commit 7dc919d80ec54886bd5291cde26300f4662a39f5
Author: Sergey Matveev
Date: 2024-03-05 21:12:03 +03:00
Autogenerated TLS-related strings
go install golang.org/x/tools/cmd/stringer@latest
cd src/crypto/tls ; go generate
commit 2f28e4630de86513bf549c4ba9274de9a256b3c6
Author: Sergey Matveev
Date: 2023-02-02 00:19:57 +03:00
GOST X.509 and TLS 1.3 support via GoGOST
commit db6097f8cbaceaed02051850d2411c88b763a0c3
Author: Gopher Robot
Date: 2024-03-05 17:00:20 Z
[release-branch.go1.22] go1.22.1
Change-Id: I9db641e2a029c4c9fa72d7b423b2b6b7f113d9a2
Reviewed-on: https://go-review.googlesource.com/c/go/+/569257
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
commit 041a47712e765e94f86d841c3110c840e76d8f82
Author: Damien Neil
Date: 2024-01-16 15:37:52 -08:00
[release-branch.go1.22] net/textproto, mime/multipart: avoid unbounded read in MIME header
mime/multipart.Reader.ReadForm allows specifying the maximum amount
of memory that will be consumed by the form. While this limit is
correctly applied to the parsed form data structure, it was not
being applied to individual header lines in a form.
For example, when presented with a form containing a header line
that never ends, ReadForm will continue to read the line until it
runs out of memory.
Limit the amount of data consumed when reading a header.
Fixes CVE-2023-45290
Fixes #65850
For #65383
Change-Id: I7f9264d25752009e95f6b2c80e3d76aaf321d658
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2134435
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2174345
Reviewed-by: Carlos Amedee <amedee@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/569237
Reviewed-by: Carlos Amedee <carlos@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Michael Knyszek <mknyszek@google.com>
commit 3a855208e3efed2e9d7c20ad023f1fa78afcc0be
Author: Damien Neil
Date: 2024-01-11 11:31:57 -08:00
[release-branch.go1.22] net/http, net/http/cookiejar: avoid subdomain matches on IPv6 zones
When deciding whether to forward cookies or sensitive headers
across a redirect, do not attempt to interpret an IPv6 address
as a domain name.
Avoids a case where a maliciously-crafted redirect to an
IPv6 address with a scoped addressing zone could be
misinterpreted as a within-domain redirect. For example,
we could interpret "::1%.www.example.com" as a subdomain
of "www.example.com".
Thanks to Juho Nurminen of Mattermost for reporting this issue.
Fixes CVE-2023-45289
Fixes #65859
For #65065
Change-Id: I8f463f59f0e700c8a18733d2b264a8bcb3a19599
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2131938
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2174344
Reviewed-by: Carlos Amedee <amedee@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/569236
Reviewed-by: Carlos Amedee <carlos@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Michael Knyszek <mknyszek@google.com>
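
The IPv6 zone confusion described in the commit message above, as an added example that is not part of the commit or of the Go source tree: a suffix-only subdomain check next to one that refuses to suffix-match IP literals. The function names suffixOnlyMatch, strictMatch and zoneOf are hypothetical, and the hosts are constructed, apart from the "::1%.www.example.com" string quoted in the message.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// suffixOnlyMatch (hypothetical name) is a naive check: any host that ends
// in "."+parent counts as a subdomain, whatever precedes the suffix.
func suffixOnlyMatch(sub, parent string) bool {
	return sub == parent || strings.HasSuffix(sub, "."+parent)
}

// strictMatch (hypothetical name) never suffix-matches an IP literal:
// ':' and '%' cannot appear in a DNS hostname, so their presence means the
// "suffix" may be the contents of an IPv6 zone, not a parent domain.
func strictMatch(sub, parent string) bool {
	if sub == parent {
		return true
	}
	if strings.ContainsAny(sub, ":%") {
		return false
	}
	return strings.HasSuffix(sub, "."+parent)
}

// zoneOf returns the IPv6 zone of host, or "" if host is not a zoned IPv6 literal.
func zoneOf(host string) string {
	addr, err := netip.ParseAddr(host)
	if err != nil {
		return ""
	}
	return addr.Zone()
}

func main() {
	const parent = "www.example.com" // host of the original request (constructed)
	// Constructed redirect targets; the second is the string from the commit message.
	for _, h := range []string{"api.www.example.com", "::1%.www.example.com", "evilwww.example.com"} {
		fmt.Printf("%-24q zone=%-20q suffixOnly=%-5v strict=%v\n",
			h, zoneOf(h), suffixOnlyMatch(h, parent), strictMatch(h, parent))
	}
}
```

The zone column shows why the naive check passes: the text after '%' is a local interface scope, not a DNS name, yet it is the part that carries the parent-domain suffix.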