go, branch go1.21.9

[release-branch.go1.21] go1.21.9

2024-04-03T15:35:16Z

Change-Id: I6c69376d434dcf310336a0344051037bf58a4cf7 Reviewed-on: https://go-review.googlesource.com/c/go/+/576117 Commit-Queue: Gopher Robot Reviewed-by: Than McIntosh TryBot-Bypass: Dmitri Shuralyov Reviewed-by: Dmitri Shuralyov Auto-Submit: Gopher Robot

[release-branch.go1.21] net/http: update bundled golang.org/x/net/http2

2024-04-03T15:10:22Z

Disable cmd/internal/moddeps test, since this update includes PRIVATE track fixes. Fixes CVE-2023-45288 For #65051 Fixes #65387 Change-Id: I17da6da2fe0dd70062b49f94377875acb34829a1 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2197267 Reviewed-by: Dmitri Shuralyov Run-TryBot: Damien Neil Reviewed-by: Tatiana Bradley Reviewed-on: https://go-review.googlesource.com/c/go/+/576075 TryBot-Bypass: Dmitri Shuralyov Commit-Queue: Dmitri Shuralyov Auto-Submit: Dmitri Shuralyov Reviewed-by: Than McIntosh

[release-branch.go1.21] all: update golang.org/x/net

2024-03-28T19:12:36Z

Pulls in one HTTP/2 fix: 0b0455d2c9 http2: reject DATA frames after 1xx and before final headers For golang/go#65927 Fixes golang/go#66254 Change-Id: I257b2634f63e8c6039c44dea24c345043c23c8d2 Reviewed-on: https://go-review.googlesource.com/c/go/+/574916 Reviewed-by: Than McIntosh Reviewed-by: Dmitri Shuralyov LUCI-TryBot-Result: Go LUCI

[release-branch.go1.21] go/types, types2: don't do version checks for embedded types of imported interfaces

2024-03-27T19:24:11Z

[This is a re-apply of CL 571075] Imported interfaces don't have position information for embedded types. When computing the type set of such interfaces, doing a version check may fail because it will rely on the Go version of the current package. We must not do a version check for features of types from imported packages - those types have already been typechecked and are "correct". The version check code does look at packages to avoid such incorrect version checks, but we don't have the package information available in an interface type (divorced from its object). Instead, for now rely on the fact that imported interfaces don't have position information for embedded types: if the position is unknown, don't do a version check. We may want to assert that positions are known in all other cases, but since this is an older release, don't add such additional changes to avoid introducing other bugs. Fixes #66326. Updates #66064. Change-Id: I158cf51aa382f85d612ab958ba4b591de1c5fdb2 Reviewed-on: https://go-review.googlesource.com/c/go/+/574736 Reviewed-by: Cherry Mui LUCI-TryBot-Result: Go LUCI

[release-branch.go1.21] cmd/internal/obj/ppc64: don't modify runtime.elf_* symbols

2024-03-26T19:16:20Z

The runtime.elf_* symbols are assembly functions which are used to support the gcc/llvm -Os option when used with cgo. When compiling Go for shared code, we attempt to strip out the TOC regenation code added by the go assembler for these symbols. This causes the symbol to no longer appear as an assembly function which causes problems later on when handling other implicit symbols. Avoid adding a TOC regeneration prologue to these functions to avoid this issue. Fixes #66411 Change-Id: Icbf8e4438d177082a57bb228e39b232e7a0d7ada Reviewed-on: https://go-review.googlesource.com/c/go/+/571835 Reviewed-by: Than McIntosh Run-TryBot: Paul Murphy Reviewed-by: Cherry Mui LUCI-TryBot-Result: Go LUCI Reviewed-by: Lynn Boger TryBot-Result: Gopher Robot Reviewed-on: https://go-review.googlesource.com/c/go/+/572876

[release-branch.go1.21] Revert "go/types, types2: don't do version checks for embedded types of imported interfaces"

2024-03-13T19:10:25Z

This reverts CL 571075. Reason for revert: We might want to do a security-only minor release. Back off the release branch to a clean state from the previous minor release. Sorry for the inconvenience. Change-Id: Ifc8c7e00e6faea3aa547b883eed44180ddb447de Reviewed-on: https://go-review.googlesource.com/c/go/+/571355 LUCI-TryBot-Result: Go LUCI Reviewed-by: Robert Findley

[release-branch.go1.21] go/types, types2: don't do version checks for embedded types of imported interfaces

2024-03-12T20:30:58Z

Imported interfaces don't have position information for embedded types. When computing the type set of such interfaces, doing a version check may fail because it will rely on the Go version of the current package. We must not do a version check for features of types from imported packages - those types have already been typechecked and are "correct". The version check code does look at packages to avoid such incorrect version checks, but we don't have the package information available in an interface type (divorced from its object). Instead, for now rely on the fact that imported interfaces don't have position information for embedded types: if the position is unknown, don't do a version check. We may want to assert that positions are known in all other cases, but since this is an older release, don't add such additional changes to avoid introducing other bugs. Fixes #66064. Change-Id: I773d57e5410c3d4a911ab3e018b3233c2972b3c9 Reviewed-on: https://go-review.googlesource.com/c/go/+/571075 Reviewed-by: Robert Findley Auto-Submit: Robert Griesemer LUCI-TryBot-Result: Go LUCI Reviewed-by: Robert Griesemer

[release-branch.go1.21] go1.21.8

2024-03-05T17:38:51Z

Change-Id: I44203158172ca3e66f8ce4ab84f54c9247dacb28 Reviewed-on: https://go-review.googlesource.com/c/go/+/569256 Reviewed-by: Carlos Amedee Reviewed-by: Michael Knyszek Auto-Submit: Gopher Robot LUCI-TryBot-Result: Go LUCI

[release-branch.go1.21] net/textproto, mime/multipart: avoid unbounded read in MIME header

2024-03-05T16:51:36Z

mime/multipart.Reader.ReadForm allows specifying the maximum amount of memory that will be consumed by the form. While this limit is correctly applied to the parsed form data structure, it was not being applied to individual header lines in a form. For example, when presented with a form containing a header line that never ends, ReadForm will continue to read the line until it runs out of memory. Limit the amount of data consumed when reading a header. Fixes CVE-2023-45290 Fixes #65389 For #65383 Change-Id: I7f9264d25752009e95f6b2c80e3d76aaf321d658 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2134435 Reviewed-by: Roland Shoemaker Reviewed-by: Tatiana Bradley Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2173776 Reviewed-by: Carlos Amedee Reviewed-on: https://go-review.googlesource.com/c/go/+/569240 Auto-Submit: Michael Knyszek LUCI-TryBot-Result: Go LUCI Reviewed-by: Carlos Amedee

[release-branch.go1.21] net/http, net/http/cookiejar: avoid subdomain matches on IPv6 zones

2024-03-05T16:51:34Z

When deciding whether to forward cookies or sensitive headers across a redirect, do not attempt to interpret an IPv6 address as a domain name. Avoids a case where a maliciously-crafted redirect to an IPv6 address with a scoped addressing zone could be misinterpreted as a within-domain redirect. For example, we could interpret "::1%.www.example.com" as a subdomain of "www.example.com". Thanks to Juho Nurminen of Mattermost for reporting this issue. Fixes CVE-2023-45289 Fixes #65385 For #65065 Change-Id: I8f463f59f0e700c8a18733d2b264a8bcb3a19599 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2131938 Reviewed-by: Tatiana Bradley Reviewed-by: Roland Shoemaker Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2173775 Reviewed-by: Carlos Amedee Reviewed-on: https://go-review.googlesource.com/c/go/+/569239 Reviewed-by: Carlos Amedee Auto-Submit: Michael Knyszek TryBot-Bypass: Michael Knyszek