Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: golang/go
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: go1.24.3
Choose a base ref
...
head repository: golang/go
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: go1.24.4
Choose a head ref
  • 9 commits
  • 18 files changed
  • 9 contributors

Commits on May 12, 2025

  1. [release-branch.go1.24] os: fix Root.Mkdir permission bits on OpenBSD 

    Pass missing mode bits in the mkdirat() syscall wrapper.

For #73559
Fixes #73570

Change-Id: I54b1985bd77b1fe5d1a48acab9f2597f8c931854
GitHub-Last-Rev: 669c173
GitHub-Pull-Request: #73565
Reviewed-on: https://go-review.googlesource.com/c/go/+/669375
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Damien Neil <dneil@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
(cherry picked from commit f0a9ed7dd89f35c187830742402cfebba9d6d33a)
Reviewed-on: https://go-review.googlesource.com/c/go/+/669397
Reviewed-by: Joel Sing <joel@sing.id.au>
    @jrick @mknyszek
    jrick authored and mknyszek committed May 12, 2025
    Configuration menu
    Copy the full SHA
    431f75a View commit details
    Browse the repository at this point in the history

Commits on May 28, 2025

  1. [release-branch.go1.24] runtime/debug: document DefaultGODEBUG as a B… 

    …uildSetting

For #66465
Fixes #73678

Change-Id: I60c017ddba29fa5b452b665d8521cd6c8e20438c
Reviewed-on: https://go-review.googlesource.com/c/go/+/597979
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Jorropo <jorropo.pgm@gmail.com>
Auto-Submit: Ian Lance Taylor <iant@google.com>
Reviewed-by: qiu laidongfeng2 <2645477756@qq.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
(cherry picked from commit c4136a4)
Reviewed-on: https://go-review.googlesource.com/c/go/+/671995
Reviewed-by: Sean Liao <sean@liao.dev>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
    @seankhliao @mknyszek
    seankhliao authored and mknyszek committed May 28, 2025
    Configuration menu
    Copy the full SHA
    664cf83 View commit details
    Browse the repository at this point in the history

  2. [release-branch.go1.24] hash/maphash: hash channels in purego version… 

    … of maphash.Comparable

This change makes purego implementation of maphash.Comparable consistent
with the one in runtime and fixes hashing of channels.

For #73657
Fixes #73669

Change-Id: If78a21d996f0c20c0224d4014e4a4177b09c3aa3
GitHub-Last-Rev: 2537216
GitHub-Pull-Request: #73660
Reviewed-on: https://go-review.googlesource.com/c/go/+/671655
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-by: qiu laidongfeng2 <2645477756@qq.com>
(cherry picked from commit 1635aed)
Reviewed-on: https://go-review.googlesource.com/c/go/+/676817
Auto-Submit: Michael Knyszek <mknyszek@google.com>
    @Snawoot @gopherbot
    Snawoot authored and gopherbot committed May 28, 2025
    Configuration menu
    Copy the full SHA
    db8f1dc View commit details
    Browse the repository at this point in the history

  3. [release-branch.go1.24] lib/fips140: set inprocess.txt to v1.0.0 

    Updates #70200
Fixes #73809

Change-Id: I6a6a46567ce0834fb4b7f28bf06646326f8e5105
Reviewed-on: https://go-review.googlesource.com/c/go/+/674935
Reviewed-by: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
    @FiloSottile @mknyszek
    FiloSottile authored and mknyszek committed May 28, 2025
    Configuration menu
    Copy the full SHA
    04a9473 View commit details
    Browse the repository at this point in the history

  4. [release-branch.go1.24] crypto/x509: decouple key usage and policy va… 

    …lidation

Disabling key usage validation (by passing ExtKeyUsageAny)
unintentionally disabled policy validation. This change decouples these
two checks, preventing the user from unintentionally disabling policy
validation.

Thanks to Krzysztof Skrzętnicki (@Tener) of Teleport for reporting this
issue.

Updates #73612
Fixes #73700
Fixes CVE-2025-22874

Change-Id: Iec8f080a8879a3dd44cb3da30352fa3e7f539d40
Reviewed-on: https://go-review.googlesource.com/c/go/+/670375
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-by: Ian Stapleton Cordasco <graffatcolmingov@gmail.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
(cherry picked from commit 9bba799)
Reviewed-on: https://go-review.googlesource.com/c/go/+/672316
Reviewed-by: Michael Knyszek <mknyszek@google.com>
    @rolandshoemaker @mknyszek
    rolandshoemaker authored and mknyszek committed May 28, 2025
    Configuration menu
    Copy the full SHA
    03811ab View commit details
    Browse the repository at this point in the history

Commits on May 29, 2025

  1. [release-branch.go1.24] cmd/link: allow linkname reference to a TEXT … 

    …symbol regardless of size

In CL 660696, we made the linker to choose the symbol of the
larger size in case there are multiple contentless declarations of
the same symbol. We also made it emit an error in the case that
there are a contentless declaration of a larger size and a
definition with content of a smaller size. In this case, we should
choose the definition with content, but the code accesses it
through the declaration of the larger size could fall into the
next symbol, potentially causing data corruption. So we disallowed
it.

There is one spcial case, though, that some code uses a linknamed
variable declaration to reference a function in assembly, in order
to take its address. The variable is often declared as uintptr.
The function symbol is the definition, which could sometimes be
shorter. This would trigger the error case above, causing existing
code failing to build.

This CL allows it as a special case. It is still not safe to
access the variable's content. But it is actually okay to just
take its address, which the existing code often do.

Updates #73617.
Fixes #73832.

Change-Id: I467381bc5f6baa16caee6752a0a824c7185422f6
Reviewed-on: https://go-review.googlesource.com/c/go/+/676636
Reviewed-by: David Chase <drchase@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
(cherry picked from commit 70109eb)
Reviewed-on: https://go-review.googlesource.com/c/go/+/676957
    @cherrymui @mknyszek
    cherrymui authored and mknyszek committed May 29, 2025
    Configuration menu
    Copy the full SHA
    a31c931 View commit details
    Browse the repository at this point in the history

  2. [release-branch.go1.24] os: don't follow symlinks on Windows when O_C… 

    …REATE|O_EXCL

(This cherry-pick includes both CL 672396 and CL 676655.)

Match standard Unix behavior: Symlinks are not followed when
O_CREATE|O_EXCL is passed to open.

Thanks to Junyoung Park and Dong-uk Kim of KAIST Hacking Lab
for discovering this issue.

For #73702
Fixed #73720
Fixes CVE-2025-0913

Change-Id: Ieb46a6780c5e9a6090b09cd34290f04a8e3b0ca5
Reviewed-on: https://go-review.googlesource.com/c/go/+/672396
Auto-Submit: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Alan Donovan <adonovan@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/677215
Reviewed-by: Michael Knyszek <mknyszek@google.com>
TryBot-Bypass: Michael Knyszek <mknyszek@google.com>
    @neild @mknyszek
    neild authored and mknyszek committed May 29, 2025
    Configuration menu
    Copy the full SHA
    9f9cf28 View commit details
    Browse the repository at this point in the history

Commits on Jun 5, 2025

  1. [release-branch.go1.24] net/http: strip sensitive proxy headers from … 

    …redirect requests

Similarly to Authentication entries, Proxy-Authentication entries should be stripped to ensure sensitive information is not leaked on redirects outside of the original domain.

https://fetch.spec.whatwg.org/#authentication-entries

Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue.

Updates #73816
Fixes #73906
Fixes CVE-2025-4673

Change-Id: I8a0f30d5d6bff6c71689bba6efa0b747947e7eb0
Reviewed-on: https://go-review.googlesource.com/c/go/+/679256
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
    @thatnealpatel @cagedmantis
    thatnealpatel authored and cagedmantis committed Jun 5, 2025
    Configuration menu
    Copy the full SHA
    85897ca View commit details
    Browse the repository at this point in the history

  2. [release-branch.go1.24] go1.24.4 

    Change-Id: Iec14150cd12e445c3bd927c26f2a54387ba18577
Reviewed-on: https://go-review.googlesource.com/c/go/+/679218
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
TryBot-Bypass: Carlos Amedee <carlos@golang.org>
    @gopherbot @cagedmantis
    gopherbot authored and cagedmantis committed Jun 5, 2025
    Configuration menu
    Copy the full SHA
    6796ebb View commit details
    Browse the repository at this point in the history
Loading