2025-06-06 15:45:15 by Benny Siegert | Files touched by this commit (5)
Log message:
Update go123 to 1.23.10 and go124 to 1.24.4 (security)
These minor releases include 3 security fixes following the security policy:
- net/http: sensitive headers not cleared on cross-origin redirect
Proxy-Authorization and Proxy-Authenticate headers persisted on
cross-origin redirects potentially leaking sensitive information.
Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting
this issue.
This is CVE-2025-4673 and Go issue https://go.dev/issue/73816.
- os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows
os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and
Windows systems when the target path was a dangling symlink. On Unix
systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks.
On Windows, when the target path was a symlink to a nonexistent location,
OpenFile would create a file in that location.
OpenFile now always returns an error when the O_CREATE and O_EXCL flags
are both set and the target path is a symlink.
Thanks to Junyoung Park and Dong-uk Kim of KAIST Hacking Lab for
discovering this issue.
This is CVE-2025-0913 and Go issue https://go.dev/issue/73702.
- crypto/x509: usage of ExtKeyUsageAny disables policy validation
Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny
unintentionally disabled policy validation. This only affected certificate
chains which contain policy graphs, which are rather uncommon.
Thanks to Krzysztof Skrzętnicki (@Tener) of Teleport for reporting this
issue.
This is CVE-2025-22874 and Go issue https://go.dev/issue/73612.
View the release notes for more information:
https://go.dev/doc/devel/release#go1.24.4
2025-05-08 20:55:53 by Benny Siegert | Files touched by this commit (5)
Log message:
go: update go123 to 1.23.9 and go124 to 1.24.3.
The Go 1.24.3 minor release includes 1 security fix following the security
policy:
- os: Root permits access to parent directory
It was possible to improperly access the parent directory of an os.Root
by opening a filename ending in "../". For example, Root.Open("../") would
open the parent directory of the Root. This escape only permits opening
the parent directory itself, not ancestors of the parent or files contained
within the parent.
Root now correctly returns an error in this case.
This is CVE-2025-22873 and Go issue https://go.dev/issue/73555.
Thanks to Dan Sebastian Thrane of SDU eScience Center for reporting this
issue.
This security fix only applies to Go 1.24.x releases. Go 1.23.x releases are
not affected by this.
go1.23.9 (released 2025-05-06) includes fixes to the runtime and the linker.
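The two os fixes above (O_CREATE|O_EXCL through a dangling symlink in the 1.23.10/1.24.4 entry, and the trailing "../" escape from os.Root in this entry) both come down to the same defensive question: does a file operation stay where the caller intended? The following Go program is an added example, not code from Go or from pkgsrc. It reproduces the dangling-symlink scenario in a temporary directory and checks that exclusive creation is refused on Unix, and it adds a lexical containment check that rejects the "../" form. The helper names and the "victim.txt"/"link" file names are constructed for this example; the lexical check is not how os.Root is implemented and does not resolve symlinks, it only shows why a trailing "../" must clean to ".." and be refused.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// exclusiveCreate creates path only if nothing exists at that name.
// O_CREATE|O_EXCL never follows a symlink on Unix; the fix described in
// the commit message makes Windows refuse symlinked targets the same way.
func exclusiveCreate(path string) error {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		return err
	}
	return f.Close()
}

// danglingSymlinkIsRejected builds the scenario from the commit message:
// a symlink whose target does not exist. It reports whether exclusive
// creation through the link was refused with ErrExist and whether the
// target is still absent afterwards (the secure outcome is true, true).
// Directory and file names here are constructed for the example.
func danglingSymlinkIsRejected() (refused, targetStillAbsent bool, err error) {
	dir, err := os.MkdirTemp("", "excl-demo")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(dir)
	target := filepath.Join(dir, "victim.txt") // never created
	link := filepath.Join(dir, "link")
	if err := os.Symlink(target, link); err != nil {
		return false, false, err
	}
	createErr := exclusiveCreate(link)
	refused = errors.Is(createErr, fs.ErrExist)
	_, statErr := os.Lstat(target)
	targetStillAbsent = errors.Is(statErr, fs.ErrNotExist)
	return refused, targetStillAbsent, nil
}

// staysInsideRoot is a lexical containment check for a root-relative name
// (hypothetical helper, not part of os.Root). It rejects absolute paths and
// any path that, after cleaning, is ".." or starts with "../". A trailing
// "../" cleans to ".." and is therefore refused, which is the input os.Root
// mishandled before the fix. Symlinks are not resolved here; os.Root does that.
func staysInsideRoot(name string) bool {
	if filepath.IsAbs(name) {
		return false
	}
	clean := filepath.Clean(name)
	return clean != ".." && !strings.HasPrefix(clean, ".."+string(filepath.Separator))
}

func main() {
	refused, absent, err := danglingSymlinkIsRejected()
	fmt.Printf("dangling symlink: refused=%v targetStillAbsent=%v err=%v\n", refused, absent, err)
	for _, name := range []string{"../", "a/../..", "a/b", "a/../b", "..a", "/etc/passwd"} {
		fmt.Printf("%-14q inside root: %v\n", name, staysInsideRoot(name))
	}
}
```

Run it on a Unix host: the symlink case should report refused=true and targetStillAbsent=true, and of the sample names only "a/b", "a/../b" and "..a" are accepted. On a Windows toolchain older than the fixed releases the first check is where the difference described in the commit message would show up.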
2025-04-01 19:44:25 by Benny Siegert | Files touched by this commit (5)
Log message:
Update go123 to 1.23.8 and go124 to 1.24.2
These minor releases include 1 security fix following the security policy:
- net/http: request smuggling through invalid chunked data
The net/http package accepted data in the chunked transfer encoding
containing an invalid chunk-size line terminated by a bare LF.
When used in conjunction with a server or proxy which incorrectly
interprets a bare LF in a chunk extension as part of the extension,
this could permit request smuggling.
The net/http package now rejects chunk-size lines containing a bare LF.
Thanks to Jeppe Bonde Weikop for reporting this issue.
This is CVE-2025-22871 and Go issue https://go.dev/issue/71988.
View the release notes for more information.
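The fix in this entry is a framing rule: a chunk-size line is only valid when it ends in CRLF, and an LF that appears before that CRLF (for example inside a chunk extension) must be treated as an error rather than as either a line end or extension data. The following Go program is an added example, not Go's net/http implementation, showing a strict chunked decoder that applies that rule and aborts on a bare LF. The helper names and the two sample bodies are constructed for this example; trailers are not handled.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"strconv"
)

// errBareLF is returned when a chunk-size line is terminated by LF without CR,
// or when a CR or LF appears inside the line before its CRLF terminator.
var errBareLF = errors.New("chunk-size line contains a bare LF")

// parseChunkSizeLine parses one chunk-size line such as "1a;ext=val\r\n".
// It accepts only a CRLF terminator and refuses CR or LF anywhere before it,
// so two parsers cannot disagree about where the line ends.
func parseChunkSizeLine(line []byte) (size int64, ext string, err error) {
	if !bytes.HasSuffix(line, []byte("\r\n")) {
		if bytes.HasSuffix(line, []byte("\n")) {
			return 0, "", errBareLF
		}
		return 0, "", errors.New("chunk-size line not CRLF-terminated")
	}
	body := line[:len(line)-2]
	if bytes.ContainsAny(body, "\r\n") {
		return 0, "", errBareLF
	}
	hexPart := body
	if i := bytes.IndexByte(body, ';'); i >= 0 {
		hexPart, ext = body[:i], string(body[i+1:])
	}
	size, err = strconv.ParseInt(string(hexPart), 16, 64)
	if err != nil || size < 0 {
		return 0, "", fmt.Errorf("bad chunk size %q", hexPart)
	}
	return size, ext, nil
}

// decodeChunked decodes a complete chunked body and returns the payload.
// Any framing error aborts decoding instead of guessing where a chunk ends.
func decodeChunked(body []byte) ([]byte, error) {
	var out []byte
	rest := body
	for {
		nl := bytes.IndexByte(rest, '\n')
		if nl < 0 {
			return nil, errors.New("truncated chunk-size line")
		}
		size, _, err := parseChunkSizeLine(rest[:nl+1])
		if err != nil {
			return nil, err
		}
		rest = rest[nl+1:]
		if size == 0 {
			// last-chunk; trailer fields are not handled in this example
			return out, nil
		}
		if int64(len(rest)) < size+2 {
			return nil, errors.New("truncated chunk data")
		}
		if !bytes.Equal(rest[size:size+2], []byte("\r\n")) {
			return nil, errors.New("chunk data not CRLF-terminated")
		}
		out = append(out, rest[:size]...)
		rest = rest[size+2:]
	}
}

func main() {
	// Constructed sample bodies: the second ends the chunk-size line with a bare LF.
	good := []byte("5;name=x\r\nhello\r\n0\r\n\r\n")
	bad := []byte("5;name=x\nhello\r\n0\r\n\r\n")
	for _, b := range [][]byte{good, bad} {
		payload, err := decodeChunked(b)
		fmt.Printf("%q -> payload=%q err=%v\n", b, payload, err)
	}
}
```

The point of rejecting rather than normalising is that a lenient decoder and a strict one in the same request path would disagree about the body boundary; failing closed keeps both sides of a proxy chain reading the same framing.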
2025-03-07 21:41:31 by Benny Siegert | Files touched by this commit (3)
Log message:
go123: update to 1.23.7 (security)
go1.23.7 (released 2025-03-04) includes security fixes to the net/http
package, as well as bug fixes to cgo, the compiler, and the reflect,
runtime, and syscall packages. See the Go 1.23.7 milestone on our issue
tracker for details.
2025-02-07 11:17:49 by Benny Siegert | Files touched by this commit (4)
Log message:
Update go122 to 1.22.12 and go123 to 1.23.6.
This is a security update but it only applies on the ppc64le platform.
These minor releases include 1 security fix following the security policy:
- crypto/elliptic: timing sidechannel for P-256 on ppc64le
Due to the usage of a variable time instruction in the assembly
implementation of an internal function, a small number of bits of secret
scalars are leaked on the ppc64le architecture. Due to the way this
function is used, we do not believe this leakage is enough to allow
recovery of the private key when P-256 is used in any well known
protocols.
This is CVE-2025-22866 and Go issue https://go.dev/issue/71383.
2025-02-06 01:24:37 by Taylor R Campbell | Files touched by this commit (5)
Log message:
lang/go: Add cross-build support.
This adds cross-build support for lang/go123 and for the Go-related
infrastructure in pkgsrc. (We could do older versions of Go too with
a little more work.)
Noteworthy changes that are not conditional on USE_CROSS_COMPILE:
1. lang/go/version.mk is rearranged to be more data-driven than
conditional-driven. Making it data-driven makes it easier to
define both GOARCH and GOHOSTARCH from the same tables when
MACHINE_ARCH and NATIVE_MACHINE_ARCH are not the same.
This is a likely source of broken edge cases. I went through the
old conditional logic and hand-checked all the conditions but I
could have made a mistake.
2. go-module.mk and go-package.mk define GOPATH_BIN to be `bin' for
native builds, and `bin/${GO_PLATFORM}' for cross builds -- this
is the subdirectory of GOPATH where the Go toolchain puts binaries
so that packages with custom do-install targets can avoid any need
for USE_CROSS_COMPILE conditionals.
The default do-install targets use pax slightly differently now to
avoid the need for USE_CROSS_COMPILE conditionals. I think the
logic is equivalent for native builds but this is worth reviewing.
3. lang/go123 no longer depends on bash and Perl at runtime. As far
as I can tell, this was just a kludge to pacify check-interpreter
complaints in the copy of the source code that Go ships under
${PREFIX}/go123/src. We don't need to replace the interpreter at
build-time -- most of these scripts are not run at all during the
build, and the handful that remain (make.bash, run.bash) are run
with ${BASH}. Instead, we CHECK_INTERPRETER_SKIP them in the
installed copy of the source code.
Proposed on tech-pkg:
https://mail-index.netbsd.org/tech-pkg/2025/01/19/msg030395.html
2025-01-17 11:33:09 by Benny Siegert | Files touched by this commit (4)
Log message:
Update go122 to 1.22.11 and go123 to 1.23.5.
These minor releases include 2 security fixes following the security policy:
- crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints
A certificate with a URI which has a IPv6 address with a zone ID may
incorrectly satisfy a URI name constraint that applies to the certificate
chain.
Certificates containing URIs are not permitted in the web PKI, so this
only affects users of private PKIs which make use of URIs.
Thanks to Juho Forsén of Mattermost for reporting this issue.
This is CVE-2024-45341 and Go issue https://go.dev/issue/71156.
- net/http: sensitive headers incorrectly sent after cross-domain redirect
The HTTP client drops sensitive headers after following a cross-domain
redirect. For example, a request to a.com/ containing an
Authorization header which is redirected to b.com/ will not send that
header to b.com.
In the event that the client received a subsequent same-domain
redirect, however, the sensitive headers would be restored. For
example, a chain of redirects from a.com/, to b.com/1, and finally to
b.com/2 would incorrectly send the Authorization header to b.com/2.
Thanks to Kyle Seely for reporting this issue.
This is CVE-2024-45336 and Go issue https://go.dev/issue/70530.
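Both net/http redirect fixes on this page (Authorization restored after a cross-domain then same-domain redirect in this entry, and Proxy-Authorization persisting across cross-origin redirects in the 1.23.10/1.24.4 entry) can be checked against the toolchain you actually build with, without touching the network. The following Go program is an added example, not code from Go or pkgsrc: it plugs a fake RoundTripper into http.Client so that the constructed hosts a.example and b.example are answered in-process, sends one request carrying both headers through the exact chain the commit message describes (a.example/ to b.example/1 to b.example/2), and records what each hop received. The type and function names are constructed for the example.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"strings"
)

// hop records what a simulated origin saw for one request in the chain.
type hop struct {
	URL           string
	Authorization string
	ProxyAuth     string
}

// fakeTransport stands in for the network: a.example and b.example are
// constructed hosts answered in-process, so the only thing exercised is
// the redirect logic of http.Client itself.
type fakeTransport struct {
	hops []hop
}

func (t *fakeTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	t.hops = append(t.hops, hop{
		URL:           req.URL.String(),
		Authorization: req.Header.Get("Authorization"),
		ProxyAuth:     req.Header.Get("Proxy-Authorization"),
	})
	resp := &http.Response{
		StatusCode: http.StatusOK,
		Header:     make(http.Header),
		Body:       io.NopCloser(strings.NewReader("")),
		Request:    req,
	}
	switch req.URL.Host + req.URL.Path {
	case "a.example/":
		resp.StatusCode = http.StatusFound
		resp.Header.Set("Location", "http://b.example/1") // cross-domain hop
	case "b.example/1":
		resp.StatusCode = http.StatusFound
		resp.Header.Set("Location", "http://b.example/2") // same-domain hop
	}
	return resp, nil
}

// followRedirectChain sends one request with both sensitive headers set
// (constructed placeholder values) and returns what every hop received.
func followRedirectChain() ([]hop, error) {
	t := &fakeTransport{}
	client := &http.Client{Transport: t}
	req, err := http.NewRequest(http.MethodGet, "http://a.example/", nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer constructed-token")
	req.Header.Set("Proxy-Authorization", "Basic constructed-credentials")
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	resp.Body.Close()
	return t.hops, nil
}

// leakedToOtherDomain reports whether either header reached b.example on any hop.
func leakedToOtherDomain(hops []hop) bool {
	for _, h := range hops {
		if strings.HasPrefix(h.URL, "http://b.example/") && (h.Authorization != "" || h.ProxyAuth != "") {
			return true
		}
	}
	return false
}

func main() {
	hops, err := followRedirectChain()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, h := range hops {
		fmt.Printf("%-22s Authorization=%q Proxy-Authorization=%q\n", h.URL, h.Authorization, h.ProxyAuth)
	}
	// A toolchain with both fixes (1.22.11/1.23.5 for Authorization,
	// 1.23.10/1.24.4 for Proxy-Authorization) reports false here.
	fmt.Println("sensitive headers reached b.example:", leakedToOtherDomain(hops))
}
```

The first cross-domain hop has dropped Authorization on every Go release for years; the interesting lines are b.example/2, where an unpatched client restores it, and the Proxy-Authorization column, which only the later fix clears.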
2025-01-02 20:53:12 by Benny Siegert | Files touched by this commit (3)
Log message:
go123: stop requiring /proc on NetBSD
This adds a patch (taken from Go 1.24 development) to use a sysctl
instead of /proc to find the path of the executable, and thus the
files for the standard library.
Earlier versions of Go (including 1.22) had the directory where the
standard library is installed baked in to the binaries as
GOROOT_FINAL. In the interest of portability, this is now determined
at runtime. In NetBSD, this used to use /proc/self/exe, however many
build sandboxes do not have /proc mounted.
With this change, /proc is no longer required for building Go code.
2024-12-04 19:51:39 by Benny Siegert | Files touched by this commit (4)
Log message:
Update Go to 1.22.10, 1.23.4
go1.23.4 (released 2024-12-03) includes fixes to the compiler, the runtime, the
trace command, and the syscall package. See the Go 1.23.4 milestone on our
issue tracker for details.
go1.22.10 (released 2024-12-03) includes fixes to the runtime and the syscall
package. See the Go 1.22.10 milestone on our issue tracker for details.
2024-11-22 11:50:38 by Thomas Klausner | Files touched by this commit (1)
Log message:
go123: remove traces of GOROOT_FINAL
(didn't help after all, removed in 1.23)