CVS commit: pkgsrc/lang

["Benny Siegert" <bsiegert%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Fri Mar  6 20:57:34 UTC 2026

Modified Files:
        pkgsrc/lang/go: version.mk
        pkgsrc/lang/go125: PLIST distinfo
        pkgsrc/lang/go126: PLIST distinfo

Log Message:
go: update to 1.25.8 and 1.26.1 (security)

These releases include 5 security fixes following the security policy:

-   crypto/x509: incorrect enforcement of email constraints

    When verifying a certificate chain which contains a certificate
    containing multiple email address constraints (composed of the full
    email address) which share common local portions (the portion of the
    address before the '@' character) but different domain portions (the
    portion of the address after the '@' character), these constraints
    will not be properly applied, and only the last constraint will be
    considered.

    This can allow certificates in the chain containing email addresses
    which are either not permitted or excluded by the relevant
    constraints to be returned by calls to Certificate.Verify. Since the
    name constraint checks happen after chain building is complete, this
    only applies to certificate chains which chain to trusted roots
    (root certificates either in VerifyOptions.Roots or in the system
    root certificate pool), requiring a trusted CA to issue certificates
    containing either not permitted or excluded email addresses.

    This issue only affects Go 1.26.

    Thanks to Jakub Ciolek for reporting this issue.

    This is CVE-2026-27137 and Go issue https://go.dev/issue/77952.

-   crypto/x509: panic in name constraint checking for malformed
    certificates

    Certificate verification can panic when a certificate in the chain
    has an empty DNS name and another certificate in the chain has
    excluded name constraints. This can crash programs that are either
    directly verifying X.509 certificate chains, or those that use TLS.

    Since the name constraint checks happen after chain building is
    complete, this only applies to certificate chains which chain to
    trusted roots (root certificates either in VerifyOptions.Roots or in
    the system root certificate pool), requiring a trusted CA to issue
    certificates containing malformed DNS names.

    This issue only affects Go 1.26.

    Thanks to Jakub Ciolek for reporting this issue.

    This is CVE-2026-27138 and Go issue https://go.dev/issue/77953.

-   html/template: URLs in meta content attribute actions are not
    escaped

    Actions which insert URLs into the content attribute of HTML meta
    tags are not escaped. This can allow XSS if the meta tag also has an
    http-equiv attribute with the value "refresh".

    A new GODEBUG setting has been added, htmlmetacontenturlescape,
    which can be used to disable escaping URLs in actions in the meta
    content attribute which follow "url=" by setting
    htmlmetacontenturlescape=0.

    This is CVE-2026-27142 and Go issue https://go.dev/issue/77954.

-   net/url: reject IPv6 literal not at start of host

    The Go standard library function net/url.Parse insufficiently
    validated the host/authority component and accepted some invalid
    URLs by effectively treating garbage before an IP-literal as
    ignorable. The function should have rejected this as invalid.

    To prevent this behavior, net/url.Parse now rejects IPv6 literals
    that do not appear at the start of the host subcomponent of a URL.

    Thanks to Masaki Hara (https://github.com/qnighy) of Wantedly.

    This is CVE-2026-25679 and Go issue https://go.dev/issue/77578.

-   os: FileInfo can escape from a Root

    On Unix platforms, when listing the contents of a directory using
    File.ReadDir or File.Readdir the returned FileInfo could reference a
    file outside of the Root in which the File was opened.

    The contents of the FileInfo were populated using the lstat system
    call, which takes the path to the file as a parameter. If a
    component of the full path of the file described by the FileInfo is
    replaced with a symbolic link, the target of the lstat can be
    directed to another location on the filesystem.

    The impact of this escape is limited to reading metadata provided by
    lstat from arbitrary locations on the filesystem. This could be used
    to probe for the presence or absence of files as well as gleaning
    metadata like file sizes, but does not permit reading or writing
    files outside the root.

    The FileInfo is now populated using fstatat.

    Thank you to Miloslav Trmač of Red Hat for reporting this issue.

    This is CVE-2026-27139 and Go issue https://go.dev/issue/77827.


To generate a diff of this commit:
cvs rdiff -u -r1.245 -r1.246 pkgsrc/lang/go/version.mk
cvs rdiff -u -r1.4 -r1.5 pkgsrc/lang/go125/PLIST
cvs rdiff -u -r1.9 -r1.10 pkgsrc/lang/go125/distinfo
cvs rdiff -u -r1.1 -r1.2 pkgsrc/lang/go126/PLIST pkgsrc/lang/go126/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/lang/go/version.mk
diff -u pkgsrc/lang/go/version.mk:1.245 pkgsrc/lang/go/version.mk:1.246
--- pkgsrc/lang/go/version.mk:1.245     Tue Feb 24 08:42:08 2026
+++ pkgsrc/lang/go/version.mk   Fri Mar  6 20:57:33 2026
@@ -1,4 +1,4 @@
-# $NetBSD: version.mk,v 1.245 2026/02/24 08:42:08 bsiegert Exp $
+# $NetBSD: version.mk,v 1.246 2026/03/06 20:57:33 bsiegert Exp $
 
 #
 # If bsd.prefs.mk is included before go-package.mk in a package, then this
@@ -6,8 +6,8 @@
 #
 .include "go-vars.mk"
 
-GO126_VERSION= 1.26.0
-GO125_VERSION= 1.25.7
+GO126_VERSION= 1.26.1
+GO125_VERSION= 1.25.8
 GO124_VERSION= 1.24.13
 GO123_VERSION= 1.23.12
 GO122_VERSION= 1.22.12

Index: pkgsrc/lang/go125/PLIST
diff -u pkgsrc/lang/go125/PLIST:1.4 pkgsrc/lang/go125/PLIST:1.5
--- pkgsrc/lang/go125/PLIST:1.4 Thu Jan 15 19:46:57 2026
+++ pkgsrc/lang/go125/PLIST     Fri Mar  6 20:57:33 2026
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.4 2026/01/15 19:46:57 bsiegert Exp $
+@comment $NetBSD: PLIST,v 1.5 2026/03/06 20:57:33 bsiegert Exp $
 bin/go${GOVERSSUFFIX}
 bin/gofmt${GOVERSSUFFIX}
 go125/CONTRIBUTING.md
@@ -7276,6 +7276,7 @@ go125/src/internal/poll/fd_windows_test.
 go125/src/internal/poll/fd_writev_libc.go
 go125/src/internal/poll/fd_writev_unix.go
 go125/src/internal/poll/file_plan9.go
+go125/src/internal/poll/fstatat_unix.go
 go125/src/internal/poll/hook_cloexec.go
 go125/src/internal/poll/hook_unix.go
 go125/src/internal/poll/hook_windows.go
@@ -9065,6 +9066,9 @@ go125/src/os/stat_test.go
 go125/src/os/stat_unix.go
 go125/src/os/stat_wasip1.go
 go125/src/os/stat_windows.go
+go125/src/os/statat.go
+go125/src/os/statat_other.go
+go125/src/os/statat_unix.go
 go125/src/os/sticky_bsd.go
 go125/src/os/sticky_notbsd.go
 go125/src/os/sys.go

Index: pkgsrc/lang/go125/distinfo
diff -u pkgsrc/lang/go125/distinfo:1.9 pkgsrc/lang/go125/distinfo:1.10
--- pkgsrc/lang/go125/distinfo:1.9      Fri Feb  6 20:23:00 2026
+++ pkgsrc/lang/go125/distinfo  Fri Mar  6 20:57:34 2026
@@ -1,11 +1,11 @@
-$NetBSD: distinfo,v 1.9 2026/02/06 20:23:00 bsiegert Exp $
+$NetBSD: distinfo,v 1.10 2026/03/06 20:57:34 bsiegert Exp $
 
 BLAKE2s (9ba0948172cbb05308fb2a9db823a720f8ffb9ad.patch) = e1cc8b23dd53ddb2e0d034b15afda2c5f83a5103a9536fd54d717b07f5fd9628
 SHA512 (9ba0948172cbb05308fb2a9db823a720f8ffb9ad.patch) = 0a0787b8ea302356b724c36baf0db0df4ba29e5c56a6facc7d5a86d159dd6de23817ca62c3446f7e134810b44ebd79b6758331630e2ba8b196e6b249f1871d33
 Size (9ba0948172cbb05308fb2a9db823a720f8ffb9ad.patch) = 1661 bytes
-BLAKE2s (go1.25.7.src.tar.gz) = 895d738c21ca97f50b38b2903175da9a8ac3d097fee185a8fd4c8222de1f6870
-SHA512 (go1.25.7.src.tar.gz) = 054fdb8219d18a7942c524d8acc3c942d0a7b8f1c01b96184fa79017b6548533798f5f48cc78f7ecfb70da504c5c66569377a35d517a0e3184c32fe84c9ee0b6
-Size (go1.25.7.src.tar.gz) = 31990868 bytes
+BLAKE2s (go1.25.8.src.tar.gz) = e9882b64493cf3f5eca80739862a90e9bda9d43f67f40d423de9070367d10036
+SHA512 (go1.25.8.src.tar.gz) = 2f5c9f314d18169985a9a4b19346e00dd5d4b396c8c17bfffe5719e51f27d834cc9649d0165f7eeb7367d3b6d384f49917325a40b49ba4da65e22f2c5362c739
+Size (go1.25.8.src.tar.gz) = 31991986 bytes
 SHA1 (patch-misc_ios_clangwrap.sh) = 28ea4426336155d6720f7e16b43f0207b47a6dd8
 SHA1 (patch-src_cmd_dist_build.go) = cbb9576f832806b0cbef121ea38ba6a54db95bc3
 SHA1 (patch-src_crypto_x509_root__bsd.go) = 0b5dead901450967109303f873a2696c65ccac35

Index: pkgsrc/lang/go126/PLIST
diff -u pkgsrc/lang/go126/PLIST:1.1 pkgsrc/lang/go126/PLIST:1.2
--- pkgsrc/lang/go126/PLIST:1.1 Sun Feb 22 15:20:08 2026
+++ pkgsrc/lang/go126/PLIST     Fri Mar  6 20:57:34 2026
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.1 2026/02/22 15:20:08 bsiegert Exp $
+@comment $NetBSD: PLIST,v 1.2 2026/03/06 20:57:34 bsiegert Exp $
 bin/go${GOVERSSUFFIX}
 bin/gofmt${GOVERSSUFFIX}
 go126/CONTRIBUTING.md
@@ -2631,7 +2631,6 @@ go126/src/cmd/go/testdata/script/mod_ini
 go126/src/cmd/go/testdata/script/mod_init_issue74784.txt
 go126/src/cmd/go/testdata/script/mod_init_path.txt
 go126/src/cmd/go/testdata/script/mod_init_tidy.txt
-go126/src/cmd/go/testdata/script/mod_init_version.txt
 go126/src/cmd/go/testdata/script/mod_insecure_issue63845.txt
 go126/src/cmd/go/testdata/script/mod_install_hint.txt
 go126/src/cmd/go/testdata/script/mod_install_pkg_version.txt
@@ -2991,7 +2990,6 @@ go126/src/cmd/go/testdata/script/work_im
 go126/src/cmd/go/testdata/script/work_init_gowork.txt
 go126/src/cmd/go/testdata/script/work_init_path.txt
 go126/src/cmd/go/testdata/script/work_init_toolchain.txt
-go126/src/cmd/go/testdata/script/work_init_version.txt
 go126/src/cmd/go/testdata/script/work_install_submodule.txt
 go126/src/cmd/go/testdata/script/work_issue51204.txt
 go126/src/cmd/go/testdata/script/work_issue54048.txt
@@ -7456,6 +7454,7 @@ go126/src/internal/poll/fd_windows_test.
 go126/src/internal/poll/fd_writev_libc.go
 go126/src/internal/poll/fd_writev_unix.go
 go126/src/internal/poll/file_plan9.go
+go126/src/internal/poll/fstatat_unix.go
 go126/src/internal/poll/hook_cloexec.go
 go126/src/internal/poll/hook_unix.go
 go126/src/internal/poll/hook_windows.go
@@ -9329,6 +9328,9 @@ go126/src/os/stat_test.go
 go126/src/os/stat_unix.go
 go126/src/os/stat_wasip1.go
 go126/src/os/stat_windows.go
+go126/src/os/statat.go
+go126/src/os/statat_other.go
+go126/src/os/statat_unix.go
 go126/src/os/sticky_bsd.go
 go126/src/os/sticky_notbsd.go
 go126/src/os/sys.go
@@ -14072,7 +14074,11 @@ go126/test/fixedbugs/issue76950.go
 go126/test/fixedbugs/issue7740.go
 go126/test/fixedbugs/issue7742.go
 go126/test/fixedbugs/issue7746.go
+go126/test/fixedbugs/issue77534.go
 go126/test/fixedbugs/issue7760.go
+go126/test/fixedbugs/issue77604.go
+go126/test/fixedbugs/issue77613.go
+go126/test/fixedbugs/issue77779.go
 go126/test/fixedbugs/issue7794.go
 go126/test/fixedbugs/issue7863.go
 go126/test/fixedbugs/issue7867.go
Index: pkgsrc/lang/go126/distinfo
diff -u pkgsrc/lang/go126/distinfo:1.1 pkgsrc/lang/go126/distinfo:1.2
--- pkgsrc/lang/go126/distinfo:1.1      Sun Feb 22 15:20:08 2026
+++ pkgsrc/lang/go126/distinfo  Fri Mar  6 20:57:34 2026
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.1 2026/02/22 15:20:08 bsiegert Exp $
+$NetBSD: distinfo,v 1.2 2026/03/06 20:57:34 bsiegert Exp $
 
-BLAKE2s (go1.26.0.src.tar.gz) = ba0872955f7f5ed46ff518c3c285bb34856d3568699254b2999dbe7a60e1a313
-SHA512 (go1.26.0.src.tar.gz) = 93858b64ef0f0963af4efa5f7a0465e76827b80a9926e965da6abeb2ad1b261bcfb3c1911364edd8bc2488fda47cc56e13816b4d7174413b17656b681c139964
-Size (go1.26.0.src.tar.gz) = 34095450 bytes
+BLAKE2s (go1.26.1.src.tar.gz) = f7d0d40cf99b132681c8736887316d983c43cee225fefe48e0f58b9e47b75481
+SHA512 (go1.26.1.src.tar.gz) = 7bab2a762b4aff1c2c3a3cf3ad20bce63fabff28c7ff63b18cb8b0ce427a7bc1781cfd3fa291f4bff499247b1f0fd56f1698bb19bc7c1be7d7d2f38716438d41
+Size (go1.26.1.src.tar.gz) = 34108253 bytes
 SHA1 (patch-misc_ios_clangwrap.sh) = 28ea4426336155d6720f7e16b43f0207b47a6dd8
 SHA1 (patch-src_cmd_dist_build.go) = cbb9576f832806b0cbef121ea38ba6a54db95bc3
 SHA1 (patch-src_crypto_x509_root__bsd.go) = 0b5dead901450967109303f873a2696c65ccac35