue https://go.dev/issue/78335. - crypto/x509: unexpected work during chain building During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls. Thank you to Jakub Ciolek - https://ciolek.dev/ for reporting this issue. This is CVE-2026-32280 and Go issue https://go.dev/issue/78282. - crypto/x509: inefficient policy validation Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool. Thank you to Jakub Ciolek - https://ciolek.dev/ for reporting this issue. This is CVE-2026-32281 and Go issue https://go.dev/issue/78281. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.10 2026/03/06 20:57:34 bsiegert Exp $ d6 3 a8 3 BLAKE2s (go1.25.9.src.tar.gz) = cb6479fc548f1786addd2758c263d1f978fcdd7a123fd4b9089aa70dd3395b4c SHA512 (go1.25.9.src.tar.gz) = b1a89da9f53db56f59716814adf412f10fcb7e72aa9fa0df216ad7200082731f18b449bc669d340f59b80355e66a6e2f156567a45ffd2e138df45bf8bce8dd8f Size (go1.25.9.src.tar.gz) = 31997830 bytes @ 1.10 log @go: update to 1.25.8 and 1.26.1 (security) These releases include 5 security fixes following the security policy: - crypto/x509: incorrect enforcement of email constraints When verifying a certificate chain which contains a certificate containing multiple email address constraints (composed of the full email address) which share common local portions (the portion of the address before the '@@' character) but different domain portions (the portion of the address after the '@@' character), these constraints will not be properly applied, and only the last constraint will be considered. This can allow certificates in the chain containing email addresses which are either not permitted or excluded by the relevant constraints to be returned by calls to Certificate.Verify. Since the name constraint checks happen after chain building is complete, this only applies to certificate chains which chain to trusted roots (root certificates either in VerifyOptions.Roots or in the system root certificate pool), requiring a trusted CA to issue certificates containing either not permitted or excluded email addresses. This issue only affects Go 1.26. Thanks to Jakub Ciolek for reporting this issue. This is CVE-2026-27137 and Go issue https://go.dev/issue/77952. - crypto/x509: panic in name constraint checking for malformed certificates Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS. Since the name constraint checks happen after chain building is complete, this only applies to certificate chains which chain to trusted roots (root certificates either in VerifyOptions.Roots or in the system root certificate pool), requiring a trusted CA to issue certificates containing malformed DNS names. This issue only affects Go 1.26. Thanks to Jakub Ciolek for reporting this issue. This is CVE-2026-27138 and Go issue https://go.dev/issue/77953. - html/template: URLs in meta content attribute actions are not escaped Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0. This is CVE-2026-27142 and Go issue https://go.dev/issue/77954. - net/url: reject IPv6 literal not at start of host The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid. To prevent this behavior, net/url.Parse now rejects IPv6 literals that do not appear at the start of the host subcomponent of a URL. Thanks to Masaki Hara (https://github.com/qnighy) of Wantedly. This is CVE-2026-25679 and Go issue https://go.dev/issue/77578. - os: FileInfo can escape from a Root On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The contents of the FileInfo were populated using the lstat system call, which takes the path to the file as a parameter. If a component of the full path of the file described by the FileInfo is replaced with a symbolic link, the target of the lstat can be directed to another location on the filesystem. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem. This could be used to probe for the presence or absence of files as well as gleaning metadata like file sizes, but does not permit reading or writing files outside the root. The FileInfo is now populated using fstatat. Thank you to Miloslav Trmač of Red Hat for reporting this issue. This is CVE-2026-27139 and Go issue https://go.dev/issue/77827. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.9 2026/02/06 20:23:00 bsiegert Exp $ d6 3 a8 3 BLAKE2s (go1.25.8.src.tar.gz) = e9882b64493cf3f5eca80739862a90e9bda9d43f67f40d423de9070367d10036 SHA512 (go1.25.8.src.tar.gz) = 2f5c9f314d18169985a9a4b19346e00dd5d4b396c8c17bfffe5719e51f27d834cc9649d0165f7eeb7367d3b6d384f49917325a40b49ba4da65e22f2c5362c739 Size (go1.25.8.src.tar.gz) = 31991986 bytes @ 1.10.2.1 log @Pullup ticket #7080 - requested by bsiegert lang/go125: Security fix lang/go126: Security fix Revisions pulled up: - lang/go/version.mk 1.247 - lang/go125/PLIST 1.6 - lang/go125/distinfo 1.11 - lang/go126/PLIST 1.3 - lang/go126/distinfo 1.3 --- Module Name: pkgsrc Committed By: bsiegert Date: Wed Apr 8 05:43:35 UTC 2026 Modified Files: pkgsrc/lang/go: version.mk pkgsrc/lang/go125: PLIST distinfo pkgsrc/lang/go126: PLIST distinfo Log Message: go: update to 1.25.9 and 1.26.2 (security). These releases include 10 security fixes following the security policy : - os: Root.Chmod can follow symlinks out of the root on Linux On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod could operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation. On Linux, Root.Chmod now uses the fchmodat2 syscall when available, and an workaround using /proc/self/fd otherwise. Thanks to Uuganbayar Lkhamsuren for reporting this issue. This is CVE-2026-32282 and Go issue https://go.dev/issue/78293. - html/template: JS template literal context incorrectly tracked Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities. This only affects templates that use template actions within JS template literals. This is CVE-2026-32289 and Go issue https://go.dev/issue/78331. - crypto/x509: excluded DNS constraints not properly applied to wildcard domains When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. For example, if a certificate contains the DNS name "*.example.com" and the excluded DNS name "EXAMPLE.COM", the constraint will not be applied. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool. This issue only affects Go 1.26. Thank you to Riyas from Saintgits College of Engineering, k1rnt, @@1seal for reporting this issue. This is CVE-2026-33810 and Go issue https://go.dev/issue/78332. - cmd/compile: no-op interface conversion bypasses overlap checking Previously, the compiler failed to unwrap pointers contained within a no-op interface conversion leading to an incorrect determination of a non-overlapping move. To prevent unsafe move operations, the compiler will now unwrap all such conversions before considering a move non-overlapping. Thank you to Jakub Ciolek - https://ciolek.dev/ for reporting this issue. This is CVE-2026-27144 and Go issue https://go.dev/issue/78371. - cmd/compile: possible memory corruption after bound check elimination Previously, slices and arrays accessed using induction variables were sometimes incorrectly proved in-bound. If the induction variable used for indexing were to overflow or underflow, it could allow access to memory beyond the scope of the original slice or array. To prevent this behavior, the compiler ensures that any mutated induction variable that overflows/underflows with respect to its loop condition is not used for bound check elimination. Thank you to Jakub Ciolek - https://ciolek.dev/ for reporting this issue. This is CVE-2026-27143 and Go issue https://go.dev/issue/78333. - archive/tar: unbounded allocation when parsing old format GNU sparse map tar.Reader could allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format. We now limit both the number of old GNU sparse map extension blocks, and the total number of sparse file entries, regardless of encoding. Thanks to Colin Walters (walters@@verbum.org) who initially reported this issue. Thanks also to Uuganbayar Lkhamsuren (https://github.com/uug4na) and Jakub Ciolek who additionally reported this issue. This is CVE-2026-32288 and Go issue https://go.dev/issue/78301. - crypto/tls: multiple key update handshake messages can cause connection to deadlock If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of servi= ce. This only affects TLS 1.3. Thank you to Jakub Ciolek - https://ciolek.dev/ for reporting this issue. This is CVE-2026-32283 and Go issue https://go.dev/issue/78334. - cmd/go: trust layer bypass when using cgo and SWIG A well-crafted SWIG source file could take advantage of a file-naming convention used inside the trust boundary of the cgo compiler. Doing so could result in arbitrary code execution during build time. SWIG files are disallowed from using this convention. Thank you to Juho Fors=C3=A9n of Mattermost for reporting this issue. This is CVE-2026-27140 and Go issue https://go.dev/issue/78335. - crypto/x509: unexpected work during chain building During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls. Thank you to Jakub Ciolek - https://ciolek.dev/ for reporting this issue. This is CVE-2026-32280 and Go issue https://go.dev/issue/78282. - crypto/x509: inefficient policy validation Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool. Thank you to Jakub Ciolek - https://ciolek.dev/ for reporting this issue. This is CVE-2026-32281 and Go issue https://go.dev/issue/78281. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.10 2026/03/06 20:57:34 bsiegert Exp $ d6 3 a8 3 BLAKE2s (go1.25.9.src.tar.gz) = cb6479fc548f1786addd2758c263d1f978fcdd7a123fd4b9089aa70dd3395b4c SHA512 (go1.25.9.src.tar.gz) = b1a89da9f53db56f59716814adf412f10fcb7e72aa9fa0df216ad7200082731f18b449bc669d340f59b80355e66a6e2f156567a45ffd2e138df45bf8bce8dd8f Size (go1.25.9.src.tar.gz) = 31997830 bytes @ 1.9 log @go: update to 1.25.7 and 1.24.13 These releases include 2 security fixes following the security policy: - cmd/cgo: remove user-content from doc strings in cgo ASTs A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary. To prevent this behavior, the cgo compiler will no longer parse user-provided doc comments. Thank you to RyotaK (https://ryotak.net) of GMO Flatt Security Inc. for reporting this issue. This is CVE-2025-61732 and https://go.dev/issue/76697. - crypto/tls: unexpected session resumption when using Config.GetConfigForClient Config.GetConfigForClient is documented to use the original Config's session ticket keys unless explicitly overridden. This can cause unexpected behavior if the returned Config modifies authentication parameters, like ClientCAs: a connection initially established with the parent (or a sibling) Config can be resumed, bypassing the modified authentication requirements. If ClientAuth is VerifyClientCertIfGiven or RequireAndVerifyClientCert (on the server) or InsecureSkipVerify is false (on the client), crypto/tls now checks that the root of the previously-verified chain is still in ClientCAs/RootCAs when resuming a connection. Go 1.26 Release Candidate 2, Go 1.25.6, and Go 1.24.12 had fixed a similar issue related to session ticket keys being implicitly shared by Config.Clone. Since this fix is broader, the Config.Clone behavior change has been reverted. Note that VerifyPeerCertificate still behaves as documented: it does not apply to resumed connections. Applications that use Config.GetConfigForClient or Config.Clone and do not wish to blindly resume connections established with the original Config must use VerifyConnection instead (or SetSessionTicketKeys or SessionTicketsDisabled). Thanks to Coia Prant (github.com/rbqvq) for reporting this issue. This updates CVE-2025-68121 and Go issue https://go.dev/issue/77217. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.8 2026/01/15 19:46:57 bsiegert Exp $ d6 3 a8 3 BLAKE2s (go1.25.7.src.tar.gz) = 895d738c21ca97f50b38b2903175da9a8ac3d097fee185a8fd4c8222de1f6870 SHA512 (go1.25.7.src.tar.gz) = 054fdb8219d18a7942c524d8acc3c942d0a7b8f1c01b96184fa79017b6548533798f5f48cc78f7ecfb70da504c5c66569377a35d517a0e3184c32fe84c9ee0b6 Size (go1.25.7.src.tar.gz) = 31990868 bytes @ 1.8 log @go: update to 1.24.12, 1.25.6 (security) These releases include 6 security fixes following the security policy: - archive/zip: denial of service when parsing arbitrary ZIP archives archive/zip used a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive. Thanks to Thanks to Jakub Ciolek for reporting this issue. This is CVE-2025-61728 and Go issue https://go.dev/issue/77102. - net/http: memory exhaustion in Request.ParseForm When parsing a URL-encoded form net/http may allocate an unexpected amount of memory when provided a large number of key-value pairs. This can result in a denial of service due to memory exhaustion. Thanks to jub0bs for reporting this issue. This is CVE-2025-61726 and Go issue https://go.dev/issue/77101. - crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain The Config.Clone methods allows cloning a Config which has already been passed to a TLS function, allowing it to be mutated and reused. If Config.SessionTicketKey has not been set, and Config.SetSessionTicketKeys has not been called, crypto/tls will generate random session ticket keys and automatically rotate them. Config.Clone would copy these automatically generated keys into the returned Config, meaning that the two Configs would share session ticket keys, allowing sessions created using one Config could be used to resume sessions with the other Config. This can allow clients to resume sessions even though the Config may be configured such that they should not be able to do so. Config.Clone no longer copies the automatically generated session ticket keys. Config.Clone still copies keys which are explicitly provided, either by setting Config.SessionTicketKey or by calling Config.SetSessionTicketKeys. This issue was discoverd by the Go Security team while investigating another issue reported by Coia Prant (github.com/rbqvq). Additionally, on the server side only the expiration of the leaf certificate, if one was provided during the initial handshake, was checked when considering if a session could be resumed. This allowed sessions to be resumed if an intermediate or root certificate in the chain had expired. Session resumption now takes into account of the full chain when determining if the session can be resumed. Thanks to Coia Prant (github.com/rbqvq) for reporting this issue. This is CVE-2025-68121 and Go issue https://go.dev/issue/77113. - cmd/go: bypass of flag sanitization can lead to arbitrary code execution Usage of 'CgoPkgConfig' allowed execution of the pkg-config binary with flags that are not explicitly safe-listed. To prevent this behavior, compiler flags resulting from usage of 'CgoPkgConfig' are sanitized prior to invoking pkg-config. Thank you to RyotaK (https://ryotak.net) of GMO Flatt Security Inc. for reporting this issue. This is CVE-2025-61731 and go.dev/issue/77100. - cmd/go: unexpected code execution when invoking toolchain The Go toolchain supports multiple VCS which are used retrieving modules and embedding build information into binaries. On systems with Mercurial installed (hg) downloading modules (e.g. via go get or go mod download) from non-standard sources (e.g. custom domains) can cause unexpected code execution due to how external VCS commands are constructed. On systems with Git installed, downloading and building modules with malicious version strings could allow an attacker to write to arbitrary files on the system the user has access to. This can only be triggered by explicitly providing the malicious version strings to the toolchain, and does not affect usage of @@latest or bare module paths. The toolchain now uses safer VCS options to prevent misinterpretation of untrusted inputs. In addition, the toolchain now disallows module version strings prefixed with a "-" or "/" character. Thanks to splitline (@@splitline) from DEVCORE Research Team for reporting this issue. This is CVE-2025-68119 and Go issue https://go.dev/issue/77099. - crypto/tls: handshake messages may be processed at the incorrect encryption level During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake. Thanks to Coia Prant (github.com/rbqvq) for reporting this issue. This is CVE-2025-61730 and Go issue https://go.dev/issue/76443 @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.7 2025/12/19 17:02:26 bsiegert Exp $ d6 3 a8 3 BLAKE2s (go1.25.6.src.tar.gz) = cc2ab6f98fb1eabe18d7fde522a2058c46dab79336ea40c70e15570f8c3b4a8a SHA512 (go1.25.6.src.tar.gz) = 214b2d82b5322d544e80d7202db9169c24e5f097338f2d0e6d34189bd5bde9e7c1656f06611062c78a156181f03956181971b346172fc14617726bfece5e61e9 Size (go1.25.6.src.tar.gz) = 31987986 bytes @ 1.7 log @go125: avoid linker panics on i386 Add a patch to fix https://github.com/golang/go/issues/76815, noticed in NetBSD/i386 bulk builds. In builds with cgo, the assembler can create a section twice by mistake, which confuses the linker. This should fix several package build failures observed in bulk builds. ok during freeze by maya@@ @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.6 2025/12/02 19:24:16 bsiegert Exp $ d6 3 a8 3 BLAKE2s (go1.25.5.src.tar.gz) = a91a3c9dcfba4ff41b95c2371166b5913f870b8ff136feba7f0abe6d34b0e537 SHA512 (go1.25.5.src.tar.gz) = 97ec368521253bce610e1e3a6f10460f4a38eba440289553a40ab27afcdf2bb9b426d150ffaa3be8db50e84a00a4eb723a631ebc4f39168bc133bf7b2f1ccf66 Size (go1.25.5.src.tar.gz) = 31983405 bytes @ 1.6 log @go: update to 1.24.11 and 1.25.5 (security) These releases include 2 security fixes following the security policy: - crypto/x509: excessive resource consumption in printing error string for host certificate validation Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption. HostnameError.Error() now limits the number of hosts and utilizes strings.Builder when constructing an error string. Thanks to Philippe Antoine (Catena cyber) for reporting this issue. This is CVE-2025-61729 and Go issue https://go.dev/issue/76445. - crypto/x509: excluded subdomain constraint does not restrict wildcard SANs An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com. This is CVE-2025-61727 and Go issue https://go.dev/issue/76442. View the release notes for more information: https://go.dev/doc/devel/release#go1.25.5 @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.5 2025/11/08 02:26:15 bsiegert Exp $ d3 3 @ 1.5 log @go: update to 1.25.4 and 1.24.10 go1.25.4 (released 2025-11-05) includes fixes to the compiler, the runtime, and the crypto/subtle, encoding/pem, net/url, and os packages. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.4 2025/10/16 17:58:17 bsiegert Exp $ d3 3 a5 3 BLAKE2s (go1.25.4.src.tar.gz) = f8c7bb92c10ff2d314eebf14165d5654591bac4e23ffc618f759057d3750c7fb SHA512 (go1.25.4.src.tar.gz) = 6892c2cadc22bce82250f52c754053a70e9e594ec53754a1bed6b9594e8faffda1a6b052d6e298692948740ac0079697294430a4138a842ea298877449cf01cd Size (go1.25.4.src.tar.gz) = 31981767 bytes @ 1.4 log @go: update to 1.25.3 and 1.24.9 This release addresses breakage caused by a security patch included in Go 1.25.2 and 1.24.8, which enforced overly restrictive validation on the parsing of X.509 certificates. We've removed those restrictions while maintaining the security fix that the initial release addressed. We apologize for any issues this may have caused. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.3 2025/10/07 20:26:56 bsiegert Exp $ d3 3 a5 3 BLAKE2s (go1.25.3.src.tar.gz) = 5f2d0f2c88a4575a8ce110e26ebb044207e1c92938d5ae7ab00ab7a27ccdf745 SHA512 (go1.25.3.src.tar.gz) = 91d32bbff864c06b5ee7b914d3d95c59462352a4c395adba85eaab72704a8aa4d19ac2a361ed64774dce3c8e01a8d4feadf1a788814f6d7b4072a3bdfefbb3b4 Size (go1.25.3.src.tar.gz) = 31980799 bytes @ 1.3 log @go: update to 1.24.8 and 1.25.2 (security) These minor releases include 10 security fixes following the security policy: - net/mail: excessive CPU consumption in ParseAddress The ParseAddress function constructed domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this could cause excessive CPU consumption. Thanks to Philippe Antoine (Catena cyber) for reporting this issue. This is CVE-2025-61725 and Go issue https://go.dev/issue/75680. - crypto/x509: quadratic complexity when checking name constraints Due to the design of the name constraint checking algorithm, the processing time of some inputs scales non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains. Thanks to Jakub Ciolek for reporting this issue. This is CVE-2025-58187 and Go issue https://go.dev/issue/75681. - crypto/tls: ALPN negotiation errors can contain arbitrary text The crypto/tls conn.Handshake method returns an error on the server-side when ALPN negotation fails which can contain arbitrary attacker controlled information provided by the client-side of the connection which is not escaped. This affects programs which log these errors without any additional form of sanitization, and may allow injection of attacker controlled information into logs. Thanks to National Cyber Security Centre Finland for reporting this issue. This is CVE-2025-58189 and Go issue https://go.dev/issue/75652. - encoding/pem: quadratic complexity when parsing some invalid inputs Due to the design of the PEM parsing function, the processing time for some inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs. Thanks to Jakub Ciolek for reporting this issue. This is CVE-2025-61723 and Go issue https://go.dev/issue/75676. - net/url: insufficient validation of bracketed IPv6 hostnames The Parse function permitted values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement. Thanks to Enze Wang, Jingcheng Yang and Zehui Miao of Tsinghua University for reporting this issue. This is CVE-2025-47912 and Go issue https://go.dev/issue/75678. - encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion When parsing DER payloads, memories were being allocated prior to fully validating the payloads. This permits an attacker to craft a big empty DER payload to cause memory exhaustion in functions such as asn1.Unmarshal, x509.ParseCertificateRequest, and ocsp.ParseResponse. Thanks to Jakub Ciolek for reporting this issue. This is CVE-2025-58185 and Go issue https://go.dev/issue/75671. - net/http: lack of limit when parsing cookies can cause memory exhaustion Despite HTTP headers having a default limit of 1 MB, the number of cookies that can be parsed did not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption. net/http now limits the number of cookies accepted to 3000, which can be adjusted using the httpcookiemaxnum GODEBUG option. Thanks to jub0bs for reporting this issue. This is CVE-2025-58186 and Go issue https://go.dev/issue/75672. - crypto/x509: panic when validating certificates with DSA public keys Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains. Thanks to Jakub Ciolek for reporting this issue. This is CVE-2025-58188 and Go issue https://go.dev/issue/75675. - archive/tar: unbounded allocation when parsing GNU sparse map tar.Reader did not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions could cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input could result in large allocations. Thanks to Harshit Gupta (Mr HAX) for reporting this issue. This is CVE-2025-58183 and Go issue https://go.dev/issue/75677. - net/textproto: excessive CPU consumption in Reader.ReadResponse The Reader.ReadResponse function constructed a response string through repeated string concatenation of lines. When the number of lines in a response is large, this could cause excessive CPU consumption. Thanks to Jakub Ciolek for reporting this issue. This is CVE-2025-61724 and Go issue https://go.dev/issue/75716. View the release notes for more information: https://go.dev/doc/devel/release#go1.25.2 @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.2 2025/09/06 12:54:33 bsiegert Exp $ d3 3 a5 3 BLAKE2s (go1.25.2.src.tar.gz) = 7bb077ae4666f53b7e3203464817ee3a54c016a4b1f59bbce1af46133600c766 SHA512 (go1.25.2.src.tar.gz) = 2700ceca314bb78b8ff97aa8703442b60eceb3acbad46b7959739bb0399174f27af372c7f72cd1adb83997adacbf43e2e2572e85fa5cf2a18271d0ef1ee0b8b4 Size (go1.25.2.src.tar.gz) = 31978632 bytes @ 1.2 log @go: update to 1.24.7 and 1.25.1 (security) These minor releases include 1 security fixes following the security policy: - net/http: CrossOriginProtection bypass patterns are over-broad When passing patterns to CrossOriginProtection.AddInsecureBypassPattern, requests that would have redirected to those patterns (e.g. without a trailing slash) were also exempted, which might be unexpected. Thanks to Marco Gazerro for reporting this issue. This is CVE-2025-47910 and Go issue https://go.dev/issue/75054. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.1 2025/08/16 15:52:04 bsiegert Exp $ d3 3 a5 3 BLAKE2s (go1.25.1.src.tar.gz) = 72f1278bbe406337a11fef85da52063ce1fed9c9ae456ddaaf28f908980794ab SHA512 (go1.25.1.src.tar.gz) = e77ae799a0dcd4ded40a196c3645da5b7e808e417831d2c5441387b0fd0ed5f946b678305294c52fda0a258889225c24c6073bb0973c3531ba4aa107b6afe849 Size (go1.25.1.src.tar.gz) = 31974863 bytes @ 1.2.2.1 log @Pullup ticket #7009 - requested by bsiegert lang/go: Security fix lang/go124: Security fix lang/go125: Security fix Revisions pulled up: - lang/go/version.mk 1.238 - lang/go124/PLIST 1.7 - lang/go124/distinfo 1.9 - lang/go125/PLIST 1.2 - lang/go125/distinfo 1.3 --- Module Name: pkgsrc Committed By: bsiegert Date: Tue Oct 7 20:26:56 UTC 2025 Modified Files: pkgsrc/lang/go: version.mk pkgsrc/lang/go124: PLIST distinfo pkgsrc/lang/go125: PLIST distinfo Log Message: go: update to 1.24.8 and 1.25.2 (security) These minor releases include 10 security fixes following the security policy: - net/mail: excessive CPU consumption in ParseAddress The ParseAddress function constructed domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this could cause excessive CPU consumption. Thanks to Philippe Antoine (Catena cyber) for reporting this issue. This is CVE-2025-61725 and Go issue https://go.dev/issue/75680. - crypto/x509: quadratic complexity when checking name constraints Due to the design of the name constraint checking algorithm, the processing time of some inputs scales non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains. Thanks to Jakub Ciolek for reporting this issue. This is CVE-2025-58187 and Go issue https://go.dev/issue/75681. - crypto/tls: ALPN negotiation errors can contain arbitrary text The crypto/tls conn.Handshake method returns an error on the server-side when ALPN negotation fails which can contain arbitrary attacker controlled information provided by the client-side of the connection which is not escaped. This affects programs which log these errors without any additional form of sanitization, and may allow injection of attacker controlled information into logs. Thanks to National Cyber Security Centre Finland for reporting this issue. This is CVE-2025-58189 and Go issue https://go.dev/issue/75652. - encoding/pem: quadratic complexity when parsing some invalid inputs Due to the design of the PEM parsing function, the processing time for some inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs. Thanks to Jakub Ciolek for reporting this issue. This is CVE-2025-61723 and Go issue https://go.dev/issue/75676. - net/url: insufficient validation of bracketed IPv6 hostnames The Parse function permitted values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/";. IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement. Thanks to Enze Wang, Jingcheng Yang and Zehui Miao of Tsinghua University for reporting this issue. This is CVE-2025-47912 and Go issue https://go.dev/issue/75678. - encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion When parsing DER payloads, memories were being allocated prior to fully validating the payloads. This permits an attacker to craft a big empty DER payload to cause memory exhaustion in functions such as asn1.Unmarshal, x509.ParseCertificateRequest, and ocsp.ParseResponse. Thanks to Jakub Ciolek for reporting this issue. This is CVE-2025-58185 and Go issue https://go.dev/issue/75671. - net/http: lack of limit when parsing cookies can cause memory exhaustion Despite HTTP headers having a default limit of 1 MB, the number of cookies that can be parsed did not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption. net/http now limits the number of cookies accepted to 3000, which can be adjusted using the httpcookiemaxnum GODEBUG option. Thanks to jub0bs for reporting this issue. This is CVE-2025-58186 and Go issue https://go.dev/issue/75672. - crypto/x509: panic when validating certificates with DSA public keys Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains. Thanks to Jakub Ciolek for reporting this issue. This is CVE-2025-58188 and Go issue https://go.dev/issue/75675. - archive/tar: unbounded allocation when parsing GNU sparse map tar.Reader did not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions could cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input could result in large allocations. Thanks to Harshit Gupta (Mr HAX) for reporting this issue. This is CVE-2025-58183 and Go issue https://go.dev/issue/75677. - net/textproto: excessive CPU consumption in Reader.ReadResponse The Reader.ReadResponse function constructed a response string through repeated string concatenation of lines. When the number of lines in a response is large, this could cause excessive CPU consumption. Thanks to Jakub Ciolek for reporting this issue. This is CVE-2025-61724 and Go issue https://go.dev/issue/75716. View the release notes for more information: https://go.dev/doc/devel/release#go1.25.2 @ text @d1 1 a1 1 $NetBSD$ d3 3 a5 3 BLAKE2s (go1.25.2.src.tar.gz) = 7bb077ae4666f53b7e3203464817ee3a54c016a4b1f59bbce1af46133600c766 SHA512 (go1.25.2.src.tar.gz) = 2700ceca314bb78b8ff97aa8703442b60eceb3acbad46b7959739bb0399174f27af372c7f72cd1adb83997adacbf43e2e2572e85fa5cf2a18271d0ef1ee0b8b4 Size (go1.25.2.src.tar.gz) = 31978632 bytes @ 1.1 log @New package, go125 Via wip. Release notes: https://go.dev/doc/go1.25 @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.5 2025/06/06 13:45:14 bsiegert Exp $ d3 3 a5 3 BLAKE2s (go1.25.0.src.tar.gz) = 02cdf6b4fb0c6a6095636544daf42ff50cc816efa30306624ea03e4f89b0e143 SHA512 (go1.25.0.src.tar.gz) = 45030cd02ab0ed4feb74e12ad9dde544bf2255c4d1a48655fca5b643bbe690c75ea3dfac74a0e3e3c707c5af5e9171ae383a7a322e70fe824f9a47b6ffd42201 Size (go1.25.0.src.tar.gz) = 31974753 bytes @