diff --git a/0001-Modify-go.env.patch b/0001-Modify-go.env.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d0b18c78d8f99a0a58d5e2caf09dcaf2e280f5f8
--- /dev/null
+++ b/0001-Modify-go.env.patch
@@ -0,0 +1,30 @@
+From 52d9cfec8124a9c7382bed5284246d9b18a21eb4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alejandro=20S=C3=A1ez?= <asm@redhat.com>
+Date: Wed, 16 Aug 2023 07:06:38 +0200
+Subject: [PATCH] Modify go.env
+
+Change GOPROXY, GOSUMDB, and GOTOOLCHAIN
+---
+ go.env | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/go.env b/go.env
+index 6ff2b921d4..087208cd7c 100644
+--- a/go.env
++++ b/go.env
+@@ -4,9 +4,9 @@
+ 
+ # Use the Go module mirror and checksum database by default.
+ # See https://proxy.golang.org for details.
+-GOPROXY=https://proxy.golang.org,direct
+-GOSUMDB=sum.golang.org
++GOPROXY=direct
++GOSUMDB=off
+ 
+ # Automatically download newer toolchains as directed by go.mod files.
+ # See https://go.dev/doc/toolchain for details.
+-GOTOOLCHAIN=auto
++GOTOOLCHAIN=local
+-- 
+2.41.0
+
diff --git a/0001-crypto-tls-restrict-RSA-keys-in-certificates-to-8192.patch b/0001-crypto-tls-restrict-RSA-keys-in-certificates-to-8192.patch
deleted file mode 100644
index 24dfde604c89646cd52e171e23def74a764e50b8..0000000000000000000000000000000000000000
--- a/0001-crypto-tls-restrict-RSA-keys-in-certificates-to-8192.patch
+++ /dev/null
@@ -1,125 +0,0 @@
-diff -uprN go.orig/src/crypto/tls/handshake_client.go go/src/crypto/tls/handshake_client.go
---- go.orig/src/crypto/tls/handshake_client.go	2023-09-01 09:49:36.497825128 +0000
-+++ go/src/crypto/tls/handshake_client.go	2023-09-01 10:14:49.605105116 +0000
-@@ -857,6 +857,10 @@ func (hs *clientHandshakeState) sendFini
- 	return nil
- }
- 
-+// maxRSAKeySize is the maximum RSA key size in bits that we are willing
-+// to verify the signatures of during a TLS handshake.
-+const maxRSAKeySize = 8192
-+
- // verifyServerCertificate parses and verifies the provided chain, setting
- // c.verifiedChains and c.peerCertificates or sending the appropriate alert.
- func (c *Conn) verifyServerCertificate(certificates [][]byte) error {
-@@ -868,6 +872,10 @@ func (c *Conn) verifyServerCertificate(c
- 			c.sendAlert(alertBadCertificate)
- 			return errors.New("tls: failed to parse certificate from server: " + err.Error())
- 		}
-+        if cert.cert.PublicKeyAlgorithm == x509.RSA && cert.cert.PublicKey.(*rsa.PublicKey).N.BitLen() > maxRSAKeySize {
-+            c.sendAlert(alertBadCertificate)
-+            return fmt.Errorf("tls: server sent certificate containing RSA key larger than %d bits", maxRSAKeySize)
-+        }
- 		activeHandles[i] = cert
- 		certs[i] = cert.cert
- 	}
-diff -uprN go.orig/src/crypto/tls/handshake_client_test.go go/src/crypto/tls/handshake_client_test.go
---- go.orig/src/crypto/tls/handshake_client_test.go	2023-09-01 09:49:36.498825137 +0000
-+++ go/src/crypto/tls/handshake_client_test.go	2023-09-01 10:17:01.077258997 +0000
-@@ -2616,3 +2616,82 @@ func TestClientHandshakeContextCancellat
- 		t.Error("Client connection was not closed when the context was canceled")
- 	}
- }
-+
-+
-+// discardConn wraps a net.Conn but discards all writes, but reports that they happened.
-+type discardConn struct {
-+       net.Conn
-+}
-+
-+func (dc *discardConn) Write(data []byte) (int, error) {
-+       return len(data), nil
-+}
-+
-+// largeRSAKeyCertPEM contains a 8193 bit RSA key
-+const largeRSAKeyCertPEM = `-----BEGIN CERTIFICATE-----
-+MIIInjCCBIWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDEwd0ZXN0
-+aW5nMB4XDTIzMDYwNzIxMjMzNloXDTIzMDYwNzIzMjMzNlowEjEQMA4GA1UEAxMH
-+dGVzdGluZzCCBCIwDQYJKoZIhvcNAQEBBQADggQPADCCBAoCggQBAWdHsf6Rh2Ca
-+n2SQwn4t4OQrOjbLLdGE1pM6TBKKrHUFy62uEL8atNjlcfXIsa4aEu3xNGiqxqur
-+ZectlkZbm0FkaaQ1Wr9oikDY3KfjuaXdPdO/XC/h8AKNxlDOylyXwUSK/CuYb+1j
-+gy8yF5QFvVfwW/xwTlHmhUeSkVSQPosfQ6yXNNsmMzkd+ZPWLrfq4R+wiNtwYGu0
-+WSBcI/M9o8/vrNLnIppoiBJJ13j9CR1ToEAzOFh9wwRWLY10oZhoh1ONN1KQURx4
-+qedzvvP2DSjZbUccdvl2rBGvZpzfOiFdm1FCnxB0c72Cqx+GTHXBFf8bsa7KHky9
-+sNO1GUanbq17WoDNgwbY6H51bfShqv0CErxatwWox3we4EcAmFHPVTCYL1oWVMGo
-+a3Eth91NZj+b/nGhF9lhHKGzXSv9brmLLkfvM1jA6XhNhA7BQ5Vz67lj2j3XfXdh
-+t/BU5pBXbL4Ut4mIhT1YnKXAjX2/LF5RHQTE8Vwkx5JAEKZyUEGOReD/B+7GOrLp
-+HduMT9vZAc5aR2k9I8qq1zBAzsL69lyQNAPaDYd1BIAjUety9gAYaSQffCgAgpRO
-+Gt+DYvxS+7AT/yEd5h74MU2AH7KrAkbXOtlwupiGwhMVTstncDJWXMJqbBhyHPF8
-+3UmZH0hbL4PYmzSj9LDWQQXI2tv6vrCpfts3Cqhqxz9vRpgY7t1Wu6l/r+KxYYz3
-+1pcGpPvRmPh0DJm7cPTiXqPnZcPt+ulSaSdlxmd19OnvG5awp0fXhxryZVwuiT8G
-+VDkhyARrxYrdjlINsZJZbQjO0t8ketXAELJOnbFXXzeCOosyOHkLwsqOO96AVJA8
-+45ZVL5m95ClGy0RSrjVIkXsxTAMVG6SPAqKwk6vmTdRGuSPS4rhgckPVDHmccmuq
-+dfnT2YkX+wB2/M3oCgU+s30fAHGkbGZ0pCdNbFYFZLiH0iiMbTDl/0L/z7IdK0nH
-+GLHVE7apPraKC6xl6rPWsD2iSfrmtIPQa0+rqbIVvKP5JdfJ8J4alI+OxFw/znQe
-+V0/Rez0j22Fe119LZFFSXhRv+ZSvcq20xDwh00mzcumPWpYuCVPozA18yIhC9tNn
-+ALHndz0tDseIdy9vC71jQWy9iwri3ueN0DekMMF8JGzI1Z6BAFzgyAx3DkHtwHg7
-+B7qD0jPG5hJ5+yt323fYgJsuEAYoZ8/jzZ01pkX8bt+UsVN0DGnSGsI2ktnIIk3J
-+l+8krjmUy6EaW79nITwoOqaeHOIp8m3UkjEcoKOYrzHRKqRy+A09rY+m/cAQaafW
-+4xp0Zv7qZPLwnu0jsqB4jD8Ll9yPB02ndsoV6U5PeHzTkVhPml19jKUAwFfs7TJg
-+kXy+/xFhYVUCAwEAATANBgkqhkiG9w0BAQsFAAOCBAIAAQnZY77pMNeypfpba2WK
-+aDasT7dk2JqP0eukJCVPTN24Zca+xJNPdzuBATm/8SdZK9lddIbjSnWRsKvTnO2r
-+/rYdlPf3jM5uuJtb8+Uwwe1s+gszelGS9G/lzzq+ehWicRIq2PFcs8o3iQMfENiv
-+qILJ+xjcrvms5ZPDNahWkfRx3KCg8Q+/at2n5p7XYjMPYiLKHnDC+RE2b1qT20IZ
-+FhuK/fTWLmKbfYFNNga6GC4qcaZJ7x0pbm4SDTYp0tkhzcHzwKhidfNB5J2vNz6l
-+Ur6wiYwamFTLqcOwWo7rdvI+sSn05WQBv0QZlzFX+OAu0l7WQ7yU+noOxBhjvHds
-+14+r9qcQZg2q9kG+evopYZqYXRUNNlZKo9MRBXhfrISulFAc5lRFQIXMXnglvAu+
-+Ipz2gomEAOcOPNNVldhKAU94GAMJd/KfN0ZP7gX3YvPzuYU6XDhag5RTohXLm18w
-+5AF+ES3DOQ6ixu3DTf0D+6qrDuK+prdX8ivcdTQVNOQ+MIZeGSc6NWWOTaMGJ3lg
-+aZIxJUGdo6E7GBGiC1YTjgFKFbHzek1LRTh/LX3vbSudxwaG0HQxwsU9T4DWiMqa
-+Fkf2KteLEUA6HrR+0XlAZrhwoqAmrJ+8lCFX3V0gE9lpENfVHlFXDGyx10DpTB28
-+DdjnY3F7EPWNzwf9P3oNT69CKW3Bk6VVr3ROOJtDxVu1ioWo3TaXltQ0VOnap2Pu
-+sa5wfrpfwBDuAS9JCDg4ttNp2nW3F7tgXC6xPqw5pvGwUppEw9XNrqV8TZrxduuv
-+rQ3NyZ7KSzIpmFlD3UwV/fGfz3UQmHS6Ng1evrUID9DjfYNfRqSGIGjDfxGtYD+j
-+Z1gLJZuhjJpNtwBkKRtlNtrCWCJK2hidK/foxwD7kwAPo2I9FjpltxCRywZUs07X
-+KwXTfBR9v6ij1LV6K58hFS+8ezZyZ05CeVBFkMQdclTOSfuPxlMkQOtjp8QWDj+F
-+j/MYziT5KBkHvcbrjdRtUJIAi4N7zCsPZtjik918AK1WBNRVqPbrgq/XSEXMfuvs
-+6JbfK0B76vdBDRtJFC1JsvnIrGbUztxXzyQwFLaR/AjVJqpVlysLWzPKWVX6/+SJ
-+u1NQOl2E8P6ycyBsuGnO89p0S4F8cMRcI2X1XQsZ7/q0NBrOMaEp5T3SrWo9GiQ3
-+o2SBdbs3Y6MBPBtTu977Z/0RO63J3M5i2tjUiDfrFy7+VRLKr7qQ7JibohyB8QaR
-+9tedgjn2f+of7PnP/PEl1cCphUZeHM7QKUMPT8dbqwmKtlYY43EHXcvNOT5IBk3X
-+9lwJoZk/B2i+ZMRNSP34ztAwtxmasPt6RAWGQpWCn9qmttAHAnMfDqe7F7jVR6rS
-+u58=
-+-----END CERTIFICATE-----`
-+
-+func TestHandshakeRSATooBig(t *testing.T) {
-+       testCert, _ := pem.Decode([]byte(largeRSAKeyCertPEM))
-+
-+       c := &Conn{conn: &discardConn{}, config: testConfig.Clone()}
-+
-+       expectedErr := "tls: server sent certificate containing RSA key larger than 8192 bits"
-+       err := c.verifyServerCertificate([][]byte{testCert.Bytes})
-+       if err == nil || err.Error() != expectedErr {
-+               t.Errorf("Conn.verifyServerCertificate unexpected error: want %q, got %q", expectedErr, err)
-+       }
-+
-+       expectedErr = "tls: client sent certificate containing RSA key larger than 8192 bits"
-+       err = c.processCertsFromClient(Certificate{Certificate: [][]byte{testCert.Bytes}})
-+       if err == nil || err.Error() != expectedErr {
-+               t.Errorf("Conn.processCertsFromClient unexpected error: want %q, got %q", expectedErr, err)
-+       }
-+}
-diff -uprN go.orig/src/crypto/tls/handshake_server.go go/src/crypto/tls/handshake_server.go
---- go.orig/src/crypto/tls/handshake_server.go	2023-09-01 09:49:36.498825137 +0000
-+++ go/src/crypto/tls/handshake_server.go	2023-09-01 10:18:29.072031301 +0000
-@@ -818,6 +818,10 @@ func (c *Conn) processCertsFromClient(ce
- 			c.sendAlert(alertBadCertificate)
- 			return errors.New("tls: failed to parse client certificate: " + err.Error())
- 		}
-+		if certs[i].PublicKeyAlgorithm == x509.RSA && certs[i].PublicKey.(*rsa.PublicKey).N.BitLen() > maxRSAKeySize {
-+			c.sendAlert(alertBadCertificate)
-+			return fmt.Errorf("tls: client sent certificate containing RSA key larger than %d bits", maxRSAKeySize)
-+		}
- 	}
- 
- 	if len(certs) == 0 && requiresClientCert(c.config.ClientAuth) {
diff --git a/0004-cmd-link-use-gold-on-ARM-ARM64-only-if-gold-is-avail.patch b/0002-cmd-link-use-gold-on-ARM-ARM64-only-if-gold-is-avail.patch
similarity index 36%
rename from 0004-cmd-link-use-gold-on-ARM-ARM64-only-if-gold-is-avail.patch
rename to 0002-cmd-link-use-gold-on-ARM-ARM64-only-if-gold-is-avail.patch
index d0a714976dc42f63c3f301321883dfc6444213f4..5341d6d6a87bfcee82bb3bf80fc0512bbfdb3577 100644
--- a/0004-cmd-link-use-gold-on-ARM-ARM64-only-if-gold-is-avail.patch
+++ b/0002-cmd-link-use-gold-on-ARM-ARM64-only-if-gold-is-avail.patch
@@ -1,38 +1,20 @@
-From 5ccf9f47bf4f5ba53e0ab7338a7fd4626714cfb2 Mon Sep 17 00:00:00 2001
-From: Jeffery To <jeffery.to@gmail.com>
-Date: Tue, 23 Nov 2021 15:05:37 +0800
-Subject: [PATCH] cmd/link: use gold on ARM/ARM64 only if gold is available
+From 7506da0af38aa307f45664f0c787b5767cc7a87f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alejandro=20S=C3=A1ez?= <asm@redhat.com>
+Date: Thu, 22 Jun 2023 17:19:00 +0200
+Subject: [PATCH] Force gold in aarch64 until binutils 2.41 is on Fedora
 
-COPY relocation handling on ARM/ARM64 has been fixed in recent versions
-of the GNU linker. This switches to gold only if gold is available.
-
-Fixes #22040.
 ---
- src/cmd/link/internal/ld/lib.go | 19 +++++++------------
- 1 file changed, 7 insertions(+), 12 deletions(-)
+ src/cmd/link/internal/ld/lib.go | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
 
 diff --git a/src/cmd/link/internal/ld/lib.go b/src/cmd/link/internal/ld/lib.go
-index 9e13db7b71..2b379259a2 100644
+index 91e2d5149c..99c305530b 100644
 --- a/src/cmd/link/internal/ld/lib.go
 +++ b/src/cmd/link/internal/ld/lib.go
-@@ -1390,25 +1390,20 @@ func (ctxt *Link) hostlink() {
- 		}
+@@ -1605,15 +1605,13 @@ func (ctxt *Link) hostlink() {
+ 			// https://go.dev/issue/22040
+ 			altLinker = "gold"
  
- 		if ctxt.Arch.InFamily(sys.ARM, sys.ARM64) && buildcfg.GOOS == "linux" {
--			// On ARM, the GNU linker will generate COPY relocations
--			// even with -znocopyreloc set.
-+			// On ARM, older versions of the GNU linker will generate
-+			// COPY relocations even with -znocopyreloc set.
- 			// https://sourceware.org/bugzilla/show_bug.cgi?id=19962
- 			//
--			// On ARM64, the GNU linker will fail instead of
--			// generating COPY relocations.
-+			// On ARM64, older versions of the GNU linker will fail
-+			// instead of generating COPY relocations.
- 			//
--			// In both cases, switch to gold.
--			altLinker = "gold"
--
 -			// If gold is not installed, gcc will silently switch
 -			// back to ld.bfd. So we parse the version information
 -			// and provide a useful error if gold is missing.
@@ -42,12 +24,12 @@ index 9e13db7b71..2b379259a2 100644
  			cmd := exec.Command(name, args...)
  			if out, err := cmd.CombinedOutput(); err == nil {
 -				if !bytes.Contains(out, []byte("GNU gold")) {
--					log.Fatalf("ARM external linker must be gold (issue #15696), but is not: %s", out)
+-					log.Fatalf("ARM64 external linker must be gold (issue #15696, 22040), but is not: %s", out)
 +				if bytes.Contains(out, []byte("GNU gold")) {
 +					altLinker = "gold"
  				}
  			}
  		}
 -- 
-2.32.0
+2.40.1
 
diff --git a/0002-fix-CVE-2023-39323.patch b/0002-fix-CVE-2023-39323.patch
deleted file mode 100644
index 04030925a28df6414993a85610108514b85e5d64..0000000000000000000000000000000000000000
--- a/0002-fix-CVE-2023-39323.patch
+++ /dev/null
@@ -1,113 +0,0 @@
-From 31d5b604ac0adb58aec4870ac1b974c08312fd49 Mon Sep 17 00:00:00 2001
-From: Ian Lance Taylor <iant@golang.org>
-Date: Wed, 20 Sep 2023 16:16:29 -0700
-Subject: [PATCH] [release-branch.go1.20] cmd/compile: use absolute file name
- in isCgo check
-
-For #23672
-Updates #63211
-Fixes #63213
-Fixes CVE-2023-39323
-
-Change-Id: I4586a69e1b2560036afec29d53e53cf25e6c7352
-Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2032884
-Reviewed-by: Matthew Dempsky <mdempsky@google.com>
-Reviewed-by: Roland Shoemaker <bracewell@google.com>
-(cherry picked from commit 9b19e751918dd218035811b1ef83a8c2693b864a)
-Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2037629
-Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
-Run-TryBot: Roland Shoemaker <bracewell@google.com>
-Reviewed-by: Damien Neil <dneil@google.com>
-Reviewed-on: https://go-review.googlesource.com/c/go/+/533195
-Auto-Submit: Michael Pratt <mpratt@google.com>
-Reviewed-by: Ian Lance Taylor <iant@google.com>
-TryBot-Bypass: Michael Pratt <mpratt@google.com>
-Reviewed-by: Than McIntosh <thanm@google.com>
----
- misc/cgo/errors/errors_test.go          | 24 ++++++++++++++++--------
- misc/cgo/errors/testdata/err5.go        | 11 +++++++++++
- src/cmd/compile/internal/noder/noder.go |  8 +++++++-
- 3 files changed, 34 insertions(+), 9 deletions(-)
- create mode 100644 misc/cgo/errors/testdata/err5.go
-
-diff --git a/misc/cgo/errors/errors_test.go b/misc/cgo/errors/errors_test.go
-index 9718b7f9fb4d0..8168032dc35bc 100644
---- a/misc/cgo/errors/errors_test.go
-+++ b/misc/cgo/errors/errors_test.go
-@@ -36,16 +36,23 @@ func check(t *testing.T, file string) {
- 				continue
- 			}
- 
--			_, frag, ok := bytes.Cut(line, []byte("ERROR HERE: "))
--			if !ok {
--				continue
-+			if _, frag, ok := bytes.Cut(line, []byte("ERROR HERE: ")); ok {
-+				re, err := regexp.Compile(fmt.Sprintf(":%d:.*%s", i+1, frag))
-+				if err != nil {
-+					t.Errorf("Invalid regexp after `ERROR HERE: `: %#q", frag)
-+					continue
-+				}
-+				errors = append(errors, re)
- 			}
--			re, err := regexp.Compile(fmt.Sprintf(":%d:.*%s", i+1, frag))
--			if err != nil {
--				t.Errorf("Invalid regexp after `ERROR HERE: `: %#q", frag)
--				continue
-+
-+			if _, frag, ok := bytes.Cut(line, []byte("ERROR MESSAGE: ")); ok {
-+				re, err := regexp.Compile(string(frag))
-+				if err != nil {
-+					t.Errorf("Invalid regexp after `ERROR MESSAGE: `: %#q", frag)
-+					continue
-+				}
-+				errors = append(errors, re)
- 			}
--			errors = append(errors, re)
- 		}
- 		if len(errors) == 0 {
- 			t.Fatalf("cannot find ERROR HERE")
-@@ -106,6 +113,7 @@ func TestReportsTypeErrors(t *testing.T) {
- 	for _, file := range []string{
- 		"err1.go",
- 		"err2.go",
-+		"err5.go",
- 		"issue11097a.go",
- 		"issue11097b.go",
- 		"issue18452.go",
-diff --git a/misc/cgo/errors/testdata/err5.go b/misc/cgo/errors/testdata/err5.go
-new file mode 100644
-index 0000000000000..c12a290d3890f
---- /dev/null
-+++ b/misc/cgo/errors/testdata/err5.go
-@@ -0,0 +1,11 @@
-+// Copyright 2023 The Go Authors. All rights reserved.
-+// Use of this source code is governed by a BSD-style
-+// license that can be found in the LICENSE file.
-+
-+package main
-+
-+//line /tmp/_cgo_.go:1
-+//go:cgo_dynamic_linker "/elf/interp"
-+// ERROR MESSAGE: only allowed in cgo-generated code
-+
-+func main() {}
-diff --git a/src/cmd/compile/internal/noder/noder.go b/src/cmd/compile/internal/noder/noder.go
-index d0d95451ac0d3..c99c085037e23 100644
---- a/src/cmd/compile/internal/noder/noder.go
-+++ b/src/cmd/compile/internal/noder/noder.go
-@@ -359,8 +359,14 @@ func (p *noder) pragma(pos syntax.Pos, blankLine bool, text string, old syntax.P
- // contain cgo directives, and for security reasons
- // (primarily misuse of linker flags), other files are not.
- // See golang.org/issue/23672.
-+// Note that cmd/go ignores files whose names start with underscore,
-+// so the only _cgo_ files we will see from cmd/go are generated by cgo.
-+// It's easy to bypass this check by calling the compiler directly;
-+// we only protect against uses by cmd/go.
- func isCgoGeneratedFile(pos syntax.Pos) bool {
--	return strings.HasPrefix(filepath.Base(trimFilename(pos.Base())), "_cgo_")
-+	// We need the absolute file, independent of //line directives,
-+	// so we call pos.Base().Pos().
-+	return strings.HasPrefix(filepath.Base(trimFilename(pos.Base().Pos().Base())), "_cgo_")
- }
- 
- // safeArg reports whether arg is a "safe" command-line argument,
diff --git a/0003-cmd-go-disable-Google-s-proxy-and-sumdb.patch b/0003-cmd-go-disable-Google-s-proxy-and-sumdb.patch
deleted file mode 100644
index fba971319a072e18f6dc93880a7554b4c3a01ebb..0000000000000000000000000000000000000000
--- a/0003-cmd-go-disable-Google-s-proxy-and-sumdb.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From fa250374b727439159bc9f203b854bb5df00186f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jakub=20=C4=8Cajka?= <jcajka@redhat.com>
-Date: Mon, 27 May 2019 15:12:53 +0200
-Subject: [PATCH 3/3] cmd/go: disable Google's proxy and sumdb
-
----
- src/cmd/go/internal/cfg/cfg.go                  | 4 ++--
- src/cmd/go/testdata/script/mod_sumdb_golang.txt | 6 +++---
- 2 files changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/src/cmd/go/internal/cfg/cfg.go b/src/cmd/go/internal/cfg/cfg.go
-index 57a3c1ff6f..e56c60e591 100644
---- a/src/cmd/go/internal/cfg/cfg.go
-+++ b/src/cmd/go/internal/cfg/cfg.go
-@@ -266,8 +266,8 @@ var (
- 	GOPPC64  = envOr("GOPPC64", fmt.Sprintf("%s%d", "power", buildcfg.GOPPC64))
- 	GOWASM   = envOr("GOWASM", fmt.Sprint(buildcfg.GOWASM))
- 
--	GOPROXY    = envOr("GOPROXY", "https://proxy.golang.org,direct")
--	GOSUMDB    = envOr("GOSUMDB", "sum.golang.org")
-+	GOPROXY    = envOr("GOPROXY", "direct")
-+	GOSUMDB    = envOr("GOSUMDB", "off")
- 	GOPRIVATE  = Getenv("GOPRIVATE")
- 	GONOPROXY  = envOr("GONOPROXY", GOPRIVATE)
- 	GONOSUMDB  = envOr("GONOSUMDB", GOPRIVATE)
-diff --git a/src/cmd/go/testdata/script/mod_sumdb_golang.txt b/src/cmd/go/testdata/script/mod_sumdb_golang.txt
-index becd88b52e..b2a1250372 100644
---- a/src/cmd/go/testdata/script/mod_sumdb_golang.txt
-+++ b/src/cmd/go/testdata/script/mod_sumdb_golang.txt
-@@ -2,12 +2,12 @@
- env GOPROXY=
- env GOSUMDB=
- go env GOPROXY
--stdout '^https://proxy.golang.org,direct$'
-+stdout '^direct$'
- go env GOSUMDB
--stdout '^sum.golang.org$'
-+stdout '^off$'
- env GOPROXY=https://proxy.golang.org
- go env GOSUMDB
--stdout '^sum.golang.org$'
-+stdout '^off$'
- 
- # Download direct from github.
- 
--- 
-2.31.1
-
diff --git a/0005-fix-CVE-2023-39326.patch b/0005-fix-CVE-2023-39326.patch
deleted file mode 100644
index 85dd15ff588a89115d404ca536c6afe33adfccf5..0000000000000000000000000000000000000000
--- a/0005-fix-CVE-2023-39326.patch
+++ /dev/null
@@ -1,174 +0,0 @@
-From 6446af942e2e2b161c4ec1b60d9703a2b55dc4dd Mon Sep 17 00:00:00 2001
-From: Damien Neil <dneil@google.com>
-Date: Tue, 7 Nov 2023 10:47:56 -0800
-Subject: [PATCH] [release-branch.go1.20] net/http: limit chunked data overhead
-
-The chunked transfer encoding adds some overhead to
-the content transferred. When writing one byte per
-chunk, for example, there are five bytes of overhead
-per byte of data transferred: "1\r\nX\r\n" to send "X".
-
-Chunks may include "chunk extensions",
-which we skip over and do not use.
-For example: "1;chunk extension here\r\nX\r\n".
-
-A malicious sender can use chunk extensions to add
-about 4k of overhead per byte of data.
-(The maximum chunk header line size we will accept.)
-
-Track the amount of overhead read in chunked data,
-and produce an error if it seems excessive.
-
-Updates #64433
-Fixes #64434
-Fixes CVE-2023-39326
-
-Change-Id: I40f8d70eb6f9575fb43f506eb19132ccedafcf39
-Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2076135
-Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
-Reviewed-by: Roland Shoemaker <bracewell@google.com>
-(cherry picked from commit 3473ae72ee66c60744665a24b2fde143e8964d4f)
-Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2095407
-Run-TryBot: Roland Shoemaker <bracewell@google.com>
-TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
-Reviewed-by: Damien Neil <dneil@google.com>
-Reviewed-on: https://go-review.googlesource.com/c/go/+/547355
-Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
-LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
----
- src/net/http/internal/chunked.go      | 36 +++++++++++++---
- src/net/http/internal/chunked_test.go | 59 +++++++++++++++++++++++++++
- 2 files changed, 89 insertions(+), 6 deletions(-)
-
-diff --git a/src/net/http/internal/chunked.go b/src/net/http/internal/chunked.go
-index 5a174415dc401..8b6e94b5d49cc 100644
---- a/src/net/http/internal/chunked.go
-+++ b/src/net/http/internal/chunked.go
-@@ -39,7 +39,8 @@ type chunkedReader struct {
- 	n        uint64 // unread bytes in chunk
- 	err      error
- 	buf      [2]byte
--	checkEnd bool // whether need to check for \r\n chunk footer
-+	checkEnd bool  // whether need to check for \r\n chunk footer
-+	excess   int64 // "excessive" chunk overhead, for malicious sender detection
- }
- 
- func (cr *chunkedReader) beginChunk() {
-@@ -49,10 +50,38 @@ func (cr *chunkedReader) beginChunk() {
- 	if cr.err != nil {
- 		return
- 	}
-+	cr.excess += int64(len(line)) + 2 // header, plus \r\n after the chunk data
-+	line = trimTrailingWhitespace(line)
-+	line, cr.err = removeChunkExtension(line)
-+	if cr.err != nil {
-+		return
-+	}
- 	cr.n, cr.err = parseHexUint(line)
- 	if cr.err != nil {
- 		return
- 	}
-+	// A sender who sends one byte per chunk will send 5 bytes of overhead
-+	// for every byte of data. ("1\r\nX\r\n" to send "X".)
-+	// We want to allow this, since streaming a byte at a time can be legitimate.
-+	//
-+	// A sender can use chunk extensions to add arbitrary amounts of additional
-+	// data per byte read. ("1;very long extension\r\nX\r\n" to send "X".)
-+	// We don't want to disallow extensions (although we discard them),
-+	// but we also don't want to allow a sender to reduce the signal/noise ratio
-+	// arbitrarily.
-+	//
-+	// We track the amount of excess overhead read,
-+	// and produce an error if it grows too large.
-+	//
-+	// Currently, we say that we're willing to accept 16 bytes of overhead per chunk,
-+	// plus twice the amount of real data in the chunk.
-+	cr.excess -= 16 + (2 * int64(cr.n))
-+	if cr.excess < 0 {
-+		cr.excess = 0
-+	}
-+	if cr.excess > 16*1024 {
-+		cr.err = errors.New("chunked encoding contains too much non-data")
-+	}
- 	if cr.n == 0 {
- 		cr.err = io.EOF
- 	}
-@@ -140,11 +169,6 @@ func readChunkLine(b *bufio.Reader) ([]byte, error) {
- 	if len(p) >= maxLineLength {
- 		return nil, ErrLineTooLong
- 	}
--	p = trimTrailingWhitespace(p)
--	p, err = removeChunkExtension(p)
--	if err != nil {
--		return nil, err
--	}
- 	return p, nil
- }
- 
-diff --git a/src/net/http/internal/chunked_test.go b/src/net/http/internal/chunked_test.go
-index 5e29a786dd61e..b99090c1f8ad7 100644
---- a/src/net/http/internal/chunked_test.go
-+++ b/src/net/http/internal/chunked_test.go
-@@ -239,3 +239,62 @@ func TestChunkEndReadError(t *testing.T) {
- 		t.Errorf("expected %v, got %v", readErr, err)
- 	}
- }
-+
-+func TestChunkReaderTooMuchOverhead(t *testing.T) {
-+	// If the sender is sending 100x as many chunk header bytes as chunk data,
-+	// we should reject the stream at some point.
-+	chunk := []byte("1;")
-+	for i := 0; i < 100; i++ {
-+		chunk = append(chunk, 'a') // chunk extension
-+	}
-+	chunk = append(chunk, "\r\nX\r\n"...)
-+	const bodylen = 1 << 20
-+	r := NewChunkedReader(&funcReader{f: func(i int) ([]byte, error) {
-+		if i < bodylen {
-+			return chunk, nil
-+		}
-+		return []byte("0\r\n"), nil
-+	}})
-+	_, err := io.ReadAll(r)
-+	if err == nil {
-+		t.Fatalf("successfully read body with excessive overhead; want error")
-+	}
-+}
-+
-+func TestChunkReaderByteAtATime(t *testing.T) {
-+	// Sending one byte per chunk should not trip the excess-overhead detection.
-+	const bodylen = 1 << 20
-+	r := NewChunkedReader(&funcReader{f: func(i int) ([]byte, error) {
-+		if i < bodylen {
-+			return []byte("1\r\nX\r\n"), nil
-+		}
-+		return []byte("0\r\n"), nil
-+	}})
-+	got, err := io.ReadAll(r)
-+	if err != nil {
-+		t.Errorf("unexpected error: %v", err)
-+	}
-+	if len(got) != bodylen {
-+		t.Errorf("read %v bytes, want %v", len(got), bodylen)
-+	}
-+}
-+
-+type funcReader struct {
-+	f   func(iteration int) ([]byte, error)
-+	i   int
-+	b   []byte
-+	err error
-+}
-+
-+func (r *funcReader) Read(p []byte) (n int, err error) {
-+	if len(r.b) == 0 && r.err == nil {
-+		r.b, r.err = r.f(r.i)
-+		r.i++
-+	}
-+	n = copy(p, r.b)
-+	r.b = r.b[n:]
-+	if len(r.b) > 0 {
-+		return n, nil
-+	}
-+	return n, r.err
-+}
diff --git a/0006-fix-CVE-2023-39318.patch b/0006-fix-CVE-2023-39318.patch
deleted file mode 100644
index bf0f53b972570d1353b0033fe4484c49f06c5e34..0000000000000000000000000000000000000000
--- a/0006-fix-CVE-2023-39318.patch
+++ /dev/null
@@ -1,255 +0,0 @@
-From 023b542edf38e2a1f87fcefb9f75ff2f99401b4c Mon Sep 17 00:00:00 2001
-From: Roland Shoemaker <bracewell@google.com>
-Date: Thu, 3 Aug 2023 12:24:13 -0700
-Subject: [PATCH] [release-branch.go1.20] html/template: support HTML-like
- comments in script contexts
-
-Per Appendix B.1.1 of the ECMAScript specification, support HTML-like
-comments in script contexts. Also per section 12.5, support hashbang
-comments. This brings our parsing in-line with how browsers treat these
-comment types.
-
-Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for
-reporting this issue.
-
-Fixes #62196
-Fixes #62395
-Fixes CVE-2023-39318
-
-Change-Id: Id512702c5de3ae46cf648e268cb10e1eb392a181
-Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1976593
-Run-TryBot: Roland Shoemaker <bracewell@google.com>
-Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
-Reviewed-by: Damien Neil <dneil@google.com>
-Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
-Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2014620
-Reviewed-on: https://go-review.googlesource.com/c/go/+/526098
-Run-TryBot: Cherry Mui <cherryyz@google.com>
-TryBot-Result: Gopher Robot <gobot@golang.org>
----
- src/html/template/context.go      |  6 ++-
- src/html/template/escape.go       |  5 +-
- src/html/template/escape_test.go  | 10 ++++
- src/html/template/state_string.go | 26 +++++-----
- src/html/template/transition.go   | 80 ++++++++++++++++++++-----------
- 5 files changed, 84 insertions(+), 43 deletions(-)
-
-diff --git a/src/html/template/context.go b/src/html/template/context.go
-index c28fb0c5ea8ef..e07a0c4a027d0 100644
---- a/src/html/template/context.go
-+++ b/src/html/template/context.go
-@@ -128,6 +128,10 @@ const (
- 	stateJSBlockCmt
- 	// stateJSLineCmt occurs inside a JavaScript // line comment.
- 	stateJSLineCmt
-+	// stateJSHTMLOpenCmt occurs inside a JavaScript <!-- HTML-like comment.
-+	stateJSHTMLOpenCmt
-+	// stateJSHTMLCloseCmt occurs inside a JavaScript --> HTML-like comment.
-+	stateJSHTMLCloseCmt
- 	// stateCSS occurs inside a <style> element or style attribute.
- 	stateCSS
- 	// stateCSSDqStr occurs inside a CSS double quoted string.
-@@ -155,7 +159,7 @@ const (
- // authors & maintainers, not for end-users or machines.
- func isComment(s state) bool {
- 	switch s {
--	case stateHTMLCmt, stateJSBlockCmt, stateJSLineCmt, stateCSSBlockCmt, stateCSSLineCmt:
-+	case stateHTMLCmt, stateJSBlockCmt, stateJSLineCmt, stateJSHTMLOpenCmt, stateJSHTMLCloseCmt, stateCSSBlockCmt, stateCSSLineCmt:
- 		return true
- 	}
- 	return false
-diff --git a/src/html/template/escape.go b/src/html/template/escape.go
-index c262d1698de61..36021c0a8d7af 100644
---- a/src/html/template/escape.go
-+++ b/src/html/template/escape.go
-@@ -776,9 +776,12 @@ func (e *escaper) escapeText(c context, n *parse.TextNode) context {
- 		if c.state != c1.state && isComment(c1.state) && c1.delim == delimNone {
- 			// Preserve the portion between written and the comment start.
- 			cs := i1 - 2
--			if c1.state == stateHTMLCmt {
-+			if c1.state == stateHTMLCmt || c1.state == stateJSHTMLOpenCmt {
- 				// "<!--" instead of "/*" or "//"
- 				cs -= 2
-+			} else if c1.state == stateJSHTMLCloseCmt {
-+				// "-->" instead of "/*" or "//"
-+				cs -= 1
- 			}
- 			b.Write(s[written:cs])
- 			written = i1
-diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go
-index f8b2b448f2dfa..f60c875927011 100644
---- a/src/html/template/escape_test.go
-+++ b/src/html/template/escape_test.go
-@@ -503,6 +503,16 @@ func TestEscape(t *testing.T) {
- 			"<script>var a/*b*///c\nd</script>",
- 			"<script>var a \nd</script>",
- 		},
-+		{
-+			"JS HTML-like comments",
-+			"<script>before <!-- beep\nbetween\nbefore-->boop\n</script>",
-+			"<script>before \nbetween\nbefore\n</script>",
-+		},
-+		{
-+			"JS hashbang comment",
-+			"<script>#! beep\n</script>",
-+			"<script>\n</script>",
-+		},
- 		{
- 			"CSS comments",
- 			"<style>p// paragraph\n" +
-diff --git a/src/html/template/state_string.go b/src/html/template/state_string.go
-index 6fb1a6eeb0e74..be7a9205111f2 100644
---- a/src/html/template/state_string.go
-+++ b/src/html/template/state_string.go
-@@ -25,21 +25,23 @@ func _() {
- 	_ = x[stateJSRegexp-14]
- 	_ = x[stateJSBlockCmt-15]
- 	_ = x[stateJSLineCmt-16]
--	_ = x[stateCSS-17]
--	_ = x[stateCSSDqStr-18]
--	_ = x[stateCSSSqStr-19]
--	_ = x[stateCSSDqURL-20]
--	_ = x[stateCSSSqURL-21]
--	_ = x[stateCSSURL-22]
--	_ = x[stateCSSBlockCmt-23]
--	_ = x[stateCSSLineCmt-24]
--	_ = x[stateError-25]
--	_ = x[stateDead-26]
-+	_ = x[stateJSHTMLOpenCmt-17]
-+	_ = x[stateJSHTMLCloseCmt-18]
-+	_ = x[stateCSS-19]
-+	_ = x[stateCSSDqStr-20]
-+	_ = x[stateCSSSqStr-21]
-+	_ = x[stateCSSDqURL-22]
-+	_ = x[stateCSSSqURL-23]
-+	_ = x[stateCSSURL-24]
-+	_ = x[stateCSSBlockCmt-25]
-+	_ = x[stateCSSLineCmt-26]
-+	_ = x[stateError-27]
-+	_ = x[stateDead-28]
- }
- 
--const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSBqStrstateJSRegexpstateJSBlockCmtstateJSLineCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead"
-+const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSBqStrstateJSRegexpstateJSBlockCmtstateJSLineCmtstateJSHTMLOpenCmtstateJSHTMLCloseCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead"
- 
--var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 154, 167, 182, 196, 204, 217, 230, 243, 256, 267, 283, 298, 308, 317}
-+var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 154, 167, 182, 196, 214, 233, 241, 254, 267, 280, 293, 304, 320, 335, 345, 354}
- 
- func (i state) String() string {
- 	if i >= state(len(_state_index)-1) {
-diff --git a/src/html/template/transition.go b/src/html/template/transition.go
-index 92eb3519063c9..12aa4c41fec7b 100644
---- a/src/html/template/transition.go
-+++ b/src/html/template/transition.go
-@@ -14,32 +14,34 @@ import (
- // the updated context and the number of bytes consumed from the front of the
- // input.
- var transitionFunc = [...]func(context, []byte) (context, int){
--	stateText:        tText,
--	stateTag:         tTag,
--	stateAttrName:    tAttrName,
--	stateAfterName:   tAfterName,
--	stateBeforeValue: tBeforeValue,
--	stateHTMLCmt:     tHTMLCmt,
--	stateRCDATA:      tSpecialTagEnd,
--	stateAttr:        tAttr,
--	stateURL:         tURL,
--	stateSrcset:      tURL,
--	stateJS:          tJS,
--	stateJSDqStr:     tJSDelimited,
--	stateJSSqStr:     tJSDelimited,
--	stateJSBqStr:     tJSDelimited,
--	stateJSRegexp:    tJSDelimited,
--	stateJSBlockCmt:  tBlockCmt,
--	stateJSLineCmt:   tLineCmt,
--	stateCSS:         tCSS,
--	stateCSSDqStr:    tCSSStr,
--	stateCSSSqStr:    tCSSStr,
--	stateCSSDqURL:    tCSSStr,
--	stateCSSSqURL:    tCSSStr,
--	stateCSSURL:      tCSSStr,
--	stateCSSBlockCmt: tBlockCmt,
--	stateCSSLineCmt:  tLineCmt,
--	stateError:       tError,
-+	stateText:           tText,
-+	stateTag:            tTag,
-+	stateAttrName:       tAttrName,
-+	stateAfterName:      tAfterName,
-+	stateBeforeValue:    tBeforeValue,
-+	stateHTMLCmt:        tHTMLCmt,
-+	stateRCDATA:         tSpecialTagEnd,
-+	stateAttr:           tAttr,
-+	stateURL:            tURL,
-+	stateSrcset:         tURL,
-+	stateJS:             tJS,
-+	stateJSDqStr:        tJSDelimited,
-+	stateJSSqStr:        tJSDelimited,
-+	stateJSBqStr:        tJSDelimited,
-+	stateJSRegexp:       tJSDelimited,
-+	stateJSBlockCmt:     tBlockCmt,
-+	stateJSLineCmt:      tLineCmt,
-+	stateJSHTMLOpenCmt:  tLineCmt,
-+	stateJSHTMLCloseCmt: tLineCmt,
-+	stateCSS:            tCSS,
-+	stateCSSDqStr:       tCSSStr,
-+	stateCSSSqStr:       tCSSStr,
-+	stateCSSDqURL:       tCSSStr,
-+	stateCSSSqURL:       tCSSStr,
-+	stateCSSURL:         tCSSStr,
-+	stateCSSBlockCmt:    tBlockCmt,
-+	stateCSSLineCmt:     tLineCmt,
-+	stateError:          tError,
- }
- 
- var commentStart = []byte("<!--")
-@@ -263,7 +265,7 @@ func tURL(c context, s []byte) (context, int) {
- 
- // tJS is the context transition function for the JS state.
- func tJS(c context, s []byte) (context, int) {
--	i := bytes.IndexAny(s, "\"`'/")
-+	i := bytes.IndexAny(s, "\"`'/<-#")
- 	if i == -1 {
- 		// Entire input is non string, comment, regexp tokens.
- 		c.jsCtx = nextJSCtx(s, c.jsCtx)
-@@ -293,6 +295,26 @@ func tJS(c context, s []byte) (context, int) {
- 				err:   errorf(ErrSlashAmbig, nil, 0, "'/' could start a division or regexp: %.32q", s[i:]),
- 			}, len(s)
- 		}
-+	// ECMAScript supports HTML style comments for legacy reasons, see Appendix
-+	// B.1.1 "HTML-like Comments". The handling of these comments is somewhat
-+	// confusing. Multi-line comments are not supported, i.e. anything on lines
-+	// between the opening and closing tokens is not considered a comment, but
-+	// anything following the opening or closing token, on the same line, is
-+	// ignored. As such we simply treat any line prefixed with "<!--" or "-->"
-+	// as if it were actually prefixed with "//" and move on.
-+	case '<':
-+		if i+3 < len(s) && bytes.Equal(commentStart, s[i:i+4]) {
-+			c.state, i = stateJSHTMLOpenCmt, i+3
-+		}
-+	case '-':
-+		if i+2 < len(s) && bytes.Equal(commentEnd, s[i:i+3]) {
-+			c.state, i = stateJSHTMLCloseCmt, i+2
-+		}
-+	// ECMAScript also supports "hashbang" comment lines, see Section 12.5.
-+	case '#':
-+		if i+1 < len(s) && s[i+1] == '!' {
-+			c.state, i = stateJSLineCmt, i+1
-+		}
- 	default:
- 		panic("unreachable")
- 	}
-@@ -372,12 +394,12 @@ func tBlockCmt(c context, s []byte) (context, int) {
- 	return c, i + 2
- }
- 
--// tLineCmt is the context transition function for //comment states.
-+// tLineCmt is the context transition function for //comment states, and the JS HTML-like comment state.
- func tLineCmt(c context, s []byte) (context, int) {
- 	var lineTerminators string
- 	var endState state
- 	switch c.state {
--	case stateJSLineCmt:
-+	case stateJSLineCmt, stateJSHTMLOpenCmt, stateJSHTMLCloseCmt:
- 		lineTerminators, endState = "\n\r\u2028\u2029", stateJS
- 	case stateCSSLineCmt:
- 		lineTerminators, endState = "\n\f\r", stateCSS
diff --git a/0007-fix-CVE-2023-39319.patch b/0007-fix-CVE-2023-39319.patch
deleted file mode 100644
index 9debc5353401d248c8265d3410ec7208f8b31920..0000000000000000000000000000000000000000
--- a/0007-fix-CVE-2023-39319.patch
+++ /dev/null
@@ -1,247 +0,0 @@
-From 2070531d2f53df88e312edace6c8dfc9686ab2f5 Mon Sep 17 00:00:00 2001
-From: Roland Shoemaker <bracewell@google.com>
-Date: Thu, 3 Aug 2023 12:28:28 -0700
-Subject: [PATCH] [release-branch.go1.20] html/template: properly handle
- special tags within the script context
-
-The HTML specification has incredibly complex rules for how to handle
-"<!--", "<script", and "</script" when they appear within literals in
-the script context. Rather than attempting to apply these restrictions
-(which require a significantly more complex state machine) we apply
-the workaround suggested in section 4.12.1.3 of the HTML specification [1].
-
-More precisely, when "<!--", "<script", and "</script" appear within
-literals (strings and regular expressions, ignoring comments since we
-already elide their content) we replace the "<" with "\x3C". This avoids
-the unintuitive behavior that using these tags within literals can cause,
-by simply preventing the rendered content from triggering it. This may
-break some correct usages of these tags, but on balance is more likely
-to prevent XSS attacks where users are unknowingly either closing or not
-closing the script blocks where they think they are.
-
-Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for
-reporting this issue.
-
-Fixes #62197
-Fixes #62397
-Fixes CVE-2023-39319
-
-[1] https://html.spec.whatwg.org/#restrictions-for-contents-of-script-elements
-
-Change-Id: Iab57b0532694827e3eddf57a7497ba1fab1746dc
-Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1976594
-Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
-Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
-Reviewed-by: Damien Neil <dneil@google.com>
-Run-TryBot: Roland Shoemaker <bracewell@google.com>
-Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2014621
-TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
-Reviewed-on: https://go-review.googlesource.com/c/go/+/526099
-TryBot-Result: Gopher Robot <gobot@golang.org>
-Run-TryBot: Cherry Mui <cherryyz@google.com>
----
- src/go/build/deps_test.go        |  6 ++--
- src/html/template/context.go     | 14 ++++++++++
- src/html/template/escape.go      | 26 ++++++++++++++++++
- src/html/template/escape_test.go | 47 +++++++++++++++++++++++++++++++-
- src/html/template/transition.go  | 15 ++++++++++
- 5 files changed, 104 insertions(+), 4 deletions(-)
-
-diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go
-index 08452c7b1d27f..3e8fb9ea112d2 100644
---- a/src/go/build/deps_test.go
-+++ b/src/go/build/deps_test.go
-@@ -236,15 +236,15 @@ var depsRules = `
- 	< text/template
- 	< internal/lazytemplate;
- 
--	encoding/json, html, text/template
--	< html/template;
--
- 	# regexp
- 	FMT
- 	< regexp/syntax
- 	< regexp
- 	< internal/lazyregexp;
- 
-+	encoding/json, html, text/template, regexp
-+	< html/template;
-+
- 	# suffix array
- 	encoding/binary, regexp
- 	< index/suffixarray;
-diff --git a/src/html/template/context.go b/src/html/template/context.go
-index e07a0c4a027d0..7987713c65b61 100644
---- a/src/html/template/context.go
-+++ b/src/html/template/context.go
-@@ -174,6 +174,20 @@ func isInTag(s state) bool {
- 	return false
- }
- 
-+// isInScriptLiteral returns true if s is one of the literal states within a
-+// <script> tag, and as such occurances of "<!--", "<script", and "</script"
-+// need to be treated specially.
-+func isInScriptLiteral(s state) bool {
-+	// Ignore the comment states (stateJSBlockCmt, stateJSLineCmt,
-+	// stateJSHTMLOpenCmt, stateJSHTMLCloseCmt) because their content is already
-+	// omitted from the output.
-+	switch s {
-+	case stateJSDqStr, stateJSSqStr, stateJSBqStr, stateJSRegexp:
-+		return true
-+	}
-+	return false
-+}
-+
- // delim is the delimiter that will end the current HTML attribute.
- type delim uint8
- 
-diff --git a/src/html/template/escape.go b/src/html/template/escape.go
-index 36021c0a8d7af..ba898b8677c2e 100644
---- a/src/html/template/escape.go
-+++ b/src/html/template/escape.go
-@@ -10,6 +10,7 @@ import (
- 	"html"
- 	"internal/godebug"
- 	"io"
-+	"regexp"
- 	"text/template"
- 	"text/template/parse"
- )
-@@ -728,6 +729,26 @@ var delimEnds = [...]string{
- 	delimSpaceOrTagEnd: " \t\n\f\r>",
- }
- 
-+var (
-+	// Per WHATWG HTML specification, section 4.12.1.3, there are extremely
-+	// complicated rules for how to handle the set of opening tags <!--,
-+	// <script, and </script when they appear in JS literals (i.e. strings,
-+	// regexs, and comments). The specification suggests a simple solution,
-+	// rather than implementing the arcane ABNF, which involves simply escaping
-+	// the opening bracket with \x3C. We use the below regex for this, since it
-+	// makes doing the case-insensitive find-replace much simpler.
-+	specialScriptTagRE          = regexp.MustCompile("(?i)<(script|/script|!--)")
-+	specialScriptTagReplacement = []byte("\\x3C$1")
-+)
-+
-+func containsSpecialScriptTag(s []byte) bool {
-+	return specialScriptTagRE.Match(s)
-+}
-+
-+func escapeSpecialScriptTags(s []byte) []byte {
-+	return specialScriptTagRE.ReplaceAll(s, specialScriptTagReplacement)
-+}
-+
- var doctypeBytes = []byte("<!DOCTYPE")
- 
- // escapeText escapes a text template node.
-@@ -786,6 +807,11 @@ func (e *escaper) escapeText(c context, n *parse.TextNode) context {
- 			b.Write(s[written:cs])
- 			written = i1
- 		}
-+		if isInScriptLiteral(c.state) && containsSpecialScriptTag(s[i:i1]) {
-+			b.Write(s[written:i])
-+			b.Write(escapeSpecialScriptTags(s[i:i1]))
-+			written = i1
-+		}
- 		if i == i1 && c.state == c1.state {
- 			panic(fmt.Sprintf("infinite loop from %v to %v on %q..%q", c, c1, s[:i], s[i:]))
- 		}
-diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go
-index f60c875927011..8a4f62e92fae7 100644
---- a/src/html/template/escape_test.go
-+++ b/src/html/template/escape_test.go
-@@ -513,6 +513,21 @@ func TestEscape(t *testing.T) {
- 			"<script>#! beep\n</script>",
- 			"<script>\n</script>",
- 		},
-+		{
-+			"Special tags in <script> string literals",
-+			`<script>var a = "asd < 123 <!-- 456 < fgh <script jkl < 789 </script"</script>`,
-+			`<script>var a = "asd < 123 \x3C!-- 456 < fgh \x3Cscript jkl < 789 \x3C/script"</script>`,
-+		},
-+		{
-+			"Special tags in <script> string literals (mixed case)",
-+			`<script>var a = "<!-- <ScripT </ScripT"</script>`,
-+			`<script>var a = "\x3C!-- \x3CScripT \x3C/ScripT"</script>`,
-+		},
-+		{
-+			"Special tags in <script> regex literals (mixed case)",
-+			`<script>var a = /<!-- <ScripT </ScripT/</script>`,
-+			`<script>var a = /\x3C!-- \x3CScripT \x3C/ScripT/</script>`,
-+		},
- 		{
- 			"CSS comments",
- 			"<style>p// paragraph\n" +
-@@ -1533,8 +1548,38 @@ func TestEscapeText(t *testing.T) {
- 			context{state: stateJS, element: elementScript},
- 		},
- 		{
-+			// <script and </script tags are escaped, so </script> should not
-+			// cause us to exit the JS state.
- 			`<script>document.write("<script>alert(1)</script>");`,
--			context{state: stateText},
-+			context{state: stateJS, element: elementScript},
-+		},
-+		{
-+			`<script>document.write("<script>`,
-+			context{state: stateJSDqStr, element: elementScript},
-+		},
-+		{
-+			`<script>document.write("<script>alert(1)</script>`,
-+			context{state: stateJSDqStr, element: elementScript},
-+		},
-+		{
-+			`<script>document.write("<script>alert(1)<!--`,
-+			context{state: stateJSDqStr, element: elementScript},
-+		},
-+		{
-+			`<script>document.write("<script>alert(1)</Script>");`,
-+			context{state: stateJS, element: elementScript},
-+		},
-+		{
-+			`<script>document.write("<!--");`,
-+			context{state: stateJS, element: elementScript},
-+		},
-+		{
-+			`<script>let a = /</script`,
-+			context{state: stateJSRegexp, element: elementScript},
-+		},
-+		{
-+			`<script>let a = /</script/`,
-+			context{state: stateJS, element: elementScript, jsCtx: jsCtxDivOp},
- 		},
- 		{
- 			`<script type="text/template">`,
-diff --git a/src/html/template/transition.go b/src/html/template/transition.go
-index 12aa4c41fec7b..3d2a37cdd9901 100644
---- a/src/html/template/transition.go
-+++ b/src/html/template/transition.go
-@@ -214,6 +214,11 @@ var (
- // element states.
- func tSpecialTagEnd(c context, s []byte) (context, int) {
- 	if c.element != elementNone {
-+		// script end tags ("</script") within script literals are ignored, so that
-+		// we can properly escape them.
-+		if c.element == elementScript && (isInScriptLiteral(c.state) || isComment(c.state)) {
-+			return c, len(s)
-+		}
- 		if i := indexTagEnd(s, specialTagEndMarkers[c.element]); i != -1 {
- 			return context{}, i
- 		}
-@@ -353,6 +358,16 @@ func tJSDelimited(c context, s []byte) (context, int) {
- 			inCharset = true
- 		case ']':
- 			inCharset = false
-+		case '/':
-+			// If "</script" appears in a regex literal, the '/' should not
-+			// close the regex literal, and it will later be escaped to
-+			// "\x3C/script" in escapeText.
-+			if i > 0 && i+7 <= len(s) && bytes.Compare(bytes.ToLower(s[i-1:i+7]), []byte("</script")) == 0 {
-+				i++
-+			} else if !inCharset {
-+				c.state, c.jsCtx = stateJS, jsCtxDivOp
-+				return c, i + 1
-+			}
- 		default:
- 			// end delimiter
- 			if !inCharset {
diff --git a/0008-fix-CVE-2023-45285.patch b/0008-fix-CVE-2023-45285.patch
deleted file mode 100644
index d06267a733a069c1a387ce73bf4ed5de0e2e5ead..0000000000000000000000000000000000000000
--- a/0008-fix-CVE-2023-45285.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From 46bc33819ac86a9596b8059235842f0e0c7469bd Mon Sep 17 00:00:00 2001
-From: "Bryan C. Mills" <bcmills@google.com>
-Date: Thu, 2 Nov 2023 15:06:35 -0400
-Subject: [PATCH] [release-branch.go1.20] cmd/go/internal/vcs: error out if the
- requested repo does not support a secure protocol
-
-Updates #63845.
-Fixes #63972.
-
-Change-Id: If86d6b13d3b55877b35c087112bd76388c9404b8
-Reviewed-on: https://go-review.googlesource.com/c/go/+/539321
-Reviewed-by: Michael Matloob <matloob@golang.org>
-LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
-Reviewed-by: Roland Shoemaker <roland@golang.org>
-Auto-Submit: Bryan Mills <bcmills@google.com>
-(cherry picked from commit be26ae18caf7ddffca4073333f80d0d9e76483c3)
-Reviewed-on: https://go-review.googlesource.com/c/go/+/540335
-Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
-Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
----
- src/cmd/go/internal/vcs/vcs.go                | 25 +++++++++++++----
- .../script/mod_insecure_issue63845.txt        | 28 +++++++++++++++++++
- 2 files changed, 47 insertions(+), 6 deletions(-)
- create mode 100644 src/cmd/go/testdata/script/mod_insecure_issue63845.txt
-
-diff --git a/src/cmd/go/internal/vcs/vcs.go b/src/cmd/go/internal/vcs/vcs.go
-index 12ea0524826d8..695bb4b616da0 100644
---- a/src/cmd/go/internal/vcs/vcs.go
-+++ b/src/cmd/go/internal/vcs/vcs.go
-@@ -1179,18 +1179,31 @@ func repoRootFromVCSPaths(importPath string, security web.SecurityMode, vcsPaths
- 			var ok bool
- 			repoURL, ok = interceptVCSTest(repo, vcs, security)
- 			if !ok {
--				scheme := vcs.Scheme[0] // default to first scheme
--				if vcs.PingCmd != "" {
--					// If we know how to test schemes, scan to find one.
-+				scheme, err := func() (string, error) {
- 					for _, s := range vcs.Scheme {
- 						if security == web.SecureOnly && !vcs.isSecureScheme(s) {
- 							continue
- 						}
--						if vcs.Ping(s, repo) == nil {
--							scheme = s
--							break
-+
-+						// If we know how to ping URL schemes for this VCS,
-+						// check that this repo works.
-+						// Otherwise, default to the first scheme
-+						// that meets the requested security level.
-+						if vcs.PingCmd == "" {
-+							return s, nil
-+						}
-+						if err := vcs.Ping(s, repo); err == nil {
-+							return s, nil
- 						}
- 					}
-+					securityFrag := ""
-+					if security == web.SecureOnly {
-+						securityFrag = "secure "
-+					}
-+					return "", fmt.Errorf("no %sprotocol found for repository", securityFrag)
-+				}()
-+				if err != nil {
-+					return nil, err
- 				}
- 				repoURL = scheme + "://" + repo
- 			}
-diff --git a/src/cmd/go/testdata/script/mod_insecure_issue63845.txt b/src/cmd/go/testdata/script/mod_insecure_issue63845.txt
-new file mode 100644
-index 0000000000000..5fa6a4f12b81b
---- /dev/null
-+++ b/src/cmd/go/testdata/script/mod_insecure_issue63845.txt
-@@ -0,0 +1,28 @@
-+# Regression test for https://go.dev/issue/63845:
-+# If 'git ls-remote' fails for all secure protocols,
-+# we should fail instead of falling back to an arbitrary protocol.
-+#
-+# Note that this test does not use the local vcweb test server
-+# (vcs-test.golang.org), because the hook for redirecting to that
-+# server bypasses the "ping to determine protocol" logic
-+# in cmd/go/internal/vcs.
-+
-+[!net] skip
-+[!git] skip
-+[short] skip 'tries to access a nonexistent external Git repo'
-+
-+env GOPRIVATE=golang.org
-+env CURLOPT_TIMEOUT_MS=100
-+env GIT_SSH_COMMAND=false
-+
-+! go get -x golang.org/nonexist.git@latest
-+stderr '^git ls-remote https://golang.org/nonexist$'
-+stderr '^git ls-remote git\+ssh://golang.org/nonexist'
-+stderr '^git ls-remote ssh://golang.org/nonexist$'
-+! stderr 'git://'
-+stderr '^go: golang.org/nonexist.git@latest: no secure protocol found for repository$'
-+
-+-- go.mod --
-+module example
-+
-+go 1.19
diff --git a/0009-fix-CVE-2023-39325.patch b/0009-fix-CVE-2023-39325.patch
deleted file mode 100644
index a1e6e2b0ed4c31b42d4066b88ccd38196cbce172..0000000000000000000000000000000000000000
--- a/0009-fix-CVE-2023-39325.patch
+++ /dev/null
@@ -1,159 +0,0 @@
-From e175f27f58aa7b9cd4d79607ae65d2cd5baaee68 Mon Sep 17 00:00:00 2001
-From: Damien Neil <dneil@google.com>
-Date: Fri, 6 Oct 2023 14:16:27 -0700
-Subject: [PATCH] [release-branch.go1.20] net/http: regenerate h2_bundle.go
-
-Pull in a security fix from x/net/http2:
-http2: limit maximum handler goroutines to MaxConcurrentStreamso
-
-For #63417
-Fixes #63426
-Fixes CVE-2023-39325
-
-Change-Id: I6e32397323cd9b4114c990fcc9d19557a7f5f619
-Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2047401
-Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
-TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
-Run-TryBot: Damien Neil <dneil@google.com>
-Reviewed-by: Ian Cottrell <iancottrell@google.com>
-Reviewed-on: https://go-review.googlesource.com/c/go/+/534255
-Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
-Reviewed-by: Damien Neil <dneil@google.com>
-TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com>
-Reviewed-by: Michael Pratt <mpratt@google.com>
-Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
----
- src/cmd/internal/moddeps/moddeps_test.go |  2 +
- src/net/http/h2_bundle.go                | 66 +++++++++++++++++++++++-
- 2 files changed, 66 insertions(+), 2 deletions(-)
-
-diff --git a/src/cmd/internal/moddeps/moddeps_test.go b/src/cmd/internal/moddeps/moddeps_test.go
-index 41220645c6ed1..022c6ba4af20d 100644
---- a/src/cmd/internal/moddeps/moddeps_test.go
-+++ b/src/cmd/internal/moddeps/moddeps_test.go
-@@ -31,6 +31,8 @@ import (
- // See issues 36852, 41409, and 43687.
- // (Also see golang.org/issue/27348.)
- func TestAllDependencies(t *testing.T) {
-+	t.Skip("TODO(#63427): 1.21.3 contains unreleased changes from vendored modules")
-+
- 	goBin := testenv.GoToolPath(t)
- 
- 	// Ensure that all packages imported within GOROOT
-diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
-index 1e0b83d493a8e..1f6d264c16ecd 100644
---- a/src/net/http/h2_bundle.go
-+++ b/src/net/http/h2_bundle.go
-@@ -4320,9 +4320,11 @@ type http2serverConn struct {
- 	advMaxStreams               uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client
- 	curClientStreams            uint32 // number of open streams initiated by the client
- 	curPushedStreams            uint32 // number of open streams initiated by server push
-+	curHandlers                 uint32 // number of running handler goroutines
- 	maxClientStreamID           uint32 // max ever seen from client (odd), or 0 if there have been no client requests
- 	maxPushPromiseID            uint32 // ID of the last push promise (even), or 0 if there have been no pushes
- 	streams                     map[uint32]*http2stream
-+	unstartedHandlers           []http2unstartedHandler
- 	initialStreamSendWindowSize int32
- 	maxFrameSize                int32
- 	peerMaxHeaderListSize       uint32            // zero means unknown (default)
-@@ -4718,6 +4720,8 @@ func (sc *http2serverConn) serve() {
- 					return
- 				case http2gracefulShutdownMsg:
- 					sc.startGracefulShutdownInternal()
-+				case http2handlerDoneMsg:
-+					sc.handlerDone()
- 				default:
- 					panic("unknown timer")
- 				}
-@@ -4765,6 +4769,7 @@ var (
- 	http2idleTimerMsg        = new(http2serverMessage)
- 	http2shutdownTimerMsg    = new(http2serverMessage)
- 	http2gracefulShutdownMsg = new(http2serverMessage)
-+	http2handlerDoneMsg      = new(http2serverMessage)
- )
- 
- func (sc *http2serverConn) onSettingsTimer() { sc.sendServeMsg(http2settingsTimerMsg) }
-@@ -5759,8 +5764,7 @@ func (sc *http2serverConn) processHeaders(f *http2MetaHeadersFrame) error {
- 		}
- 	}
- 
--	go sc.runHandler(rw, req, handler)
--	return nil
-+	return sc.scheduleHandler(id, rw, req, handler)
- }
- 
- func (sc *http2serverConn) upgradeRequest(req *Request) {
-@@ -5780,6 +5784,10 @@ func (sc *http2serverConn) upgradeRequest(req *Request) {
- 		sc.conn.SetReadDeadline(time.Time{})
- 	}
- 
-+	// This is the first request on the connection,
-+	// so start the handler directly rather than going
-+	// through scheduleHandler.
-+	sc.curHandlers++
- 	go sc.runHandler(rw, req, sc.handler.ServeHTTP)
- }
- 
-@@ -6021,8 +6029,62 @@ func (sc *http2serverConn) newResponseWriter(st *http2stream, req *Request) *htt
- 	return &http2responseWriter{rws: rws}
- }
- 
-+type http2unstartedHandler struct {
-+	streamID uint32
-+	rw       *http2responseWriter
-+	req      *Request
-+	handler  func(ResponseWriter, *Request)
-+}
-+
-+// scheduleHandler starts a handler goroutine,
-+// or schedules one to start as soon as an existing handler finishes.
-+func (sc *http2serverConn) scheduleHandler(streamID uint32, rw *http2responseWriter, req *Request, handler func(ResponseWriter, *Request)) error {
-+	sc.serveG.check()
-+	maxHandlers := sc.advMaxStreams
-+	if sc.curHandlers < maxHandlers {
-+		sc.curHandlers++
-+		go sc.runHandler(rw, req, handler)
-+		return nil
-+	}
-+	if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) {
-+		return sc.countError("too_many_early_resets", http2ConnectionError(http2ErrCodeEnhanceYourCalm))
-+	}
-+	sc.unstartedHandlers = append(sc.unstartedHandlers, http2unstartedHandler{
-+		streamID: streamID,
-+		rw:       rw,
-+		req:      req,
-+		handler:  handler,
-+	})
-+	return nil
-+}
-+
-+func (sc *http2serverConn) handlerDone() {
-+	sc.serveG.check()
-+	sc.curHandlers--
-+	i := 0
-+	maxHandlers := sc.advMaxStreams
-+	for ; i < len(sc.unstartedHandlers); i++ {
-+		u := sc.unstartedHandlers[i]
-+		if sc.streams[u.streamID] == nil {
-+			// This stream was reset before its goroutine had a chance to start.
-+			continue
-+		}
-+		if sc.curHandlers >= maxHandlers {
-+			break
-+		}
-+		sc.curHandlers++
-+		go sc.runHandler(u.rw, u.req, u.handler)
-+		sc.unstartedHandlers[i] = http2unstartedHandler{} // don't retain references
-+	}
-+	sc.unstartedHandlers = sc.unstartedHandlers[i:]
-+	if len(sc.unstartedHandlers) == 0 {
-+		sc.unstartedHandlers = nil
-+	}
-+}
-+
- // Run on its own goroutine.
- func (sc *http2serverConn) runHandler(rw *http2responseWriter, req *Request, handler func(ResponseWriter, *Request)) {
-+	defer sc.sendServeMsg(http2handlerDoneMsg)
- 	didPanic := true
- 	defer func() {
- 		rw.rws.stream.cancelCtx()
diff --git a/golang.spec b/golang.spec
index 7dbbeb9487e8560658f2aaf4f3a6d4e0cbc8f699..7ccdfd87ae8c9e5a1c79c8f675a01714ccc96041 100644
--- a/golang.spec
+++ b/golang.spec
@@ -1,7 +1,7 @@
 # after we have putting golang into repo, we should shift bootstrap closing.
 %bcond_without bootstrap
 
-%global baserelease 8
+%global baserelease 1
 
 %global golibdir %{_libdir}/golang
 
@@ -75,7 +75,7 @@
 
 
 Name:           golang
-Version:        1.20.6
+Version:        1.21.7
 Release:        %{baserelease}%{?dist}
 Summary:        An open source programming language supported by Google
 License:        BSD and Public Domain
@@ -83,24 +83,8 @@ URL:            https://go.dev
 Source0:        https://go.dev/dl/go%{version}.src.tar.gz
 Source2:        golang-gdbinit
 
-# fix CVE-2023-29409 CVE-2023-39533
-# remove it when upgrade to 1.21
-Patch0001:      0001-crypto-tls-restrict-RSA-keys-in-certificates-to-8192.patch
-#upstream:https://github.com/golang/go/commit/31d5b604ac0adb58aec4870ac1b974c08312fd49
-Patch0002:      0002-fix-CVE-2023-39323.patch
-#upstream:https://github.com/golang/go/commit/6446af942e2e2b161c4ec1b60d9703a2b55dc4dd
-Patch0003:      0005-fix-CVE-2023-39326.patch
-#upstream:https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c
-Patch0004:      0006-fix-CVE-2023-39318.patch
-#upstream:https://github.com/golang/go/commit/2070531d2f53df88e312edace6c8dfc9686ab2f5
-Patch0005:      0007-fix-CVE-2023-39319.patch
-#upstream:https://github.com/golang/go/commit/46bc33819ac86a9596b8059235842f0e0c7469bd
-Patch0006:      0008-fix-CVE-2023-45285.patch
-#upstream:https://github.com/golang/go/commit/e175f27f58aa7b9cd4d79607ae65d2cd5baaee68
-Patch0007:      0009-fix-CVE-2023-39325.patch
-
-Patch3000:      0003-cmd-go-disable-Google-s-proxy-and-sumdb.patch
-Patch3001:      0004-cmd-link-use-gold-on-ARM-ARM64-only-if-gold-is-avail.patch
+Patch3000:      0001-Modify-go.env.patch
+Patch3001:      0002-cmd-link-use-gold-on-ARM-ARM64-only-if-gold-is-avail.patch
 
 # The compiler is written in Go. Needs go(1.4+) compiler for self-building.
 %if %{with bootstrap}
@@ -204,7 +188,7 @@ This package includes compiler and other tools of Go.
 
 %build
 %if %{with bootstrap}
-export GOROOT_BOOTSTRAP=/tmp
+export GOROOT_BOOTSTRAP=/
 %else
 export GOROOT_BOOTSTRAP=%{goroot}
 %endif
@@ -362,6 +346,9 @@ fi
 
 
 %changelog
+* Mon Mar 18 2024 jackeyji <jackeyji@tencent.com> - 1.21.7-1
+- update to 1.21.7 for the last version is end of full support
+
 * Wed Jan 10 2024 jackeyji <jackeyji@tencent.com> - 1.20.6-8
 - fix CVE-2023-39325
 
diff --git a/sources b/sources
index d3e029a122812e5dadccc308636495136f9d3bf6..32a2d50a7d99f8429150058467da4aca128678c5 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (go1.20.6.src.tar.gz) = 509ade7c2a76bd46b26dda4522692ceef5023aae21461b866006341f98544e7ea755aee230a9fea789ed7afb1c49a693c34c8337892e308dfb051aef2b08c975
+SHA512 (go1.21.7.src.tar.gz) = 5cadc458265deea2650fbbc5b0652e19e858fa7a7b929ea717e82ee4be2af45214a9dfc5b8b799003e83b92aa80141962a472d1d4f0653e97e99df5b68c88e5d