pkgsrc-Changes archive


CVS commit: pkgsrc/lang



Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Fri Jun  5 10:18:24 UTC 2026

Modified Files:
        pkgsrc/lang/go: version.mk
        pkgsrc/lang/go125: PLIST distinfo
        pkgsrc/lang/go126: PLIST distinfo

Log Message:
go: update to 1.26.4 and 1.25.11 (security).

These releases include 3 security fixes following the security policy:

-       mime: quadratic complexity in WordDecoder.DecodeHeader

        Decoding a maliciously-crafted MIME header containing many invalid
        encoded-words could consume excessive CPU.
        The MIME decoder now better handles this case.

        Thanks to p4p3r (https://hackerone.com/p4p3r_hak) for reporting this issue.

        This is CVE-2026-42504 and Go issue https://go.dev/issue/79217.

-       net/textproto: arbitrary input is included in errors without any escaping

        When returning errors, functions in the net/textproto package would
        include their input as part of the error, without any escaping. Note that
        said input is often controlled by external parties when using this
        package naturally. For example, a net/http client uses ReadMIMEHeader
        when parsing the headers it receives from a server.

        As a result, an attacker could inject arbitrary content into the error.
        Practically, this can result in an attacker injecting misleading
        content, terminal control bytes, etc. into a victim's output or logs.

        This is CVE-2026-42507 and Go issue https://go.dev/issue/79346

-       crypto/x509: split candidate hostname only once

        (*x509.Certificate).VerifyHostname previously called matchHostnames in a loop
        over all DNS Subject Alternative Name (SAN) entries. This caused
        strings.Split(host, ".") to execute repeatedly on the same input hostname.

        With a large DNS SAN list, verification costs scaled quadratically based on the
        number of SAN entries multiplied by the hostname's label count. Because
        x509.Verify validates hostnames before building the certificate chain, this
        overhead occurred even for untrusted certificates.

        Thanks to Jakub Ciolek (https://ciolek.dev) for reporting this issue.

        This is CVE-2026-27145 and https://go.dev/issue/79694.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.26.4


To generate a diff of this commit:
cvs rdiff -u -r1.249 -r1.250 pkgsrc/lang/go/version.mk
cvs rdiff -u -r1.7 -r1.8 pkgsrc/lang/go125/PLIST
cvs rdiff -u -r1.12 -r1.13 pkgsrc/lang/go125/distinfo
cvs rdiff -u -r1.4 -r1.5 pkgsrc/lang/go126/PLIST pkgsrc/lang/go126/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/lang/go/version.mk
diff -u pkgsrc/lang/go/version.mk:1.249 pkgsrc/lang/go/version.mk:1.250
--- pkgsrc/lang/go/version.mk:1.249     Thu May  7 18:40:36 2026
+++ pkgsrc/lang/go/version.mk   Fri Jun  5 10:18:24 2026
@@ -1,4 +1,4 @@
-# $NetBSD: version.mk,v 1.249 2026/05/07 18:40:36 bsiegert Exp $
+# $NetBSD: version.mk,v 1.250 2026/06/05 10:18:24 bsiegert Exp $
 
 #
 # If bsd.prefs.mk is included before go-package.mk in a package, then this
@@ -6,8 +6,8 @@
 #
 .include "go-vars.mk"
 
-GO126_VERSION= 1.26.3
-GO125_VERSION= 1.25.10
+GO126_VERSION= 1.26.4
+GO125_VERSION= 1.25.11
 GO124_VERSION= 1.24.13
 GO123_VERSION= 1.23.12
 GO122_VERSION= 1.22.12
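
Review bot: GO124_VERSION, GO123_VERSION and GO122_VERSION stay at 1.24.13, 1.23.12 and 1.22.12 in this hunk, while the log message lists the three security fixes only for 1.26.4 and 1.25.11. Packages that still build with the older branches do not receive these fixes from this commit; the log message could say so explicitly, or note that such packages should move to go125 or go126.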

Index: pkgsrc/lang/go125/PLIST
diff -u pkgsrc/lang/go125/PLIST:1.7 pkgsrc/lang/go125/PLIST:1.8
--- pkgsrc/lang/go125/PLIST:1.7 Thu May  7 18:40:36 2026
+++ pkgsrc/lang/go125/PLIST     Fri Jun  5 10:18:24 2026
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.7 2026/05/07 18:40:36 bsiegert Exp $
+@comment $NetBSD: PLIST,v 1.8 2026/06/05 10:18:24 bsiegert Exp $
 bin/go${GOVERSSUFFIX}
 bin/gofmt${GOVERSSUFFIX}
 go125/CONTRIBUTING.md
@@ -13623,6 +13623,7 @@ go125/test/fixedbugs/issue7863.go
 go125/test/fixedbugs/issue78641.go
 go125/test/fixedbugs/issue7867.go
 go125/test/fixedbugs/issue7884.go
+go125/test/fixedbugs/issue79182.go
 go125/test/fixedbugs/issue7921.go
 go125/test/fixedbugs/issue7944.go
 go125/test/fixedbugs/issue7995.go
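
Review bot: the added go125/test/fixedbugs/issue79182.go does not match any of the issue numbers named in the log message (79217, 79346, 79694), so the release carries at least one change beyond the three security fixes described. A one-line mention of the non-security changes in the log message would make this PLIST addition easier to audit.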

Index: pkgsrc/lang/go125/distinfo
diff -u pkgsrc/lang/go125/distinfo:1.12 pkgsrc/lang/go125/distinfo:1.13
--- pkgsrc/lang/go125/distinfo:1.12     Thu May  7 18:40:36 2026
+++ pkgsrc/lang/go125/distinfo  Fri Jun  5 10:18:24 2026
@@ -1,11 +1,11 @@
-$NetBSD: distinfo,v 1.12 2026/05/07 18:40:36 bsiegert Exp $
+$NetBSD: distinfo,v 1.13 2026/06/05 10:18:24 bsiegert Exp $
 
 BLAKE2s (9ba0948172cbb05308fb2a9db823a720f8ffb9ad.patch) = e1cc8b23dd53ddb2e0d034b15afda2c5f83a5103a9536fd54d717b07f5fd9628
 SHA512 (9ba0948172cbb05308fb2a9db823a720f8ffb9ad.patch) = 0a0787b8ea302356b724c36baf0db0df4ba29e5c56a6facc7d5a86d159dd6de23817ca62c3446f7e134810b44ebd79b6758331630e2ba8b196e6b249f1871d33
 Size (9ba0948172cbb05308fb2a9db823a720f8ffb9ad.patch) = 1661 bytes
-BLAKE2s (go1.25.10.src.tar.gz) = ad9ca5c85de58992571cb893a86099dd978c86015ed970606656c6cfddfbfea9
-SHA512 (go1.25.10.src.tar.gz) = 4a938b18d00af583d1ab8592386b8c71385997b1c8fab661549232ee84ac2f42716dc8304c38f1f462335a12048da19611bb614a7007d8201e6818a11f187487
-Size (go1.25.10.src.tar.gz) = 32000721 bytes
+BLAKE2s (go1.25.11.src.tar.gz) = c3d61476d3e97aad9a9be8a1dcc6f8aa5189c50fa6ef8e203db3db71899a7fb3
+SHA512 (go1.25.11.src.tar.gz) = d1fa0d267ee8ba55aacbe47562c128cccabb757dc1f5c553ac0fe70eec9edc49cf66133df6f88997c752e89f9d24b77bf4b6448f73fdd7d05f8bca88951eea26
+Size (go1.25.11.src.tar.gz) = 31999704 bytes
 SHA1 (patch-misc_ios_clangwrap.sh) = 28ea4426336155d6720f7e16b43f0207b47a6dd8
 SHA1 (patch-src_cmd_dist_build.go) = cbb9576f832806b0cbef121ea38ba6a54db95bc3
 SHA1 (patch-src_crypto_x509_root__bsd.go) = 0b5dead901450967109303f873a2696c65ccac35
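
Review bot: the new BLAKE2s and SHA512 values for go1.25.11.src.tar.gz cannot be validated from this hunk alone, and the log message does not say how the tarball was obtained. A reviewer should fetch the distfile independently and compare it with the checksum upstream publishes before relying on these lines; stating in the log that this was done would help.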

Index: pkgsrc/lang/go126/PLIST
diff -u pkgsrc/lang/go126/PLIST:1.4 pkgsrc/lang/go126/PLIST:1.5
--- pkgsrc/lang/go126/PLIST:1.4 Thu May  7 18:40:36 2026
+++ pkgsrc/lang/go126/PLIST     Fri Jun  5 10:18:24 2026
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.4 2026/05/07 18:40:36 bsiegert Exp $
+@comment $NetBSD: PLIST,v 1.5 2026/06/05 10:18:24 bsiegert Exp $
 bin/go${GOVERSSUFFIX}
 bin/gofmt${GOVERSSUFFIX}
 go126/CONTRIBUTING.md
@@ -14113,6 +14113,7 @@ go126/test/fixedbugs/issue7863.go
 go126/test/fixedbugs/issue78641.go
 go126/test/fixedbugs/issue7867.go
 go126/test/fixedbugs/issue7884.go
+go126/test/fixedbugs/issue79182.go
 go126/test/fixedbugs/issue7921.go
 go126/test/fixedbugs/issue7944.go
 go126/test/fixedbugs/issue7995.go
Index: pkgsrc/lang/go126/distinfo
diff -u pkgsrc/lang/go126/distinfo:1.4 pkgsrc/lang/go126/distinfo:1.5
--- pkgsrc/lang/go126/distinfo:1.4      Thu May  7 18:40:37 2026
+++ pkgsrc/lang/go126/distinfo  Fri Jun  5 10:18:24 2026
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.4 2026/05/07 18:40:37 bsiegert Exp $
+$NetBSD: distinfo,v 1.5 2026/06/05 10:18:24 bsiegert Exp $
 
-BLAKE2s (go1.26.3.src.tar.gz) = a8a08bd81f151bc51df9f3b057502aae7bfc54952cbd913e7a3e5afa7097b576
-SHA512 (go1.26.3.src.tar.gz) = 9c673a9ec7783a345b6294984486a5c76ba52de3eb72c95cbd68626312d100c50adb7a3ed15c93d1dc9ce9969b0f6fb4b86c87771118091cc7b0297afaf74fec
-Size (go1.26.3.src.tar.gz) = 34119059 bytes
+BLAKE2s (go1.26.4.src.tar.gz) = af9799bf289a45cb65b4327dad325d32abc1ffbc0a3fdedaf1f7bbcf10079b17
+SHA512 (go1.26.4.src.tar.gz) = adacc6a34ad239d98277acd2ac8da867110da0b184dbbafb82e8a06d2b7fd23434f878a8a8cd550172c21bd31ac6391d01a0bd095c9f5c1250be66b459c8de88
+Size (go1.26.4.src.tar.gz) = 34118246 bytes
 SHA1 (patch-misc_ios_clangwrap.sh) = 28ea4426336155d6720f7e16b43f0207b47a6dd8
 SHA1 (patch-src_cmd_dist_build.go) = cbb9576f832806b0cbef121ea38ba6a54db95bc3
 SHA1 (patch-src_crypto_x509_root__bsd.go) = 0b5dead901450967109303f873a2696c65ccac35
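
The net/textproto item in the log message above concerns parser errors that echo peer-controlled bytes into output or logs. The following Go sketch is an added example, not part of the commit or of the Go project's fix: it escapes and bounds such an error before it is logged, which remains useful as defence in depth on fixed releases. `SanitizeForLog`, `ParseHeaders` and `constructedResponse` are hypothetical names, and the sample input is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"net/textproto"
	"strconv"
	"strings"
)

// constructedResponse is sample input built for this example: a valid header
// followed by a line with no colon that carries an ANSI erase-line sequence,
// a carriage return and text shaped like a log entry.
const constructedResponse = "Content-Type: text/plain\r\n" +
	"\x1b[2K\rlevel=info msg=\"all checks passed\"\r\n\r\n"

// SanitizeForLog (hypothetical helper) renders untrusted text as printable
// ASCII on a single line. Control bytes, non-ASCII runes and invalid UTF-8
// become Go escapes; input longer than max bytes is cut before escaping.
func SanitizeForLog(s string, max int) string {
	suffix := ""
	if len(s) > max {
		s, suffix = s[:max], "...(truncated)"
	}
	q := strconv.QuoteToASCII(s)
	return q[1:len(q)-1] + suffix
}

// ParseHeaders (hypothetical helper) parses raw with ReadMIMEHeader and
// returns the headers plus a log-safe rendering of any error ("" if none).
func ParseHeaders(raw string) (textproto.MIMEHeader, string) {
	r := textproto.NewReader(bufio.NewReader(strings.NewReader(raw)))
	h, err := r.ReadMIMEHeader()
	if err != nil {
		return h, SanitizeForLog(err.Error(), 256)
	}
	return h, ""
}

func main() {
	_, msg := ParseHeaders(constructedResponse)
	fmt.Println("header parse failed:", msg)
}
```

The same escaping belongs wherever an error derived from peer input reaches a terminal, a log file or a ticket, since structured loggers only help if the sink also escapes the field.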


