diff -Nru golang-1.20-1.20.3/debian/changelog golang-1.20-1.20.3/debian/changelog
--- golang-1.20-1.20.3/debian/changelog	2023-06-15 12:55:15.000000000 +0000
+++ golang-1.20-1.20.3/debian/changelog	2024-01-10 05:58:05.000000000 +0000
@@ -1,3 +1,32 @@
+golang-1.20 (1.20.3-1ubuntu0.1~22.04.1) jammy-security; urgency=medium
+
+  * SECURITY UPDATE: XSS issue
+    - debian/patches/CVE-2023-39318.patch: support HTML-like comments in
+      script contexts
+    - debian/patches/CVE-2023-39319.patch: roperly handle special tags
+      within the script context
+    - CVE-2023-39318
+    - CVE-2023-39319
+  * SECURITY UPDATE: bypass directives restrictions
+    - debian/patches/CVE-2023-39323.patch: cmd/compile: use absolute file
+      name in isCgo check
+    - CVE-2023-39323
+  * SECURITY UPDATE: denial of service
+    - debian/patches/CVE-2023-39325_44487.patch: http2: limit maximum
+      handler goroutines to MaxConcurrentStreams
+    - CVE-2023-39325
+    - CVE-2023-44487
+  * SECURITY UPDATE: out-of-bound read
+    - debian/patches/CVE-2023-39326.patch: net/http: limit chunked data
+      overhead
+    - CVE-2023-39326
+  * SECURITY UPDATE: bypass secure protocol
+    - debian/patches/CVE-2023-45285.patch: error out if the requested repo
+      does not support a secure protocol
+    - CVE-2023-45285
+
+ -- Nishit Majithia <nishit.majithia@canonical.com>  Wed, 10 Jan 2024 11:28:05 +0530
+
 golang-1.20 (1.20.3-1ubuntu0.1~22.04) jammy; urgency=medium
 
   * Backport to Jammy (LP: #2020658)
diff -Nru golang-1.20-1.20.3/debian/patches/CVE-2023-39318.patch golang-1.20-1.20.3/debian/patches/CVE-2023-39318.patch
--- golang-1.20-1.20.3/debian/patches/CVE-2023-39318.patch	1970-01-01 00:00:00.000000000 +0000
+++ golang-1.20-1.20.3/debian/patches/CVE-2023-39318.patch	2024-01-10 05:50:10.000000000 +0000
@@ -0,0 +1,245 @@
+From 023b542edf38e2a1f87fcefb9f75ff2f99401b4c Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Thu, 3 Aug 2023 12:24:13 -0700
+Subject: [PATCH] [release-branch.go1.20] html/template: support HTML-like
+ comments in script contexts
+
+Per Appendix B.1.1 of the ECMAScript specification, support HTML-like
+comments in script contexts. Also per section 12.5, support hashbang
+comments. This brings our parsing in-line with how browsers treat these
+comment types.
+
+Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for
+reporting this issue.
+
+Fixes #62196
+Fixes #62395
+Fixes CVE-2023-39318
+
+Change-Id: Id512702c5de3ae46cf648e268cb10e1eb392a181
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1976593
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2014620
+Reviewed-on: https://go-review.googlesource.com/c/go/+/526098
+Run-TryBot: Cherry Mui <cherryyz@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+---
+ src/html/template/context.go      |  6 ++-
+ src/html/template/escape.go       |  5 +-
+ src/html/template/escape_test.go  | 10 ++++
+ src/html/template/state_string.go | 26 +++++-----
+ src/html/template/transition.go   | 80 ++++++++++++++++++++-----------
+ 5 files changed, 84 insertions(+), 43 deletions(-)
+
+--- golang-1.20-1.20.3.orig/src/html/template/context.go
++++ golang-1.20-1.20.3/src/html/template/context.go
+@@ -128,6 +128,10 @@ const (
+ 	stateJSBlockCmt
+ 	// stateJSLineCmt occurs inside a JavaScript // line comment.
+ 	stateJSLineCmt
++	// stateJSHTMLOpenCmt occurs inside a JavaScript <!-- HTML-like comment.
++	stateJSHTMLOpenCmt
++	// stateJSHTMLCloseCmt occurs inside a JavaScript --> HTML-like comment.
++	stateJSHTMLCloseCmt
+ 	// stateCSS occurs inside a <style> element or style attribute.
+ 	stateCSS
+ 	// stateCSSDqStr occurs inside a CSS double quoted string.
+@@ -155,7 +159,7 @@ const (
+ // authors & maintainers, not for end-users or machines.
+ func isComment(s state) bool {
+ 	switch s {
+-	case stateHTMLCmt, stateJSBlockCmt, stateJSLineCmt, stateCSSBlockCmt, stateCSSLineCmt:
++	case stateHTMLCmt, stateJSBlockCmt, stateJSLineCmt, stateJSHTMLOpenCmt, stateJSHTMLCloseCmt, stateCSSBlockCmt, stateCSSLineCmt:
+ 		return true
+ 	}
+ 	return false
+--- golang-1.20-1.20.3.orig/src/html/template/escape.go
++++ golang-1.20-1.20.3/src/html/template/escape.go
+@@ -776,9 +776,12 @@ func (e *escaper) escapeText(c context,
+ 		if c.state != c1.state && isComment(c1.state) && c1.delim == delimNone {
+ 			// Preserve the portion between written and the comment start.
+ 			cs := i1 - 2
+-			if c1.state == stateHTMLCmt {
++			if c1.state == stateHTMLCmt || c1.state == stateJSHTMLOpenCmt {
+ 				// "<!--" instead of "/*" or "//"
+ 				cs -= 2
++			} else if c1.state == stateJSHTMLCloseCmt {
++				// "-->" instead of "/*" or "//"
++				cs -= 1
+ 			}
+ 			b.Write(s[written:cs])
+ 			written = i1
+--- golang-1.20-1.20.3.orig/src/html/template/escape_test.go
++++ golang-1.20-1.20.3/src/html/template/escape_test.go
+@@ -504,6 +504,16 @@ func TestEscape(t *testing.T) {
+ 			"<script>var a \nd</script>",
+ 		},
+ 		{
++			"JS HTML-like comments",
++			"<script>before <!-- beep\nbetween\nbefore-->boop\n</script>",
++			"<script>before \nbetween\nbefore\n</script>",
++		},
++		{
++			"JS hashbang comment",
++			"<script>#! beep\n</script>",
++			"<script>\n</script>",
++		},
++		{
+ 			"CSS comments",
+ 			"<style>p// paragraph\n" +
+ 				`{border: 1px/* color */{{"#00f"}}}</style>`,
+--- golang-1.20-1.20.3.orig/src/html/template/state_string.go
++++ golang-1.20-1.20.3/src/html/template/state_string.go
+@@ -25,21 +25,23 @@ func _() {
+ 	_ = x[stateJSRegexp-14]
+ 	_ = x[stateJSBlockCmt-15]
+ 	_ = x[stateJSLineCmt-16]
+-	_ = x[stateCSS-17]
+-	_ = x[stateCSSDqStr-18]
+-	_ = x[stateCSSSqStr-19]
+-	_ = x[stateCSSDqURL-20]
+-	_ = x[stateCSSSqURL-21]
+-	_ = x[stateCSSURL-22]
+-	_ = x[stateCSSBlockCmt-23]
+-	_ = x[stateCSSLineCmt-24]
+-	_ = x[stateError-25]
+-	_ = x[stateDead-26]
++	_ = x[stateJSHTMLOpenCmt-17]
++	_ = x[stateJSHTMLCloseCmt-18]
++	_ = x[stateCSS-19]
++	_ = x[stateCSSDqStr-20]
++	_ = x[stateCSSSqStr-21]
++	_ = x[stateCSSDqURL-22]
++	_ = x[stateCSSSqURL-23]
++	_ = x[stateCSSURL-24]
++	_ = x[stateCSSBlockCmt-25]
++	_ = x[stateCSSLineCmt-26]
++	_ = x[stateError-27]
++	_ = x[stateDead-28]
+ }
+ 
+-const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSBqStrstateJSRegexpstateJSBlockCmtstateJSLineCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead"
++const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSBqStrstateJSRegexpstateJSBlockCmtstateJSLineCmtstateJSHTMLOpenCmtstateJSHTMLCloseCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead"
+ 
+-var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 154, 167, 182, 196, 204, 217, 230, 243, 256, 267, 283, 298, 308, 317}
++var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 154, 167, 182, 196, 214, 233, 241, 254, 267, 280, 293, 304, 320, 335, 345, 354}
+ 
+ func (i state) String() string {
+ 	if i >= state(len(_state_index)-1) {
+--- golang-1.20-1.20.3.orig/src/html/template/transition.go
++++ golang-1.20-1.20.3/src/html/template/transition.go
+@@ -14,32 +14,34 @@ import (
+ // the updated context and the number of bytes consumed from the front of the
+ // input.
+ var transitionFunc = [...]func(context, []byte) (context, int){
+-	stateText:        tText,
+-	stateTag:         tTag,
+-	stateAttrName:    tAttrName,
+-	stateAfterName:   tAfterName,
+-	stateBeforeValue: tBeforeValue,
+-	stateHTMLCmt:     tHTMLCmt,
+-	stateRCDATA:      tSpecialTagEnd,
+-	stateAttr:        tAttr,
+-	stateURL:         tURL,
+-	stateSrcset:      tURL,
+-	stateJS:          tJS,
+-	stateJSDqStr:     tJSDelimited,
+-	stateJSSqStr:     tJSDelimited,
+-	stateJSBqStr:     tJSDelimited,
+-	stateJSRegexp:    tJSDelimited,
+-	stateJSBlockCmt:  tBlockCmt,
+-	stateJSLineCmt:   tLineCmt,
+-	stateCSS:         tCSS,
+-	stateCSSDqStr:    tCSSStr,
+-	stateCSSSqStr:    tCSSStr,
+-	stateCSSDqURL:    tCSSStr,
+-	stateCSSSqURL:    tCSSStr,
+-	stateCSSURL:      tCSSStr,
+-	stateCSSBlockCmt: tBlockCmt,
+-	stateCSSLineCmt:  tLineCmt,
+-	stateError:       tError,
++	stateText:           tText,
++	stateTag:            tTag,
++	stateAttrName:       tAttrName,
++	stateAfterName:      tAfterName,
++	stateBeforeValue:    tBeforeValue,
++	stateHTMLCmt:        tHTMLCmt,
++	stateRCDATA:         tSpecialTagEnd,
++	stateAttr:           tAttr,
++	stateURL:            tURL,
++	stateSrcset:         tURL,
++	stateJS:             tJS,
++	stateJSDqStr:        tJSDelimited,
++	stateJSSqStr:        tJSDelimited,
++	stateJSBqStr:        tJSDelimited,
++	stateJSRegexp:       tJSDelimited,
++	stateJSBlockCmt:     tBlockCmt,
++	stateJSLineCmt:      tLineCmt,
++	stateJSHTMLOpenCmt:  tLineCmt,
++	stateJSHTMLCloseCmt: tLineCmt,
++	stateCSS:            tCSS,
++	stateCSSDqStr:       tCSSStr,
++	stateCSSSqStr:       tCSSStr,
++	stateCSSDqURL:       tCSSStr,
++	stateCSSSqURL:       tCSSStr,
++	stateCSSURL:         tCSSStr,
++	stateCSSBlockCmt:    tBlockCmt,
++	stateCSSLineCmt:     tLineCmt,
++	stateError:          tError,
+ }
+ 
+ var commentStart = []byte("<!--")
+@@ -263,7 +265,7 @@ func tURL(c context, s []byte) (context,
+ 
+ // tJS is the context transition function for the JS state.
+ func tJS(c context, s []byte) (context, int) {
+-	i := bytes.IndexAny(s, "\"`'/")
++	i := bytes.IndexAny(s, "\"`'/<-#")
+ 	if i == -1 {
+ 		// Entire input is non string, comment, regexp tokens.
+ 		c.jsCtx = nextJSCtx(s, c.jsCtx)
+@@ -293,6 +295,26 @@ func tJS(c context, s []byte) (context,
+ 				err:   errorf(ErrSlashAmbig, nil, 0, "'/' could start a division or regexp: %.32q", s[i:]),
+ 			}, len(s)
+ 		}
++	// ECMAScript supports HTML style comments for legacy reasons, see Appendix
++	// B.1.1 "HTML-like Comments". The handling of these comments is somewhat
++	// confusing. Multi-line comments are not supported, i.e. anything on lines
++	// between the opening and closing tokens is not considered a comment, but
++	// anything following the opening or closing token, on the same line, is
++	// ignored. As such we simply treat any line prefixed with "<!--" or "-->"
++	// as if it were actually prefixed with "//" and move on.
++	case '<':
++		if i+3 < len(s) && bytes.Equal(commentStart, s[i:i+4]) {
++			c.state, i = stateJSHTMLOpenCmt, i+3
++		}
++	case '-':
++		if i+2 < len(s) && bytes.Equal(commentEnd, s[i:i+3]) {
++			c.state, i = stateJSHTMLCloseCmt, i+2
++		}
++	// ECMAScript also supports "hashbang" comment lines, see Section 12.5.
++	case '#':
++		if i+1 < len(s) && s[i+1] == '!' {
++			c.state, i = stateJSLineCmt, i+1
++		}
+ 	default:
+ 		panic("unreachable")
+ 	}
+@@ -372,12 +394,12 @@ func tBlockCmt(c context, s []byte) (con
+ 	return c, i + 2
+ }
+ 
+-// tLineCmt is the context transition function for //comment states.
++// tLineCmt is the context transition function for //comment states, and the JS HTML-like comment state.
+ func tLineCmt(c context, s []byte) (context, int) {
+ 	var lineTerminators string
+ 	var endState state
+ 	switch c.state {
+-	case stateJSLineCmt:
++	case stateJSLineCmt, stateJSHTMLOpenCmt, stateJSHTMLCloseCmt:
+ 		lineTerminators, endState = "\n\r\u2028\u2029", stateJS
+ 	case stateCSSLineCmt:
+ 		lineTerminators, endState = "\n\f\r", stateCSS
diff -Nru golang-1.20-1.20.3/debian/patches/CVE-2023-39319.patch golang-1.20-1.20.3/debian/patches/CVE-2023-39319.patch
--- golang-1.20-1.20.3/debian/patches/CVE-2023-39319.patch	1970-01-01 00:00:00.000000000 +0000
+++ golang-1.20-1.20.3/debian/patches/CVE-2023-39319.patch	2024-01-10 05:53:22.000000000 +0000
@@ -0,0 +1,237 @@
+From 2070531d2f53df88e312edace6c8dfc9686ab2f5 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Thu, 3 Aug 2023 12:28:28 -0700
+Subject: [PATCH] [release-branch.go1.20] html/template: properly handle
+ special tags within the script context
+
+The HTML specification has incredibly complex rules for how to handle
+"<!--", "<script", and "</script" when they appear within literals in
+the script context. Rather than attempting to apply these restrictions
+(which require a significantly more complex state machine) we apply
+the workaround suggested in section 4.12.1.3 of the HTML specification [1].
+
+More precisely, when "<!--", "<script", and "</script" appear within
+literals (strings and regular expressions, ignoring comments since we
+already elide their content) we replace the "<" with "\x3C". This avoids
+the unintuitive behavior that using these tags within literals can cause,
+by simply preventing the rendered content from triggering it. This may
+break some correct usages of these tags, but on balance is more likely
+to prevent XSS attacks where users are unknowingly either closing or not
+closing the script blocks where they think they are.
+
+Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for
+reporting this issue.
+
+Fixes #62197
+Fixes #62397
+Fixes CVE-2023-39319
+
+[1] https://html.spec.whatwg.org/#restrictions-for-contents-of-script-elements
+
+Change-Id: Iab57b0532694827e3eddf57a7497ba1fab1746dc
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1976594
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2014621
+TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/526099
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Run-TryBot: Cherry Mui <cherryyz@google.com>
+---
+ src/go/build/deps_test.go        |  6 ++--
+ src/html/template/context.go     | 14 ++++++++++
+ src/html/template/escape.go      | 26 ++++++++++++++++++
+ src/html/template/escape_test.go | 47 +++++++++++++++++++++++++++++++-
+ src/html/template/transition.go  | 15 ++++++++++
+ 5 files changed, 104 insertions(+), 4 deletions(-)
+
+--- golang-1.20-1.20.3.orig/src/go/build/deps_test.go
++++ golang-1.20-1.20.3/src/go/build/deps_test.go
+@@ -236,15 +236,15 @@ var depsRules = `
+ 	< text/template
+ 	< internal/lazytemplate;
+ 
+-	encoding/json, html, text/template
+-	< html/template;
+-
+ 	# regexp
+ 	FMT
+ 	< regexp/syntax
+ 	< regexp
+ 	< internal/lazyregexp;
+ 
++	encoding/json, html, text/template, regexp
++	< html/template;
++
+ 	# suffix array
+ 	encoding/binary, regexp
+ 	< index/suffixarray;
+--- golang-1.20-1.20.3.orig/src/html/template/context.go
++++ golang-1.20-1.20.3/src/html/template/context.go
+@@ -174,6 +174,20 @@ func isInTag(s state) bool {
+ 	return false
+ }
+ 
++// isInScriptLiteral returns true if s is one of the literal states within a
++// <script> tag, and as such occurances of "<!--", "<script", and "</script"
++// need to be treated specially.
++func isInScriptLiteral(s state) bool {
++	// Ignore the comment states (stateJSBlockCmt, stateJSLineCmt,
++	// stateJSHTMLOpenCmt, stateJSHTMLCloseCmt) because their content is already
++	// omitted from the output.
++	switch s {
++	case stateJSDqStr, stateJSSqStr, stateJSBqStr, stateJSRegexp:
++		return true
++	}
++	return false
++}
++
+ // delim is the delimiter that will end the current HTML attribute.
+ type delim uint8
+ 
+--- golang-1.20-1.20.3.orig/src/html/template/escape.go
++++ golang-1.20-1.20.3/src/html/template/escape.go
+@@ -10,6 +10,7 @@ import (
+ 	"html"
+ 	"internal/godebug"
+ 	"io"
++	"regexp"
+ 	"text/template"
+ 	"text/template/parse"
+ )
+@@ -728,6 +729,26 @@ var delimEnds = [...]string{
+ 	delimSpaceOrTagEnd: " \t\n\f\r>",
+ }
+ 
++var (
++	// Per WHATWG HTML specification, section 4.12.1.3, there are extremely
++	// complicated rules for how to handle the set of opening tags <!--,
++	// <script, and </script when they appear in JS literals (i.e. strings,
++	// regexs, and comments). The specification suggests a simple solution,
++	// rather than implementing the arcane ABNF, which involves simply escaping
++	// the opening bracket with \x3C. We use the below regex for this, since it
++	// makes doing the case-insensitive find-replace much simpler.
++	specialScriptTagRE          = regexp.MustCompile("(?i)<(script|/script|!--)")
++	specialScriptTagReplacement = []byte("\\x3C$1")
++)
++
++func containsSpecialScriptTag(s []byte) bool {
++	return specialScriptTagRE.Match(s)
++}
++
++func escapeSpecialScriptTags(s []byte) []byte {
++	return specialScriptTagRE.ReplaceAll(s, specialScriptTagReplacement)
++}
++
+ var doctypeBytes = []byte("<!DOCTYPE")
+ 
+ // escapeText escapes a text template node.
+@@ -786,6 +807,11 @@ func (e *escaper) escapeText(c context,
+ 			b.Write(s[written:cs])
+ 			written = i1
+ 		}
++		if isInScriptLiteral(c.state) && containsSpecialScriptTag(s[i:i1]) {
++			b.Write(s[written:i])
++			b.Write(escapeSpecialScriptTags(s[i:i1]))
++			written = i1
++		}
+ 		if i == i1 && c.state == c1.state {
+ 			panic(fmt.Sprintf("infinite loop from %v to %v on %q..%q", c, c1, s[:i], s[i:]))
+ 		}
+--- golang-1.20-1.20.3.orig/src/html/template/escape_test.go
++++ golang-1.20-1.20.3/src/html/template/escape_test.go
+@@ -514,6 +514,21 @@ func TestEscape(t *testing.T) {
+ 			"<script>\n</script>",
+ 		},
+ 		{
++			"Special tags in <script> string literals",
++			`<script>var a = "asd < 123 <!-- 456 < fgh <script jkl < 789 </script"</script>`,
++			`<script>var a = "asd < 123 \x3C!-- 456 < fgh \x3Cscript jkl < 789 \x3C/script"</script>`,
++		},
++		{
++			"Special tags in <script> string literals (mixed case)",
++			`<script>var a = "<!-- <ScripT </ScripT"</script>`,
++			`<script>var a = "\x3C!-- \x3CScripT \x3C/ScripT"</script>`,
++		},
++		{
++			"Special tags in <script> regex literals (mixed case)",
++			`<script>var a = /<!-- <ScripT </ScripT/</script>`,
++			`<script>var a = /\x3C!-- \x3CScripT \x3C/ScripT/</script>`,
++		},
++		{
+ 			"CSS comments",
+ 			"<style>p// paragraph\n" +
+ 				`{border: 1px/* color */{{"#00f"}}}</style>`,
+@@ -1533,8 +1548,38 @@ func TestEscapeText(t *testing.T) {
+ 			context{state: stateJS, element: elementScript},
+ 		},
+ 		{
++			// <script and </script tags are escaped, so </script> should not
++			// cause us to exit the JS state.
+ 			`<script>document.write("<script>alert(1)</script>");`,
+-			context{state: stateText},
++			context{state: stateJS, element: elementScript},
++		},
++		{
++			`<script>document.write("<script>`,
++			context{state: stateJSDqStr, element: elementScript},
++		},
++		{
++			`<script>document.write("<script>alert(1)</script>`,
++			context{state: stateJSDqStr, element: elementScript},
++		},
++		{
++			`<script>document.write("<script>alert(1)<!--`,
++			context{state: stateJSDqStr, element: elementScript},
++		},
++		{
++			`<script>document.write("<script>alert(1)</Script>");`,
++			context{state: stateJS, element: elementScript},
++		},
++		{
++			`<script>document.write("<!--");`,
++			context{state: stateJS, element: elementScript},
++		},
++		{
++			`<script>let a = /</script`,
++			context{state: stateJSRegexp, element: elementScript},
++		},
++		{
++			`<script>let a = /</script/`,
++			context{state: stateJS, element: elementScript, jsCtx: jsCtxDivOp},
+ 		},
+ 		{
+ 			`<script type="text/template">`,
+--- golang-1.20-1.20.3.orig/src/html/template/transition.go
++++ golang-1.20-1.20.3/src/html/template/transition.go
+@@ -214,6 +214,11 @@ var (
+ // element states.
+ func tSpecialTagEnd(c context, s []byte) (context, int) {
+ 	if c.element != elementNone {
++		// script end tags ("</script") within script literals are ignored, so that
++		// we can properly escape them.
++		if c.element == elementScript && (isInScriptLiteral(c.state) || isComment(c.state)) {
++			return c, len(s)
++		}
+ 		if i := indexTagEnd(s, specialTagEndMarkers[c.element]); i != -1 {
+ 			return context{}, i
+ 		}
+@@ -353,6 +358,16 @@ func tJSDelimited(c context, s []byte) (
+ 			inCharset = true
+ 		case ']':
+ 			inCharset = false
++		case '/':
++			// If "</script" appears in a regex literal, the '/' should not
++			// close the regex literal, and it will later be escaped to
++			// "\x3C/script" in escapeText.
++			if i > 0 && i+7 <= len(s) && bytes.Compare(bytes.ToLower(s[i-1:i+7]), []byte("</script")) == 0 {
++				i++
++			} else if !inCharset {
++				c.state, c.jsCtx = stateJS, jsCtxDivOp
++				return c, i + 1
++			}
+ 		default:
+ 			// end delimiter
+ 			if !inCharset {
diff -Nru golang-1.20-1.20.3/debian/patches/CVE-2023-39323.patch golang-1.20-1.20.3/debian/patches/CVE-2023-39323.patch
--- golang-1.20-1.20.3/debian/patches/CVE-2023-39323.patch	1970-01-01 00:00:00.000000000 +0000
+++ golang-1.20-1.20.3/debian/patches/CVE-2023-39323.patch	2024-01-10 05:58:05.000000000 +0000
@@ -0,0 +1,106 @@
+From 31d5b604ac0adb58aec4870ac1b974c08312fd49 Mon Sep 17 00:00:00 2001
+From: Ian Lance Taylor <iant@golang.org>
+Date: Wed, 20 Sep 2023 16:16:29 -0700
+Subject: [PATCH] [release-branch.go1.20] cmd/compile: use absolute file name
+ in isCgo check
+
+For #23672
+Updates #63211
+Fixes #63213
+Fixes CVE-2023-39323
+
+Change-Id: I4586a69e1b2560036afec29d53e53cf25e6c7352
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2032884
+Reviewed-by: Matthew Dempsky <mdempsky@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+(cherry picked from commit 9b19e751918dd218035811b1ef83a8c2693b864a)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2037629
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/533195
+Auto-Submit: Michael Pratt <mpratt@google.com>
+Reviewed-by: Ian Lance Taylor <iant@google.com>
+TryBot-Bypass: Michael Pratt <mpratt@google.com>
+Reviewed-by: Than McIntosh <thanm@google.com>
+---
+ misc/cgo/errors/errors_test.go          | 24 ++++++++++++++++--------
+ misc/cgo/errors/testdata/err5.go        | 11 +++++++++++
+ src/cmd/compile/internal/noder/noder.go |  8 +++++++-
+ 3 files changed, 34 insertions(+), 9 deletions(-)
+ create mode 100644 misc/cgo/errors/testdata/err5.go
+
+--- golang-1.20-1.20.3.orig/misc/cgo/errors/errors_test.go
++++ golang-1.20-1.20.3/misc/cgo/errors/errors_test.go
+@@ -36,16 +36,23 @@ func check(t *testing.T, file string) {
+ 				continue
+ 			}
+ 
+-			_, frag, ok := bytes.Cut(line, []byte("ERROR HERE: "))
+-			if !ok {
+-				continue
++			if _, frag, ok := bytes.Cut(line, []byte("ERROR HERE: ")); ok {
++				re, err := regexp.Compile(fmt.Sprintf(":%d:.*%s", i+1, frag))
++				if err != nil {
++					t.Errorf("Invalid regexp after `ERROR HERE: `: %#q", frag)
++					continue
++				}
++				errors = append(errors, re)
+ 			}
+-			re, err := regexp.Compile(fmt.Sprintf(":%d:.*%s", i+1, frag))
+-			if err != nil {
+-				t.Errorf("Invalid regexp after `ERROR HERE: `: %#q", frag)
+-				continue
++
++			if _, frag, ok := bytes.Cut(line, []byte("ERROR MESSAGE: ")); ok {
++				re, err := regexp.Compile(string(frag))
++				if err != nil {
++					t.Errorf("Invalid regexp after `ERROR MESSAGE: `: %#q", frag)
++					continue
++				}
++				errors = append(errors, re)
+ 			}
+-			errors = append(errors, re)
+ 		}
+ 		if len(errors) == 0 {
+ 			t.Fatalf("cannot find ERROR HERE")
+@@ -106,6 +113,7 @@ func TestReportsTypeErrors(t *testing.T)
+ 	for _, file := range []string{
+ 		"err1.go",
+ 		"err2.go",
++		"err5.go",
+ 		"issue11097a.go",
+ 		"issue11097b.go",
+ 		"issue18452.go",
+--- /dev/null
++++ golang-1.20-1.20.3/misc/cgo/errors/testdata/err5.go
+@@ -0,0 +1,11 @@
++// Copyright 2023 The Go Authors. All rights reserved.
++// Use of this source code is governed by a BSD-style
++// license that can be found in the LICENSE file.
++
++package main
++
++//line /tmp/_cgo_.go:1
++//go:cgo_dynamic_linker "/elf/interp"
++// ERROR MESSAGE: only allowed in cgo-generated code
++
++func main() {}
+--- golang-1.20-1.20.3.orig/src/cmd/compile/internal/noder/noder.go
++++ golang-1.20-1.20.3/src/cmd/compile/internal/noder/noder.go
+@@ -359,8 +359,14 @@ func (p *noder) pragma(pos syntax.Pos, b
+ // contain cgo directives, and for security reasons
+ // (primarily misuse of linker flags), other files are not.
+ // See golang.org/issue/23672.
++// Note that cmd/go ignores files whose names start with underscore,
++// so the only _cgo_ files we will see from cmd/go are generated by cgo.
++// It's easy to bypass this check by calling the compiler directly;
++// we only protect against uses by cmd/go.
+ func isCgoGeneratedFile(pos syntax.Pos) bool {
+-	return strings.HasPrefix(filepath.Base(trimFilename(pos.Base())), "_cgo_")
++	// We need the absolute file, independent of //line directives,
++	// so we call pos.Base().Pos().
++	return strings.HasPrefix(filepath.Base(trimFilename(pos.Base().Pos().Base())), "_cgo_")
+ }
+ 
+ // safeArg reports whether arg is a "safe" command-line argument,
diff -Nru golang-1.20-1.20.3/debian/patches/CVE-2023-39325_44487.patch golang-1.20-1.20.3/debian/patches/CVE-2023-39325_44487.patch
--- golang-1.20-1.20.3/debian/patches/CVE-2023-39325_44487.patch	1970-01-01 00:00:00.000000000 +0000
+++ golang-1.20-1.20.3/debian/patches/CVE-2023-39325_44487.patch	2024-01-10 05:58:05.000000000 +0000
@@ -0,0 +1,155 @@
+From e175f27f58aa7b9cd4d79607ae65d2cd5baaee68 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Fri, 6 Oct 2023 14:16:27 -0700
+Subject: [PATCH] [release-branch.go1.20] net/http: regenerate h2_bundle.go
+
+Pull in a security fix from x/net/http2:
+http2: limit maximum handler goroutines to MaxConcurrentStreamso
+
+For #63417
+Fixes #63426
+Fixes CVE-2023-39325
+
+Change-Id: I6e32397323cd9b4114c990fcc9d19557a7f5f619
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2047401
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-by: Ian Cottrell <iancottrell@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/534255
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Michael Pratt <mpratt@google.com>
+Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
+---
+ src/cmd/internal/moddeps/moddeps_test.go |  2 +
+ src/net/http/h2_bundle.go                | 66 +++++++++++++++++++++++-
+ 2 files changed, 66 insertions(+), 2 deletions(-)
+
+--- golang-1.20-1.20.3.orig/src/cmd/internal/moddeps/moddeps_test.go
++++ golang-1.20-1.20.3/src/cmd/internal/moddeps/moddeps_test.go
+@@ -31,6 +31,8 @@ import (
+ // See issues 36852, 41409, and 43687.
+ // (Also see golang.org/issue/27348.)
+ func TestAllDependencies(t *testing.T) {
++	t.Skip("TODO(#63427): 1.21.3 contains unreleased changes from vendored modules")
++
+ 	goBin := testenv.GoToolPath(t)
+ 
+ 	// Ensure that all packages imported within GOROOT
+--- golang-1.20-1.20.3.orig/src/net/http/h2_bundle.go
++++ golang-1.20-1.20.3/src/net/http/h2_bundle.go
+@@ -4320,9 +4320,11 @@ type http2serverConn struct {
+ 	advMaxStreams               uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client
+ 	curClientStreams            uint32 // number of open streams initiated by the client
+ 	curPushedStreams            uint32 // number of open streams initiated by server push
++	curHandlers                 uint32 // number of running handler goroutines
+ 	maxClientStreamID           uint32 // max ever seen from client (odd), or 0 if there have been no client requests
+ 	maxPushPromiseID            uint32 // ID of the last push promise (even), or 0 if there have been no pushes
+ 	streams                     map[uint32]*http2stream
++	unstartedHandlers           []http2unstartedHandler
+ 	initialStreamSendWindowSize int32
+ 	maxFrameSize                int32
+ 	peerMaxHeaderListSize       uint32            // zero means unknown (default)
+@@ -4718,6 +4720,8 @@ func (sc *http2serverConn) serve() {
+ 					return
+ 				case http2gracefulShutdownMsg:
+ 					sc.startGracefulShutdownInternal()
++				case http2handlerDoneMsg:
++					sc.handlerDone()
+ 				default:
+ 					panic("unknown timer")
+ 				}
+@@ -4765,6 +4769,7 @@ var (
+ 	http2idleTimerMsg        = new(http2serverMessage)
+ 	http2shutdownTimerMsg    = new(http2serverMessage)
+ 	http2gracefulShutdownMsg = new(http2serverMessage)
++	http2handlerDoneMsg      = new(http2serverMessage)
+ )
+ 
+ func (sc *http2serverConn) onSettingsTimer() { sc.sendServeMsg(http2settingsTimerMsg) }
+@@ -5759,8 +5764,7 @@ func (sc *http2serverConn) processHeader
+ 		}
+ 	}
+ 
+-	go sc.runHandler(rw, req, handler)
+-	return nil
++	return sc.scheduleHandler(id, rw, req, handler)
+ }
+ 
+ func (sc *http2serverConn) upgradeRequest(req *Request) {
+@@ -5780,6 +5784,10 @@ func (sc *http2serverConn) upgradeReques
+ 		sc.conn.SetReadDeadline(time.Time{})
+ 	}
+ 
++	// This is the first request on the connection,
++	// so start the handler directly rather than going
++	// through scheduleHandler.
++	sc.curHandlers++
+ 	go sc.runHandler(rw, req, sc.handler.ServeHTTP)
+ }
+ 
+@@ -6021,8 +6029,62 @@ func (sc *http2serverConn) newResponseWr
+ 	return &http2responseWriter{rws: rws}
+ }
+ 
++type http2unstartedHandler struct {
++	streamID uint32
++	rw       *http2responseWriter
++	req      *Request
++	handler  func(ResponseWriter, *Request)
++}
++
++// scheduleHandler starts a handler goroutine,
++// or schedules one to start as soon as an existing handler finishes.
++func (sc *http2serverConn) scheduleHandler(streamID uint32, rw *http2responseWriter, req *Request, handler func(ResponseWriter, *Request)) error {
++	sc.serveG.check()
++	maxHandlers := sc.advMaxStreams
++	if sc.curHandlers < maxHandlers {
++		sc.curHandlers++
++		go sc.runHandler(rw, req, handler)
++		return nil
++	}
++	if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) {
++		return sc.countError("too_many_early_resets", http2ConnectionError(http2ErrCodeEnhanceYourCalm))
++	}
++	sc.unstartedHandlers = append(sc.unstartedHandlers, http2unstartedHandler{
++		streamID: streamID,
++		rw:       rw,
++		req:      req,
++		handler:  handler,
++	})
++	return nil
++}
++
++func (sc *http2serverConn) handlerDone() {
++	sc.serveG.check()
++	sc.curHandlers--
++	i := 0
++	maxHandlers := sc.advMaxStreams
++	for ; i < len(sc.unstartedHandlers); i++ {
++		u := sc.unstartedHandlers[i]
++		if sc.streams[u.streamID] == nil {
++			// This stream was reset before its goroutine had a chance to start.
++			continue
++		}
++		if sc.curHandlers >= maxHandlers {
++			break
++		}
++		sc.curHandlers++
++		go sc.runHandler(u.rw, u.req, u.handler)
++		sc.unstartedHandlers[i] = http2unstartedHandler{} // don't retain references
++	}
++	sc.unstartedHandlers = sc.unstartedHandlers[i:]
++	if len(sc.unstartedHandlers) == 0 {
++		sc.unstartedHandlers = nil
++	}
++}
++
+ // Run on its own goroutine.
+ func (sc *http2serverConn) runHandler(rw *http2responseWriter, req *Request, handler func(ResponseWriter, *Request)) {
++	defer sc.sendServeMsg(http2handlerDoneMsg)
+ 	didPanic := true
+ 	defer func() {
+ 		rw.rws.stream.cancelCtx()
diff -Nru golang-1.20-1.20.3/debian/patches/CVE-2023-39326.patch golang-1.20-1.20.3/debian/patches/CVE-2023-39326.patch
--- golang-1.20-1.20.3/debian/patches/CVE-2023-39326.patch	1970-01-01 00:00:00.000000000 +0000
+++ golang-1.20-1.20.3/debian/patches/CVE-2023-39326.patch	2024-01-10 05:58:05.000000000 +0000
@@ -0,0 +1,170 @@
+From 6446af942e2e2b161c4ec1b60d9703a2b55dc4dd Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Tue, 7 Nov 2023 10:47:56 -0800
+Subject: [PATCH] [release-branch.go1.20] net/http: limit chunked data overhead
+
+The chunked transfer encoding adds some overhead to
+the content transferred. When writing one byte per
+chunk, for example, there are five bytes of overhead
+per byte of data transferred: "1\r\nX\r\n" to send "X".
+
+Chunks may include "chunk extensions",
+which we skip over and do not use.
+For example: "1;chunk extension here\r\nX\r\n".
+
+A malicious sender can use chunk extensions to add
+about 4k of overhead per byte of data.
+(The maximum chunk header line size we will accept.)
+
+Track the amount of overhead read in chunked data,
+and produce an error if it seems excessive.
+
+Updates #64433
+Fixes #64434
+Fixes CVE-2023-39326
+
+Change-Id: I40f8d70eb6f9575fb43f506eb19132ccedafcf39
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2076135
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+(cherry picked from commit 3473ae72ee66c60744665a24b2fde143e8964d4f)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2095407
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/547355
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+---
+ src/net/http/internal/chunked.go      | 36 +++++++++++++---
+ src/net/http/internal/chunked_test.go | 59 +++++++++++++++++++++++++++
+ 2 files changed, 89 insertions(+), 6 deletions(-)
+
+--- golang-1.20-1.20.3.orig/src/net/http/internal/chunked.go
++++ golang-1.20-1.20.3/src/net/http/internal/chunked.go
+@@ -39,7 +39,8 @@ type chunkedReader struct {
+ 	n        uint64 // unread bytes in chunk
+ 	err      error
+ 	buf      [2]byte
+-	checkEnd bool // whether need to check for \r\n chunk footer
++	checkEnd bool  // whether need to check for \r\n chunk footer
++	excess   int64 // "excessive" chunk overhead, for malicious sender detection
+ }
+ 
+ func (cr *chunkedReader) beginChunk() {
+@@ -49,10 +50,38 @@ func (cr *chunkedReader) beginChunk() {
+ 	if cr.err != nil {
+ 		return
+ 	}
++	cr.excess += int64(len(line)) + 2 // header, plus \r\n after the chunk data
++	line = trimTrailingWhitespace(line)
++	line, cr.err = removeChunkExtension(line)
++	if cr.err != nil {
++		return
++	}
+ 	cr.n, cr.err = parseHexUint(line)
+ 	if cr.err != nil {
+ 		return
+ 	}
++	// A sender who sends one byte per chunk will send 5 bytes of overhead
++	// for every byte of data. ("1\r\nX\r\n" to send "X".)
++	// We want to allow this, since streaming a byte at a time can be legitimate.
++	//
++	// A sender can use chunk extensions to add arbitrary amounts of additional
++	// data per byte read. ("1;very long extension\r\nX\r\n" to send "X".)
++	// We don't want to disallow extensions (although we discard them),
++	// but we also don't want to allow a sender to reduce the signal/noise ratio
++	// arbitrarily.
++	//
++	// We track the amount of excess overhead read,
++	// and produce an error if it grows too large.
++	//
++	// Currently, we say that we're willing to accept 16 bytes of overhead per chunk,
++	// plus twice the amount of real data in the chunk.
++	cr.excess -= 16 + (2 * int64(cr.n))
++	if cr.excess < 0 {
++		cr.excess = 0
++	}
++	if cr.excess > 16*1024 {
++		cr.err = errors.New("chunked encoding contains too much non-data")
++	}
+ 	if cr.n == 0 {
+ 		cr.err = io.EOF
+ 	}
+@@ -140,11 +169,6 @@ func readChunkLine(b *bufio.Reader) ([]b
+ 	if len(p) >= maxLineLength {
+ 		return nil, ErrLineTooLong
+ 	}
+-	p = trimTrailingWhitespace(p)
+-	p, err = removeChunkExtension(p)
+-	if err != nil {
+-		return nil, err
+-	}
+ 	return p, nil
+ }
+ 
+--- golang-1.20-1.20.3.orig/src/net/http/internal/chunked_test.go
++++ golang-1.20-1.20.3/src/net/http/internal/chunked_test.go
+@@ -239,3 +239,62 @@ func TestChunkEndReadError(t *testing.T)
+ 		t.Errorf("expected %v, got %v", readErr, err)
+ 	}
+ }
++
++func TestChunkReaderTooMuchOverhead(t *testing.T) {
++	// If the sender is sending 100x as many chunk header bytes as chunk data,
++	// we should reject the stream at some point.
++	chunk := []byte("1;")
++	for i := 0; i < 100; i++ {
++		chunk = append(chunk, 'a') // chunk extension
++	}
++	chunk = append(chunk, "\r\nX\r\n"...)
++	const bodylen = 1 << 20
++	r := NewChunkedReader(&funcReader{f: func(i int) ([]byte, error) {
++		if i < bodylen {
++			return chunk, nil
++		}
++		return []byte("0\r\n"), nil
++	}})
++	_, err := io.ReadAll(r)
++	if err == nil {
++		t.Fatalf("successfully read body with excessive overhead; want error")
++	}
++}
++
++func TestChunkReaderByteAtATime(t *testing.T) {
++	// Sending one byte per chunk should not trip the excess-overhead detection.
++	const bodylen = 1 << 20
++	r := NewChunkedReader(&funcReader{f: func(i int) ([]byte, error) {
++		if i < bodylen {
++			return []byte("1\r\nX\r\n"), nil
++		}
++		return []byte("0\r\n"), nil
++	}})
++	got, err := io.ReadAll(r)
++	if err != nil {
++		t.Errorf("unexpected error: %v", err)
++	}
++	if len(got) != bodylen {
++		t.Errorf("read %v bytes, want %v", len(got), bodylen)
++	}
++}
++
++type funcReader struct {
++	f   func(iteration int) ([]byte, error)
++	i   int
++	b   []byte
++	err error
++}
++
++func (r *funcReader) Read(p []byte) (n int, err error) {
++	if len(r.b) == 0 && r.err == nil {
++		r.b, r.err = r.f(r.i)
++		r.i++
++	}
++	n = copy(p, r.b)
++	r.b = r.b[n:]
++	if len(r.b) > 0 {
++		return n, nil
++	}
++	return n, r.err
++}
diff -Nru golang-1.20-1.20.3/debian/patches/CVE-2023-45285.patch golang-1.20-1.20.3/debian/patches/CVE-2023-45285.patch
--- golang-1.20-1.20.3/debian/patches/CVE-2023-45285.patch	1970-01-01 00:00:00.000000000 +0000
+++ golang-1.20-1.20.3/debian/patches/CVE-2023-45285.patch	2024-01-10 05:58:05.000000000 +0000
@@ -0,0 +1,96 @@
+From 46bc33819ac86a9596b8059235842f0e0c7469bd Mon Sep 17 00:00:00 2001
+From: "Bryan C. Mills" <bcmills@google.com>
+Date: Thu, 2 Nov 2023 15:06:35 -0400
+Subject: [PATCH] [release-branch.go1.20] cmd/go/internal/vcs: error out if the
+ requested repo does not support a secure protocol
+
+Updates #63845.
+Fixes #63972.
+
+Change-Id: If86d6b13d3b55877b35c087112bd76388c9404b8
+Reviewed-on: https://go-review.googlesource.com/c/go/+/539321
+Reviewed-by: Michael Matloob <matloob@golang.org>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+Auto-Submit: Bryan Mills <bcmills@google.com>
+(cherry picked from commit be26ae18caf7ddffca4073333f80d0d9e76483c3)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/540335
+Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+---
+ src/cmd/go/internal/vcs/vcs.go                | 25 +++++++++++++----
+ .../script/mod_insecure_issue63845.txt        | 28 +++++++++++++++++++
+ 2 files changed, 47 insertions(+), 6 deletions(-)
+ create mode 100644 src/cmd/go/testdata/script/mod_insecure_issue63845.txt
+
+--- golang-1.20-1.20.3.orig/src/cmd/go/internal/vcs/vcs.go
++++ golang-1.20-1.20.3/src/cmd/go/internal/vcs/vcs.go
+@@ -1179,18 +1179,31 @@ func repoRootFromVCSPaths(importPath str
+ 			var ok bool
+ 			repoURL, ok = interceptVCSTest(repo, vcs, security)
+ 			if !ok {
+-				scheme := vcs.Scheme[0] // default to first scheme
+-				if vcs.PingCmd != "" {
+-					// If we know how to test schemes, scan to find one.
++				scheme, err := func() (string, error) {
+ 					for _, s := range vcs.Scheme {
+ 						if security == web.SecureOnly && !vcs.isSecureScheme(s) {
+ 							continue
+ 						}
+-						if vcs.Ping(s, repo) == nil {
+-							scheme = s
+-							break
++
++						// If we know how to ping URL schemes for this VCS,
++						// check that this repo works.
++						// Otherwise, default to the first scheme
++						// that meets the requested security level.
++						if vcs.PingCmd == "" {
++							return s, nil
+ 						}
++						if err := vcs.Ping(s, repo); err == nil {
++							return s, nil
++						}
++					}
++					securityFrag := ""
++					if security == web.SecureOnly {
++						securityFrag = "secure "
+ 					}
++					return "", fmt.Errorf("no %sprotocol found for repository", securityFrag)
++				}()
++				if err != nil {
++					return nil, err
+ 				}
+ 				repoURL = scheme + "://" + repo
+ 			}
+--- /dev/null
++++ golang-1.20-1.20.3/src/cmd/go/testdata/script/mod_insecure_issue63845.txt
+@@ -0,0 +1,28 @@
++# Regression test for https://go.dev/issue/63845:
++# If 'git ls-remote' fails for all secure protocols,
++# we should fail instead of falling back to an arbitrary protocol.
++#
++# Note that this test does not use the local vcweb test server
++# (vcs-test.golang.org), because the hook for redirecting to that
++# server bypasses the "ping to determine protocol" logic
++# in cmd/go/internal/vcs.
++
++[!net] skip
++[!git] skip
++[short] skip 'tries to access a nonexistent external Git repo'
++
++env GOPRIVATE=golang.org
++env CURLOPT_TIMEOUT_MS=100
++env GIT_SSH_COMMAND=false
++
++! go get -x golang.org/nonexist.git@latest
++stderr '^git ls-remote https://golang.org/nonexist$'
++stderr '^git ls-remote git\+ssh://golang.org/nonexist'
++stderr '^git ls-remote ssh://golang.org/nonexist$'
++! stderr 'git://'
++stderr '^go: golang.org/nonexist.git@latest: no secure protocol found for repository$'
++
++-- go.mod --
++module example
++
++go 1.19
diff -Nru golang-1.20-1.20.3/debian/patches/series golang-1.20-1.20.3/debian/patches/series
--- golang-1.20-1.20.3/debian/patches/series	2023-05-31 04:20:43.000000000 +0000
+++ golang-1.20-1.20.3/debian/patches/series	2024-01-10 05:58:05.000000000 +0000
@@ -5,3 +5,9 @@
 CVE-2023-24539.patch
 CVE-2023-24540.patch
 CVE-2023-29400.patch
+CVE-2023-39318.patch
+CVE-2023-39319.patch
+CVE-2023-39323.patch
+CVE-2023-39325_44487.patch
+CVE-2023-39326.patch
+CVE-2023-45285.patch