Comparing changes

…Pv6 addresses The security fix we applied in CL709857 was overly broad. It applied rules from RFC 2732, which disallowed IPv4-mapped IPv6 addresses, but these were later allowed in RFC 3986, which is the canonical URI syntax RFC. Revert the portion of CL709857 which restricted IPv4-mapped addresses, and update the related tests. Updates #75815 Fixes #75831 Change-Id: I3192f2275ad5c386f5c15006a6716bdb5282919d Reviewed-on: https://go-review.googlesource.com/c/go/+/710375 LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Ethan Lee <[email protected]> Auto-Submit: Roland Shoemaker <[email protected]> (cherry picked from commit 9db7e30) Reviewed-on: https://go-review.googlesource.com/c/go/+/712142 Reviewed-by: Dmitri Shuralyov <[email protected]> Auto-Submit: Dmitri Shuralyov <[email protected]>

When the passed byte slice has leading garbage, properly handle ignoring it and continuing to parse the slice until we find a valid block (or nothing). Fixes #75951 Change-Id: I07e937d9c754fd71b028b99450b48f57b4464457 Reviewed-on: https://go-review.googlesource.com/c/go/+/712140 Reviewed-by: Damien Neil <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> (cherry picked from commit 0983090) Reviewed-on: https://go-review.googlesource.com/c/go/+/712641 Reviewed-by: Dmitri Shuralyov <[email protected]>

When a block is missing the END line trailer, calculate the indexes of the end and end trailer _before_ continuing the loop, making the reslicing at the start of the loop work as expected. Fixes #76028 Change-Id: If45c8cb473315623618f02cc7609f517a72d232d Reviewed-on: https://go-review.googlesource.com/c/go/+/714200 Auto-Submit: Roland Shoemaker <[email protected]> Reviewed-by: Damien Neil <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> (cherry picked from commit 839da71) Reviewed-on: https://go-review.googlesource.com/c/go/+/714680 Reviewed-by: David Chase <[email protected]>

Change-Id: I74370108e95298bec0fe0f7738867072ece0d0ff Reviewed-on: https://go-review.googlesource.com/c/go/+/718063 TryBot-Bypass: Gopher Robot <[email protected]> Auto-Submit: Gopher Robot <[email protected]> Reviewed-by: Michael Knyszek <[email protected]> Reviewed-by: Michael Pratt <[email protected]>

…ng CPU features lamcas and lam_bh on loong64 Fixes #76378 Change-Id: I5019f4e32243911f735f775bcb3c0dba5adb4162 Reviewed-on: https://go-review.googlesource.com/c/go/+/655395 Reviewed-by: David Chase <[email protected]> Reviewed-by: Junyang Shao <[email protected]> Reviewed-by: Meidan Li <[email protected]> Reviewed-by: sophie zhao <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> (cherry picked from commit bcd0ebb) Reviewed-on: https://go-review.googlesource.com/c/go/+/722400 Reviewed-by: abner chenc <[email protected]> Reviewed-by: Mark Freeman <[email protected]>

…reclude wildcard SANs When evaluating name constraints in a certificate chain, the presence of an excluded subdomain constraint (e.g., excluding "test.example.com") should preclude the use of a wildcard SAN (e.g., "*.example.com"). Fixes #76442 Fixes #76463 Fixes CVE-2025-61727 Change-Id: I42a0da010cb36d2ec9d1239ae3f61cf25eb78bba Reviewed-on: https://go-review.googlesource.com/c/go/+/724401 Reviewed-by: Nicholas Husin <[email protected]> Reviewed-by: Daniel McCarney <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Nicholas Husin <[email protected]> Reviewed-by: Neal Patel <[email protected]>

…om consuming excessive resource Constructing HostnameError.Error() takes O(N^2) runtime due to using a string concatenation in a loop. Additionally, there is no limit on how many names are included in the error message. As a result, a malicious attacker could craft a certificate with an infinite amount of names to unfairly consume resource. To remediate this, we will now use strings.Builder to construct the error message, preventing O(N^2) runtime. When a certificate has 100 or more names, we will also not print each name individually. Thanks to Philippe Antoine (Catena cyber) for reporting this issue. Updates #76445 Fixes #76460 Fixes CVE-2025-61729 Change-Id: I6343776ec3289577abc76dad71766c491c1a7c81 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3000 Reviewed-by: Neal Patel <[email protected]> Reviewed-by: Damien Neil <[email protected]> Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3220 Reviewed-by: Roland Shoemaker <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/725820 Reviewed-by: Dmitri Shuralyov <[email protected]> TryBot-Bypass: Dmitri Shuralyov <[email protected]> Auto-Submit: Dmitri Shuralyov <[email protected]> Reviewed-by: Mark Freeman <[email protected]>

Change-Id: Iae7d7cf17bf31ac6aaf145993d0b857a3ddbcacb Reviewed-on: https://go-review.googlesource.com/c/go/+/725841 TryBot-Bypass: Gopher Robot <[email protected]> Reviewed-by: Mark Freeman <[email protected]> Auto-Submit: Gopher Robot <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]>

Provide feedback