<patchinfo incident="9">
  <!-- generated from request(s) 359003 -->
  <issue tracker="bnc" id="1229122">go1.23 release tracking</issue>
  <issue tracker="bnc" id="1236045">VUL-0: CVE-2024-45341: go1.22,go1.23: crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints</issue>
  <issue tracker="bnc" id="1236046">VUL-0: CVE-2024-45336: go1.22,go1.23: net/http: sensitive headers incorrectly sent after cross-domain redirect</issue>
  <issue tracker="cve" id="2024-45336"/>
  <issue tracker="cve" id="2024-45341"/>
  <packager>jfkw</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for go1.23</summary>
  <description>This update for go1.23 fixes the following issues:

- go1.23.5 (released 2025-01-16) includes security fixes to the
  crypto/x509 and net/http packages, as well as bug fixes to the
  compiler, the runtime, and the net package.
  Refs bsc#1229122 go1.23 release tracking
  CVE-2024-45341 CVE-2024-45336
  * go#71208 go#71156 bsc#1236045 security: fix CVE-2024-45341 crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints
  * go#71211 go#70530 bsc#1236046 security: fix CVE-2024-45336 net/http: sensitive headers incorrectly sent after cross-domain redirect
  * go#69988 runtime: severe performance drop for cgo calls in go1.22.5
  * go#70517 cmd/compile/internal/importer: flip enable alias to true
  * go#70789 os: io.Copy(net.Conn, os.Stdin) on MacOS terminate immediately without waiting for input
  * go#71104 crypto/tls: TestVerifyConnection/TLSv12 failures
  * go#71147 internal/trace: TestTraceCPUProfile/Stress failures

- Enable loongarch64 builds

- go1.23.4 (released 2024-12-03) includes fixes to the compiler,
  the runtime, the trace command, and the syscall package.
  Refs bsc#1229122 go1.23 release tracking
  * go#70644 crypto/rsa: new key generation prohibitively slow under race detector
  * go#70645 proposal: go/types: add Scope.Node convenience getter
  * go#70646 x/tools/gopls: unimported completion corrupts import decl (client=BBEdit)
  * go#70648 crypto/tls: TestHandshakeClientECDHEECDSAAESGCM/TLSv12 failures
  * go#70649 x/benchmarks/sweet/cmd/sweet: TestSweetEndToEnd failures
  * go#70650 crypto/tls: TestGetClientCertificate/TLSv13 failures
  * go#70651 x/tools/go/gcexportdata: simplify implementation assuming go &gt;= 1.21
  * go#70654 cmd/go: Incorrect output from go list
  * go#70655 x/build/cmd/relui: add workflows for some remaining manual recurring Go major release cycle tasks
  * go#70657 proposal: bufio: Scanner.IterText/Scanner.IterBytes
  * go#70658 x/net/http2: stuck extended CONNECT requests
  * go#70659 os: TestRootDirFS failures on linux-mips64 and linux-mips64le arch-mips
  * go#70660 crypto/ecdsa: TestRFC6979 failures on s390x
  * go#70664 x/mobile: target maccatalyst cannot find OpenGLES header
  * go#70665 x/tools/gopls: refactor.extract.variable fails at package level
  * go#70666 x/tools/gopls: panic in GetIfaceStubInfo
  * go#70667 proposal: crypto/x509: support extracting X25519 public keys from certificates
  * go#70668 proposal: x/mobile: better support for unrecovered panics
  * go#70669 cmd/go: local failure in TestScript/build_trimpath_cgo
  * go#70670 cmd/link: unused functions aren't getting deadcoded from the binary
  * go#70674 x/pkgsite: package removal request for https://pkg.go.dev/github.com/uisdevsquad/go-test/debugmate
  * go#70675 cmd/go/internal/lockedfile: mountrpc flake in TestTransform on plan9
  * go#70677 all: remote file server I/O flakiness with "Bad fid" errors on plan9
  * go#70678 internal/poll: deadlock on 'Intel(R) Xeon(R) Platinum' when an FD is closed
  * go#70679 mime/multipart: With go 1.23.3, mime/multipart does not link

- go1.23.3 (released 2024-11-06) includes fixes to the linker, the
  runtime, and the net/http, os, and syscall packages.
  Refs bsc#1229122 go1.23 release tracking
  * go#69258 runtime: corrupted GoroutineProfile stack traces
  * go#69259 runtime: multi-arch build via qemu fails to exec go binary
  * go#69640 os: os.checkPidfd() crashes with SIGSYS
  * go#69746 runtime: TestGdbAutotmpTypes failures
  * go#69848 cmd/compile: syscall.Syscall15: nosplit stack over 792 byte limit
  * go#69865 runtime: MutexProfile missing root frames in go1.23
  * go#69882 time,runtime: too many concurrent timer firings for short time.Ticker
  * go#69978 time,runtime: too many concurrent timer firings for short, fast-resetting time.Timer
  * go#69992 cmd/link: LC_UUID not generated by go linker, resulting in failure to access local network on macOS 15
  * go#70001 net/http/pprof: coroutines + pprof makes the program panic
  * go#70020 net/http: short writes with FileServer on macos

- go1.23.2 (released 2024-10-01) includes fixes to the compiler,
  cgo, the runtime, and the maps, os, os/exec, time, and unique
  packages.
  Refs bsc#1229122 go1.23 release tracking
  * go#69119 os: double close pidfd if caller uses pidfd updated by os.StartProcess
  * go#69156 maps: segmentation violation in maps.Clone
  * go#69219 cmd/cgo: alignment issue with int128 inside of a struct
  * go#69240 unique: fatal error: found pointer to free object
  * go#69333 runtime,time: timer.Stop returns false even when no value is read from the channel
  * go#69383 unique: large string still referenced, after interning only a small substring
  * go#69402 os/exec: resource leak on exec failure
  * go#69511 cmd/compile: mysterious crashes and non-determinism with range over func

</description>
  <package>go1.23</package>
  <seperate_build_arch/>
</patchinfo>