* [Buildroot] [PATCH] package/go: security bump to version 1.23.10
From: Peter Korsgaard via buildroot @ 2025-06-07 12:19 UTC
To: buildroot; +Cc: Thomas Perale, Christian Stewart
go1.23.9 (released 2025-05-06) includes fixes to the runtime and the linker.

go1.23.10 (released 2025-06-05) includes security fixes to the net/http and
os packages, as well as bug fixes to the linker.

Fixes the following security vulnerabilities:

- CVE-2025-4673: net/http: sensitive headers not cleared on cross-origin
redirect

Proxy-Authorization and Proxy-Authenticate headers persisted on
cross-origin redirects potentially leaking sensitive information

- CVE-2025-0913: os: inconsistent handling of O_CREATE|O_EXCL on Unix and
Windows

os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and
Windows systems when the target path was a dangling symlink. On Unix
systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks.
On Windows, when the target path was a symlink to a nonexistent location,
OpenFile would create a file in that location.

- CVE-2025-22874: crypto/x509: usage of ExtKeyUsageAny disables policy validation

Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny
unintentionally disabled policy validation. This only affected
certificate chains which contain policy graphs, which are rather uncommon.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/go/go.hash | 14 +++++++-------
package/go/go.mk | 2 +-
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/package/go/go.hash b/package/go/go.hash
index 48ba6b7fd9..62e0772e2e 100644
--- a/package/go/go.hash
+++ b/package/go/go.hash
@@ -1,9 +1,9 @@
# sha256 checksum from https://go.dev/dl/
-sha256 0ca1f1e37ea255e3ce283af3f4e628502fb444587da987a5bb96d6c6f15930d4 go1.23.8.src.tar.gz
-sha256 714b9d004063bfa27686f9ff0e5648bb190b3a5bc1e86b0aa16c134d8d8c315f go1.23.8.linux-386.tar.gz
-sha256 45b87381172a58d62c977f27c4683c8681ef36580abecd14fd124d24ca306d3f go1.23.8.linux-amd64.tar.gz
-sha256 9d6d938422724a954832d6f806d397cf85ccfde8c581c201673e50e634fdc992 go1.23.8.linux-arm64.tar.gz
-sha256 d14e0bea9fb25344a0460f395880d5589bbcd413ffd5555be48e46c0de084437 go1.23.8.linux-armv6l.tar.gz
-sha256 0cadab469e612b159f5f68b1a30d75aa7b7e1ed5292746005a6a3c8ff04e6f35 go1.23.8.linux-ppc64le.tar.gz
-sha256 cbe954ee534eb02aa782639716d8c25706dd171445f7c8336bd2fc0b8f6fe38e go1.23.8.linux-s390x.tar.gz
+sha256 800a7ae1bff179a227b653a2f644517c800443b8b4abf3273af5e1cb7113de59 go1.23.10.src.tar.gz
+sha256 ded3c0a8d6d2a0ea5e7599c49678efa05cda139d31baaaf7d8d536a9e4cc19b2 go1.23.10.linux-386.tar.gz
+sha256 535f9f81802499f2a7dbfa70abb8fda3793725fcc29460f719815f6e10b5fd60 go1.23.10.linux-amd64.tar.gz
+sha256 bfb1f1df7173f44648ee070a39ab0481068632f595305a699d89cd56a33b8081 go1.23.10.linux-arm64.tar.gz
+sha256 b6e00c9a72406d394b9f167e74670e28b72ed559cca8115b21be1cb9d5316cb4 go1.23.10.linux-armv6l.tar.gz
+sha256 8fb94455cfa5e9a5e8af2bfbc7323a6fed2dabaffda1a69dae5dd41b669bbb57 go1.23.10.linux-ppc64le.tar.gz
+sha256 7d0e8651eb54fce5cfe2d4b412ddfa50144ce21907f72192a6549ffe03db4e1f go1.23.10.linux-s390x.tar.gz
sha256 2d36597f7117c38b006835ae7f537487207d8ec407aa9d9980794b2030cbc067 LICENSE
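Review bot: The seven replaced entries have the context line "# sha256 checksum from https://go.dev/dl/" as their only stated provenance, and that is the same origin the tarballs are downloaded from. It would help to say in the commit message that each go1.23.10 hash was also compared against a locally computed sha256 of the fetched archive, so a copy error is caught at review rather than at the first build. The unchanged LICENSE hash is consistent with a patch-level bump.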
diff --git a/package/go/go.mk b/package/go/go.mk
index d618a7a262..744bb0d3ba 100644
--- a/package/go/go.mk
+++ b/package/go/go.mk
@@ -4,7 +4,7 @@
#
################################################################################
-GO_VERSION = 1.23.8
+GO_VERSION = 1.23.10
HOST_GO_GOPATH = $(HOST_DIR)/share/go-path
HOST_GO_HOST_CACHE = $(HOST_DIR)/share/host-go-cache
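Review bot: GO_VERSION moves from 1.23.8 straight to 1.23.10, and the commit message describes go1.23.10 as carrying security fixes to the net/http and os packages only, yet its CVE list also has a crypto/x509 entry (CVE-2025-22874). Please confirm that entry applies to the 1.23 branch, or drop it from the message, so that CVE tracking for this bump stays accurate.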
--
2.39.5
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
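The CVE-2025-0913 description in the commit message above can be checked on a build host with the following Go program. It is an added example, not part of the patch or of Buildroot, and the type and function names are hypothetical. On Unix the expected result is that the open is refused and nothing appears at the symlink's destination.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// ExclResult records what os.OpenFile did with a dangling symlink.
type ExclResult struct {
	Refused       bool // OpenFile returned an error matching fs.ErrExist
	TargetCreated bool // a file appeared at the symlink's destination
}

// CheckExclOnDanglingSymlink builds link -> target (target missing) inside a
// fresh temporary directory and opens link with O_CREATE|O_EXCL.
func CheckExclOnDanglingSymlink() (ExclResult, error) {
	var res ExclResult
	dir, err := os.MkdirTemp("", "excl-check-")
	if err != nil {
		return res, err
	}
	defer os.RemoveAll(dir)

	target := filepath.Join(dir, "target") // constructed name, never created here
	link := filepath.Join(dir, "link")
	if err := os.Symlink(target, link); err != nil {
		return res, err // e.g. symlinks unavailable to this user
	}

	f, err := os.OpenFile(link, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err == nil {
		f.Close()
	}
	res.Refused = errors.Is(err, fs.ErrExist)
	// Lstat does not follow symlinks; success means the open wrote through the link.
	if _, statErr := os.Lstat(target); statErr == nil {
		res.TargetCreated = true
	}
	return res, nil
}

func main() {
	res, err := CheckExclOnDanglingSymlink()
	fmt.Printf("refused=%v targetCreated=%v err=%v\n", res.Refused, res.TargetCreated, err)
}
```

A result with TargetCreated set to true is the Windows behaviour the commit message describes for the unfixed toolchain.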
* Re: [Buildroot] [PATCH] package/go: security bump to version 1.23.10
From: Peter Korsgaard via buildroot @ 2025-06-07 15:34 UTC
To: buildroot; +Cc: Christian Stewart, Thomas Perale
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> go1.23.9 (released 2025-05-06) includes fixes to the runtime and the linker.
>
> go1.23.10 (released 2025-06-05) includes security fixes to the net/http and
> os packages, as well as bug fixes to the linker.
>
> Fixes the following security vulnerabilities:
>
> - CVE-2025-4673: net/http: sensitive headers not cleared on cross-origin
> redirect
>
> Proxy-Authorization and Proxy-Authenticate headers persisted on
> cross-origin redirects potentially leaking sensitive information
>
> - CVE-2025-0913: os: inconsistent handling of O_CREATE|O_EXCL on Unix and
> Windows
>
> os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and
> Windows systems when the target path was a dangling symlink. On Unix
> systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks.
> On Windows, when the target path was a symlink to a nonexistent location,
> OpenFile would create a file in that location.
>
> - CVE-2025-22874: crypto/x509: usage of ExtKeyUsageAny disables policy validation
>
> Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny
> unintentionally disabled policy validation. This only affected
> certificate chains which contain policy graphs, which are rather uncommon.
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed, thanks.
--
Bye, Peter Korsgaard
* Re: [Buildroot] [PATCH] package/go: security bump to version 1.23.10
From: Arnout Vandecappelle via buildroot @ 2025-06-12 20:09 UTC
To: Peter Korsgaard, buildroot; +Cc: Thomas Perale, Christian Stewart
On 07/06/2025 14:19, Peter Korsgaard via buildroot wrote:
> go1.23.9 (released 2025-05-06) includes fixes to the runtime and the linker.
>
> go1.23.10 (released 2025-06-05) includes security fixes to the net/http and
> os packages, as well as bug fixes to the linker.
>
> Fixes the following security vulnerabilities:
>
> - CVE-2025-4673: net/http: sensitive headers not cleared on cross-origin
> redirect
>
> Proxy-Authorization and Proxy-Authenticate headers persisted on
> cross-origin redirects potentially leaking sensitive information
>
> - CVE-2025-0913: os: inconsistent handling of O_CREATE|O_EXCL on Unix and
> Windows
>
> os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and
> Windows systems when the target path was a dangling symlink. On Unix
> systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks.
> On Windows, when the target path was a symlink to a nonexistent location,
> OpenFile would create a file in that location.
>
> - CVE-2025-22874: crypto/x509: usage of ExtKeyUsageAny disables policy validation
>
> Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny
> unintentionally disabled policy validation. This only affected
> certificate chains which contain policy graphs, which are rather uncommon.
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Applied to 2025.02.x, thanks.
Regards,
Arnout
> ---
> package/go/go.hash | 14 +++++++-------
> package/go/go.mk | 2 +-
> 2 files changed, 8 insertions(+), 8 deletions(-)
>
> diff --git a/package/go/go.hash b/package/go/go.hash
> index 48ba6b7fd9..62e0772e2e 100644
> --- a/package/go/go.hash
> +++ b/package/go/go.hash
> @@ -1,9 +1,9 @@
> # sha256 checksum from https://go.dev/dl/
> -sha256 0ca1f1e37ea255e3ce283af3f4e628502fb444587da987a5bb96d6c6f15930d4 go1.23.8.src.tar.gz
> -sha256 714b9d004063bfa27686f9ff0e5648bb190b3a5bc1e86b0aa16c134d8d8c315f go1.23.8.linux-386.tar.gz
> -sha256 45b87381172a58d62c977f27c4683c8681ef36580abecd14fd124d24ca306d3f go1.23.8.linux-amd64.tar.gz
> -sha256 9d6d938422724a954832d6f806d397cf85ccfde8c581c201673e50e634fdc992 go1.23.8.linux-arm64.tar.gz
> -sha256 d14e0bea9fb25344a0460f395880d5589bbcd413ffd5555be48e46c0de084437 go1.23.8.linux-armv6l.tar.gz
> -sha256 0cadab469e612b159f5f68b1a30d75aa7b7e1ed5292746005a6a3c8ff04e6f35 go1.23.8.linux-ppc64le.tar.gz
> -sha256 cbe954ee534eb02aa782639716d8c25706dd171445f7c8336bd2fc0b8f6fe38e go1.23.8.linux-s390x.tar.gz
> +sha256 800a7ae1bff179a227b653a2f644517c800443b8b4abf3273af5e1cb7113de59 go1.23.10.src.tar.gz
> +sha256 ded3c0a8d6d2a0ea5e7599c49678efa05cda139d31baaaf7d8d536a9e4cc19b2 go1.23.10.linux-386.tar.gz
> +sha256 535f9f81802499f2a7dbfa70abb8fda3793725fcc29460f719815f6e10b5fd60 go1.23.10.linux-amd64.tar.gz
> +sha256 bfb1f1df7173f44648ee070a39ab0481068632f595305a699d89cd56a33b8081 go1.23.10.linux-arm64.tar.gz
> +sha256 b6e00c9a72406d394b9f167e74670e28b72ed559cca8115b21be1cb9d5316cb4 go1.23.10.linux-armv6l.tar.gz
> +sha256 8fb94455cfa5e9a5e8af2bfbc7323a6fed2dabaffda1a69dae5dd41b669bbb57 go1.23.10.linux-ppc64le.tar.gz
> +sha256 7d0e8651eb54fce5cfe2d4b412ddfa50144ce21907f72192a6549ffe03db4e1f go1.23.10.linux-s390x.tar.gz
> sha256 2d36597f7117c38b006835ae7f537487207d8ec407aa9d9980794b2030cbc067 LICENSE
> diff --git a/package/go/go.mk b/package/go/go.mk
> index d618a7a262..744bb0d3ba 100644
> --- a/package/go/go.mk
> +++ b/package/go/go.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
>
> -GO_VERSION = 1.23.8
> +GO_VERSION = 1.23.10
>
> HOST_GO_GOPATH = $(HOST_DIR)/share/go-path
> HOST_GO_HOST_CACHE = $(HOST_DIR)/share/host-go-cache