go126: update to 1.26 RC 3.

To: pkgsrc-wip-changes%NetBSD.org@localhost
Subject: go126: update to 1.26 RC 3.
From: Benny Siegert (via pkgsrc-wip) <commit-notify%pkgsrc.org@localhost>
Date: Fri, 6 Feb 2026 20:22:27 +0000

Module Name:	pkgsrc-wip
Committed By:	Benny Siegert <bsiegert%gmail.com@localhost>
Pushed By:	bsiegert
Date:		Fri Feb 6 21:21:41 2026 +0100
Changeset:	6dc8b0e8d6fff8066b58b9d40e0c5604de28ebf9

Modified Files:
	go126/Makefile
	go126/PLIST
	go126/distinfo

Log Message:
go126: update to 1.26 RC 3.

This release includes 1 security fix following the security policy:

crypto/tls: unexpected session resumption when using Config.GetConfigForClient

Config.GetConfigForClient is documented to use the original Config's session
ticket keys unless explicitly overridden. This can cause unexpected behavior if
the returned Config modifies authentication parameters, like ClientCAs: a
connection initially established with the parent (or a sibling) Config can be
resumed, bypassing the modified authentication requirements.

If ClientAuth is VerifyClientCertIfGiven or RequireAndVerifyClientCert (on the
server) or InsecureSkipVerify is false (on the client), crypto/tls now checks
that the root of the previously-verified chain is still in ClientCAs/RootCAs
when resuming a connection.

Go 1.26 Release Candidate 2, Go 1.25.6, and Go 1.24.12 had fixed a similar issue
related to session ticket keys being implicitly shared by Config.Clone. Since
this fix is broader, the Config.Clone behavior change has been reverted.

Note that VerifyPeerCertificate still behaves as documented: it does not apply
to resumed connections. Applications that use Config.GetConfigForClient or
Config.Clone and do not wish to blindly resume connections established with the
original Config must use VerifyConnection instead (or SetSessionTicketKeys or
SessionTicketsDisabled).

Thanks to Coia Prant (github.com/rbqvq) for reporting this issue.

This updates CVE-2025-68121 and Go issue https://go.dev/issue/77217.

To see a diff of this commit:
https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=commitdiff;h=6dc8b0e8d6fff8066b58b9d40e0c5604de28ebf9

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

diffstat:
 go126/Makefile | 2 +-
 go126/PLIST    | 6 ++++--
 go126/distinfo | 6 +++---
 3 files changed, 8 insertions(+), 6 deletions(-)

diffs:
diff --git a/go126/Makefile b/go126/Makefile
index cd95bab234..8364528fd1 100644
--- a/go126/Makefile
+++ b/go126/Makefile
@@ -4,7 +4,7 @@
 GO_BOOTSTRAP_REQD=	124
 .include "../../lang/go/bootstrap.mk"
 
-GO126_VERSION=	1.26rc2
+GO126_VERSION=	1.26rc3
 GOVERSSUFFIX=	126
 
 DISTNAME=	go${GO${GOVERSSUFFIX}_VERSION}.src
diff --git a/go126/PLIST b/go126/PLIST
index 6527a44b59..56dc72ef82 100644
--- a/go126/PLIST
+++ b/go126/PLIST
@@ -5107,14 +5107,14 @@ go126/src/crypto/internal/fips140test/acvp_test.go
 go126/src/crypto/internal/fips140test/acvp_test_fips140v1.0.config.json
 go126/src/crypto/internal/fips140test/acvp_test_fips140v1.26.config.json
 go126/src/crypto/internal/fips140test/alias_test.go
-go126/src/crypto/internal/fips140test/cast_fips140v1.0_test.go
-go126/src/crypto/internal/fips140test/cast_fips140v1.26_test.go
 go126/src/crypto/internal/fips140test/cast_test.go
 go126/src/crypto/internal/fips140test/check_test.go
 go126/src/crypto/internal/fips140test/cmac_test.go
 go126/src/crypto/internal/fips140test/ctrdrbg_test.go
 go126/src/crypto/internal/fips140test/edwards25519_test.go
 go126/src/crypto/internal/fips140test/entropy_test.go
+go126/src/crypto/internal/fips140test/fips140v1.0_test.go
+go126/src/crypto/internal/fips140test/fips140v1.26_test.go
 go126/src/crypto/internal/fips140test/fips_test.go
 go126/src/crypto/internal/fips140test/indicator_test.go
 go126/src/crypto/internal/fips140test/mldsa_test.go
@@ -9210,6 +9210,7 @@ go126/src/os/exec/internal/fdtest/exists_test.go
 go126/src/os/exec/internal/fdtest/exists_unix.go
 go126/src/os/exec/internal/fdtest/exists_windows.go
 go126/src/os/exec/internal_test.go
+go126/src/os/exec/lookpath.go
 go126/src/os/exec/lp_linux_test.go
 go126/src/os/exec/lp_plan9.go
 go126/src/os/exec/lp_test.go
@@ -11851,6 +11852,7 @@ go126/test/escape5.go
 go126/test/escape6.go
 go126/test/escape_alias.go
 go126/test/escape_array.go
+go126/test/escape_bloop.go
 go126/test/escape_calls.go
 go126/test/escape_closure.go
 go126/test/escape_field.go
diff --git a/go126/distinfo b/go126/distinfo
index bfd5c0f016..b225555826 100644
--- a/go126/distinfo
+++ b/go126/distinfo
@@ -1,8 +1,8 @@
 $NetBSD: distinfo,v 1.7 2025/12/19 17:02:26 bsiegert Exp $
 
-BLAKE2s (go1.26rc2.src.tar.gz) = d488c2d453b5a4d5c8aaa48fa1445ccfc11608eba982c40f8d74070892cd56a5
-SHA512 (go1.26rc2.src.tar.gz) = 0db82bdd954bd43049f34b5d889ed423b4a4d74c803aaea0cd90d23f485d2c2ba654481b7038c1eab8c8c4df31ea7d6d9d894eafad1a32728dffdd732ef0c49a
-Size (go1.26rc2.src.tar.gz) = 34091929 bytes
+BLAKE2s (go1.26rc3.src.tar.gz) = f39d6348c5049b67e3a4d93a0e0caabb9f908f244450e8e6b4b1fea902221c53
+SHA512 (go1.26rc3.src.tar.gz) = 228258f5cfb2608b927594f5988b11dee4b0b8debe76a60af4a448981b50ef98cf25fd721548a3381fe6d25716cf81d79f879f73f24700094064239791fe0f02
+Size (go1.26rc3.src.tar.gz) = 34095482 bytes
 SHA1 (patch-misc_ios_clangwrap.sh) = 28ea4426336155d6720f7e16b43f0207b47a6dd8
 SHA1 (patch-src_cmd_dist_build.go) = cbb9576f832806b0cbef121ea38ba6a54db95bc3
 SHA1 (patch-src_crypto_x509_root__bsd.go) = 0b5dead901450967109303f873a2696c65ccac35

Prev by Date: portablexdr: try fixing compilation with gcc 15
Next by Date: emacs-git: merge mac change from emacs30
Previous by Thread: portablexdr: try fixing compilation with gcc 15
Next by Thread: emacs-git: merge mac change from emacs30
Indexes:

Home | Main Index | Thread Index | Old Index