go, branch go1.24.13

[release-branch.go1.24] go1.24.13

2026-02-04T15:46:48Z

Change-Id: I7747d3feed88695eeebbefcbcefc28f9a730d7db Reviewed-on: https://go-review.googlesource.com/c/go/+/741961 Reviewed-by: Michael Pratt Reviewed-by: Dmitri Shuralyov Auto-Submit: Gopher Robot TryBot-Bypass: Gopher Robot

[release-branch.go1.24] crypto/tls: document resumption behavior across Configs

2026-02-03T19:53:17Z

Updates #77113 Updates #77217 Updates CVE-2025-68121 Change-Id: Ia47904a9ed001275aad0243a6a0ce57e6a6a6964 Reviewed-on: https://go-review.googlesource.com/c/go/+/740240 LUCI-TryBot-Result: Go LUCI Reviewed-by: Roland Shoemaker Reviewed-by: Michael Pratt Auto-Submit: Filippo Valsorda (cherry picked from commit 1c9abbdc8e9032cd613bd147c78b166ebacc8a2e) Reviewed-on: https://go-review.googlesource.com/c/go/+/741180 Auto-Submit: Michael Pratt

[release-branch.go1.24] crypto/tls: revalidate whole chain on resumption on Windows and macOS

2026-02-03T19:12:58Z

TestHandshakeChangeRootCAsResumption and TestHandshakeGetConfigForClientDifferentClientCAs changed because previously rootA and rootB shared Subject and SPKI, which made the new full-chain revalidation check succeed, as the same leaf would verify against both roots. Updates #77376 Fixes #77424 Cq-Include-Trybots: luci.golang.try:go1.24-darwin-arm64-longtest Change-Id: I60bed694bdc621c9e83f1bd8a8224c016a6a6964 Reviewed-on: https://go-review.googlesource.com/c/go/+/741361 Auto-Submit: Filippo Valsorda Reviewed-by: Dmitri Shuralyov Reviewed-by: Roland Shoemaker LUCI-TryBot-Result: Go LUCI Auto-Submit: Roland Shoemaker (cherry picked from commit b691a2edc7f5863f61a07c4a4f087eef1a15a704) Reviewed-on: https://go-review.googlesource.com/c/go/+/741245 Reviewed-by: Michael Pratt Auto-Submit: Michael Pratt

[release-branch.go1.24] crypto/tls: check verifiedChains roots when resuming sessions

2026-01-28T22:10:33Z

When resuming TLS sessions, on the server and client verify that the chains stored in the session state (verifiedChains) are still acceptable with regards to the Config by checking for the inclusion of the root in either ClientCAs (server) or RootCAs (client). This prevents resuming a session with a certificate chain that would be rejected during a full handshake due to an untrusted root. Updates #77113 Updates #77355 Updates CVE-2025-68121 Change-Id: I11fe00909ef1961c24ecf80bf5b97f7b1121d359 Reviewed-on: https://go-review.googlesource.com/c/go/+/737700 Auto-Submit: Roland Shoemaker Reviewed-by: Dmitri Shuralyov LUCI-TryBot-Result: Go LUCI Reviewed-by: Coia Prant Reviewed-by: Filippo Valsorda Reviewed-on: https://go-review.googlesource.com/c/go/+/740062 Reviewed-by: Damien Neil Reviewed-by: Nicholas Husin Reviewed-by: Nicholas Husin Auto-Submit: Dmitri Shuralyov

[release-branch.go1.24] crypto/tls: add verifiedChains expiration checking during resumption

2026-01-28T22:03:19Z

When resuming a session, check that the verifiedChains contain at least one chain that is still valid at the time of resumption. If not, trigger a new handshake. Updates #77113 Updates #77355 Updates CVE-2025-68121 Change-Id: I14f585c43da17802513cbdd5b10c552d7a38b34e Reviewed-on: https://go-review.googlesource.com/c/go/+/739321 Reviewed-by: Coia Prant Reviewed-by: Filippo Valsorda Auto-Submit: Roland Shoemaker LUCI-TryBot-Result: Go LUCI Reviewed-by: Dmitri Shuralyov Reviewed-on: https://go-review.googlesource.com/c/go/+/740061 Reviewed-by: Nicholas Husin Reviewed-by: Nicholas Husin Auto-Submit: Dmitri Shuralyov Reviewed-by: Damien Neil

[release-branch.go1.24] Revert "crypto/tls: don't copy auto-rotated session ticket keys in Config.Clone"

2026-01-28T22:03:15Z

This reverts CL 736709 (commit bba24719a4cad5cc8d771fc9cfff5a38019d554a). Updates #77113 Updates #77355 Updates CVE-2025-68121 Change-Id: I0261cb75e9adf9d0ac9890dc91ae8476b8988ba0 Reviewed-on: https://go-review.googlesource.com/c/go/+/739320 Reviewed-by: Coia Prant Reviewed-by: Filippo Valsorda LUCI-TryBot-Result: Go LUCI Reviewed-by: Dmitri Shuralyov Reviewed-on: https://go-review.googlesource.com/c/go/+/740060 Reviewed-by: Damien Neil Auto-Submit: Dmitri Shuralyov Reviewed-by: Nicholas Husin Reviewed-by: Nicholas Husin

[release-branch.go1.24] cmd/go: update VCS commands to use safer flag/argument syntax

2026-01-28T21:58:41Z

In various situations, the toolchain invokes VCS commands. Some of these commands take arbitrary input, either provided by users or fetched from external sources. To prevent potential command injection vulnerabilities or misinterpretation of arguments as flags, this change updates the VCS commands to use various techniques to separate flags from positional arguments, and to directly associate flags with their values. Additionally, we update the environment variable for Mercurial to use `HGPLAIN=+strictflags`, which is the more explicit way to disable user configurations (intended or otherwise) that might interfere with command execution. We also now disallow version strings from being prefixed with '-' or '/', as doing so opens us up to making the same mistake again in the future. As far as we know there are currently ~0 public modules affected by this. While I was working on cmd/go/internal/vcs, I also noticed that a significant portion of the commands being implemented were dead code. In order to reduce the maintenance burden and surface area for potential issues, I removed the dead code for unused commands. We should probably follow up with a more structured change to make it harder to accidentally re-introduce these issues in the future, but for now this addresses the issue at hand. Thanks to splitline (@splitline) from DEVCORE Research Team for reporting this issue. Fixes CVE-2025-68119 Updates #77099 Fixes #77103 Change-Id: I9d9f4ee05b95be49fe14edf71a1b8e6c0784378e Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3260 Reviewed-by: Damien Neil Reviewed-by: Nicholas Husin Reviewed-on: https://go-review.googlesource.com/c/go/+/736710 Auto-Submit: Michael Pratt Reviewed-by: Junyang Shao LUCI-TryBot-Result: Go LUCI (cherry picked from commit 94a1296a457387d1fd6eca1a9bcd44e89bdd9d55) Reviewed-on: https://go-review.googlesource.com/c/go/+/739421 Auto-Submit: Dmitri Shuralyov

[release-branch.go1.24] crypto/x509: fix single label excluded name constraints handling

2026-01-28T21:37:59Z

Only strip labels when both the domain and constraint have more than one label. Fixes #76935 Fixes #77322 Change-Id: I1144c9f03cbfc3b858af153a839b193bb934618d Reviewed-on: https://go-review.googlesource.com/c/go/+/739420 Reviewed-by: Dmitri Shuralyov Auto-Submit: Dmitri Shuralyov LUCI-TryBot-Result: Go LUCI Reviewed-by: Damien Neil

[release-branch.go1.24] cmd/go: remove user-content from doc strings in cgo ASTs.

2026-01-28T20:29:22Z

Thank you to RyotaK (https://ryotak.net) of GMO Flatt Security Inc. for reporting this issue. Updates #76697 Fixes #77128 Fixes CVE-2025-61732 Change-Id: Ie2a96b79a813e362cbf8e6cb0e3c2d0c022bcb29 Reviewed-on: https://go-review.googlesource.com/c/go/+/740001 LUCI-TryBot-Result: Go LUCI Auto-Submit: Dmitri Shuralyov Reviewed-by: Roland Shoemaker

[release-branch.go1.24] go1.24.12

2026-01-15T18:28:38Z

Change-Id: I10f61b9036c64c5cbd760cc9f8db67344d373686 Reviewed-on: https://go-review.googlesource.com/c/go/+/736762 Reviewed-by: Michael Pratt Auto-Submit: Gopher Robot TryBot-Bypass: Gopher Robot Reviewed-by: Junyang Shao