CVS commit: pkgsrc/lang

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: pkgsrc/lang
From: "Benny Siegert" <bsiegert%netbsd.org@localhost>
Date: Tue, 2 Dec 2025 19:24:16 +0000

Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Tue Dec  2 19:24:16 UTC 2025

Modified Files:
        pkgsrc/lang/go: version.mk
        pkgsrc/lang/go124: Makefile distinfo
        pkgsrc/lang/go125: Makefile distinfo

Log Message:
go: update to 1.24.11 and 1.25.5 (security)

These releases include 2 security fixes following the security policy:

- crypto/x509: excessive resource consumption in printing error string for
  host certificate validation

  Within HostnameError.Error(), when constructing an error string, there is no
  limit to the number of hosts that will be printed out.
  Furthermore, the error string is constructed by repeated string
  concatenation, leading to quadratic runtime.

  Therefore, a certificate provided by a malicious actor can result in
  excessive resource consumption.
  HostnameError.Error() now limits the number of hosts and utilizes
  strings.Builder when constructing an error string.

  Thanks to Philippe Antoine (Catena cyber) for reporting this issue.

  This is CVE-2025-61729 and Go issue https://go.dev/issue/76445.

- crypto/x509: excluded subdomain constraint does not restrict wildcard SANs

  An excluded subdomain constraint in a certificate chain does not restrict
  the usage of wildcard SANs in the leaf certificate. For example a constraint
  that excludes the subdomain test.example.com does not prevent a leaf
  certificate from claiming the SAN *.example.com.

  This is CVE-2025-61727 and Go issue https://go.dev/issue/76442.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.25.5


To generate a diff of this commit:
cvs rdiff -u -r1.240 -r1.241 pkgsrc/lang/go/version.mk
cvs rdiff -u -r1.1 -r1.2 pkgsrc/lang/go124/Makefile
cvs rdiff -u -r1.11 -r1.12 pkgsrc/lang/go124/distinfo
cvs rdiff -u -r1.1 -r1.2 pkgsrc/lang/go125/Makefile
cvs rdiff -u -r1.5 -r1.6 pkgsrc/lang/go125/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/lang/go/version.mk
diff -u pkgsrc/lang/go/version.mk:1.240 pkgsrc/lang/go/version.mk:1.241
--- pkgsrc/lang/go/version.mk:1.240     Sat Nov  8 02:26:15 2025
+++ pkgsrc/lang/go/version.mk   Tue Dec  2 19:24:15 2025
@@ -1,4 +1,4 @@
-# $NetBSD: version.mk,v 1.240 2025/11/08 02:26:15 bsiegert Exp $
+# $NetBSD: version.mk,v 1.241 2025/12/02 19:24:15 bsiegert Exp $
 
 #
 # If bsd.prefs.mk is included before go-package.mk in a package, then this
@@ -6,8 +6,8 @@
 #
 .include "go-vars.mk"
 
-GO125_VERSION= 1.25.4
-GO124_VERSION= 1.24.10
+GO125_VERSION= 1.25.5
+GO124_VERSION= 1.24.11
 GO123_VERSION= 1.23.12
 GO122_VERSION= 1.22.12
 GO120_VERSION= 1.20.14

Index: pkgsrc/lang/go124/Makefile
diff -u pkgsrc/lang/go124/Makefile:1.1 pkgsrc/lang/go124/Makefile:1.2
--- pkgsrc/lang/go124/Makefile:1.1      Tue Feb 25 20:09:16 2025
+++ pkgsrc/lang/go124/Makefile  Tue Dec  2 19:24:16 2025
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.1 2025/02/25 20:09:16 bsiegert Exp $
+# $NetBSD: Makefile,v 1.2 2025/12/02 19:24:16 bsiegert Exp $
 
 .include "../../lang/go/version.mk"
 GO_BOOTSTRAP_REQD=     122
@@ -9,7 +9,7 @@ GOVERSSUFFIX=   124
 DISTNAME=      go${GO${GOVERSSUFFIX}_VERSION}.src
 PKGNAME=       go${GOVERSSUFFIX}-${GO${GOVERSSUFFIX}_VERSION}
 CATEGORIES=    lang
-MASTER_SITES=  https://storage.googleapis.com/golang/
+MASTER_SITES=  https://go.dev/dl/
 
 MAINTAINER=    bsiegert%NetBSD.org@localhost
 HOMEPAGE=      https://golang.org/

Index: pkgsrc/lang/go124/distinfo
diff -u pkgsrc/lang/go124/distinfo:1.11 pkgsrc/lang/go124/distinfo:1.12
--- pkgsrc/lang/go124/distinfo:1.11     Sat Nov  8 02:26:15 2025
+++ pkgsrc/lang/go124/distinfo  Tue Dec  2 19:24:16 2025
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.11 2025/11/08 02:26:15 bsiegert Exp $
+$NetBSD: distinfo,v 1.12 2025/12/02 19:24:16 bsiegert Exp $
 
-BLAKE2s (go1.24.10.src.tar.gz) = 3f7981d0dd364df8e65cdb72c75fd1b8fc045cb308061a8cde0084f6b038b9b9
-SHA512 (go1.24.10.src.tar.gz) = 4fa49b8948ecc9dfe8b18e098f0fef4226eeb59ea0bfd266e0bf207bfd06a51e2c4bbf8aa98482e1cdc4c892defa4de2afcbcd289cb5872dc9c62cd355fbcfbe
-Size (go1.24.10.src.tar.gz) = 30800718 bytes
+BLAKE2s (go1.24.11.src.tar.gz) = 41d1c9d42d5021a4cc84d55991789f59dfe015273e96d273c7903e8127adf9ef
+SHA512 (go1.24.11.src.tar.gz) = 9344039d231e50b63f52acbdd6cf2f483a4052d95b5fcc3e8a6d8fde80f0195f66ac5588302809ff0425de4d7c6b428ae842ec33b468c7020873acedbdea16ef
+Size (go1.24.11.src.tar.gz) = 30801851 bytes
 SHA1 (patch-misc_ios_clangwrap.sh) = 28ea4426336155d6720f7e16b43f0207b47a6dd8
 SHA1 (patch-src_cmd_dist_build.go) = cbb9576f832806b0cbef121ea38ba6a54db95bc3
 SHA1 (patch-src_crypto_x509_root__bsd.go) = 0b5dead901450967109303f873a2696c65ccac35

Index: pkgsrc/lang/go125/Makefile
diff -u pkgsrc/lang/go125/Makefile:1.1 pkgsrc/lang/go125/Makefile:1.2
--- pkgsrc/lang/go125/Makefile:1.1      Sat Aug 16 15:52:03 2025
+++ pkgsrc/lang/go125/Makefile  Tue Dec  2 19:24:16 2025
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.1 2025/08/16 15:52:03 bsiegert Exp $
+# $NetBSD: Makefile,v 1.2 2025/12/02 19:24:16 bsiegert Exp $
 
 .include "../../lang/go/version.mk"
 GO_BOOTSTRAP_REQD=     122
@@ -9,7 +9,7 @@ GOVERSSUFFIX=   125
 DISTNAME=      go${GO${GOVERSSUFFIX}_VERSION}.src
 PKGNAME=       go${GOVERSSUFFIX}-${GO${GOVERSSUFFIX}_VERSION}
 CATEGORIES=    lang
-MASTER_SITES=  https://storage.googleapis.com/golang/
+MASTER_SITES=  https://go.dev/dl/
 
 MAINTAINER=    bsiegert%NetBSD.org@localhost
 HOMEPAGE=      https://golang.org/

Index: pkgsrc/lang/go125/distinfo
diff -u pkgsrc/lang/go125/distinfo:1.5 pkgsrc/lang/go125/distinfo:1.6
--- pkgsrc/lang/go125/distinfo:1.5      Sat Nov  8 02:26:15 2025
+++ pkgsrc/lang/go125/distinfo  Tue Dec  2 19:24:16 2025
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.5 2025/11/08 02:26:15 bsiegert Exp $
+$NetBSD: distinfo,v 1.6 2025/12/02 19:24:16 bsiegert Exp $
 
-BLAKE2s (go1.25.4.src.tar.gz) = f8c7bb92c10ff2d314eebf14165d5654591bac4e23ffc618f759057d3750c7fb
-SHA512 (go1.25.4.src.tar.gz) = 6892c2cadc22bce82250f52c754053a70e9e594ec53754a1bed6b9594e8faffda1a6b052d6e298692948740ac0079697294430a4138a842ea298877449cf01cd
-Size (go1.25.4.src.tar.gz) = 31981767 bytes
+BLAKE2s (go1.25.5.src.tar.gz) = a91a3c9dcfba4ff41b95c2371166b5913f870b8ff136feba7f0abe6d34b0e537
+SHA512 (go1.25.5.src.tar.gz) = 97ec368521253bce610e1e3a6f10460f4a38eba440289553a40ab27afcdf2bb9b426d150ffaa3be8db50e84a00a4eb723a631ebc4f39168bc133bf7b2f1ccf66
+Size (go1.25.5.src.tar.gz) = 31983405 bytes
 SHA1 (patch-misc_ios_clangwrap.sh) = 28ea4426336155d6720f7e16b43f0207b47a6dd8
 SHA1 (patch-src_cmd_dist_build.go) = cbb9576f832806b0cbef121ea38ba6a54db95bc3
 SHA1 (patch-src_crypto_x509_root__bsd.go) = 0b5dead901450967109303f873a2696c65ccac35

Prev by Date: CVS commit: pkgsrc/doc
Next by Date: CVS commit: pkgsrc
Previous by Thread: CVS commit: pkgsrc/doc
Next by Thread: CVS commit: pkgsrc
Indexes:

Home | Main Index | Thread Index | Old Index