gostls13.git log

commit fefb02adf45c4bcc879bd406a8d61f2a292c26a9 [browse]
Author: Gopher Robot
Date: 2025-12-02 08:00:45 -08:00

[release-branch.go1.25] go1.25.5

Change-Id: If484d63fd8cc5ea0872780019535368afcf4ec5b
Reviewed-on: https://go-review.googlesource.com/c/go/+/725842
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Mark Freeman <markfreeman@google.com>
TryBot-Bypass: Gopher Robot <gobot@golang.org>

commit f7bce4bd6f7b13de8d9f06f7f262e3b60381e7e9 [browse]
Author: Nicholas S. Husin
Date: 2025-11-24 14:56:23 -05:00

[release-branch.go1.25] crypto/x509: prevent HostnameError.Error() from consuming excessive resource

Constructing HostnameError.Error() takes O(N^2) runtime due to using a
string concatenation in a loop. Additionally, there is no limit on how
many names are included in the error message. As a result, a malicious
attacker could craft a certificate with an infinite amount of names to
unfairly consume resource.

To remediate this, we will now use strings.Builder to construct the
error message, preventing O(N^2) runtime. When a certificate has 100 or
more names, we will also not print each name individually.

Thanks to Philippe Antoine (Catena cyber) for reporting this issue.

Updates #76445
Fixes #76461
Fixes CVE-2025-61729

Change-Id: I6343776ec3289577abc76dad71766c491c1a7c81
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3000
Reviewed-by: Neal Patel <nealpatel@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3200
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/725800
TryBot-Bypass: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Mark Freeman <markfreeman@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>

commit 287017acebd27203aa3218abbd11ed65c2280cf8 [browse]
Author: Roland Shoemaker
Date: 2025-11-24 08:46:08 -08:00

[release-branch.go1.25] crypto/x509: excluded subdomain constraints preclude wildcard SANs

When evaluating name constraints in a certificate chain, the presence of
an excluded subdomain constraint (e.g., excluding "test.example.com")
should preclude the use of a wildcard SAN (e.g., "*.example.com").

Fixes #76442
Fixes #76464
Fixes CVE-2025-61727

Change-Id: I42a0da010cb36d2ec9d1239ae3f61cf25eb78bba
Reviewed-on: https://go-review.googlesource.com/c/go/+/724400
Reviewed-by: Nicholas Husin <nsh@golang.org>
Reviewed-by: Nicholas Husin <husin@google.com>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Neal Patel <nealpatel@google.com>

commit e1ce1bfa7f0d44e864d8ea6d6cec62c09668ad66 [browse]
Author: Julien Cretel
Date: 2025-11-10 21:20:09 Z

[release-branch.go1.25] mime: parse media types that contain braces

This CL fixes a bug introduced by CL 666655: isTokenChar would no longer
(but should) report true for '{' and '}'.

Fixes #76245

Change-Id: Ifc0953c30d7cae7bfba9bc4b6bb6951a83c52576
GitHub-Last-Rev: c91a75c2c8778a9a8343c6bb4fa89eb1f978059f
GitHub-Pull-Request: golang/go#76243
Reviewed-on: https://go-review.googlesource.com/c/go/+/719380
Reviewed-by: Sean Liao <sean@liao.dev>
Reviewed-by: Jorropo <jorropo.pgm@gmail.com>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
(cherry picked from commit c761b26b56eec36390885e5373aab2fd17dc67ef)
Reviewed-on: https://go-review.googlesource.com/c/go/+/721000
Reviewed-by: Junyang Shao <shaojunyang@google.com>

commit 433c01e94efe72f985096839d0631103b3163be6 [browse]
Author: qmuntal
Date: 2025-11-03 16:29:06 +01:00

[release-branch.go1.25] internal/syscall/windows: fix ReOpenFile sentinel error value

ReOpenFile is documented to return INVALID_HANDLE_VALUE on error,
but the previous definition was checking for 0 instead.

ReOpenFile was added to the go1.25 release branch in CL 715360. This new CL amends it.

Fixes #76360
Updates #75989

Change-Id: Idec5e75e40b9f6c409e068d63a9b606781e80a46
Reviewed-on: https://go-review.googlesource.com/c/go/+/717320
Auto-Submit: Quim Muntal <quimmuntal@gmail.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Alex Brainman <alex.brainman@gmail.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
(cherry picked from commit CL 717320)
Reviewed-on: https://go-review.googlesource.com/c/go/+/718000
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>

clone the repository to get more history