gostls13.git log

commit 28622c19591d95c9a83f706f2ed1b303d58da85f [browse]
Author: Gopher Robot
Date: 2025-10-13 14:05:25 -07:00

[release-branch.go1.25] go1.25.3

Change-Id: Ibb61bf455e8ec92bb10038b1de0ce79ee771c53a
Reviewed-on: https://go-review.googlesource.com/c/go/+/711481
Reviewed-by: Michael Pratt <mpratt@google.com>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Auto-Submit: Gopher Robot <gobot@golang.org>
TryBot-Bypass: Gopher Robot <gobot@golang.org>

commit e05b2c92d973ecf5a8042fd9605501b842e18369 [browse]
Author: Roland Shoemaker
Date: 2025-10-09 13:35:24 -07:00

[release-branch.go1.25] crypto/x509: rework fix for CVE-2025-58187

In CL 709854 we enabled strict validation for a number of properties of
domain names (and their constraints). This caused significant breakage,
since we didn't previously disallow the creation of certificates which
contained these malformed domains.

Rollback a number of the properties we enforced, making domainNameValid
only enforce the same properties that domainToReverseLabels does. Since
this also undoes some of the DoS protections our initial fix enabled,
this change also adds caching of constraints in isValid (which perhaps
is the fix we should've initially chosen).

Updates #75835
Updates #75828
Fixes #75861

Change-Id: Ie6ca6b4f30e9b8a143692b64757f7bbf4671ed0e
Reviewed-on: https://go-review.googlesource.com/c/go/+/710735
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
(cherry picked from commit 1cd71689f2ed8f07031a0cc58fc3586ca501839f)
Reviewed-on: https://go-review.googlesource.com/c/go/+/710677
Auto-Submit: Michael Pratt <mpratt@google.com>
Reviewed-by: Michael Pratt <mpratt@google.com>

commit 79ec0c94f32b0fedd0a4e9aacbe0b305b2a66762 [browse]
Author: Robert Griesemer
Date: 2025-10-06 10:36:13 -07:00

[release-branch.go1.25] spec: update spec date to match release date

Ths spec date in the 1.25 release branch dates back to Feb 2025
which is rather confusing. Moving it forward to 1.25 release date.

This is a roll forward of CL 709515 which was rolled back by CL 709535.

For #75743.
Fixes #75777.

Change-Id: I18d7ccfc343aa1f8fba78a896fb69ad6eeb182e7
Reviewed-on: https://go-review.googlesource.com/c/go/+/710215
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Robert Griesemer <gri@google.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

commit bed6c81c2dceeb19c7f9e46fc173671abcda7cfd [browse]
Author: Gopher Robot
Date: 2025-10-07 11:10:28 -07:00

[release-branch.go1.25] go1.25.2

Change-Id: I0a685789be057167e6d40fbdaee29ebdbc6a2164
Reviewed-on: https://go-review.googlesource.com/c/go/+/709916
Reviewed-by: Michael Pratt <mpratt@google.com>
Reviewed-by: Carlos Amedee <carlos@golang.org>
TryBot-Bypass: Gopher Robot <gobot@golang.org>
Auto-Submit: Gopher Robot <gobot@golang.org>

commit 2612dcfd3cb6dd73c76e14a24fe1a68e2708e4e3 [browse]
Author: Damien Neil
Date: 2025-09-11 13:32:10 -07:00

[release-branch.go1.25] archive/tar: set a limit on the size of GNU sparse file 1.0 regions

Sparse files in tar archives contain only the non-zero components
of the file. There are several different encodings for sparse
files. When reading GNU tar pax 1.0 sparse files, archive/tar did
not set a limit on the size of the sparse region data. A malicious
archive containing a large number of sparse blocks could cause
archive/tar to read an unbounded amount of data from the archive
into memory.

Since a malicious input can be highly compressable, a small
compressed input could cause very large allocations.

Cap the size of the sparse block data to the same limit used
for PAX headers (1 MiB).

Thanks to Harshit Gupta (Mr HAX) (https://www.linkedin.com/in/iam-harshit-gupta/)
for reporting this issue.

Fixes CVE-2025-58183
For #75677
Fixes #75711

Change-Id: I70b907b584a7b8676df8a149a1db728ae681a770
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2800
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Nicholas Husin <husin@google.com>
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2987
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/709852
TryBot-Bypass: Michael Pratt <mpratt@google.com>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Auto-Submit: Michael Pratt <mpratt@google.com>

clone the repository to get more history