Sync from SUSE:SLFO:1.1 go1.23 revision a11693b147a458766c8be1ecc94d5cfe

go1.23.changes

@@ -1,10 +1,82 @@
+-------------------------------------------------------------------
+Fri Aug  8 05:41:24 UTC 2025 - Jeff Kowalczyk <jkowalczyk@suse.com>
+
+- Packaging improvements:
+  * Update go_bootstrap_version to go1.21 from go1.20 to shorten
+    the bootstrap chain. go1.21 can optionally be bootstrapped with
+    gccgo and serve as the inital version of go1.x.
+  * Refs boo#1247816 bootstrap go1.21 with gccgo
+
+-------------------------------------------------------------------
+Wed Aug  6 18:08:58 UTC 2025 - Jeff Kowalczyk <jkowalczyk@suse.com>
+
+- go1.23.12 (released 2025-08-06) includes security fixes to the
+  database/sql and os/exec packages, as well as bug fixes to the
+  runtime.
+  Refs boo#1229122 go1.23 release tracking
+  CVE-2025-47906 CVE-2025-47907
+  * go#74803 go#74466 boo#1247719 security: fix CVE-2025-47906 os/exec: LookPath bug: incorrect expansion of "", "." and ".." in some PATH configurations
+  * go#74832 go#74831 boo#1247720 security: fix CVE-2025-47907 database/sql: incorrect results returned from Rows.Scan
+  * go#74415 runtime: use-after-free of allpSnapshot in findRunnable
+  * go#74693 runtime: segfaults in runtime.(*unwinder).next
+  * go#74721 cmd/go: TestScript/build_trimpath_cgo fails to decode dwarf on release-branch.go1.23
+  * go#74726 cmd/cgo/internal/testsanitizers: failures with signal: segmentation fault or exit status 66
+
+-------------------------------------------------------------------
+Tue Jul  8 17:00:23 UTC 2025 - Jeff Kowalczyk <jkowalczyk@suse.com>
+
+- go1.23.11 (released 2025-07-08) includes security fixes to the go
+  command, as well as bug fixes to the compiler, the linker, and
+  the runtime.
+  Refs boo#1229122 go1.23 release tracking
+  CVE-2025-4674
+  * go#74382 go#74380 boo#1246118 security: fix CVE-2025-4674 cmd/go: disable support for multiple vcs in one module
+  * go#73907 runtime: bad frame pointer during panic during duffcopy
+  * go#74289 runtime: heap mspan limit is set too late, causing data race between span allocation and conservative scanning
+  * go#74293 internal/trace: stress tests triggering suspected deadlock in tracer
+  * go#74362 runtime/pprof: crash "cannot read stack of running goroutine" in goroutine profile
+  * go#74402 cmd/link: duplicated definition of symbol github.com/ebitengine/purego.syscall15XABI0 when running with ASAN
+
+-------------------------------------------------------------------
+Thu Jun  5 18:34:47 UTC 2025 - Jeff Kowalczyk <jkowalczyk@suse.com>
+
+- go1.23.10 (released 2025-06-05) includes security fixes to the
+  net/http and os packages, as well as bug fixes to the linker.
+  Refs boo#1229122 go1.23 release tracking
+  CVE-2025-0913 CVE-2025-4673
+  * go#73719 go#73612 boo#1244157 security: fix CVE-2025-0913 os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows
+  * go#73905 go#73816 boo#1244156 security: fix CVE-2025-4673 net/http: sensitive headers not cleared on cross-origin redirect
+  * go#73677 runtime/debug: BuildSetting does not document DefaultGODEBUG
+  * go#73831 cmd/link: Go 1.24.3 and 1.23.9 regression - duplicated definition of symbol dlopen
+
+-------------------------------------------------------------------
+Tue May  6 18:34:22 UTC 2025 - Jeff Kowalczyk <jkowalczyk@suse.com>
+
+- go1.23.9 (released 2025-05-06) includes fixes to the runtime and
+  the linker.
+  Refs boo#1229122 go1.23 release tracking
+  * go#73091 cmd/link: linkname directive on userspace variable can override runtime variable
+  * go#73380 runtime, x/sys/unix: Connectx is broken on darwin/amd64
+
+-------------------------------------------------------------------
+Tue Apr  1 16:11:48 UTC 2025 - Jeff Kowalczyk <jkowalczyk@suse.com>
+
+- go1.23.8 (released 2025-04-01) includes security fixes to the
+  net/http package, as well as bug fixes to the runtime and the go
+  command.
+  Refs boo#1229122 go1.23 release tracking
+  CVE-2025-22871
+  * go#72010 go#71988 boo#1240550 security: fix CVE-2025-22871 net/http: reject bare LF in chunked encoding
+  * go#72114 runtime: process hangs for mips hardware
+  * go#72871 runtime: cgo callback on extra M treated as external code after nested cgo callback returns
+  * go#72937 internal/godebugs: winsymlink and winreadlinkvolume have incorrect defaults for Go 1.22
+
 -------------------------------------------------------------------
 Tue Mar  4 19:14:49 UTC 2025 - Jeff Kowalczyk <jkowalczyk@suse.com>
 
 - go1.23.7 (released 2025-03-04) includes security fixes to the
-  net/http, x/net/proxy, and x/net/http/httpproxy packages, as well
-  as bug fixes to the compiler, the runtime and the os and reflect
-  packages.
+  net/http package, as well as bug fixes to cgo, the compiler, and
+  the reflect, runtime, and syscall packages.
   Refs boo#1229122 go1.23 release tracking
   CVE-2025-22870
   * go#71985 go#71984 boo#1238572 security: fix CVE-2025-22870 net/http, x/net/proxy, x/net/http/httpproxy: proxy bypass using IPv6 zone IDs

go1.23.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package go1.23
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -24,11 +24,11 @@
 # Usually ahead of bootstrap version specified by upstream Go
 # Use Tumbleweed default gccgo and N-1 go1.x for testing
 %define gcc_go_version 13
-%define go_bootstrap_version go1.20
+%define go_bootstrap_version go1.21
 %else
 # Use gccgo and go1.x specified by upstream Go
 %define gcc_go_version 11
-%define go_bootstrap_version go1.20
+%define go_bootstrap_version go1.21
 %endif
 
 # Bootstrap go toolchain using existing go package go_bootstrap_version
@@ -122,7 +122,7 @@
 %endif
 
 Name:           go1.23
-Version:        1.23.7
+Version:        1.23.12
 Release:        0
 Summary:        A compiled, garbage-collected, concurrent programming language
 License:        BSD-3-Clause