Comparing changes

base repository: golang/go
base: go1.22.10
head repository: golang/go
compare: go1.22.11
  • 5 commits
  • 11 files changed
  • 5 contributors

Commits on Jan 8, 2025

  1. [release-branch.go1.22] crypto/tls: fix Config.Time in tests using expired certificates
    
    Updates #71077
    Fixes #71103
    
    Change-Id: I6a6a465685f3bd50a5bb35a160f87b59b74fa6af
    Reviewed-on: https://go-review.googlesource.com/c/go/+/639655
    Auto-Submit: Ian Lance Taylor <iant@google.com>
    Reviewed-by: Damien Neil <dneil@google.com>
    LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
    Auto-Submit: Filippo Valsorda <filippo@golang.org>
    Auto-Submit: Damien Neil <dneil@google.com>
    Reviewed-by: Joel Sing <joel@sing.id.au>
    Reviewed-by: Ian Lance Taylor <iant@google.com>
    Reviewed-on: https://go-review.googlesource.com/c/go/+/640237
    FiloSottile authored and prattmic committed Jan 8, 2025
    Commit 223260b
  2. [release-branch.go1.22] runtime: hold traceAcquire across casgstatus in injectglist
    
    Currently injectglist emits all the trace events before actually calling
    casgstatus on each goroutine. This is a problem, since tracing can
    observe an inconsistent state (gstatus does not match tracer's 'emitted
    an event' state).
    
    This change fixes the problem by having injectglist do what every other
    scheduler function does, and that's wrap each call to casgstatus in
    traceAcquire/traceRelease.
    
    For #70883.
    Fixes #71146.
    
    Change-Id: I857e96cec01688013597e8efc0c4c3d0b72d3a70
    Reviewed-on: https://go-review.googlesource.com/c/go/+/638558
    Reviewed-by: Michael Pratt <mpratt@google.com>
    LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
    (cherry picked from commit f025d19)
    Reviewed-on: https://go-review.googlesource.com/c/go/+/641356
    Auto-Submit: Michael Pratt <mpratt@google.com>
    mknyszek authored and gopherbot committed Jan 8, 2025
    Commit ae9996f

Commits on Jan 16, 2025

  1. [release-branch.go1.22] crypto/x509: properly check for IPv6 hosts in URIs
    
    When checking URI constraints, use netip.ParseAddr, which understands
    zones, unlike net.ParseIP which chokes on them. This prevents zone IDs
    from mistakenly satisfying URI constraints.
    
    Thanks to Juho Forsén of Mattermost for reporting this issue.
    
    For #71156
    Fixes #71207
    Fixes CVE-2024-45341
    
    Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1700
    Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
    Reviewed-by: Damien Neil <dneil@google.com>
    Change-Id: I1d97723e0f29fcf1404fb868ba0495282da70f6e
    Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1780
    Reviewed-by: Roland Shoemaker <bracewell@google.com>
    Reviewed-on: https://go-review.googlesource.com/c/go/+/643105
    TryBot-Bypass: Michael Knyszek <mknyszek@google.com>
    Reviewed-by: Michael Pratt <mpratt@google.com>
    Auto-Submit: Michael Knyszek <mknyszek@google.com>
    rolandshoemaker authored and gopherbot committed Jan 16, 2025
    Commit 19d2103
  2. [release-branch.go1.22] net/http: persist header stripping across repeated redirects
    
    When an HTTP redirect changes the host of a request, we drop
    sensitive headers such as Authorization from the redirected request.
    Fix a bug where a chain of redirects could result in sensitive
    headers being sent to the wrong host:
    
      1. request to a.tld with Authorization header
      2. a.tld redirects to b.tld
      3. request to b.tld with no Authorization header
      4. b.tld redirects to b.tld
      5. request to b.tld with Authorization header restored
    
    Thanks to Kyle Seely for reporting this issue.
    
    Fixes #70530
    For #71210
    Fixes CVE-2024-45336
    
    Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1641
    Reviewed-by: Roland Shoemaker <bracewell@google.com>
    Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
    Commit-Queue: Roland Shoemaker <bracewell@google.com>
    Change-Id: Id7b1e3c90345566b8ee1a51f65dbb179da6eb427
    Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1765
    Reviewed-on: https://go-review.googlesource.com/c/go/+/643106
    Reviewed-by: Michael Pratt <mpratt@google.com>
    LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
    Auto-Submit: Michael Knyszek <mknyszek@google.com>
    neild authored and gopherbot committed Jan 16, 2025
    Commit b72d56f
  3. [release-branch.go1.22] go1.22.11

    Change-Id: I7ab7e0219977de1fc313a684c48b78fd0219de81
    Reviewed-on: https://go-review.googlesource.com/c/go/+/643156
    Reviewed-by: Michael Pratt <mpratt@google.com>
    Reviewed-by: Michael Knyszek <mknyszek@google.com>
    Auto-Submit: Gopher Robot <gobot@golang.org>
    LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
    gopherbot committed Jan 16, 2025
    Commit f072884
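
For the crypto/x509 commit above (CVE-2024-45341), an added example that is not code from the Go repository: it runs a few constructed URIs through a zone-blind host check built on net.ParseIP and a zone-aware one built on netip.ParseAddr, and lists the URIs on which the two disagree. The helper names (uriHost, bracketed, isIPZoneBlind, isIPZoneAware, Disagreements) and the sample URIs are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"net/url"
	"strings"
)

// uriHost returns the host after port splitting, which also drops the brackets of an IPv6 literal.
func uriHost(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	host := u.Host
	if strings.Contains(host, ":") && !strings.HasSuffix(host, "]") {
		host, _, err = net.SplitHostPort(host)
	}
	return host, err
}

func bracketed(h string) bool { return strings.HasPrefix(h, "[") && strings.HasSuffix(h, "]") }

// isIPZoneBlind relies on net.ParseIP, which returns nil for "addr%zone".
func isIPZoneBlind(h string) bool { return bracketed(h) || net.ParseIP(h) != nil }

// isIPZoneAware relies on netip.ParseAddr, which parses "addr%zone".
func isIPZoneAware(h string) bool {
	_, err := netip.ParseAddr(h)
	return bracketed(h) || err == nil
}

// Disagreements lists the URIs whose host only the zone-aware check calls an IP.
func Disagreements(uris []string) []string {
	var out []string
	for _, raw := range uris {
		if h, err := uriHost(raw); err == nil && isIPZoneAware(h) != isIPZoneBlind(h) {
			out = append(out, raw)
		}
	}
	return out
}

var sampleURIs = []string{ // constructed sample URIs
	"https://example.com/api", "https://[2001:db8::1]:8443/api",
	"https://[fe80::1%25eth0]/api", "https://[fe80::1%25eth0]:8443/api",
}

func main() { fmt.Println(Disagreements(sampleURIs)) }
```

Only the zoned literal with a port is reported: splitting off the port removes the brackets, so the bracket test no longer applies and the zone-blind check treats the remaining host as a name.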
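
For the net/http commit above (CVE-2024-45336), an added example that is not the standard library's fix: a hypothetical http.Client.CheckRedirect policy, StickyStrip, that keeps sensitive headers removed once any hop has left the original host, replayed over the a.tld / b.tld chain from the commit message. Exact-hostname comparison, the two-header set and the Replay helper are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/http"
)

// Assumed credential header set; the commit message names only Authorization.
var sensitive = []string{"Authorization", "Cookie"}

// StickyStrip is a hypothetical http.Client.CheckRedirect policy: once any
// hop has left the original host, sensitive headers stay removed on every
// later hop, including same-host redirects on the new host.
func StickyStrip(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 {
		return fmt.Errorf("stopped after %d redirects", len(via))
	}
	origin := via[0].URL.Hostname()
	left := req.URL.Hostname() != origin
	for _, prev := range via {
		left = left || prev.URL.Hostname() != origin
	}
	if left {
		for _, h := range sensitive {
			req.Header.Del(h)
		}
	}
	return nil
}

// Replay feeds a constructed URL chain through the policy, copying the original
// headers onto every hop (the worst case), and reports which hops keep Authorization.
func Replay(urls []string) []bool {
	first, _ := http.NewRequest("GET", urls[0], nil)
	first.Header.Set("Authorization", "Bearer constructed-token")
	via, carries := []*http.Request{first}, []bool{true}
	for _, u := range urls[1:] {
		req, _ := http.NewRequest("GET", u, nil)
		req.Header = first.Header.Clone()
		_ = StickyStrip(req, via) // constructed chains stay below the redirect limit
		carries = append(carries, req.Header.Get("Authorization") != "")
		via = append(via, req)
	}
	return carries
}

func main() {
	fmt.Println(Replay([]string{"https://a.tld/", "https://b.tld/", "https://b.tld/next"}))
}
```

Setting CheckRedirect replaces the client's default redirect limit, which is why the policy carries its own.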