commit 6796ebb2cb66b316a07998cdcd69b1c486b8579e
Author: Gopher Robot
Date: 2025-06-05 11:16:22 -07:00

[release-branch.go1.24] go1.24.4

Change-Id: Iec14150cd12e445c3bd927c26f2a54387ba18577
Reviewed-on: https://go-review.googlesource.com/c/go/+/679218
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
TryBot-Bypass: Carlos Amedee <carlos@golang.org>

commit 85897ca220a149333a88b1e4d63f3b751f1141f5
Author: Neal Patel
Date: 2025-05-21 14:11:44 -04:00

[release-branch.go1.24] net/http: strip sensitive proxy headers from redirect requests

Similarly to Authentication entries, Proxy-Authentication entries should be stripped to ensure sensitive information is not leaked on redirects outside of the original domain.

https://fetch.spec.whatwg.org/#authentication-entries

Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue.

Updates golang/go#73816
Fixes golang/go#73906
Fixes CVE-2025-4673

Change-Id: I8a0f30d5d6bff6c71689bba6efa0b747947e7eb0
Reviewed-on: https://go-review.googlesource.com/c/go/+/679256
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
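The header the commit is about is Proxy-Authorization (and its response-side counterpart Proxy-Authenticate): before this fix the client only dropped Authorization, Cookie, Cookie2 and Www-Authenticate when a redirect left the original domain, so proxy credentials were replayed to whatever host the 3xx pointed at. The following is an added example, not code from the Go project: a CheckRedirect hook that applies the same domain-or-subdomain rule to the proxy headers as well, which is useful as defence in depth on toolchains that predate the fix. The function and variable names (stripSensitiveOnRedirect, sameOrSubdomain, checkRedirect, newRequest) and the sample credentials are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// sensitiveHeaders are the request headers that carry credentials and must not
// be replayed to a different domain when a redirect is followed. The list is
// the set net/http drops on cross-domain redirects plus the two proxy variants.
var sensitiveHeaders = []string{
	"Authorization",
	"Proxy-Authorization",
	"Cookie",
	"Cookie2",
	"Www-Authenticate",
	"Proxy-Authenticate",
}

// canonicalHost lowercases a URL host and strips any port and trailing dot so
// that "API.Example.com:443" and "api.example.com" compare equal.
func canonicalHost(h string) string {
	if host, _, err := net.SplitHostPort(h); err == nil {
		h = host
	}
	return strings.ToLower(strings.TrimSuffix(h, "."))
}

// sameOrSubdomain reports whether dest is the initial host or a subdomain of
// it. "sub.example.com" may receive headers first sent to "example.com";
// "notexample.com" and "example.com.evil" may not.
func sameOrSubdomain(initial, dest string) bool {
	i, d := canonicalHost(initial), canonicalHost(dest)
	return i == d || strings.HasSuffix(d, "."+i)
}

// stripSensitiveOnRedirect deletes credential headers from the redirect
// request req when its host leaves the domain of the request that started the
// chain (via[0]). It returns the names of the headers it removed.
func stripSensitiveOnRedirect(req *http.Request, via []*http.Request) []string {
	if len(via) == 0 || sameOrSubdomain(via[0].URL.Host, req.URL.Host) {
		return nil
	}
	var stripped []string
	for _, h := range sensitiveHeaders {
		if _, present := req.Header[http.CanonicalHeaderKey(h)]; present {
			req.Header.Del(h)
			stripped = append(stripped, h)
		}
	}
	return stripped
}

// checkRedirect is a drop-in http.Client.CheckRedirect that applies the
// stripping and keeps the default limit of 10 hops.
func checkRedirect(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 {
		return fmt.Errorf("stopped after %d redirects", len(via))
	}
	stripSensitiveOnRedirect(req, via)
	return nil
}

// newRequest builds a GET request carrying the given headers. It panics on a
// malformed URL because all inputs in this example are constructed constants.
func newRequest(rawURL string, headers map[string]string) *http.Request {
	req, err := http.NewRequest(http.MethodGet, rawURL, nil)
	if err != nil {
		panic(err)
	}
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	return req
}

func main() {
	// Constructed sample credentials; nothing here touches the network.
	creds := map[string]string{
		"Proxy-Authorization": "Basic cHJveHk6c2VjcmV0",
		"Authorization":       "Bearer sample-token",
		"Accept":              "application/json",
	}
	initial := newRequest("https://api.example.com/v1/report", creds)

	// Redirect to an unrelated domain: both credential headers must go.
	hop := newRequest("https://files.example.org/report.pdf", creds)
	fmt.Println("cross-domain, stripped:", stripSensitiveOnRedirect(hop, []*http.Request{initial}))
	fmt.Println("remaining headers:", hop.Header)

	// Redirect to a subdomain of the original host: headers may stay.
	hop = newRequest("https://cdn.api.example.com/report.pdf", creds)
	fmt.Println("subdomain, stripped:", stripSensitiveOnRedirect(hop, []*http.Request{initial}))

	// Wire the hook into a client; client.Do(initial) would then be protected.
	client := &http.Client{CheckRedirect: checkRedirect}
	_ = client
}
```

The hook runs after net/http has already copied the first request's headers into the redirect request, so deleting from req.Header at that point is sufficient; the suffix check uses a leading dot so that a lookalike host such as notapi.example.com is treated as a different domain.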

commit 9f9cf28f8fe67e6c17123cae2d89f116504f2be1
Author: Damien Neil
Date: 2025-05-13 15:35:19 -07:00

[release-branch.go1.24] os: don't follow symlinks on Windows when O_CREATE|O_EXCL

(This cherry-pick includes both CL 672396 and CL 676655.)

Match standard Unix behavior: Symlinks are not followed when
O_CREATE|O_EXCL is passed to open.

Thanks to Junyoung Park and Dong-uk Kim of KAIST Hacking Lab
for discovering this issue.

For #73702
Fixed #73720
Fixes CVE-2025-0913

Change-Id: Ieb46a6780c5e9a6090b09cd34290f04a8e3b0ca5
Reviewed-on: https://go-review.googlesource.com/c/go/+/672396
Auto-Submit: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Alan Donovan <adonovan@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/677215
Reviewed-by: Michael Knyszek <mknyszek@google.com>
TryBot-Bypass: Michael Knyszek <mknyszek@google.com>
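The property being restored is the one secure file creation relies on: with O_CREATE|O_EXCL the open must fail if anything already occupies the name, a symlink included, so a link planted by another user in a shared directory cannot redirect the write. The following is an added example, not code from the Go project: it plants a dangling symlink, attempts an exclusive create through it, and reports whether the link target was created (the pre-fix Windows behaviour) or the open was refused with an already-exists error (Unix behaviour, and Windows after this change). The helper names (createExclusive, symlinkProbe, isExist) and the file names are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// createExclusive creates path as a brand-new file. O_EXCL makes the open
// fail if anything already exists at that name, which is what stops a
// pre-planted symlink from redirecting the write. Mode 0o600 keeps the file
// private to its owner.
func createExclusive(path string) (*os.File, error) {
	return os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
}

// symlinkProbe plants dir/planted.txt as a symlink to the not-yet-existing
// dir/target.txt, then tries to create dir/planted.txt exclusively. It returns
// whether the target was created through the link (unsafe) and the error the
// open returned.
func symlinkProbe(dir string) (followed bool, err error) {
	target := filepath.Join(dir, "target.txt")
	planted := filepath.Join(dir, "planted.txt")
	if err := os.Symlink(target, planted); err != nil {
		return false, fmt.Errorf("cannot plant symlink: %w", err)
	}
	f, openErr := createExclusive(planted)
	if f != nil {
		f.Close()
	}
	// The target can only exist now if the open followed the link.
	_, statErr := os.Lstat(target)
	return statErr == nil, openErr
}

// isExist reports whether err is the already-exists failure (EEXIST on Unix)
// that a correct O_CREATE|O_EXCL open returns when the name is taken.
func isExist(err error) bool {
	return errors.Is(err, fs.ErrExist)
}

func main() {
	dir, err := os.MkdirTemp("", "oexcl-probe-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	followed, err := symlinkProbe(dir)
	switch {
	case followed:
		fmt.Println("UNSAFE: O_CREATE|O_EXCL followed the symlink and created the target")
	case isExist(err):
		fmt.Println("safe: open refused the pre-existing symlink:", err)
	default:
		fmt.Println("open failed for another reason:", err)
	}
}
```

Run it on each platform and toolchain you ship on; a result of "UNSAFE" means any code that creates files in a directory writable by other users (lock files, spool or temp files) is exposed to link-planting, and the fix is to upgrade rather than to add a pre-check with Lstat, which only reopens the race.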

commit a31c931adf4cba81b8e7f8bd9772b81699955749
Author: Cherry Mui
Date: 2025-05-21 14:32:21 -04:00

[release-branch.go1.24] cmd/link: allow linkname reference to a TEXT symbol regardless of size

In CL 660696, we made the linker choose the symbol of the
larger size in case there are multiple contentless declarations of
the same symbol. We also made it emit an error in the case that
there is a contentless declaration of a larger size and a
definition with content of a smaller size. In this case, we should
choose the definition with content, but code that accesses it
through the declaration of the larger size could fall into the
next symbol, potentially causing data corruption. So we disallowed
it.

There is one special case, though, that some code uses a linknamed
variable declaration to reference a function in assembly, in order
to take its address. The variable is often declared as uintptr.
The function symbol is the definition, which could sometimes be
shorter. This would trigger the error case above, causing existing
code to fail to build.

This CL allows it as a special case. It is still not safe to
access the variable's content. But it is actually okay to just
take its address, which the existing code often does.

Updates #73617.
Fixes #73832.

Change-Id: I467381bc5f6baa16caee6752a0a824c7185422f6
Reviewed-on: https://go-review.googlesource.com/c/go/+/676636
Reviewed-by: David Chase <drchase@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
(cherry picked from commit 70109eb32625487d9c774d602a4fa2422e218f1b)
Reviewed-on: https://go-review.googlesource.com/c/go/+/676957

commit 03811ab1b31525e8d779997db169c6fedab7c505
Author: Roland Shoemaker
Date: 2025-05-06 09:27:10 -07:00

[release-branch.go1.24] crypto/x509: decouple key usage and policy validation

Disabling key usage validation (by passing ExtKeyUsageAny)
unintentionally disabled policy validation. This change decouples these
two checks, preventing the user from unintentionally disabling policy
validation.

Thanks to Krzysztof Skrzętnicki (@Tener) of Teleport for reporting this
issue.

Updates #73612
Fixes #73700
Fixes CVE-2025-22874

Change-Id: Iec8f080a8879a3dd44cb3da30352fa3e7f539d40
Reviewed-on: https://go-review.googlesource.com/c/go/+/670375
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-by: Ian Stapleton Cordasco <graffatcolmingov@gmail.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
(cherry picked from commit 9bba799955e68972041c4f340ee4ea2d267e5c0e)
Reviewed-on: https://go-review.googlesource.com/c/go/+/672316
Reviewed-by: Michael Knyszek <mknyszek@google.com>
