pkgsrc-WIP-changes archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
go126: update to 1.26rc2.
Module Name: pkgsrc-wip
Committed By: Benny Siegert <bsiegert%gmail.com@localhost>
Pushed By: bsiegert
Date: Thu Jan 22 22:05:12 2026 +0100
Changeset: 7d1479038bf4018f654e96434a48c32241aff027
Modified Files:
go126/Makefile
go126/PLIST
go126/distinfo
Log Message:
go126: update to 1.26rc2.
This release includes 6 security fixes following the security policy:
- archive/zip: denial of service when parsing arbitrary ZIP archives
archive/zip used a super-linear file name indexing algorithm that is invoked
the first time a file in an archive is opened. This can lead to a denial of
service when consuming a maliciously constructed ZIP archive.
Thanks to Thanks to Jakub Ciolek for reporting this issue.
This is CVE-2025-61728 and Go issue https://go.dev/issue/77102.
- net/http: memory exhaustion in Request.ParseForm
When parsing a URL-encoded form net/http may allocate an unexpected amount of
memory when provided a large number of key-value pairs. This can result in a
denial of service due to memory exhaustion.
Thanks to jub0bs for reporting this issue.
This is CVE-2025-61726 and Go issue https://go.dev/issue/77101.
- crypto/tls: Config.Clone copies automatically generated session ticket keys,
session resumption does not account for the expiration of full certificate
chain
The Config.Clone methods allows cloning a Config which has already been passed
to a TLS function, allowing it to be mutated and reused.
If Config.SessionTicketKey has not been set, and Config.SetSessionTicketKeys
has not been called, crypto/tls will generate random session ticket keys and
automatically rotate them. Config.Clone would copy these automatically
generated keys into the returned Config, meaning that the two Configs would
share session ticket keys, allowing sessions created using one Config could be
used to resume sessions with the other Config. This can allow clients to
resume sessions even though the Config may be configured such that they should
not be able to do so.
Config.Clone no longer copies the automatically generated session ticket keys.
Config.Clone still copies keys which are explicitly provided, either by
setting Config.SessionTicketKey or by calling Config.SetSessionTicketKeys.
This issue was discoverd by the Go Security team while investigating another
issue reported by Coia Prant (github.com/rbqvq).
Additionally, on the server side only the expiration of the leaf certificate,
if one was provided during the initial handshake, was checked when considering
if a session could be resumed. This allowed sessions to be resumed if an
intermediate or root certificate in the chain had expired.
Session resumption now takes into account of the full chain when determining
if the session can be resumed.
Thanks to Coia Prant (github.com/rbqvq) for reporting this issue.
This is CVE-2025-68121 and Go issue https://go.dev/issue/77113.
- cmd/go: bypass of flag sanitization can lead to arbitrary code execution
Usage of 'CgoPkgConfig' allowed execution of the pkg-config
binary with flags that are not explicitly safe-listed.
To prevent this behavior, compiler flags resulting from usage
of 'CgoPkgConfig' are sanitized prior to invoking pkg-config.
Thank you to RyotaK (https://ryotak.net) of GMO Flatt Security Inc.
for reporting this issue.
This is CVE-2025-61731 and go.dev/issue/77100.
- cmd/go: unexpected code execution when invoking toolchain
The Go toolchain supports multiple VCS which are used retrieving modules and
embedding build information into binaries.
On systems with Mercurial installed (hg) downloading modules (e.g. via go get
or go mod download) from non-standard sources (e.g. custom domains) can cause
unexpected code execution due to how external VCS commands are constructed.
On systems with Git installed, downloading and building modules with malicious
version strings could allow an attacker to write to arbitrary files on the
system the user has access to. This can only be triggered by explicitly
providing the malicious version strings to the toolchain, and does not affect
usage of @latest or bare module paths.
The toolchain now uses safer VCS options to prevent misinterpretation of
untrusted inputs. In addition, the toolchain now disallows module version
strings prefixed with a "-" or "/" character.
Thanks to splitline (@splitline) from DEVCORE Research Team for reporting this
issue.
This is CVE-2025-68119 and Go issue https://go.dev/issue/77099.
- crypto/tls: handshake messages may be processed at the incorrect encryption level
During the TLS 1.3 handshake if multiple messages are sent in records that
span encryption level boundaries (for instance the Client Hello and Encrypted
Extensions messages), the subsequent messages may be processed before the
encryption level changes. This can cause some minor information disclosure if
a network-local attacker can inject messages during the handshake.
Thanks to Coia Prant (github.com/rbqvq) for reporting this issue.
This is CVE-2025-61730 and Go issue https://go.dev/issue/76443
Please try your production load tests and unit tests with the new version.
Your help testing these pre-release versions is invaluable.
To see a diff of this commit:
https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=commitdiff;h=7d1479038bf4018f654e96434a48c32241aff027
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
diffstat:
go126/Makefile | 2 +-
go126/PLIST | 28 ++++++++++++++++++----------
go126/distinfo | 6 +++---
3 files changed, 22 insertions(+), 14 deletions(-)
diffs:
diff --git a/go126/Makefile b/go126/Makefile
index 8a135f3e42..cd95bab234 100644
--- a/go126/Makefile
+++ b/go126/Makefile
@@ -4,7 +4,7 @@
GO_BOOTSTRAP_REQD= 124
.include "../../lang/go/bootstrap.mk"
-GO126_VERSION= 1.26rc1
+GO126_VERSION= 1.26rc2
GOVERSSUFFIX= 126
DISTNAME= go${GO${GOVERSSUFFIX}_VERSION}.src
diff --git a/go126/PLIST b/go126/PLIST
index 613a91d4bb..6527a44b59 100644
--- a/go126/PLIST
+++ b/go126/PLIST
@@ -60,7 +60,7 @@ go126/lib/fips140/fips140.sum
go126/lib/fips140/inprocess.txt
go126/lib/fips140/v1.0.0-c2097c7c.zip
go126/lib/fips140/v1.0.0.txt
-go126/lib/fips140/v1.1.0-rc1.zip
+go126/lib/fips140/v1.26.0.zip
go126/lib/hg/goreposum.py
go126/lib/time/README
go126/lib/time/mkzip.go
@@ -433,6 +433,8 @@ go126/src/cmd/cgo/internal/test/issue6997_linux.c
go126/src/cmd/cgo/internal/test/issue6997_linux.go
go126/src/cmd/cgo/internal/test/issue7234_test.go
go126/src/cmd/cgo/internal/test/issue76023.go
+go126/src/cmd/cgo/internal/test/issue76861.go
+go126/src/cmd/cgo/internal/test/issue76861/a.go
go126/src/cmd/cgo/internal/test/issue8148.c
go126/src/cmd/cgo/internal/test/issue8148.go
go126/src/cmd/cgo/internal/test/issue8331.h
@@ -1525,6 +1527,7 @@ go126/src/cmd/compile/testdata/script/embedbad.txt
go126/src/cmd/compile/testdata/script/issue70173.txt
go126/src/cmd/compile/testdata/script/issue73947.txt
go126/src/cmd/compile/testdata/script/issue75461.txt
+go126/src/cmd/compile/testdata/script/issue77033.txt
go126/src/cmd/compile/testdata/script/script_test_basics.txt
go126/src/cmd/covdata/argsmerge.go
go126/src/cmd/covdata/covdata.go
@@ -4724,7 +4727,7 @@ go126/src/crypto/cipher/ctr_test.go
go126/src/crypto/cipher/example_test.go
go126/src/crypto/cipher/fuzz_test.go
go126/src/crypto/cipher/gcm.go
-go126/src/crypto/cipher/gcm_fips140v2.0_test.go
+go126/src/crypto/cipher/gcm_fips140v1.26_test.go
go126/src/crypto/cipher/gcm_test.go
go126/src/crypto/cipher/io.go
go126/src/crypto/cipher/modes_test.go
@@ -4772,8 +4775,8 @@ go126/src/crypto/hkdf/hkdf_test.go
go126/src/crypto/hmac/hmac.go
go126/src/crypto/hmac/hmac_test.go
go126/src/crypto/hpke/aead.go
-go126/src/crypto/hpke/aead_fipsv1.0.go
-go126/src/crypto/hpke/aead_fipsv2.0.go
+go126/src/crypto/hpke/aead_fips140v1.0.go
+go126/src/crypto/hpke/aead_fips140v1.26.go
go126/src/crypto/hpke/hpke.go
go126/src/crypto/hpke/hpke_test.go
go126/src/crypto/hpke/kdf.go
@@ -5094,17 +5097,18 @@ go126/src/crypto/internal/fips140deps/time/time.go
go126/src/crypto/internal/fips140deps/time/time_windows.go
go126/src/crypto/internal/fips140hash/hash.go
go126/src/crypto/internal/fips140only/fips140only.go
+go126/src/crypto/internal/fips140only/fips140only_test.go
go126/src/crypto/internal/fips140test/acvp_capabilities.entropy.json
go126/src/crypto/internal/fips140test/acvp_capabilities_fips140v1.0.json
-go126/src/crypto/internal/fips140test/acvp_capabilities_fips140v2.0.json
+go126/src/crypto/internal/fips140test/acvp_capabilities_fips140v1.26.json
go126/src/crypto/internal/fips140test/acvp_fips140v1.0_test.go
-go126/src/crypto/internal/fips140test/acvp_fips140v2.0_test.go
+go126/src/crypto/internal/fips140test/acvp_fips140v1.26_test.go
go126/src/crypto/internal/fips140test/acvp_test.go
go126/src/crypto/internal/fips140test/acvp_test_fips140v1.0.config.json
-go126/src/crypto/internal/fips140test/acvp_test_fips140v2.0.config.json
+go126/src/crypto/internal/fips140test/acvp_test_fips140v1.26.config.json
go126/src/crypto/internal/fips140test/alias_test.go
go126/src/crypto/internal/fips140test/cast_fips140v1.0_test.go
-go126/src/crypto/internal/fips140test/cast_fips140v2.0_test.go
+go126/src/crypto/internal/fips140test/cast_fips140v1.26_test.go
go126/src/crypto/internal/fips140test/cast_test.go
go126/src/crypto/internal/fips140test/check_test.go
go126/src/crypto/internal/fips140test/cmac_test.go
@@ -5120,8 +5124,8 @@ go126/src/crypto/internal/fips140test/sshkdf_test.go
go126/src/crypto/internal/fips140test/xaes_test.go
go126/src/crypto/internal/impl/impl.go
go126/src/crypto/internal/rand/rand.go
-go126/src/crypto/internal/rand/rand_fipsv1.0.go
-go126/src/crypto/internal/rand/rand_fipsv2.0.go
+go126/src/crypto/internal/rand/rand_fips140v1.0.go
+go126/src/crypto/internal/rand/rand_fips140v1.26.go
go126/src/crypto/internal/randutil/randutil.go
go126/src/crypto/internal/sysrand/internal/seccomp/seccomp_linux.go
go126/src/crypto/internal/sysrand/internal/seccomp/seccomp_unsupported.go
@@ -8001,6 +8005,7 @@ go126/src/internal/types/testdata/check/cycles3.go
go126/src/internal/types/testdata/check/cycles4.go
go126/src/internal/types/testdata/check/cycles5.go
go126/src/internal/types/testdata/check/cycles5a.go
+go126/src/internal/types/testdata/check/cycles6.go
go126/src/internal/types/testdata/check/decls0.go
go126/src/internal/types/testdata/check/decls1.go
go126/src/internal/types/testdata/check/decls2/decls2a.go
@@ -10203,9 +10208,11 @@ go126/src/runtime/runtime_unix_test.go
go126/src/runtime/rwmutex.go
go126/src/runtime/rwmutex_test.go
go126/src/runtime/secret.go
+go126/src/runtime/secret/alloc_test.go
go126/src/runtime/secret/asm_amd64.s
go126/src/runtime/secret/asm_arm64.s
go126/src/runtime/secret/crash_test.go
+go126/src/runtime/secret/doc.go
go126/src/runtime/secret/export.go
go126/src/runtime/secret/secret.go
go126/src/runtime/secret/secret_test.go
@@ -14059,6 +14066,7 @@ go126/test/fixedbugs/issue7648.go
go126/test/fixedbugs/issue76709.go
go126/test/fixedbugs/issue7675.go
go126/test/fixedbugs/issue7690.go
+go126/test/fixedbugs/issue76950.go
go126/test/fixedbugs/issue7740.go
go126/test/fixedbugs/issue7742.go
go126/test/fixedbugs/issue7746.go
diff --git a/go126/distinfo b/go126/distinfo
index bf746da238..bfd5c0f016 100644
--- a/go126/distinfo
+++ b/go126/distinfo
@@ -1,8 +1,8 @@
$NetBSD: distinfo,v 1.7 2025/12/19 17:02:26 bsiegert Exp $
-BLAKE2s (go1.26rc1.src.tar.gz) = 213b45b1615eeb4eda7fa296dc560a728d53648bb52999b1789b6f1587784fa7
-SHA512 (go1.26rc1.src.tar.gz) = 6696ee765dcde64b830b14e20a5fdf6324916211bff80a62d0db0cbef58bb0856f02e88e95b2f1a3ad6d9282ebd04a377a0b000d56849576caedbd526c9a7923
-Size (go1.26rc1.src.tar.gz) = 34069284 bytes
+BLAKE2s (go1.26rc2.src.tar.gz) = d488c2d453b5a4d5c8aaa48fa1445ccfc11608eba982c40f8d74070892cd56a5
+SHA512 (go1.26rc2.src.tar.gz) = 0db82bdd954bd43049f34b5d889ed423b4a4d74c803aaea0cd90d23f485d2c2ba654481b7038c1eab8c8c4df31ea7d6d9d894eafad1a32728dffdd732ef0c49a
+Size (go1.26rc2.src.tar.gz) = 34091929 bytes
SHA1 (patch-misc_ios_clangwrap.sh) = 28ea4426336155d6720f7e16b43f0207b47a6dd8
SHA1 (patch-src_cmd_dist_build.go) = cbb9576f832806b0cbef121ea38ba6a54db95bc3
SHA1 (patch-src_crypto_x509_root__bsd.go) = 0b5dead901450967109303f873a2696c65ccac35
Home |
Main Index |
Thread Index |
Old Index