pkgsrc-Changes archive


CVS commit: pkgsrc/lang



Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Fri Feb  6 20:23:00 UTC 2026

Modified Files:
        pkgsrc/lang/go: version.mk
        pkgsrc/lang/go124: distinfo
        pkgsrc/lang/go125: distinfo

Log Message:
go: update to 1.25.7 and 1.24.13

These releases include 2 security fixes following the security policy:

-   cmd/cgo: remove user-content from doc strings in cgo ASTs

    A discrepancy between how Go and C/C++ comments
    were parsed allowed for code smuggling into the
    resulting cgo binary.

    To prevent this behavior, the cgo compiler
    will no longer parse user-provided doc
    comments.

    Thank you to RyotaK (https://ryotak.net) of
    GMO Flatt Security Inc. for reporting this issue.

    This is CVE-2025-61732 and https://go.dev/issue/76697.

-   crypto/tls: unexpected session resumption when using
    Config.GetConfigForClient

    Config.GetConfigForClient is documented to use the original Config's
    session ticket keys unless explicitly overridden. This can cause
    unexpected behavior if the returned Config modifies authentication
    parameters, like ClientCAs: a connection initially established with the
    parent (or a sibling) Config can be resumed, bypassing the modified
    authentication requirements.

    If ClientAuth is VerifyClientCertIfGiven or RequireAndVerifyClientCert (on
    the server) or InsecureSkipVerify is false (on the client), crypto/tls now
    checks that the root of the previously-verified chain is still in
    ClientCAs/RootCAs when resuming a connection.

    Go 1.26 Release Candidate 2, Go 1.25.6, and Go 1.24.12 had fixed a similar
    issue related to session ticket keys being implicitly shared by
    Config.Clone. Since this fix is broader, the Config.Clone behavior change
    has been reverted.

    Note that VerifyPeerCertificate still behaves as documented: it does not
    apply to resumed connections. Applications that use
    Config.GetConfigForClient or Config.Clone and do not wish to blindly
    resume connections established with the original Config must use
    VerifyConnection instead (or SetSessionTicketKeys or
    SessionTicketsDisabled).

    Thanks to Coia Prant (github.com/rbqvq) for reporting this issue.

    This updates CVE-2025-68121 and Go issue https://go.dev/issue/77217.


To generate a diff of this commit:
cvs rdiff -u -r1.242 -r1.243 pkgsrc/lang/go/version.mk
cvs rdiff -u -r1.13 -r1.14 pkgsrc/lang/go124/distinfo
cvs rdiff -u -r1.8 -r1.9 pkgsrc/lang/go125/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/lang/go/version.mk
diff -u pkgsrc/lang/go/version.mk:1.242 pkgsrc/lang/go/version.mk:1.243
--- pkgsrc/lang/go/version.mk:1.242     Thu Jan 15 19:46:56 2026
+++ pkgsrc/lang/go/version.mk   Fri Feb  6 20:23:00 2026
@@ -1,4 +1,4 @@
-# $NetBSD: version.mk,v 1.242 2026/01/15 19:46:56 bsiegert Exp $
+# $NetBSD: version.mk,v 1.243 2026/02/06 20:23:00 bsiegert Exp $
 
 #
 # If bsd.prefs.mk is included before go-package.mk in a package, then this
@@ -6,8 +6,8 @@
 #
 .include "go-vars.mk"
 
-GO125_VERSION= 1.25.6
-GO124_VERSION= 1.24.12
+GO125_VERSION= 1.25.7
+GO124_VERSION= 1.24.13
 GO123_VERSION= 1.23.12
 GO122_VERSION= 1.22.12
 GO120_VERSION= 1.20.14
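Review bot: the log message lists two security fixes, but the context lines of this hunk leave GO123_VERSION, GO122_VERSION and GO120_VERSION at 1.23.12, 1.22.12 and 1.20.14, so packages built with those compilers pick up neither fix. Suggest saying so in the commit message, or pointing to where those versions are flagged, so the bump does not read as covering every lang/go* package.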

Index: pkgsrc/lang/go124/distinfo
diff -u pkgsrc/lang/go124/distinfo:1.13 pkgsrc/lang/go124/distinfo:1.14
--- pkgsrc/lang/go124/distinfo:1.13     Thu Jan 15 19:46:57 2026
+++ pkgsrc/lang/go124/distinfo  Fri Feb  6 20:23:00 2026
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.13 2026/01/15 19:46:57 bsiegert Exp $
+$NetBSD: distinfo,v 1.14 2026/02/06 20:23:00 bsiegert Exp $
 
-BLAKE2s (go1.24.12.src.tar.gz) = 47f24c01adfcb6d7472c86d2b62755ed150d50fb9ac32e5f6650d66526b50152
-SHA512 (go1.24.12.src.tar.gz) = 2de51c56f7ca04003b16d0fecc4cb35a3c5a42bd54f4da1f1e49d45b702d7a872057756d389f2283b4f7283fb33f0618465e231a6333b7cb6cfff98f67b2454e
-Size (go1.24.12.src.tar.gz) = 30803950 bytes
+BLAKE2s (go1.24.13.src.tar.gz) = 7ab5e8245a94a9e216a5931272d6f2da7af54f141805b2428da8ed0ed12acb31
+SHA512 (go1.24.13.src.tar.gz) = 049de4ea4be669853b2c567f1d93a4e0607815ebb57c2ca0c4802134a3613ef489b77434c83ab01e2a257b3eb4ee651b167b98ffb84d38b957d62ae933ebb243
+Size (go1.24.13.src.tar.gz) = 30802752 bytes
 SHA1 (patch-misc_ios_clangwrap.sh) = 28ea4426336155d6720f7e16b43f0207b47a6dd8
 SHA1 (patch-src_cmd_dist_build.go) = cbb9576f832806b0cbef121ea38ba6a54db95bc3
 SHA1 (patch-src_crypto_x509_root__bsd.go) = 0b5dead901450967109303f873a2696c65ccac35
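Review bot: the BLAKE2s, SHA512 and Size lines for go1.24.13.src.tar.gz are the only integrity record for the new tarball, and nothing in the change says what they were checked against. Since this is a security update, state in the log that the fetched distfile was compared with the checksum upstream publishes before distinfo was regenerated.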

Index: pkgsrc/lang/go125/distinfo
diff -u pkgsrc/lang/go125/distinfo:1.8 pkgsrc/lang/go125/distinfo:1.9
--- pkgsrc/lang/go125/distinfo:1.8      Thu Jan 15 19:46:57 2026
+++ pkgsrc/lang/go125/distinfo  Fri Feb  6 20:23:00 2026
@@ -1,11 +1,11 @@
-$NetBSD: distinfo,v 1.8 2026/01/15 19:46:57 bsiegert Exp $
+$NetBSD: distinfo,v 1.9 2026/02/06 20:23:00 bsiegert Exp $
 
 BLAKE2s (9ba0948172cbb05308fb2a9db823a720f8ffb9ad.patch) = e1cc8b23dd53ddb2e0d034b15afda2c5f83a5103a9536fd54d717b07f5fd9628
 SHA512 (9ba0948172cbb05308fb2a9db823a720f8ffb9ad.patch) = 0a0787b8ea302356b724c36baf0db0df4ba29e5c56a6facc7d5a86d159dd6de23817ca62c3446f7e134810b44ebd79b6758331630e2ba8b196e6b249f1871d33
 Size (9ba0948172cbb05308fb2a9db823a720f8ffb9ad.patch) = 1661 bytes
-BLAKE2s (go1.25.6.src.tar.gz) = cc2ab6f98fb1eabe18d7fde522a2058c46dab79336ea40c70e15570f8c3b4a8a
-SHA512 (go1.25.6.src.tar.gz) = 214b2d82b5322d544e80d7202db9169c24e5f097338f2d0e6d34189bd5bde9e7c1656f06611062c78a156181f03956181971b346172fc14617726bfece5e61e9
-Size (go1.25.6.src.tar.gz) = 31987986 bytes
+BLAKE2s (go1.25.7.src.tar.gz) = 895d738c21ca97f50b38b2903175da9a8ac3d097fee185a8fd4c8222de1f6870
+SHA512 (go1.25.7.src.tar.gz) = 054fdb8219d18a7942c524d8acc3c942d0a7b8f1c01b96184fa79017b6548533798f5f48cc78f7ecfb70da504c5c66569377a35d517a0e3184c32fe84c9ee0b6
+Size (go1.25.7.src.tar.gz) = 31990868 bytes
 SHA1 (patch-misc_ios_clangwrap.sh) = 28ea4426336155d6720f7e16b43f0207b47a6dd8
 SHA1 (patch-src_cmd_dist_build.go) = cbb9576f832806b0cbef121ea38ba6a54db95bc3
 SHA1 (patch-src_crypto_x509_root__bsd.go) = 0b5dead901450967109303f873a2696c65ccac35
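Review bot: the three lines for 9ba0948172cbb05308fb2a9db823a720f8ffb9ad.patch stay as unchanged context at the top of this hunk, so that extra patch distfile is still fetched and applied on top of 1.25.7. Confirm it is not already contained in the new tarball and still applies; if 1.25.7 includes it, drop the patch and its distinfo entries in this same commit.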


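The log message's advice to use VerifyConnection where Config.GetConfigForClient changes ClientCAs, as an added Go example (not code from this commit, pkgsrc or the Go project). `rootPinned` and `serverConfig` are hypothetical names, the per-SNI CA map is an assumed setup, and the certificate in `main` is a constructed stand-in.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
)

// rootPinned returns a VerifyConnection callback that accepts a connection only
// if a verified chain ends in an allowed root. It runs on resumed sessions too.
func rootPinned(allowed []*x509.Certificate) func(tls.ConnectionState) error {
	return func(cs tls.ConnectionState) error {
		for _, chain := range cs.VerifiedChains {
			for _, a := range allowed {
				if len(chain) > 0 && chain[len(chain)-1].Equal(a) {
					return nil
				}
			}
		}
		return fmt.Errorf("no verified chain ends in an allowed root (resumed=%t)", cs.DidResume)
	}
}

// serverConfig (hypothetical helper) selects client CAs per SNI name through
// GetConfigForClient and attaches the matching root check to each config.
func serverConfig(base *tls.Config, byHost map[string][]*x509.Certificate) *tls.Config {
	srv := base.Clone()
	srv.GetConfigForClient = func(h *tls.ClientHelloInfo) (*tls.Config, error) {
		roots, ok := byHost[h.ServerName]
		if !ok {
			return nil, fmt.Errorf("unknown server name %q", h.ServerName)
		}
		cfg := base.Clone() // still shares the parent's session ticket keys
		cfg.ClientCAs = x509.NewCertPool()
		for _, r := range roots {
			cfg.ClientCAs.AddCert(r)
		}
		cfg.ClientAuth = tls.RequireAndVerifyClientCert
		cfg.VerifyConnection = rootPinned(roots)
		return cfg, nil
	}
	return srv
}

func main() {
	rootA := &x509.Certificate{Raw: []byte("constructed root A")} // constructed stand-in
	cs := tls.ConnectionState{DidResume: true, VerifiedChains: [][]*x509.Certificate{{rootA}}}
	fmt.Println(rootPinned(nil)(cs)) // empty allow-list: the resumed session is refused
}
```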
