Next | Query returned 344 messages, browsing 1 to 10 | Previous

CVS Commit History:


   2025-06-06 15:45:15 by Benny Siegert | Files touched by this commit (5)
Log message:
Update go123 to 1.23.10 and go124 to 1.24.4 (security)

These minor releases include 3 security fixes following the security policy:

-   net/http: sensitive headers not cleared on cross-origin redirect

    Proxy-Authorization and Proxy-Authenticate headers persisted on
    cross-origin redirects potentially leaking sensitive information.

    Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting
    this issue.

    This is CVE-2025-4673 and Go issue https://go.dev/issue/73816.

-   os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows

    os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and
    Windows systems when the target path was a dangling symlink. On Unix
    systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks.
    On Windows, when the target path was a symlink to a nonexistent location,
    OpenFile would create a file in that location.

    OpenFile now always returns an error when the O_CREATE and O_EXCL flags
    are both set and the target path is a symlink.

    Thanks to Junyoung Park and Dong-uk Kim of KAIST Hacking Lab for
    discovering this issue.

    This is CVE-2025-0913 and Go issue https://go.dev/issue/73702.

-   crypto/x509: usage of ExtKeyUsageAny disables policy validation

    Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny
    unintentionally disabled policy validation. This only affected certificate
    chains which contain policy graphs, which are rather uncommon.

    Thanks to Krzysztof Skrzętnicki (@Tener) of Teleport for reporting this
    issue.

    This is CVE-2025-22874 and Go issue https://go.dev/issue/73612.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.24.4
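A regression probe for the O_CREATE|O_EXCL symlink case described above, added here as an example rather than code from the pkgsrc commit or the Go project: it plants a dangling symlink in a scratch directory, attempts the exclusive create through it, and reports whether the open was refused and whether anything was created at the symlink's target. The names ProbeExclCreateThroughSymlink and SafeAgainstSymlinkCreate are this example's own.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// ExclCreateResult records what happened when a dangling symlink was opened
// with os.O_CREATE|os.O_EXCL.
type ExclCreateResult struct {
	OpenErr       error // error from os.OpenFile; nil means a handle was returned
	TargetCreated bool  // true if a file appeared at the symlink's target path
}

// ProbeExclCreateThroughSymlink reproduces the scenario from the advisory in dir:
// it creates a symlink "link" pointing at the nonexistent file "target", then
// opens "link" with O_CREATE|O_EXCL. A hardened toolchain refuses the open and
// leaves "target" absent; the pre-fix Windows behaviour created "target".
func ProbeExclCreateThroughSymlink(dir string) (ExclCreateResult, error) {
	target := filepath.Join(dir, "target")
	link := filepath.Join(dir, "link")
	if err := os.Symlink(target, link); err != nil {
		return ExclCreateResult{}, fmt.Errorf("creating dangling symlink: %w", err)
	}
	f, openErr := os.OpenFile(link, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if openErr == nil {
		f.Close()
	}
	_, statErr := os.Lstat(target)
	return ExclCreateResult{OpenErr: openErr, TargetCreated: statErr == nil}, nil
}

// SafeAgainstSymlinkCreate reports whether the probe saw the hardened behaviour:
// the open failed and nothing was created through the link.
func SafeAgainstSymlinkCreate(r ExclCreateResult) bool {
	return r.OpenErr != nil && !r.TargetCreated
}

func main() {
	dir, err := os.MkdirTemp("", "excl-probe")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	r, err := ProbeExclCreateThroughSymlink(dir)
	if err != nil {
		panic(err)
	}
	fmt.Printf("open error: %v, target created: %v, safe: %v\n",
		r.OpenErr, r.TargetCreated, SafeAgainstSymlinkCreate(r))
}
```

On Unix the open fails regardless of Go version (O_EXCL never follows symlinks there); on Windows the probe distinguishes a patched from an unpatched toolchain.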
   2025-05-08 20:55:53 by Benny Siegert | Files touched by this commit (5) | Package updated
Log message:
go: update go123 to 1.23.9 and go124 to 1.24.3.

The Go 1.24.3 minor release includes 1 security fix following the security
policy:

-   os: Root permits access to parent directory

    It was possible to improperly access the parent directory of an os.Root
    by opening a filename ending in "../". For example, Root.Open("../") would
    open the parent directory of the Root. This escape only permits opening
    the parent directory itself, not ancestors of the parent or files contained
    within the parent.

    Root now correctly returns an error in this case.

    This is CVE-2025-22873 and Go issue https://go.dev/issue/73555.

    Thanks to Dan Sebastian Thrane of SDU eScience Center for reporting this
    issue.

This security fix only applies to Go 1.24.x releases. Go 1.23.x releases are
not affected by this.

go1.23.9 (released 2025-05-06) includes fixes to the runtime and the linker.
   2025-04-01 19:47:20 by Benny Siegert | Files touched by this commit (26)
Log message:
go119, go121: remove

go124 is the current version. go123 is still supported.

To build go124 from source, the chain is
go14 - go118 - go120 - go122 - go124

Thus, nothing needs go119 and go121.

agreed by maya@ on tech-pkg
   2025-04-01 19:44:25 by Benny Siegert | Files touched by this commit (5)
Log message:
Update go123 to 1.23.8 and go124 to 1.24.2

These minor releases include 1 security fix following the security policy:

-   net/http: request smuggling through invalid chunked data

    The net/http package accepted data in the chunked transfer encoding
    containing an invalid chunk-size line terminated by a bare LF.
    When used in conjunction with a server or proxy which incorrectly
    interprets a bare LF in a chunk extension as part of the extension,
    this could permit request smuggling.

    The net/http package now rejects chunk-size lines containing a bare LF.

    Thanks to Jeppe Bonde Weikop for reporting this issue.

    This is CVE-2025-22871 and Go issue https://go.dev/issue/71988.

View the release notes for more information.
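A framing check for the chunked-encoding defect described above, added as an example and not taken from the pkgsrc commit or the Go project: it walks a chunked body chunk by chunk and reports the first chunk-size line terminated by a bare LF instead of CRLF, which is the input the fixed net/http now rejects. FindBareLFChunkSizeLine and the sample body are this example's own constructions.

```go
package main

import (
	"bytes"
	"fmt"
	"strconv"
)

// FindBareLFChunkSizeLine scans a chunked transfer-encoded body and returns the
// 0-based ordinal of the first chunk-size line that ends in a bare LF rather
// than CRLF. It returns -1 when every chunk-size line is CRLF-terminated, and
// an error for bodies that are truncated or carry a non-hex chunk size.
func FindBareLFChunkSizeLine(body []byte) (int, error) {
	pos := 0
	for ordinal := 0; ; ordinal++ {
		nl := bytes.IndexByte(body[pos:], '\n')
		if nl < 0 {
			return -1, fmt.Errorf("chunk-size line %d: missing line terminator", ordinal)
		}
		line := body[pos : pos+nl]
		if len(line) == 0 || line[len(line)-1] != '\r' {
			return ordinal, nil // bare LF: the framing ambiguity behind the smuggling issue
		}
		line = line[:len(line)-1]
		pos += nl + 1
		// Chunk extensions follow ';' and do not affect the size.
		if semi := bytes.IndexByte(line, ';'); semi >= 0 {
			line = line[:semi]
		}
		size, err := strconv.ParseUint(string(bytes.TrimSpace(line)), 16, 32)
		if err != nil {
			return -1, fmt.Errorf("chunk-size line %d: bad size %q", ordinal, line)
		}
		if size == 0 {
			return -1, nil // last chunk; trailers are not chunk-size lines
		}
		// Skip the chunk data and require its trailing CRLF.
		end := pos + int(size)
		if end+2 > len(body) || !bytes.Equal(body[end:end+2], []byte("\r\n")) {
			return -1, fmt.Errorf("chunk %d: data not followed by CRLF", ordinal)
		}
		pos = end + 2
	}
}

func main() {
	// Constructed sample: the second chunk-size line ends in a bare LF.
	body := []byte("5\r\nhello\r\n3;ext=1\nabc\r\n0\r\n\r\n")
	fmt.Println(FindBareLFChunkSizeLine(body))
}
```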
   2025-03-30 16:56:44 by Taylor R Campbell | Files touched by this commit (1)
Log message:
lang/go: Set GOMAXPROCS according to MAKE_JOBS.

Even though we set MAKE_JOBS_SAFE=no in go-module.mk (not really sure
why, wish we had a comment giving a reason!), golang itself may run
multiple threads internally up to the number of CPUs it finds unless
we sternly instruct it not to abuse resources it wasn't offered by
setting GOMAXPROCS.
   2025-03-07 21:41:31 by Benny Siegert | Files touched by this commit (3) | Package updated
Log message:
go123: update to 1.23.7 (security)

go1.23.7 (released 2025-03-04) includes security fixes to the net/http
package, as well as bug fixes to cgo, the compiler, and the reflect,
runtime, and syscall packages. See the Go 1.23.7 milestone on our issue
tracker for details.
   2025-03-07 17:30:09 by Benny Siegert | Files touched by this commit (3) | Package updated
Log message:
go124: update to 1.24.1 (security)

go1.24.1 (released 2025-03-04) includes security fixes to the net/http
package, as well as bug fixes to cgo, the compiler, the go command, and
the reflect, runtime, and syscall packages. See the Go 1.24.1 milestone
on our issue tracker for details.
   2025-02-25 21:10:16 by Benny Siegert | Files touched by this commit (1) | Package updated
Log message:
go: flip the default version to 1.24.

In a bulk build (bulk-test-go) on NetBSD-current/amd64, I found zero
packages with breakage. That's a first in a Go compiler update!
   2025-02-25 21:09:17 by Benny Siegert | Files touched by this commit (1)
Log message:
go124: new package for 1.24.0, from wip.

The latest Go release, version 1.24, arrives six months after Go 1.23.
Most of its changes are in the implementation of the toolchain, runtime,
and libraries. As always, the release maintains the Go 1 promise of
compatibility. We expect almost all Go programs to continue to compile
and run as before.

Go 1.24 now fully supports generic type aliases: a type alias may be
parameterized like a defined type.

Go modules can now track executable dependencies using tool directives
in go.mod.

Several performance improvements to the runtime have decreased CPU
overheads by 2-3% on average across a suite of representative
benchmarks. Results may vary by application. These improvements include
a new builtin map implementation based on Swiss Tables, more efficient
memory allocation of small objects, and a new runtime-internal mutex
implementation.
   2025-02-07 11:17:49 by Benny Siegert | Files touched by this commit (4) | Package updated
Log message:
Update go122 to 1.22.12 and go123 to 1.23.6.

This is a security update but it only applies on the ppc64le platform.

These minor releases include 1 security fix following the security policy:

-   crypto/elliptic: timing sidechannel for P-256 on ppc64le

    Due to the usage of a variable time instruction in the assembly
    implementation of an internal function, a small number of bits of secret
    scalars are leaked on the ppc64le architecture. Due to the way this
    function is used, we do not believe this leakage is enough to allow
    recovery of the private key when P-256 is used in any well known
    protocols.

    This is CVE-2025-22866 and Go issue https://go.dev/issue/71383.
