pkgsrc-Changes archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
CVS commit: pkgsrc/lang
Module Name: pkgsrc
Committed By: bsiegert
Date: Thu May 7 18:40:37 UTC 2026
Modified Files:
pkgsrc/lang/go: version.mk
pkgsrc/lang/go125: PLIST distinfo
pkgsrc/lang/go126: PLIST distinfo
Log Message:
go: update to 1.25.10 and 1.26.3 (security)
These releases include 11 security fixes following the security policy
<https://go.dev/doc/security/policy>:
- cmd/go: malicious module proxy can bypass checksum database
A malicious module proxy could exploit a flaw in the go command's
validation of module checksums to bypass checksum database validation.
This vulnerability affects any user using an untrusted module proxy
(GOMODPROXY) or checksum database (GOSUMDB).
A malicious module proxy can serve altered versions of the Go toolchain.
When selecting a different version of the Go toolchain than the
currently installed toolchain (due to the GOTOOLCHAIN environment variable,
or a go.work or go.mod with a toolchain line), the go command will download
and execute a toolchain provided by the module proxy. A malicious module
proxy can bypass checksum database validation for this downloaded
toolchain.
Since this vulnerability affects the security of toolchain downloads,
setting GOTOOLCHAIN to a fixed version is not sufficient. You must upgrade
your base Go toolchain.
The go tool always validates the hash of a toolchain before executing it,
so fixed versions will refuse to execute any cached, altered versions of the
toolchain.
The go tool trusts go.sum files to contain accurate hashes of the current
module's dependencies. A malicious proxy exploiting this vulnerability to
serve an altered module will have caused an incorrect hash to be recorded
in the go.sum. Users who have configured a non-trusted GOPROXY can determine
if they have been affected by running
"rm go.sum ; go mod tidy ; go mod verify",
which will revalidate all dependencies of the current module.
The specific flaw in more detail:
The go command consults the checksum database to validate downloaded modules,
when a module is not listed in the go.sum file. It verifies that the module
hash reported by the checksum database matches the hash of the downloaded
module. If, however, the checksum database returns a successful response
that contains no entry for the module, the go command incorrectly permitted
validation to succeed.
A module proxy may mirror or proxy the checksum database, in which case the
go command will not connect to the checksum database directly. Checksums
reported by the checksum database are cryptographically signed, so a
malicious proxy cannot alter the reported checksum for a module. However, a
proxy which returns an empty checksum response, or a checksum response for
an unrelated module, could cause the go command to proceed as if a
downloaded module has been validated.
The go command now properly checks checksum database responses to ensure
that the expected module signature is present, not just that if a signature
is present it matches the expectation.
Thanks to Mundur (https://github.com/M0nd0R) for reporting this issue.
This is CVE-2026-42501 and Go issue https://go.dev/issue/79070.
- net/http/httputil: ReverseProxy forwards queries with more than
urlmaxqueryparams parameters
When used with a Rewrite function, or a Director function which parses query
parameters, ReverseProxy sanitizes the forwarded request to remove query
parameters which are not parsed by url.ParseQuery. ReverseProxy did not take
ParseQuery's limit on the total number of query parameters (controlled by
GODEBUG=urlmaxqueryparams=N) into account. This could permit ReverseProxy to
forward a request containing a query parameter that was not visible to the
Rewrite function.
For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" could forward the
parameter "hidden=y" while hiding it from the proxy's Rewrite function.
ReverseProxy now avoids forwarding parameters that exceed the ParseQuery
limit.
This is CVE-2026-39825 and Go issue https://go.dev/issue/78948.
- net: panic in Dial and LookupPort when handling NUL byte on Windows
The Dial and LookupPort functions would panic on Windows when provided
with an input containing a NUL (0). These functions now return an error
rather than panicking.
This is CVE-2026-39836 and Go issue https://go.dev/issue/79006.
- net/mail: quadratic string concatenation in consumePhrase
Pathological inputs could cause DoS through consumePhrase
when parsing an email address according to RFC 5322.
This is CVE-2026-42499 and Go issue https://go.dev/issue/78987.
- net/mail: quadratic string concatentation in consumeComment
Well-crafted inputs reaching ParseAddress, ParseAddressList,
and ParseDate were able to trigger excessive CPU exhaustion
and memory allocations.
This is CVE-2026-39820 and Go issue https://go.dev/issue/78566.
- cmd/go: "go bug" follows symlinks in predictable temporary filenames
The "go bug" command wrote to two files with predictable names in
the system temporary directory (for example, "/tmp").
An attacker with access to the temporary directory could create a
symlink in one of these names, causing "go bug" to overwrite the
target of the symlink.
The "go bug" command now uses os.MkdirTemp to create a safe
working directory.
Thanks to Harshit Gupta (Mr HAX) for reporting this issue.
This is CVE-2026-39819 and Go issue https://go.dev/issue/78584.
- cmd/go: "go tool pack" does not sanitize output paths
The "go tool pack" subcommand is a minimal version of the Unix ar utility.
It is used by the compiler as an internal tool with known-good inputs.
The "pack" subcommand did not sanitize output filenames.
When invoked to extract a malicious archive file, it could write
files to arbitrary locations on the filesystem.
The "pack" subcommand now refuses to extract files with names
containing any directory components.
Thanks to Harshit Gupta (Mr HAX) for reporting this issue.
This is CVE-2026-39817 and Go issue https://go.dev/issue/78778.
- net/http: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE
When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of
writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a
value of 0.
This allows potential DoS against a client by a malicious server. HTTP/2
transport now properly checks that the received SETTINGS_MAX_FRAME_SIZE is
valid.
Thanks to Marwan Atia (marwansamir688%gmail.com@localhost) for reporting this issue.
This is CVE-2026-33814 and Go issue https://go.dev/issue/78476.
- html/template: escaper bypass leads to XSS
If a trusted template author were to write a
tag containing an empty type attribute or a type
attribute with an ASCII whitespace, the execution of
the template would incorrectly escape any data passed
into the block.
Thanks to Mundur (https://github.com/M0nd0R) for reporting this issue.
This is CVE-2026-39826 and Go issue https://go.dev/issue/78981.
- net: crash when handling long CNAME response
When using LookupCNAME with the cgo DNS resolver,
a very long CNAME response could trigger a double-free of C memory
and a crash. The double-free has been fixed.
Thanks to hamayanhamayan for reporting this issue.
This is CVE-2026-33811 and Go issue https://go.dev/issue/78803.
- html/template: bypass of meta content URL escaping causes XSS
CVE-2026-27142 fixed a vulnerability in which URLs were not
correctly escaped inside of a tag's attribute.
If the URL content were to insert ASCII whitespaces around the
= rune inside of the attribute, the escaper would
fail to similarly escape it, leading to XSS.
Dynamic inputs to a tag's attribute are now
whitespace sanitized prior to escaping.
Thanks to Samy Ghannad for reporting this issue.
This is CVE-2026-39823 and Go issue https://go.dev/issue/78913.
View the release notes for more information:
https://go.dev/doc/devel/release#go1.26.3
To generate a diff of this commit:
cvs rdiff -u -r1.248 -r1.249 pkgsrc/lang/go/version.mk
cvs rdiff -u -r1.6 -r1.7 pkgsrc/lang/go125/PLIST
cvs rdiff -u -r1.11 -r1.12 pkgsrc/lang/go125/distinfo
cvs rdiff -u -r1.3 -r1.4 pkgsrc/lang/go126/PLIST pkgsrc/lang/go126/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/lang/go/version.mk
diff -u pkgsrc/lang/go/version.mk:1.248 pkgsrc/lang/go/version.mk:1.249
--- pkgsrc/lang/go/version.mk:1.248 Mon Apr 13 09:52:34 2026
+++ pkgsrc/lang/go/version.mk Thu May 7 18:40:36 2026
@@ -1,4 +1,4 @@
-# $NetBSD: version.mk,v 1.248 2026/04/13 09:52:34 tnn Exp $
+# $NetBSD: version.mk,v 1.249 2026/05/07 18:40:36 bsiegert Exp $
#
# If bsd.prefs.mk is included before go-package.mk in a package, then this
@@ -6,8 +6,8 @@
#
.include "go-vars.mk"
-GO126_VERSION= 1.26.2
-GO125_VERSION= 1.25.9
+GO126_VERSION= 1.26.3
+GO125_VERSION= 1.25.10
GO124_VERSION= 1.24.13
GO123_VERSION= 1.23.12
GO122_VERSION= 1.22.12
Index: pkgsrc/lang/go125/PLIST
diff -u pkgsrc/lang/go125/PLIST:1.6 pkgsrc/lang/go125/PLIST:1.7
--- pkgsrc/lang/go125/PLIST:1.6 Wed Apr 8 05:43:35 2026
+++ pkgsrc/lang/go125/PLIST Thu May 7 18:40:36 2026
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.6 2026/04/08 05:43:35 bsiegert Exp $
+@comment $NetBSD: PLIST,v 1.7 2026/05/07 18:40:36 bsiegert Exp $
bin/go${GOVERSSUFFIX}
bin/gofmt${GOVERSSUFFIX}
go125/CONTRIBUTING.md
@@ -55,6 +55,7 @@ go125/doc/initial/7-ports.md
go125/go.env
go125/lib/fips140/Makefile
go125/lib/fips140/README.md
+go125/lib/fips140/certified.txt
go125/lib/fips140/fips140.sum
go125/lib/fips140/inprocess.txt
go125/lib/fips140/v1.0.0-c2097c7c.zip
@@ -918,6 +919,7 @@ go125/src/cmd/compile/internal/loopvar/t
go125/src/cmd/compile/internal/loopvar/testdata/opt.go
go125/src/cmd/compile/internal/loopvar/testdata/range_esc_address.go
go125/src/cmd/compile/internal/loopvar/testdata/range_esc_closure.go
+go125/src/cmd/compile/internal/loopvar/testdata/range_esc_closure_linedir.go
go125/src/cmd/compile/internal/loopvar/testdata/range_esc_method.go
go125/src/cmd/compile/internal/loopvar/testdata/range_esc_minimal_closure.go
go125/src/cmd/compile/internal/mips/galign.go
@@ -2256,6 +2258,7 @@ go125/src/cmd/go/testdata/script/cover_r
go125/src/cmd/go/testdata/script/cover_single_vs_multiple.txt
go125/src/cmd/go/testdata/script/cover_statements.txt
go125/src/cmd/go/testdata/script/cover_swig.txt
+go125/src/cmd/go/testdata/script/cover_switch_toolchain.txt
go125/src/cmd/go/testdata/script/cover_sync_atomic_import.txt
go125/src/cmd/go/testdata/script/cover_test_localpkg_filepath.txt
go125/src/cmd/go/testdata/script/cover_test_pkgselect.txt
@@ -2685,6 +2688,7 @@ go125/src/cmd/go/testdata/script/mod_ski
go125/src/cmd/go/testdata/script/mod_stale.txt
go125/src/cmd/go/testdata/script/mod_std_vendor.txt
go125/src/cmd/go/testdata/script/mod_string_alias.txt
+go125/src/cmd/go/testdata/script/mod_sum_absent.txt
go125/src/cmd/go/testdata/script/mod_sum_ambiguous.txt
go125/src/cmd/go/testdata/script/mod_sum_issue56222.txt
go125/src/cmd/go/testdata/script/mod_sum_lookup.txt
@@ -2797,6 +2801,8 @@ go125/src/cmd/go/testdata/script/test_bu
go125/src/cmd/go/testdata/script/test_buildinfo.txt
go125/src/cmd/go/testdata/script/test_buildinfo_godebug_issue68053.txt
go125/src/cmd/go/testdata/script/test_buildvcs.txt
+go125/src/cmd/go/testdata/script/test_cache_coverpkg_bug.txt
+go125/src/cmd/go/testdata/script/test_cache_coverpkg_no_profile.txt
go125/src/cmd/go/testdata/script/test_cache_inputs.txt
go125/src/cmd/go/testdata/script/test_chatty_fail.txt
go125/src/cmd/go/testdata/script/test_chatty_parallel_fail.txt
@@ -8082,6 +8088,7 @@ go125/src/internal/types/testdata/fixedb
go125/src/internal/types/testdata/fixedbugs/issue71198.go
go125/src/internal/types/testdata/fixedbugs/issue71284.go
go125/src/internal/types/testdata/fixedbugs/issue72936.go
+go125/src/internal/types/testdata/fixedbugs/issue78163.go
go125/src/internal/types/testdata/spec/assignability.go
go125/src/internal/types/testdata/spec/comparable.go
go125/src/internal/types/testdata/spec/comparable1.19.go
@@ -13613,6 +13620,7 @@ go125/test/fixedbugs/issue7760.go
go125/test/fixedbugs/issue77919.go
go125/test/fixedbugs/issue7794.go
go125/test/fixedbugs/issue7863.go
+go125/test/fixedbugs/issue78641.go
go125/test/fixedbugs/issue7867.go
go125/test/fixedbugs/issue7884.go
go125/test/fixedbugs/issue7921.go
Index: pkgsrc/lang/go125/distinfo
diff -u pkgsrc/lang/go125/distinfo:1.11 pkgsrc/lang/go125/distinfo:1.12
--- pkgsrc/lang/go125/distinfo:1.11 Wed Apr 8 05:43:35 2026
+++ pkgsrc/lang/go125/distinfo Thu May 7 18:40:36 2026
@@ -1,11 +1,11 @@
-$NetBSD: distinfo,v 1.11 2026/04/08 05:43:35 bsiegert Exp $
+$NetBSD: distinfo,v 1.12 2026/05/07 18:40:36 bsiegert Exp $
BLAKE2s (9ba0948172cbb05308fb2a9db823a720f8ffb9ad.patch) = e1cc8b23dd53ddb2e0d034b15afda2c5f83a5103a9536fd54d717b07f5fd9628
SHA512 (9ba0948172cbb05308fb2a9db823a720f8ffb9ad.patch) = 0a0787b8ea302356b724c36baf0db0df4ba29e5c56a6facc7d5a86d159dd6de23817ca62c3446f7e134810b44ebd79b6758331630e2ba8b196e6b249f1871d33
Size (9ba0948172cbb05308fb2a9db823a720f8ffb9ad.patch) = 1661 bytes
-BLAKE2s (go1.25.9.src.tar.gz) = cb6479fc548f1786addd2758c263d1f978fcdd7a123fd4b9089aa70dd3395b4c
-SHA512 (go1.25.9.src.tar.gz) = b1a89da9f53db56f59716814adf412f10fcb7e72aa9fa0df216ad7200082731f18b449bc669d340f59b80355e66a6e2f156567a45ffd2e138df45bf8bce8dd8f
-Size (go1.25.9.src.tar.gz) = 31997830 bytes
+BLAKE2s (go1.25.10.src.tar.gz) = ad9ca5c85de58992571cb893a86099dd978c86015ed970606656c6cfddfbfea9
+SHA512 (go1.25.10.src.tar.gz) = 4a938b18d00af583d1ab8592386b8c71385997b1c8fab661549232ee84ac2f42716dc8304c38f1f462335a12048da19611bb614a7007d8201e6818a11f187487
+Size (go1.25.10.src.tar.gz) = 32000721 bytes
SHA1 (patch-misc_ios_clangwrap.sh) = 28ea4426336155d6720f7e16b43f0207b47a6dd8
SHA1 (patch-src_cmd_dist_build.go) = cbb9576f832806b0cbef121ea38ba6a54db95bc3
SHA1 (patch-src_crypto_x509_root__bsd.go) = 0b5dead901450967109303f873a2696c65ccac35
Index: pkgsrc/lang/go126/PLIST
diff -u pkgsrc/lang/go126/PLIST:1.3 pkgsrc/lang/go126/PLIST:1.4
--- pkgsrc/lang/go126/PLIST:1.3 Wed Apr 8 05:43:35 2026
+++ pkgsrc/lang/go126/PLIST Thu May 7 18:40:36 2026
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.3 2026/04/08 05:43:35 bsiegert Exp $
+@comment $NetBSD: PLIST,v 1.4 2026/05/07 18:40:36 bsiegert Exp $
bin/go${GOVERSSUFFIX}
bin/gofmt${GOVERSSUFFIX}
go126/CONTRIBUTING.md
@@ -56,6 +56,7 @@ go126/doc/initial/7-ports.md
go126/go.env
go126/lib/fips140/Makefile
go126/lib/fips140/README.md
+go126/lib/fips140/certified.txt
go126/lib/fips140/fips140.sum
go126/lib/fips140/inprocess.txt
go126/lib/fips140/v1.0.0-c2097c7c.zip
@@ -937,6 +938,7 @@ go126/src/cmd/compile/internal/loopvar/t
go126/src/cmd/compile/internal/loopvar/testdata/opt.go
go126/src/cmd/compile/internal/loopvar/testdata/range_esc_address.go
go126/src/cmd/compile/internal/loopvar/testdata/range_esc_closure.go
+go126/src/cmd/compile/internal/loopvar/testdata/range_esc_closure_linedir.go
go126/src/cmd/compile/internal/loopvar/testdata/range_esc_method.go
go126/src/cmd/compile/internal/loopvar/testdata/range_esc_minimal_closure.go
go126/src/cmd/compile/internal/mips/galign.go
@@ -2290,6 +2292,7 @@ go126/src/cmd/go/testdata/script/cover_r
go126/src/cmd/go/testdata/script/cover_single_vs_multiple.txt
go126/src/cmd/go/testdata/script/cover_statements.txt
go126/src/cmd/go/testdata/script/cover_swig.txt
+go126/src/cmd/go/testdata/script/cover_switch_toolchain.txt
go126/src/cmd/go/testdata/script/cover_sync_atomic_import.txt
go126/src/cmd/go/testdata/script/cover_test_localpkg_filepath.txt
go126/src/cmd/go/testdata/script/cover_test_pkgselect.txt
@@ -2317,6 +2320,7 @@ go126/src/cmd/go/testdata/script/env_wri
go126/src/cmd/go/testdata/script/fileline.txt
go126/src/cmd/go/testdata/script/fips.txt
go126/src/cmd/go/testdata/script/fipssnap.txt
+go126/src/cmd/go/testdata/script/fix_diff_exitcode.txt
go126/src/cmd/go/testdata/script/fix_suite.txt
go126/src/cmd/go/testdata/script/fix_vendor.txt
go126/src/cmd/go/testdata/script/fmt_load_errors.txt
@@ -2730,6 +2734,7 @@ go126/src/cmd/go/testdata/script/mod_ski
go126/src/cmd/go/testdata/script/mod_stale.txt
go126/src/cmd/go/testdata/script/mod_std_vendor.txt
go126/src/cmd/go/testdata/script/mod_string_alias.txt
+go126/src/cmd/go/testdata/script/mod_sum_absent.txt
go126/src/cmd/go/testdata/script/mod_sum_ambiguous.txt
go126/src/cmd/go/testdata/script/mod_sum_issue56222.txt
go126/src/cmd/go/testdata/script/mod_sum_lookup.txt
@@ -2843,6 +2848,8 @@ go126/src/cmd/go/testdata/script/test_bu
go126/src/cmd/go/testdata/script/test_buildinfo.txt
go126/src/cmd/go/testdata/script/test_buildinfo_godebug_issue68053.txt
go126/src/cmd/go/testdata/script/test_buildvcs.txt
+go126/src/cmd/go/testdata/script/test_cache_coverpkg_bug.txt
+go126/src/cmd/go/testdata/script/test_cache_coverpkg_no_profile.txt
go126/src/cmd/go/testdata/script/test_cache_inputs.txt
go126/src/cmd/go/testdata/script/test_chatty_fail.txt
go126/src/cmd/go/testdata/script/test_chatty_parallel_fail.txt
@@ -4907,6 +4914,8 @@ go126/src/crypto/internal/fips140/check/
go126/src/crypto/internal/fips140/check/checktest/test.go
go126/src/crypto/internal/fips140/drbg/cast.go
go126/src/crypto/internal/fips140/drbg/ctrdrbg.go
+go126/src/crypto/internal/fips140/drbg/entropy_fips140.go
+go126/src/crypto/internal/fips140/drbg/entropy_wasm.go
go126/src/crypto/internal/fips140/drbg/rand.go
go126/src/crypto/internal/fips140/drbg/rand_test.go
go126/src/crypto/internal/fips140/ecdh/cast.go
@@ -8339,6 +8348,7 @@ go126/src/internal/types/testdata/fixedb
go126/src/internal/types/testdata/fixedbugs/issue76383.go
go126/src/internal/types/testdata/fixedbugs/issue76384.go
go126/src/internal/types/testdata/fixedbugs/issue76478.go
+go126/src/internal/types/testdata/fixedbugs/issue78163.go
go126/src/internal/types/testdata/spec/assignability.go
go126/src/internal/types/testdata/spec/comparable.go
go126/src/internal/types/testdata/spec/comparable1.19.go
@@ -14098,7 +14108,9 @@ go126/test/fixedbugs/issue77779.go
go126/test/fixedbugs/issue77815.go
go126/test/fixedbugs/issue77919.go
go126/test/fixedbugs/issue7794.go
+go126/test/fixedbugs/issue78404.go
go126/test/fixedbugs/issue7863.go
+go126/test/fixedbugs/issue78641.go
go126/test/fixedbugs/issue7867.go
go126/test/fixedbugs/issue7884.go
go126/test/fixedbugs/issue7921.go
Index: pkgsrc/lang/go126/distinfo
diff -u pkgsrc/lang/go126/distinfo:1.3 pkgsrc/lang/go126/distinfo:1.4
--- pkgsrc/lang/go126/distinfo:1.3 Wed Apr 8 05:43:35 2026
+++ pkgsrc/lang/go126/distinfo Thu May 7 18:40:37 2026
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.3 2026/04/08 05:43:35 bsiegert Exp $
+$NetBSD: distinfo,v 1.4 2026/05/07 18:40:37 bsiegert Exp $
-BLAKE2s (go1.26.2.src.tar.gz) = ddc192dfd3d64112040448bce9d23d785ae50636826f5201f7bd518ee78831ff
-SHA512 (go1.26.2.src.tar.gz) = 370773727c0e6fbf0acd534726938aaaa03ff785f0634c258c94a7a896e9a27acc0ba57120967f711a942e9e275cec46251a194d6f84ba15f28b5dcf0efed673
-Size (go1.26.2.src.tar.gz) = 34120738 bytes
+BLAKE2s (go1.26.3.src.tar.gz) = a8a08bd81f151bc51df9f3b057502aae7bfc54952cbd913e7a3e5afa7097b576
+SHA512 (go1.26.3.src.tar.gz) = 9c673a9ec7783a345b6294984486a5c76ba52de3eb72c95cbd68626312d100c50adb7a3ed15c93d1dc9ce9969b0f6fb4b86c87771118091cc7b0297afaf74fec
+Size (go1.26.3.src.tar.gz) = 34119059 bytes
SHA1 (patch-misc_ios_clangwrap.sh) = 28ea4426336155d6720f7e16b43f0207b47a6dd8
SHA1 (patch-src_cmd_dist_build.go) = cbb9576f832806b0cbef121ea38ba6a54db95bc3
SHA1 (patch-src_crypto_x509_root__bsd.go) = 0b5dead901450967109303f873a2696c65ccac35
Home |
Main Index |
Thread Index |
Old Index