diff --git a/.gitignore b/.gitignore
index 3334520..ceb3ab9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/go-go-1.16.6-3-openssl-fips.tar.gz
+SOURCES/go-go-1.16.7-1-openssl-fips.tar.gz
diff --git a/.golang.metadata b/.golang.metadata
index 771796a..413c971 100644
--- a/.golang.metadata
+++ b/.golang.metadata
@@ -1 +1 @@
-97a713b08ed6438c1b488c29fb4c1b2d654831c8 SOURCES/go-go-1.16.6-3-openssl-fips.tar.gz
+e693273f254789980a55720bd48ac8741d446f21 SOURCES/go-go-1.16.7-1-openssl-fips.tar.gz
diff --git a/SOURCES/reject-leading-zeros.patch b/SOURCES/reject-leading-zeros.patch
new file mode 100644
index 0000000..24fa6c8
--- /dev/null
+++ b/SOURCES/reject-leading-zeros.patch
@@ -0,0 +1,109 @@
+diff --git a/doc/go1.16.html b/doc/go1.16.html
+index 0beb62d..fc6b668 100644
+--- a/doc/go1.16.html
++++ b/doc/go1.16.html
+@@ -891,6 +891,14 @@ func TestFoo(t *testing.T) {
+ is missing; this is common on musl-based systems and makes
+ Go programs match the behavior of C programs on those systems.
+

++

++ The ParseIP and ParseCIDR
++ functions now reject IPv4 addresses which contain decimal components with leading zeros.
++ These components were always interpreted as decimal, but some operating systems treat them as octal.
++ This mismatch could hypothetically lead to security issues if a Go application was used to validate IP addresses
++ which were then used in their original form with non-Go applications which interpreted components as octal. Generally,
++ it is advisable to always re-encoded values after validation, which avoids this class of parser misalignment issues.
++

+
+
+
+diff --git a/src/net/hosts_test.go b/src/net/hosts_test.go
+index f850e2f..19c4399 100644
+--- a/src/net/hosts_test.go
++++ b/src/net/hosts_test.go
+@@ -36,7 +36,7 @@ var lookupStaticHostTests = []struct {
+ },
+ },
+ {
+- "testdata/ipv4-hosts", // see golang.org/issue/8996
++ "testdata/ipv4-hosts",
+ []staticHostEntry{
+ {"localhost", []string{"127.0.0.1", "127.0.0.2", "127.0.0.3"}},
+ {"localhost.localdomain", []string{"127.0.0.3"}},
+@@ -102,7 +102,7 @@ var lookupStaticAddrTests = []struct {
+ },
+ },
+ {
+- "testdata/ipv4-hosts", // see golang.org/issue/8996
++ "testdata/ipv4-hosts",
+ []staticHostEntry{
+ {"127.0.0.1", []string{"localhost"}},
+ {"127.0.0.2", []string{"localhost"}},
+diff --git a/src/net/ip.go b/src/net/ip.go
+index c00fe8e..007f3f7 100644
+--- a/src/net/ip.go
++++ b/src/net/ip.go
+@@ -552,6 +552,10 @@ func parseIPv4(s string) IP {
+ if !ok || n > 0xFF {
+ return nil
+ }
++ if c > 1 && s[0] == '0' {
++ // Reject non-zero components with leading zeroes.
++ return nil
++ }
+ s = s[c:]
+ p[i] = byte(n)
+ }
+diff --git a/src/net/ip_test.go b/src/net/ip_test.go
+index a5fc5e6..585381d 100644
+--- a/src/net/ip_test.go
++++ b/src/net/ip_test.go
+@@ -20,9 +20,7 @@ var parseIPTests = []struct {
+ }{
+ {"127.0.1.2", IPv4(127, 0, 1, 2)},
+ {"127.0.0.1", IPv4(127, 0, 0, 1)},
+- {"127.001.002.003", IPv4(127, 1, 2, 3)},
+ {"::ffff:127.1.2.3", IPv4(127, 1, 2, 3)},
+- {"::ffff:127.001.002.003", IPv4(127, 1, 2, 3)},
+ {"::ffff:7f01:0203", IPv4(127, 1, 2, 3)},
+ {"0:0:0:0:0000:ffff:127.1.2.3", IPv4(127, 1, 2, 3)},
+ {"0:0:0:0:000000:ffff:127.1.2.3", IPv4(127, 1, 2, 3)},
+@@ -42,6 +40,11 @@ var parseIPTests = []struct {
+ {"fe80::1%911", nil},
+ {"", nil},
+ {"a1:a2:a3:a4::b1:b2:b3:b4", nil}, // Issue 6628
++ {"127.001.002.003", nil},
++ {"::ffff:127.001.002.003", nil},
++ {"123.000.000.000", nil},
++ {"1.2..4", nil},
++ {"0123.0.0.1", nil},
+ }
+
+ func TestParseIP(t *testing.T) {
+@@ -357,6 +360,7 @@ var parseCIDRTests = []struct {
+ {"0.0.-2.0/32", nil,
nil, &ParseError{Type: "CIDR address", Text: "0.0.-2.0/32"}},
+ {"0.0.0.-3/32", nil, nil, &ParseError{Type: "CIDR address", Text: "0.0.0.-3/32"}},
+ {"0.0.0.0/-0", nil, nil, &ParseError{Type: "CIDR address", Text: "0.0.0.0/-0"}},
++ {"127.000.000.001/32", nil, nil, &ParseError{Type: "CIDR address", Text: "127.000.000.001/32"}},
+ {"", nil, nil, &ParseError{Type: "CIDR address", Text: ""}},
+ }
+
+diff --git a/src/net/testdata/ipv4-hosts b/src/net/testdata/ipv4-hosts
+index 5208bb4..6b99675 100644
+--- a/src/net/testdata/ipv4-hosts
++++ b/src/net/testdata/ipv4-hosts
+@@ -1,12 +1,8 @@
+ # See https://tools.ietf.org/html/rfc1123.
+-#
+-# The literal IPv4 address parser in the net package is a relaxed
+-# one. It may accept a literal IPv4 address in dotted-decimal notation
+-# with leading zeros such as "001.2.003.4".
+
+ # internet address and host name
+ 127.0.0.1 localhost # inline comment separated by tab
+-127.000.000.002 localhost # inline comment separated by space
++127.0.0.2 localhost # inline comment separated by space
+
+ # internet address, host name and aliases
+-127.000.000.003 localhost localhost.localdomain
++127.0.0.3 localhost localhost.localdomain
diff --git a/SPECS/golang.spec b/SPECS/golang.spec
index e45fb19..d266a66 100644
--- a/SPECS/golang.spec
+++ b/SPECS/golang.spec
@@ -96,12 +96,12 @@
 %endif
 %global go_api 1.16
-%global go_version 1.16.6
-%global pkg_release 3
+%global go_version 1.16.7
+%global pkg_release 1
 Name: golang
 Version: %{go_version}
-Release: 2%{?dist}
+Release: 1%{?dist}
 Summary: The Go Programming Language
 # source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain
 License: BSD and Public Domain
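Review bot: The comment added in parseIPv4, `// Reject non-zero components with leading zeroes.`, is narrower than the check it describes: `c > 1 && s[0] == '0'` rejects every multi-digit component that begins with '0', including all-zero components such as the `000` in the new `{"123.000.000.000", nil}` and `127.000.000.001/32` test cases. Suggest `// Reject any multi-digit component that starts with '0' (including "00"); other parsers may read such components as octal.` so the comment agrees with the tests. The release-note paragraph in the same patch also has a typo, `always re-encoded values` should read `always re-encode values`. parseIPv4 starts and ends outside this hunk.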
@@ -145,6 +145,11 @@ Patch221: fix_TestScript_list_std.patch # rhbz#1889437
 Patch223: golang-1.15-warnCN.patch
+# Fix incorrect parsing of extraneous zeros in net/ip
+# https://bugzilla.redhat.com/show_bug.cgi?id=1993316
+# https://go-review.googlesource.com/c/go/+/325829
+Patch1993316: reject-leading-zeros.patch
+
 Patch1939923: skip_test_rhbz1939923.patch
 # Fix FIPS mode memory leaks
@@ -247,6 +252,8 @@ Requires: %{name} = %{version}-%{release}
 %patch1939923 -p1
+%patch1993316 -p1
+
 %patch1951877 -p1
@@ -516,6 +523,12 @@ cd ..
 %endif
 %changelog
+* Tue Aug 17 2021 David Benoit - 1.16.7-1
+- Rebase to Go 1.16.7
+- Resolves: rhbz#1994079
+- Add reject leading zeros patch
+- Resolves: rhbz#1993314
+
 * Wed Jul 21 2021 Derek Parker - 1.16.6-2
 - Fix TestBoringServerCurves failure when run by itself
 - Resolves: rhbz#1976168
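Review bot: The Bugzilla id in the new patch comment, `# https://bugzilla.redhat.com/show_bug.cgi?id=1993316` (and the `Patch1993316` tag named after it), does not match the `- Resolves: rhbz#1993314` line in the changelog entry later in this file, so one of the two ids looks mistyped. Either reconcile them or, if both bugs are real, add the second id to the comment block so the patch header and the changelog reference the same tracker. The `%patch1993316 -p1` line in the next hunk is consistent with the tag, so only the bug reference needs attention.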