commit 1296453960bac0fb5675853c40e3747e5237e16e
Author: Gopher Robot
Date: 2025-12-02 07:59:53 -08:00

[release-branch.go1.24] go1.24.11

Change-Id: Iae7d7cf17bf31ac6aaf145993d0b857a3ddbcacb
Reviewed-on: https://go-review.googlesource.com/c/go/+/725841
TryBot-Bypass: Gopher Robot <gobot@golang.org>
Reviewed-by: Mark Freeman <markfreeman@google.com>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>

commit 3a842bd5c6aa8eefa13c0174de3ab361e50bd672
Author: Nicholas S. Husin
Date: 2025-11-24 14:56:23 -05:00

[release-branch.go1.24] crypto/x509: prevent HostnameError.Error() from consuming excessive resource

Constructing HostnameError.Error() takes O(N^2) runtime due to using a
string concatenation in a loop. Additionally, there is no limit on how
many names are included in the error message. As a result, a malicious
attacker could craft a certificate with an infinite amount of names to
unfairly consume resource.

To remediate this, we will now use strings.Builder to construct the
error message, preventing O(N^2) runtime. When a certificate has 100 or
more names, we will also not print each name individually.

Thanks to Philippe Antoine (Catena cyber) for reporting this issue.

Updates #76445
Fixes #76460
Fixes CVE-2025-61729

Change-Id: I6343776ec3289577abc76dad71766c491c1a7c81
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3000
Reviewed-by: Neal Patel <nealpatel@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3220
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/725820
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Bypass: Dmitri Shuralyov <dmitshur@golang.org>
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Mark Freeman <markfreeman@google.com>

commit 04db77a423cac75bb82cc9a6859991ae9c016344
Author: Roland Shoemaker
Date: 2025-11-24 08:46:08 -08:00

[release-branch.go1.24] crypto/x509: excluded subdomain constraints preclude wildcard SANs

When evaluating name constraints in a certificate chain, the presence of
an excluded subdomain constraint (e.g., excluding "test.example.com")
should preclude the use of a wildcard SAN (e.g., "*.example.com").

Fixes #76442
Fixes #76463
Fixes CVE-2025-61727

Change-Id: I42a0da010cb36d2ec9d1239ae3f61cf25eb78bba
Reviewed-on: https://go-review.googlesource.com/c/go/+/724401
Reviewed-by: Nicholas Husin <husin@google.com>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Nicholas Husin <nsh@golang.org>
Reviewed-by: Neal Patel <nealpatel@google.com>
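
The overlap described in the commit above, as an added example that is not the Go project's code: a DNS SAN is tested against one excluded dNSName constraint, and the wildcard is treated as a set of names rather than a literal string. The function names are hypothetical, and the model assumes that "*" stands for exactly one leftmost label and that a constraint covers the named domain plus its subdomains.

```go
package main

import (
	"fmt"
	"strings"
)

// isSubdomainOrEqual reports whether name equals domain or sits beneath it.
func isSubdomainOrEqual(name, domain string) bool {
	return name == domain || strings.HasSuffix(name, "."+domain)
}

// sanHitsExcluded reports whether a DNS SAN can name a host covered by an
// excluded dNSName constraint. Assumption of this sketch: "*" stands for
// exactly one leftmost label, and a constraint covers itself plus subdomains.
func sanHitsExcluded(san, excluded string) bool {
	san = strings.ToLower(strings.TrimSuffix(san, "."))
	excluded = strings.ToLower(strings.TrimSuffix(excluded, "."))
	base, isWildcard := strings.CutPrefix(san, "*.")
	if !isWildcard {
		return isSubdomainOrEqual(san, excluded)
	}
	// Every expansion of the wildcard lies under the excluded domain.
	if isSubdomainOrEqual(base, excluded) {
		return true
	}
	// Some expansion equals the excluded domain: "*.example.com" can stand
	// for "test.example.com". A literal string comparison misses this.
	_, parent, ok := strings.Cut(excluded, ".")
	return ok && parent == base
}

func main() {
	// Constructed sample pairs: SAN, excluded constraint.
	cases := [][2]string{
		{"*.example.com", "test.example.com"},
		{"www.example.com", "test.example.com"},
		{"*.example.com", "example.com"},
		{"*.example.org", "test.example.com"},
	}
	for _, c := range cases {
		fmt.Printf("SAN %-16s excluded %-18s rejected=%v\n", c[0], c[1], sanHitsExcluded(c[0], c[1]))
	}
}
```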

commit 23743a8d2b1347eaf6279f401f743eeafab399a2
Author: Guoqi Chen
Date: 2025-03-06 20:07:24 +08:00

[release-branch.go1.24] internal/cpu: use correct variable when parsing CPU features lamcas and lam_bh on loong64

Fixes #76378

Change-Id: I5019f4e32243911f735f775bcb3c0dba5adb4162
Reviewed-on: https://go-review.googlesource.com/c/go/+/655395
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Junyang Shao <shaojunyang@google.com>
Reviewed-by: Meidan Li <limeidan@loongson.cn>
Reviewed-by: sophie zhao <zhaoxiaolin@loongson.cn>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
(cherry picked from commit bcd0ebbd2abcd3e2e876862f287c46a2de56eaab)
Reviewed-on: https://go-review.googlesource.com/c/go/+/722400
Reviewed-by: abner chenc <chenguoqi@loongson.cn>
Reviewed-by: Mark Freeman <markfreeman@google.com>

commit 0259df17feb288f1e24517516939b67876c2627b
Author: Gopher Robot
Date: 2025-11-05 10:58:48 -08:00

[release-branch.go1.24] go1.24.10

Change-Id: I74370108e95298bec0fe0f7738867072ece0d0ff
Reviewed-on: https://go-review.googlesource.com/c/go/+/718063
TryBot-Bypass: Gopher Robot <gobot@golang.org>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
