CVS commit: pkgsrc/lang

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: pkgsrc/lang
From: "Benny Siegert" <bsiegert%netbsd.org@localhost>
Date: Thu, 15 Jan 2026 19:46:57 +0000

Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Thu Jan 15 19:46:57 UTC 2026

Modified Files:
        pkgsrc/lang/go: version.mk
        pkgsrc/lang/go124: PLIST distinfo
        pkgsrc/lang/go125: PLIST distinfo

Log Message:
go: update to 1.24.12, 1.25.6 (security)

These releases include 6 security fixes following the security policy:

-   archive/zip: denial of service when parsing arbitrary ZIP archives

    archive/zip used a super-linear file name indexing algorithm that is
    invoked the first time a file in an archive is opened. This can lead
    to a denial of service when consuming a maliciously constructed ZIP
    archive.

    Thanks to Thanks to Jakub Ciolek for reporting this issue.

    This is CVE-2025-61728 and Go issue https://go.dev/issue/77102.

-   net/http: memory exhaustion in Request.ParseForm

    When parsing a URL-encoded form net/http may allocate an unexpected
    amount of memory when provided a large number of key-value pairs.
    This can result in a denial of service due to memory exhaustion.

    Thanks to jub0bs for reporting this issue.

    This is CVE-2025-61726 and Go issue https://go.dev/issue/77101.

-   crypto/tls: Config.Clone copies automatically generated session
    ticket keys, session resumption does not account for the expiration
    of full certificate chain

    The Config.Clone methods allows cloning a Config which has already
    been passed to a TLS function, allowing it to be mutated and reused.

    If Config.SessionTicketKey has not been set, and
    Config.SetSessionTicketKeys has not been called, crypto/tls will
    generate random session ticket keys and automatically rotate them.
    Config.Clone would copy these automatically generated keys into the
    returned Config, meaning that the two Configs would share session
    ticket keys, allowing sessions created using one Config could be
    used to resume sessions with the other Config. This can allow
    clients to resume sessions even though the Config may be configured
    such that they should not be able to do so.

    Config.Clone no longer copies the automatically generated session
    ticket keys.  Config.Clone still copies keys which are explicitly
    provided, either by setting Config.SessionTicketKey or by calling
    Config.SetSessionTicketKeys.

    This issue was discoverd by the Go Security team while investigating
    another issue reported by Coia Prant (github.com/rbqvq).

    Additionally, on the server side only the expiration of the leaf
    certificate, if one was provided during the initial handshake, was
    checked when considering if a session could be resumed. This allowed
    sessions to be resumed if an intermediate or root certificate in the
    chain had expired.

    Session resumption now takes into account of the full chain when
    determining if the session can be resumed.

    Thanks to Coia Prant (github.com/rbqvq) for reporting this issue.

    This is CVE-2025-68121 and Go issue https://go.dev/issue/77113.

-   cmd/go: bypass of flag sanitization can lead to arbitrary code
    execution

    Usage of 'CgoPkgConfig' allowed execution of the pkg-config
    binary with flags that are not explicitly safe-listed.

    To prevent this behavior, compiler flags resulting from usage
    of 'CgoPkgConfig' are sanitized prior to invoking pkg-config.

    Thank you to RyotaK (https://ryotak.net) of GMO Flatt Security Inc.
    for reporting this issue.

    This is CVE-2025-61731 and go.dev/issue/77100.

-   cmd/go: unexpected code execution when invoking toolchain

    The Go toolchain supports multiple VCS which are used retrieving
    modules and embedding build information into binaries.

    On systems with Mercurial installed (hg) downloading modules (e.g.
    via go get or go mod download) from non-standard sources (e.g.
    custom domains) can cause unexpected code execution due to how
    external VCS commands are constructed.

    On systems with Git installed, downloading and building modules with
    malicious version strings could allow an attacker to write to
    arbitrary files on the system the user has access to. This can only
    be triggered by explicitly providing the malicious version strings
    to the toolchain, and does not affect usage of @latest or bare
    module paths.

    The toolchain now uses safer VCS options to prevent
    misinterpretation of untrusted inputs. In addition, the toolchain
    now disallows module version strings prefixed with a "-" or "/"
    character.

    Thanks to splitline (@splitline) from DEVCORE Research Team for
    reporting this issue.

    This is CVE-2025-68119 and Go issue https://go.dev/issue/77099.

-   crypto/tls: handshake messages may be processed at the incorrect
    encryption level

    During the TLS 1.3 handshake if multiple messages are sent in
    records that span encryption level boundaries (for instance the
    Client Hello and Encrypted Extensions messages), the subsequent
    messages may be processed before the encryption level changes. This
    can cause some minor information disclosure if a network-local
    attacker can inject messages during the handshake.

    Thanks to Coia Prant (github.com/rbqvq) for reporting this issue.

    This is CVE-2025-61730 and Go issue https://go.dev/issue/76443


To generate a diff of this commit:
cvs rdiff -u -r1.241 -r1.242 pkgsrc/lang/go/version.mk
cvs rdiff -u -r1.7 -r1.8 pkgsrc/lang/go124/PLIST
cvs rdiff -u -r1.12 -r1.13 pkgsrc/lang/go124/distinfo
cvs rdiff -u -r1.3 -r1.4 pkgsrc/lang/go125/PLIST
cvs rdiff -u -r1.7 -r1.8 pkgsrc/lang/go125/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/lang/go/version.mk
diff -u pkgsrc/lang/go/version.mk:1.241 pkgsrc/lang/go/version.mk:1.242
--- pkgsrc/lang/go/version.mk:1.241     Tue Dec  2 19:24:15 2025
+++ pkgsrc/lang/go/version.mk   Thu Jan 15 19:46:56 2026
@@ -1,4 +1,4 @@
-# $NetBSD: version.mk,v 1.241 2025/12/02 19:24:15 bsiegert Exp $
+# $NetBSD: version.mk,v 1.242 2026/01/15 19:46:56 bsiegert Exp $
 
 #
 # If bsd.prefs.mk is included before go-package.mk in a package, then this
@@ -6,8 +6,8 @@
 #
 .include "go-vars.mk"
 
-GO125_VERSION= 1.25.5
-GO124_VERSION= 1.24.11
+GO125_VERSION= 1.25.6
+GO124_VERSION= 1.24.12
 GO123_VERSION= 1.23.12
 GO122_VERSION= 1.22.12
 GO120_VERSION= 1.20.14

Index: pkgsrc/lang/go124/PLIST
diff -u pkgsrc/lang/go124/PLIST:1.7 pkgsrc/lang/go124/PLIST:1.8
--- pkgsrc/lang/go124/PLIST:1.7 Tue Oct  7 20:26:56 2025
+++ pkgsrc/lang/go124/PLIST     Thu Jan 15 19:46:57 2026
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.7 2025/10/07 20:26:56 bsiegert Exp $
+@comment $NetBSD: PLIST,v 1.8 2026/01/15 19:46:57 bsiegert Exp $
 bin/go${GOVERSSUFFIX}
 bin/gofmt${GOVERSSUFFIX}
 go124/CONTRIBUTING.md
@@ -13269,6 +13269,7 @@ go124/test/fixedbugs/issue7648.dir/b.go
 go124/test/fixedbugs/issue7648.go
 go124/test/fixedbugs/issue7675.go
 go124/test/fixedbugs/issue7690.go
+go124/test/fixedbugs/issue76950.go
 go124/test/fixedbugs/issue7740.go
 go124/test/fixedbugs/issue7742.go
 go124/test/fixedbugs/issue7746.go

Index: pkgsrc/lang/go124/distinfo
diff -u pkgsrc/lang/go124/distinfo:1.12 pkgsrc/lang/go124/distinfo:1.13
--- pkgsrc/lang/go124/distinfo:1.12     Tue Dec  2 19:24:16 2025
+++ pkgsrc/lang/go124/distinfo  Thu Jan 15 19:46:57 2026
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.12 2025/12/02 19:24:16 bsiegert Exp $
+$NetBSD: distinfo,v 1.13 2026/01/15 19:46:57 bsiegert Exp $
 
-BLAKE2s (go1.24.11.src.tar.gz) = 41d1c9d42d5021a4cc84d55991789f59dfe015273e96d273c7903e8127adf9ef
-SHA512 (go1.24.11.src.tar.gz) = 9344039d231e50b63f52acbdd6cf2f483a4052d95b5fcc3e8a6d8fde80f0195f66ac5588302809ff0425de4d7c6b428ae842ec33b468c7020873acedbdea16ef
-Size (go1.24.11.src.tar.gz) = 30801851 bytes
+BLAKE2s (go1.24.12.src.tar.gz) = 47f24c01adfcb6d7472c86d2b62755ed150d50fb9ac32e5f6650d66526b50152
+SHA512 (go1.24.12.src.tar.gz) = 2de51c56f7ca04003b16d0fecc4cb35a3c5a42bd54f4da1f1e49d45b702d7a872057756d389f2283b4f7283fb33f0618465e231a6333b7cb6cfff98f67b2454e
+Size (go1.24.12.src.tar.gz) = 30803950 bytes
 SHA1 (patch-misc_ios_clangwrap.sh) = 28ea4426336155d6720f7e16b43f0207b47a6dd8
 SHA1 (patch-src_cmd_dist_build.go) = cbb9576f832806b0cbef121ea38ba6a54db95bc3
 SHA1 (patch-src_crypto_x509_root__bsd.go) = 0b5dead901450967109303f873a2696c65ccac35

Index: pkgsrc/lang/go125/PLIST
diff -u pkgsrc/lang/go125/PLIST:1.3 pkgsrc/lang/go125/PLIST:1.4
--- pkgsrc/lang/go125/PLIST:1.3 Sat Nov  8 02:26:15 2025
+++ pkgsrc/lang/go125/PLIST     Thu Jan 15 19:46:57 2026
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.3 2025/11/08 02:26:15 bsiegert Exp $
+@comment $NetBSD: PLIST,v 1.4 2026/01/15 19:46:57 bsiegert Exp $
 bin/go${GOVERSSUFFIX}
 bin/gofmt${GOVERSSUFFIX}
 go125/CONTRIBUTING.md
@@ -13588,6 +13588,7 @@ go125/test/fixedbugs/issue7648.dir/b.go
 go125/test/fixedbugs/issue7648.go
 go125/test/fixedbugs/issue7675.go
 go125/test/fixedbugs/issue7690.go
+go125/test/fixedbugs/issue76950.go
 go125/test/fixedbugs/issue7740.go
 go125/test/fixedbugs/issue7742.go
 go125/test/fixedbugs/issue7746.go

Index: pkgsrc/lang/go125/distinfo
diff -u pkgsrc/lang/go125/distinfo:1.7 pkgsrc/lang/go125/distinfo:1.8
--- pkgsrc/lang/go125/distinfo:1.7      Fri Dec 19 17:02:26 2025
+++ pkgsrc/lang/go125/distinfo  Thu Jan 15 19:46:57 2026
@@ -1,11 +1,11 @@
-$NetBSD: distinfo,v 1.7 2025/12/19 17:02:26 bsiegert Exp $
+$NetBSD: distinfo,v 1.8 2026/01/15 19:46:57 bsiegert Exp $
 
 BLAKE2s (9ba0948172cbb05308fb2a9db823a720f8ffb9ad.patch) = e1cc8b23dd53ddb2e0d034b15afda2c5f83a5103a9536fd54d717b07f5fd9628
 SHA512 (9ba0948172cbb05308fb2a9db823a720f8ffb9ad.patch) = 0a0787b8ea302356b724c36baf0db0df4ba29e5c56a6facc7d5a86d159dd6de23817ca62c3446f7e134810b44ebd79b6758331630e2ba8b196e6b249f1871d33
 Size (9ba0948172cbb05308fb2a9db823a720f8ffb9ad.patch) = 1661 bytes
-BLAKE2s (go1.25.5.src.tar.gz) = a91a3c9dcfba4ff41b95c2371166b5913f870b8ff136feba7f0abe6d34b0e537
-SHA512 (go1.25.5.src.tar.gz) = 97ec368521253bce610e1e3a6f10460f4a38eba440289553a40ab27afcdf2bb9b426d150ffaa3be8db50e84a00a4eb723a631ebc4f39168bc133bf7b2f1ccf66
-Size (go1.25.5.src.tar.gz) = 31983405 bytes
+BLAKE2s (go1.25.6.src.tar.gz) = cc2ab6f98fb1eabe18d7fde522a2058c46dab79336ea40c70e15570f8c3b4a8a
+SHA512 (go1.25.6.src.tar.gz) = 214b2d82b5322d544e80d7202db9169c24e5f097338f2d0e6d34189bd5bde9e7c1656f06611062c78a156181f03956181971b346172fc14617726bfece5e61e9
+Size (go1.25.6.src.tar.gz) = 31987986 bytes
 SHA1 (patch-misc_ios_clangwrap.sh) = 28ea4426336155d6720f7e16b43f0207b47a6dd8
 SHA1 (patch-src_cmd_dist_build.go) = cbb9576f832806b0cbef121ea38ba6a54db95bc3
 SHA1 (patch-src_crypto_x509_root__bsd.go) = 0b5dead901450967109303f873a2696c65ccac35

Prev by Date: CVS commit: pkgsrc/editors/reovim
Next by Date: CVS commit: pkgsrc/doc
Previous by Thread: CVS commit: pkgsrc/editors/reovim
Next by Thread: CVS commit: pkgsrc/doc
Indexes:

Home | Main Index | Thread Index | Old Index