From cefb7a67dd60dfc2f42adf5cc28a075be0cba52f Mon Sep 17 00:00:00 2001
From: wh02252983 <wh02252983@alibaba-inc.com>
Date: Mon, 3 Nov 2025 17:03:21 +0800
Subject: [PATCH] [CVE] add patch to fix CVE-2025-58189 To # N/A add patch to
 fix CVE-2025-58189 Project: TC2024080204 Signed-off-by: wh02252983
 <wh02252983@alibaba-inc.com>

---
 0049-Fix-CVE-2025-58189.patch | 43 +++++++++++++++++++++++++++++++++++
 golang.spec                   |  7 +++++-
 2 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 0049-Fix-CVE-2025-58189.patch

diff --git a/0049-Fix-CVE-2025-58189.patch b/0049-Fix-CVE-2025-58189.patch
new file mode 100644
index 0000000..bf8e453
--- /dev/null
+++ b/0049-Fix-CVE-2025-58189.patch
@@ -0,0 +1,43 @@
+From 2e1e356e33b9c792a9643749a7626a1789197bb9 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Mon, 29 Sep 2025 10:11:56 -0700
+Subject: [PATCH] [release-branch.go1.24] crypto/tls: quote protocols in ALPN
+ error message
+
+Quote the protocols sent by the client when returning the ALPN
+negotiation error message.
+
+Fixes CVE-2025-58189
+Updates #75652
+Fixes #75660
+
+Change-Id: Ie7b3a1ed0b6efcc1705b71f0f1e8417126661330
+Reviewed-on: https://go-review.googlesource.com/c/go/+/707776
+Auto-Submit: Roland Shoemaker <roland@golang.org>
+Reviewed-by: Neal Patel <nealpatel@google.com>
+Reviewed-by: Nicholas Husin <nsh@golang.org>
+Auto-Submit: Nicholas Husin <nsh@golang.org>
+Reviewed-by: Nicholas Husin <husin@google.com>
+TryBot-Bypass: Roland Shoemaker <roland@golang.org>
+Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
+(cherry picked from commit 4e9006a716533fe1c7ee08df02dfc73078f7dc19)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/708096
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+---
+ src/crypto/tls/handshake_server.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/crypto/tls/handshake_server.go b/src/crypto/tls/handshake_server.go
+index 7c75977ad3ffb2..6aebb742229a50 100644
+--- a/src/crypto/tls/handshake_server.go
++++ b/src/crypto/tls/handshake_server.go
+@@ -338,7 +338,7 @@ func negotiateALPN(serverProtos, clientProtos []string, quic bool) (string, erro
+ 	if http11fallback {
+ 		return "", nil
+ 	}
+-	return "", fmt.Errorf("tls: client requested unsupported application protocols (%s)", clientProtos)
++	return "", fmt.Errorf("tls: client requested unsupported application protocols (%q)", clientProtos)
+ }
+ 
+ // supportsECDHE returns whether ECDHE key exchanges can be used with this
diff --git a/golang.spec b/golang.spec
index 9209fd2..f63534e 100644
--- a/golang.spec
+++ b/golang.spec
@@ -1,4 +1,4 @@
-%define anolis_release 10
+%define anolis_release 11
 
 # Disable debuginfo packages
 %global debug_package %{nil}
@@ -135,6 +135,8 @@ Patch46:         0046-Fix-CVE-2025-22874.patch
 Patch47:         0047-Fix-CVE-2025-47906.patch
 # https://github.com/golang/go/commit/334de7982f8ec959c74470dd709ceedfd6dbd50a
 Patch48:         0048-Fix-CVE-2025-22870.patch
+# https://github.com/golang/go/commit/2e1e356e33b9c792a9643749a7626a1789197bb9
+Patch49:         0049-Fix-CVE-2025-58189.patch
 
 # Part 1001-1999 for sw_64
 Patch1001: 0001-cmd-comile-Add-sw64-port.patch
@@ -630,6 +632,9 @@ fi
 %files docs -f go-docs.list
 
 %changelog
+* Mon Nov 3 2025 wh02252983 <wh02252983@alibaba-inc.com> - 1.24.0-11
+- add patch to fix CVE-2025-58189
+
 * Mon Oct 27 2025 mgb01105731 <mgb01105731@alibaba-inc.com> - 1.24.0-10
 - Add patch to fix CVE-2025-22870
 
-- 
Gitee