crypto/tls: ALPN negotiation error contains attacker controlled information

[rolandshoemaker]

When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped. We expect most logging software filters control characters and such, so the impact for this is relatively limited, hence we are treating this as a PUBLIC track issue, per the Go Security Policy (https://go.dev/security/policy).

This is CVE-2025-58189.

[gopherbot]

Change https://go.dev/cl/707776 mentions this issue: crypto/tls: quote protocols in ALPN error message

[rolandshoemaker]

@gopherbot please open backport issues.

[gopherbot]

Backport issue(s) opened: #75660 (for 1.24), #75661 (for 1.25).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[gopherbot]

Change https://go.dev/cl/708095 mentions this issue: [release-branch.go1.25] crypto/tls: quote protocols in ALPN error message

[gopherbot]

Change https://go.dev/cl/708096 mentions this issue: [release-branch.go1.24] crypto/tls: quote protocols in ALPN error message