pkgsrc-Changes archive
CVS commit: pkgsrc/lang
Module Name: pkgsrc
Committed By: bsiegert
Date: Fri Feb 6 20:23:00 UTC 2026
Modified Files:
pkgsrc/lang/go: version.mk
pkgsrc/lang/go124: distinfo
pkgsrc/lang/go125: distinfo
Log Message:
go: update to 1.25.7 and 1.24.13
These releases include 2 security fixes following the security policy:
- cmd/cgo: remove user-content from doc strings in cgo ASTs
A discrepancy between how Go and C/C++ comments
were parsed allowed for code smuggling into the
resulting cgo binary.
To prevent this behavior, the cgo compiler
will no longer parse user-provided doc
comments.
Thank you to RyotaK (https://ryotak.net) of
GMO Flatt Security Inc. for reporting this issue.
This is CVE-2025-61732 and https://go.dev/issue/76697.
- crypto/tls: unexpected session resumption when using
Config.GetConfigForClient
Config.GetConfigForClient is documented to use the original Config's
session ticket keys unless explicitly overridden. This can cause
unexpected behavior if the returned Config modifies authentication
parameters, like ClientCAs: a connection initially established with the
parent (or a sibling) Config can be resumed, bypassing the modified
authentication requirements.
If ClientAuth is VerifyClientCertIfGiven or RequireAndVerifyClientCert (on
the server) or InsecureSkipVerify is false (on the client), crypto/tls now
checks that the root of the previously-verified chain is still in
ClientCAs/RootCAs when resuming a connection.
Go 1.26 Release Candidate 2, Go 1.25.6, and Go 1.24.12 had fixed a similar
issue related to session ticket keys being implicitly shared by
Config.Clone. Since this fix is broader, the Config.Clone behavior change
has been reverted.
Note that VerifyPeerCertificate still behaves as documented: it does not
apply to resumed connections. Applications that use
Config.GetConfigForClient or Config.Clone and do not wish to blindly
resume connections established with the original Config must use
VerifyConnection instead (or SetSessionTicketKeys or
SessionTicketsDisabled).
Thanks to Coia Prant (github.com/rbqvq) for reporting this issue.
This updates CVE-2025-68121 and Go issue https://go.dev/issue/77217.
To generate a diff of this commit:
cvs rdiff -u -r1.242 -r1.243 pkgsrc/lang/go/version.mk
cvs rdiff -u -r1.13 -r1.14 pkgsrc/lang/go124/distinfo
cvs rdiff -u -r1.8 -r1.9 pkgsrc/lang/go125/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/lang/go/version.mk
diff -u pkgsrc/lang/go/version.mk:1.242 pkgsrc/lang/go/version.mk:1.243
--- pkgsrc/lang/go/version.mk:1.242 Thu Jan 15 19:46:56 2026
+++ pkgsrc/lang/go/version.mk Fri Feb 6 20:23:00 2026
@@ -1,4 +1,4 @@
-# $NetBSD: version.mk,v 1.242 2026/01/15 19:46:56 bsiegert Exp $
+# $NetBSD: version.mk,v 1.243 2026/02/06 20:23:00 bsiegert Exp $
#
# If bsd.prefs.mk is included before go-package.mk in a package, then this
@@ -6,8 +6,8 @@
#
.include "go-vars.mk"
-GO125_VERSION= 1.25.6
-GO124_VERSION= 1.24.12
+GO125_VERSION= 1.25.7
+GO124_VERSION= 1.24.13
GO123_VERSION= 1.23.12
GO122_VERSION= 1.22.12
GO120_VERSION= 1.20.14
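Review bot: GO123_VERSION, GO122_VERSION and GO120_VERSION in the trailing context of this hunk stay at 1.23.12, 1.22.12 and 1.20.14, so anything still built with those branches gets neither the cmd/cgo nor the crypto/tls fix described in the log message. If the older branches are kept deliberately, a comment beside those three lines saying that they are not covered by this security update would tell a reader of version.mk which versions are safe to depend on.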
Index: pkgsrc/lang/go124/distinfo
diff -u pkgsrc/lang/go124/distinfo:1.13 pkgsrc/lang/go124/distinfo:1.14
--- pkgsrc/lang/go124/distinfo:1.13 Thu Jan 15 19:46:57 2026
+++ pkgsrc/lang/go124/distinfo Fri Feb 6 20:23:00 2026
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.13 2026/01/15 19:46:57 bsiegert Exp $
+$NetBSD: distinfo,v 1.14 2026/02/06 20:23:00 bsiegert Exp $
-BLAKE2s (go1.24.12.src.tar.gz) = 47f24c01adfcb6d7472c86d2b62755ed150d50fb9ac32e5f6650d66526b50152
-SHA512 (go1.24.12.src.tar.gz) = 2de51c56f7ca04003b16d0fecc4cb35a3c5a42bd54f4da1f1e49d45b702d7a872057756d389f2283b4f7283fb33f0618465e231a6333b7cb6cfff98f67b2454e
-Size (go1.24.12.src.tar.gz) = 30803950 bytes
+BLAKE2s (go1.24.13.src.tar.gz) = 7ab5e8245a94a9e216a5931272d6f2da7af54f141805b2428da8ed0ed12acb31
+SHA512 (go1.24.13.src.tar.gz) = 049de4ea4be669853b2c567f1d93a4e0607815ebb57c2ca0c4802134a3613ef489b77434c83ab01e2a257b3eb4ee651b167b98ffb84d38b957d62ae933ebb243
+Size (go1.24.13.src.tar.gz) = 30802752 bytes
SHA1 (patch-misc_ios_clangwrap.sh) = 28ea4426336155d6720f7e16b43f0207b47a6dd8
SHA1 (patch-src_cmd_dist_build.go) = cbb9576f832806b0cbef121ea38ba6a54db95bc3
SHA1 (patch-src_crypto_x509_root__bsd.go) = 0b5dead901450967109303f873a2696c65ccac35
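Review bot: the new BLAKE2s, SHA512 and Size lines for go1.24.13.src.tar.gz cannot be cross-checked from the diff itself, and the log message does not say how the tarball was authenticated before the checksums were regenerated. One sentence in the log stating that the distfile was compared against the checksum published upstream would make the trust path for a security update auditable.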
Index: pkgsrc/lang/go125/distinfo
diff -u pkgsrc/lang/go125/distinfo:1.8 pkgsrc/lang/go125/distinfo:1.9
--- pkgsrc/lang/go125/distinfo:1.8 Thu Jan 15 19:46:57 2026
+++ pkgsrc/lang/go125/distinfo Fri Feb 6 20:23:00 2026
@@ -1,11 +1,11 @@
-$NetBSD: distinfo,v 1.8 2026/01/15 19:46:57 bsiegert Exp $
+$NetBSD: distinfo,v 1.9 2026/02/06 20:23:00 bsiegert Exp $
BLAKE2s (9ba0948172cbb05308fb2a9db823a720f8ffb9ad.patch) = e1cc8b23dd53ddb2e0d034b15afda2c5f83a5103a9536fd54d717b07f5fd9628
SHA512 (9ba0948172cbb05308fb2a9db823a720f8ffb9ad.patch) = 0a0787b8ea302356b724c36baf0db0df4ba29e5c56a6facc7d5a86d159dd6de23817ca62c3446f7e134810b44ebd79b6758331630e2ba8b196e6b249f1871d33
Size (9ba0948172cbb05308fb2a9db823a720f8ffb9ad.patch) = 1661 bytes
-BLAKE2s (go1.25.6.src.tar.gz) = cc2ab6f98fb1eabe18d7fde522a2058c46dab79336ea40c70e15570f8c3b4a8a
-SHA512 (go1.25.6.src.tar.gz) = 214b2d82b5322d544e80d7202db9169c24e5f097338f2d0e6d34189bd5bde9e7c1656f06611062c78a156181f03956181971b346172fc14617726bfece5e61e9
-Size (go1.25.6.src.tar.gz) = 31987986 bytes
+BLAKE2s (go1.25.7.src.tar.gz) = 895d738c21ca97f50b38b2903175da9a8ac3d097fee185a8fd4c8222de1f6870
+SHA512 (go1.25.7.src.tar.gz) = 054fdb8219d18a7942c524d8acc3c942d0a7b8f1c01b96184fa79017b6548533798f5f48cc78f7ecfb70da504c5c66569377a35d517a0e3184c32fe84c9ee0b6
+Size (go1.25.7.src.tar.gz) = 31990868 bytes
SHA1 (patch-misc_ios_clangwrap.sh) = 28ea4426336155d6720f7e16b43f0207b47a6dd8
SHA1 (patch-src_cmd_dist_build.go) = cbb9576f832806b0cbef121ea38ba6a54db95bc3
SHA1 (patch-src_crypto_x509_root__bsd.go) = 0b5dead901450967109303f873a2696c65ccac35
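Review bot: the three 9ba0948172cbb05308fb2a9db823a720f8ffb9ad.patch lines at the top of this go125/distinfo hunk are carried over unchanged, so that distfile patch is still applied on top of go1.25.7. The commit touches only version.mk and the two distinfo files, so please confirm that the patch still applies cleanly to the new tarball and has not already been included in 1.25.7, in which case the entry should be dropped.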
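The VerifyConnection mitigation named in the crypto/tls item of the log message, as an added example that is not part of this commit or of Go's own code. `pinClientCAs`, `newRoot` and `demo` are hypothetical names, and each constructed self-signed certificate serves as both a tenant's trust anchor and that tenant's client certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// pinClientCAs returns a copy of base, meant as the result of GetConfigForClient, that
// re-verifies the client leaf against pool in VerifyConnection (which runs on resumption too).
func pinClientCAs(base *tls.Config, pool *x509.CertPool) *tls.Config {
	c := base.Clone()
	c.ClientAuth, c.ClientCAs = tls.RequireAndVerifyClientCert, pool
	c.VerifyConnection = func(cs tls.ConnectionState) error {
		if pool == nil || len(cs.PeerCertificates) == 0 { // nil Roots would mean the system pool
			return fmt.Errorf("no trust pool or no client certificate for %q", cs.ServerName)
		}
		_, err := cs.PeerCertificates[0].Verify(x509.VerifyOptions{Roots: pool,
			KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
		return err
	}
	return c
}

// newRoot builds a constructed self-signed sample certificate (errors ignored for brevity).
func newRoot(cn string) (*x509.Certificate, *x509.CertPool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return cert, pool
}

// demo replays a resumed session holding tenant A's certificate against tenants A and B.
func demo() (errA, errB error) {
	certA, poolA := newRoot("tenant-a")
	_, poolB := newRoot("tenant-b")
	cs := tls.ConnectionState{DidResume: true, PeerCertificates: []*x509.Certificate{certA}}
	srv := &tls.Config{MinVersion: tls.VersionTLS12}
	return pinClientCAs(srv, poolA).VerifyConnection(cs), pinClientCAs(srv, poolB).VerifyConnection(cs)
}
func main() { fmt.Println(demo()) }
```

Tenant A's Config accepts the resumed state and tenant B's rejects it with an unknown-authority error, independent of which session ticket keys the two Configs share.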