Subject: CVS commit: pkgsrc/lang
From: Benny Siegert
Date: 2025-05-08 20:55:53
Message id: 20250508185553.2F8AAFBE3@cvs.NetBSD.org

Log Message:
go: update go123 to 1.23.9 and go124 to 1.24.3.

The Go 1.24.3 minor release includes 1 security fix following the security
policy:

-   os: Root permits access to parent directory

    It was possible to improperly access the parent directory of an os.Root
    by opening a filename ending in "../". For example, \ 
Root.Open("../") would
    open the parent directory of the Root. This escape only permits opening
    the parent directory itself, not ancestors of the parent or files contained
    within the parent.

    Root now correctly returns an error in this case.

    This is CVE-2025-22873 and Go issue https://go.dev/issue/73555.

    Thanks to Dan Sebastian Thrane of SDU eScience Center for reporting this
    issue.

This security fix only applies to Go 1.24.x releases. Go 1.23.x releases are
not affected by this.

go1.23.9 (released 2025-05-06) includes fixes to the runtime and the linker.

Files:
RevisionActionfile
1.231modifypkgsrc/lang/go/version.mk
1.9modifypkgsrc/lang/go123/PLIST
1.11modifypkgsrc/lang/go123/distinfo
1.4modifypkgsrc/lang/go124/PLIST
1.4modifypkgsrc/lang/go124/distinfo