SUSE-SU-2025:03159-1

This update for go1.23-openssl fixes the following issues:

Update to version 1.23.12 cut from the go1.23-fips-release branch at the revision tagged go1.23.12-1-openssl-fips. ( jsc#SLE-18320)

• Rebase to 1.23.12
• Fix HKDF-Extract The latest OpenSSL in c9s/c10s requires nil salt to be passed as a hash length buffer of zeros.

Packaging improvements:

• Update gobootstrapversion to go1.21 from go1.20 to shorten the bootstrap chain. go1.21 can optionally be bootstrapped with gccgo and serve as the inital version of go1.x.
• Refs boo#1247816 bootstrap go1.21 with gccgo

go1.23.12 (released 2025-08-06) includes security fixes to the database/sql and os/exec packages, as well as bug fixes to the runtime.

CVE-2025-47906 CVE-2025-47907: * go#74803 go#74466 boo#1247719 security: fix CVE-2025-47906 os/exec: LookPath bug: incorrect expansion of '', '.' and '..' in some PATH configurations * go#74832 go#74831 boo#1247720 security: fix CVE-2025-47907 database/sql: incorrect results returned from Rows.Scan

• go#74415 runtime: use-after-free of allpSnapshot in findRunnable
• go#74693 runtime: segfaults in runtime.(*unwinder).next
• go#74721 cmd/go: TestScript/buildtrimpathcgo fails to decode dwarf on release-branch.go1.23
• go#74726 cmd/cgo/internal/testsanitizers: failures with signal: segmentation fault or exit status 66

go1.23.11 (released 2025-07-08) includes security fixes to the go command, as well as bug fixes to the compiler, the linker, and the runtime.

CVE-2025-4674: * go#74382 go#74380 boo#1246118 security: fix CVE-2025-4674 cmd/go: disable support for multiple vcs in one module

• go#73907 runtime: bad frame pointer during panic during duffcopy
• go#74289 runtime: heap mspan limit is set too late, causing data race between span allocation and conservative scanning
• go#74293 internal/trace: stress tests triggering suspected deadlock in tracer
• go#74362 runtime/pprof: crash 'cannot read stack of running goroutine' in goroutine profile
• go#74402 cmd/link: duplicated definition of symbol github.com/ebitengine/purego.syscall15XABI0 when running with ASAN

go1.23.10 (released 2025-06-05) includes security fixes to the net/http and os packages, as well as bug fixes to the linker. (boo#1229122 go1.23 release tracking)

CVE-2025-0913 CVE-2025-4673: * go#73719 go#73612 boo#1244157 security: fix CVE-2025-0913 os: inconsistent handling of OCREATE|OEXCL on Unix and Windows * go#73905 go#73816 boo#1244156 security: fix CVE-2025-4673 net/http: sensitive headers not cleared on cross-origin redirect

• go#73677 runtime/debug: BuildSetting does not document DefaultGODEBUG
• go#73831 cmd/link: Go 1.24.3 and 1.23.9 regression - duplicated definition of symbol dlopen

go1.23.9 (released 2025-05-06) includes fixes to the runtime and the linker. (boo#1229122 go1.23 release tracking)

• go#73091 cmd/link: linkname directive on userspace variable can override runtime variable
• go#73380 runtime, x/sys/unix: Connectx is broken on darwin/amd64

go1.23.8 (released 2025-04-01) includes security fixes to the net/http package, as well as bug fixes to the runtime and the go command.

CVE-2025-22871: * go#72010 go#71988 boo#1240550 security: fix CVE-2025-22871 net/http: reject bare LF in chunked encoding

• go#72114 runtime: process hangs for mips hardware
• go#72871 runtime: cgo callback on extra M treated as external code after nested cgo callback returns
• go#72937 internal/godebugs: winsymlink and winreadlinkvolume have incorrect defaults for Go 1.22

go1.23.7 (released 2025-03-04) includes security fixes to the net/http package, as well as bug fixes to cgo, the compiler, and the reflect, runtime, and syscall packages.

CVE-2025-22870: * go#71985 go#71984 boo#1238572 security: fix CVE-2025-22870 net/http, x/net/proxy, x/net/http/httpproxy: proxy bypass using IPv6 zone IDs

• go#71727 runtime: usleep computes wrong tv_nsec on s390x
• go#71839 runtime: recover added in range-over-func loop body doesn't stop panic propagation / segfaults printing error
• go#71848 os: spurious SIGCHILD on running child process
• go#71875 reflect: Value.Seq panicking on functional iterator methods
• go#71915 reflect: Value.Seq iteration value types not matching the type of given int types
• go#71962 runtime/cgo: does not build with -Wdeclaration-after-statement

go1.23.6 (released 2025-02-04) includes security fixes to the crypto/elliptic package, as well as bug fixes to the compiler and the go command.

CVE-2025-22866 * go#71423 go#71383 boo#1236801 security: fix CVE-2025-22866 crypto/internal/fips140/nistec: p256NegCond is variable time on ppc64le

• go#71263 cmd/go/internal/modfetch/codehost: test fails with git 2.47.1
• go#71230 cmd/compile: broken write barrier

go1.23.5 (released 2025-01-16) includes security fixes to the crypto/x509 and net/http packages, as well as bug fixes to the compiler, the runtime, and the net package.

CVE-2024-45341 CVE-2024-45336: * go#71208 go#71156 boo#1236045 security: fix CVE-2024-45341 crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints * go#71211 go#70530 boo#1236046 security: fix CVE-2024-45336 net/http: sensitive headers incorrectly sent after cross-domain redirect

• go#69988 runtime: severe performance drop for cgo calls in go1.22.5
• go#70517 cmd/compile/internal/importer: flip enable alias to true
• go#70789 os: io.Copy(net.Conn, os.Stdin) on MacOS terminate immediately without waiting for input
• go#71104 crypto/tls: TestVerifyConnection/TLSv12 failures
• go#71147 internal/trace: TestTraceCPUProfile/Stress failures

go1.23.4 (released 2024-12-03) includes fixes to the compiler, the runtime, the trace command, and the syscall package.

• go#70644 crypto/rsa: new key generation prohibitively slow under race detector
• go#70645 proposal: go/types: add Scope.Node convenience getter
• go#70646 x/tools/gopls: unimported completion corrupts import decl (client=BBEdit)
• go#70648 crypto/tls: TestHandshakeClientECDHEECDSAAESGCM/TLSv12 failures
• go#70649 x/benchmarks/sweet/cmd/sweet: TestSweetEndToEnd failures
• go#70650 crypto/tls: TestGetClientCertificate/TLSv13 failures
• go#70651 x/tools/go/gcexportdata: simplify implementation assuming go >= 1.21
• go#70654 cmd/go: Incorrect output from go list
• go#70655 x/build/cmd/relui: add workflows for some remaining manual recurring Go major release cycle tasks
• go#70657 proposal: bufio: Scanner.IterText/Scanner.IterBytes
• go#70658 x/net/http2: stuck extended CONNECT requests
• go#70659 os: TestRootDirFS failures on linux-mips64 and linux-mips64le arch-mips
• go#70660 crypto/ecdsa: TestRFC6979 failures on s390x
• go#70664 x/mobile: target maccatalyst cannot find OpenGLES header
• go#70665 x/tools/gopls: refactor.extract.variable fails at package level
• go#70666 x/tools/gopls: panic in GetIfaceStubInfo
• go#70667 proposal: crypto/x509: support extracting X25519 public keys from certificates
• go#70668 proposal: x/mobile: better support for unrecovered panics
• go#70669 cmd/go: local failure in TestScript/buildtrimpathcgo
• go#70670 cmd/link: unused functions aren't getting deadcoded from the binary
• go#70674 x/pkgsite: package removal request for https://pkg.go.dev/github.com/uisdevsquad/go-test/debugmate
• go#70675 cmd/go/internal/lockedfile: mountrpc flake in TestTransform on plan9
• go#70677 all: remote file server I/O flakiness with 'Bad fid' errors on plan9
• go#70678 internal/poll: deadlock on 'Intel(R) Xeon(R) Platinum' when an FD is closed
• go#70679 mime/multipart: With go 1.23.3, mime/multipart does not link

Update to version 1.23.2.3 cut from the go1.23-fips-release branch at the revision tagged go1.23.2-3-openssl-fips. ( jsc#SLE-18320)

• Add negative tests for openssl (#243)

go1.23.3 (released 2024-11-06) includes fixes to the linker, the runtime, and the net/http, os, and syscall packages.

• go#69258 runtime: corrupted GoroutineProfile stack traces
• go#69259 runtime: multi-arch build via qemu fails to exec go binary
• go#69640 os: os.checkPidfd() crashes with SIGSYS
• go#69746 runtime: TestGdbAutotmpTypes failures
• go#69848 cmd/compile: syscall.Syscall15: nosplit stack over 792 byte limit
• go#69865 runtime: MutexProfile missing root frames in go1.23
• go#69882 time,runtime: too many concurrent timer firings for short time.Ticker
• go#69978 time,runtime: too many concurrent timer firings for short, fast-resetting time.Timer
• go#69992 cmd/link: LC_UUID not generated by go linker, resulting in failure to access local network on macOS 15
• go#70001 net/http/pprof: coroutines + pprof makes the program panic
• go#70020 net/http: short writes with FileServer on macos