diff --git a/.gitignore b/.gitignore
index 14bfefd..f7645d8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/go1.8.3.src.tar.gz
+SOURCES/go1.9.4.src.tar.gz
diff --git a/.golang.metadata b/.golang.metadata
index 8d807c9..d53aad3 100644
--- a/.golang.metadata
+++ b/.golang.metadata
@@ -1 +1 @@
-7c3b942c58a44396ff1d205d0e6e72770792d626 SOURCES/go1.8.3.src.tar.gz
+12b0ecee83525cd594f4fbf30380d4832e06f189 SOURCES/go1.9.4.src.tar.gz
diff --git a/SOURCES/31bit-OID-asn1.patch b/SOURCES/31bit-OID-asn1.patch
deleted file mode 100644
index 4d01b3d..0000000
--- a/SOURCES/31bit-OID-asn1.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From 94aba76639cf4d5e30975d846bb0368db8202269 Mon Sep 17 00:00:00 2001
-From: Monis Khan <mkhan@redhat.com>
-Date: Wed, 12 Apr 2017 16:00:58 -0400
-Subject: [PATCH] encoding/asn1: support 31 bit identifiers with OID
-
-The current implementation uses a max of 28 bits when decoding an
-ObjectIdentifier.  This change makes it so that an int64 is used to
-accumulate up to 35 bits.  If the resulting data would not overflow
-an int32, it is used as an int.  Thus up to 31 bits may be used to
-represent each subidentifier of an ObjectIdentifier.
-
-Fixes #19933
-
-Change-Id: I95d74b64b24cdb1339ff13421055bce61c80243c
-Reviewed-on: https://go-review.googlesource.com/40436
-Reviewed-by: Adam Langley <agl@golang.org>
-Run-TryBot: Adam Langley <agl@golang.org>
----
- src/encoding/asn1/asn1.go      | 15 ++++++++++++---
- src/encoding/asn1/asn1_test.go |  3 +++
- 2 files changed, 15 insertions(+), 3 deletions(-)
-
-diff --git a/src/encoding/asn1/asn1.go b/src/encoding/asn1/asn1.go
-index c2c0ee420ac..65f018d0148 100644
---- a/src/encoding/asn1/asn1.go
-+++ b/src/encoding/asn1/asn1.go
-@@ -22,6 +22,7 @@ package asn1
- import (
- 	"errors"
- 	"fmt"
-+	"math"
- 	"math/big"
- 	"reflect"
- 	"strconv"
-@@ -293,16 +294,24 @@ type Flag bool
- // given byte slice. It returns the value and the new offset.
- func parseBase128Int(bytes []byte, initOffset int) (ret, offset int, err error) {
- 	offset = initOffset
-+	var ret64 int64
- 	for shifted := 0; offset < len(bytes); shifted++ {
--		if shifted == 4 {
-+		// 5 * 7 bits per byte == 35 bits of data
-+		// Thus the representation is either non-minimal or too large for an int32
-+		if shifted == 5 {
- 			err = StructuralError{"base 128 integer too large"}
- 			return
- 		}
--		ret <<= 7
-+		ret64 <<= 7
- 		b := bytes[offset]
--		ret |= int(b & 0x7f)
-+		ret64 |= int64(b & 0x7f)
- 		offset++
- 		if b&0x80 == 0 {
-+			ret = int(ret64)
-+			// Ensure that the returned value fits in an int on all platforms
-+			if ret64 > math.MaxInt32 {
-+				err = StructuralError{"base 128 integer too large"}
-+			}
- 			return
- 		}
- 	}
-diff --git a/src/encoding/asn1/asn1_test.go b/src/encoding/asn1/asn1_test.go
-index 9976656df89..2dd799f2362 100644
---- a/src/encoding/asn1/asn1_test.go
-+++ b/src/encoding/asn1/asn1_test.go
-@@ -7,6 +7,7 @@ package asn1
- import (
- 	"bytes"
- 	"fmt"
-+	"math"
- 	"math/big"
- 	"reflect"
- 	"strings"
-@@ -386,6 +387,8 @@ var tagAndLengthData = []tagAndLengthTest{
- 	{[]byte{0xa0, 0x81, 0x7f}, false, tagAndLength{}},
- 	// Tag numbers which would overflow int32 are rejected. (The value below is 2^31.)
- 	{[]byte{0x1f, 0x88, 0x80, 0x80, 0x80, 0x00, 0x00}, false, tagAndLength{}},
-+	// Tag numbers that fit in an int32 are valid. (The value below is 2^31 - 1.)
-+	{[]byte{0x1f, 0x87, 0xFF, 0xFF, 0xFF, 0x7F, 0x00}, true, tagAndLength{tag: math.MaxInt32}},
- 	// Long tag number form may not be used for tags that fit in short form.
- 	{[]byte{0x1f, 0x1e, 0x00}, false, tagAndLength{}},
- }
diff --git a/SOURCES/dlink-aarch64-test-fail.patch b/SOURCES/dlink-aarch64-test-fail.patch
deleted file mode 100644
index c9cd3a1..0000000
--- a/SOURCES/dlink-aarch64-test-fail.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-diff -up go/misc/cgo/testshared/shared_test.go.dlink go/misc/cgo/testshared/shared_test.go
---- go/misc/cgo/testshared/shared_test.go.dlink	2017-06-01 15:31:59.414045543 +0200
-+++ go/misc/cgo/testshared/shared_test.go	2017-06-01 15:32:35.330926128 +0200
-@@ -167,11 +167,11 @@ func TestMain(m *testing.M) {
- 	os.Unsetenv("GOBIN")
- 
- 	flag.Parse()
--	exitCode, err := testMain(m)
--	if err != nil {
--		log.Fatal(err)
--	}
--	os.Exit(exitCode)
-+	// exitCode, err := testMain(m)
-+	//if err != nil {
-+	//	log.Fatal(err)
-+	//}
-+	os.Exit(0)
- }
- 
- // The shared library was built at the expected location.
diff --git a/SOURCES/dlink-test-fail.patch b/SOURCES/dlink-test-fail.patch
deleted file mode 100644
index 92f1d82..0000000
--- a/SOURCES/dlink-test-fail.patch
+++ /dev/null
@@ -1,9 +0,0 @@
-diff -up go/misc/cgo/test/cgo_unix_test.go.dlink go/misc/cgo/test/cgo_unix_test.go
---- go/misc/cgo/test/cgo_unix_test.go.dlink	2017-06-01 15:05:24.898346937 +0200
-+++ go/misc/cgo/test/cgo_unix_test.go	2017-06-01 15:05:37.762304168 +0200
-@@ -10,4 +10,4 @@ import "testing"
- 
- func TestSigaltstack(t *testing.T) { testSigaltstack(t) }
- func TestSigprocmask(t *testing.T) { testSigprocmask(t) }
--func Test18146(t *testing.T)       { test18146(t) }
-+func Test18146(t *testing.T)       {}
diff --git a/SOURCES/golang-1.2-verbose-build.patch b/SOURCES/golang-1.2-verbose-build.patch
index e9c5edf..c9dbba2 100644
--- a/SOURCES/golang-1.2-verbose-build.patch
+++ b/SOURCES/golang-1.2-verbose-build.patch
@@ -1,8 +1,7 @@
-Index: go/src/make.bash
-===================================================================
---- go.orig/src/make.bash
-+++ go/src/make.bash
-@@ -153,12 +153,12 @@ if [ "$GOHOSTARCH" != "$GOARCH" -o "$GOHOSTOS" != "$GOOS" ]; then
+diff -up go/src/make.bash.verbose go/src/make.bash
+--- go/src/make.bash.verbose	2017-07-11 12:00:09.513553508 +0200
++++ go/src/make.bash	2017-07-11 12:01:25.288245720 +0200
+@@ -167,7 +167,7 @@ if [ "$GOHOSTARCH" != "$GOARCH" -o "$GOH
  	# CC_FOR_TARGET is recorded as the default compiler for the go tool. When building for the host, however,
  	# use the host compiler, CC, from `cmd/dist/dist env` instead.
  	CC=$CC GOOS=$GOHOSTOS GOARCH=$GOHOSTARCH \
@@ -11,9 +10,12 @@ Index: go/src/make.bash
  	echo
  fi
  
- echo "##### Building packages and commands for $GOOS/$GOARCH."
+@@ -175,7 +175,7 @@ echo "##### Building packages and comman
+ 
+ old_bin_files=$(cd $GOROOT/bin && echo *)
+ 
 -CC=$CC_FOR_TARGET "$GOTOOLDIR"/go_bootstrap install $GO_FLAGS -gcflags "$GO_GCFLAGS" -ldflags "$GO_LDFLAGS" -v std cmd
 +CC=$CC_FOR_TARGET "$GOTOOLDIR"/go_bootstrap install $GO_FLAGS -gcflags "$GO_GCFLAGS" -ldflags "$GO_LDFLAGS" -v -x std cmd
- echo
  
- rm -f "$GOTOOLDIR"/go_bootstrap
+ # Check that there are no new files in $GOROOT/bin other than go and gofmt
+ # and $GOOS_$GOARCH (a directory used when cross-compiling).
diff --git a/SOURCES/golang-1.5-bootstrap-binary-path.patch b/SOURCES/golang-1.5-bootstrap-binary-path.patch
index d0e1f34..af7d069 100644
--- a/SOURCES/golang-1.5-bootstrap-binary-path.patch
+++ b/SOURCES/golang-1.5-bootstrap-binary-path.patch
@@ -1,36 +1,37 @@
 diff -up go/src/cmd/dist/buildtool.go.bootstrap go/src/cmd/dist/buildtool.go
---- go/src/cmd/dist/buildtool.go.bootstrap	2016-10-24 12:54:57.620563325 +0200
-+++ go/src/cmd/dist/buildtool.go	2016-10-24 13:12:25.036466602 +0200
-@@ -131,17 +131,25 @@ func bootstrapBuildTools() {
+--- go/src/cmd/dist/buildtool.go.bootstrap	2017-07-11 12:05:00.041373419 +0200
++++ go/src/cmd/dist/buildtool.go	2017-07-11 12:07:27.141775914 +0200
+@@ -153,18 +153,26 @@ func bootstrapBuildTools() {
  	defer os.Setenv("GOBIN", os.Getenv("GOBIN"))
  	os.Setenv("GOBIN", "")
  
-+	hostos := os.Getenv("GOHOSTOS")
-+	hostarch := os.Getenv("GOHOSTARCH")
++    hostos := os.Getenv("GOHOSTOS")
++    hostarch := os.Getenv("GOHOSTARCH")
 +
  	os.Setenv("GOOS", "")
  	os.Setenv("GOHOSTOS", "")
  	os.Setenv("GOARCH", "")
  	os.Setenv("GOHOSTARCH", "")
  
-+	bingopath := pathf("%s/bin/%s_%s/go", goroot_bootstrap, hostos, hostarch)
-+	if _, err := os.Stat(bingopath); os.IsNotExist(err) {
-+		bingopath = pathf("%s/bin/go", goroot_bootstrap)
-+	}
++    bingopath := pathf("%s/bin/%s_%s/go", goroot_bootstrap, hostos, hostarch)
++    if _, err := os.Stat(bingopath); os.IsNotExist(err) {
++       bingopath = pathf("%s/bin/go", goroot_bootstrap)
++    }
 +
  	// Run Go 1.4 to build binaries. Use -gcflags=-l to disable inlining to
  	// workaround bugs in Go 1.4's compiler. See discussion thread:
  	// https://groups.google.com/d/msg/golang-dev/Ss7mCKsvk8w/Gsq7VYI0AwAJ
  	// Use the math_big_pure_go build tag to disable the assembly in math/big
  	// which may contain unsupported instructions.
--	run(workspace, ShowOutput|CheckExit, pathf("%s/bin/go", goroot_bootstrap), "install", "-gcflags=-l", "-tags=math_big_pure_go", "-v", "bootstrap/cmd/...")
-+	run(workspace, ShowOutput|CheckExit, bingopath, "install", "-gcflags=-l", "-v", "-tags=math_big_pure_go", "bootstrap/...")
- 
- 	// Copy binaries into tool binary directory.
- 	for _, name := range bootstrapDirs {
+ 	cmd := []string{
+-		pathf("%s/bin/go", goroot_bootstrap),
++		bingopath,
+ 		"install",
+ 		"-gcflags=-l",
+ 		"-tags=math_big_pure_go",
 diff -up go/src/make.bash.bootstrap go/src/make.bash
---- go/src/make.bash.bootstrap	2016-10-24 12:54:57.606563267 +0200
-+++ go/src/make.bash	2016-10-24 12:54:57.620563325 +0200
+--- go/src/make.bash.bootstrap	2017-07-11 12:05:00.036373439 +0200
++++ go/src/make.bash	2017-07-11 12:05:00.041373419 +0200
 @@ -120,8 +120,15 @@ echo '##### Building Go bootstrap tool.'
  echo cmd/dist
  export GOROOT="$(cd .. && pwd)"
@@ -49,7 +50,7 @@ diff -up go/src/make.bash.bootstrap go/src/make.bash
  	echo "Set \$GOROOT_BOOTSTRAP to a working Go tree >= Go 1.4." >&2
  	exit 1
  fi
-@@ -130,8 +137,6 @@ if [ "$GOROOT_BOOTSTRAP" == "$GOROOT" ];
+@@ -130,8 +137,6 @@ if [ "$GOROOT_BOOTSTRAP" = "$GOROOT" ];
  	echo "Set \$GOROOT_BOOTSTRAP to a working Go tree >= Go 1.4." >&2
  	exit 1
  fi
diff --git a/SOURCES/use-buildmode-pie-for-pie-testing.patch b/SOURCES/use-buildmode-pie-for-pie-testing.patch
new file mode 100644
index 0000000..9f0db0e
--- /dev/null
+++ b/SOURCES/use-buildmode-pie-for-pie-testing.patch
@@ -0,0 +1,51 @@
+diff -up go/src/cmd/dist/test.go.pie go/src/cmd/dist/test.go
+--- go/src/cmd/dist/test.go.pie	2017-10-25 20:30:21.000000000 +0200
++++ go/src/cmd/dist/test.go	2017-11-03 16:47:55.290829798 +0100
+@@ -852,6 +852,16 @@ func (t *tester) supportedBuildmode(mode
+ 			return true
+ 		}
+ 		return false
++	case "pie":
++		switch pair {
++		case "linux-386", "linux-amd64", "linux-arm", "linux-arm64", "linux-ppc64le", "linux-s390x",
++			"android-amd64", "android-arm", "android-arm64", "android-386":
++			return true
++		case "darwin-amd64":
++			return true
++		}
++		return false
++
+ 	default:
+ 		log.Fatalf("internal error: unknown buildmode %s", mode)
+ 		return false
+@@ -953,24 +963,16 @@ func (t *tester) cgoTest(dt *distTest) e
+ 				}
+ 			}
+ 
+-			if pair != "freebsd-amd64" { // clang -pie fails to link misc/cgo/test
+-				cmd := t.dirCmd("misc/cgo/test",
+-					cc, "-xc", "-o", "/dev/null", "-pie", "-")
++			if t.supportedBuildmode("pie") {
++				cmd = t.addCmd(dt, "misc/cgo/test", "go", "test", "-buildmode=pie")
+ 				cmd.Env = env
+-				cmd.Stdin = strings.NewReader("int main() {}")
+-				if err := cmd.Run(); err != nil {
+-					fmt.Println("No support for -pie found, skip cgo PIE test.")
+-				} else {
+-					cmd = t.addCmd(dt, "misc/cgo/test", "go", "test", "-ldflags", `-linkmode=external -extldflags "-pie"`)
+-					cmd.Env = env
+ 
+-					cmd = t.addCmd(dt, "misc/cgo/testtls", "go", "test", "-ldflags", `-linkmode=external -extldflags "-pie"`)
+-					cmd.Env = env
++				cmd = t.addCmd(dt, "misc/cgo/testtls", "go", "test", "-buildmode=pie")
++				cmd.Env = env
+ 
+-					cmd = t.addCmd(dt, "misc/cgo/nocgo", "go", "test", "-ldflags", `-linkmode=external -extldflags "-pie"`)
+-					cmd.Env = env
++				cmd = t.addCmd(dt, "misc/cgo/nocgo", "go", "test", "-buildmode=pie")
++				cmd.Env = env
+ 
+-				}
+ 			}
+ 		}
+ 	}
diff --git a/SOURCES/use-no-pie-where-needed.patch b/SOURCES/use-no-pie-where-needed.patch
new file mode 100644
index 0000000..a1da37f
--- /dev/null
+++ b/SOURCES/use-no-pie-where-needed.patch
@@ -0,0 +1,39 @@
+diff -up go/misc/cgo/testcarchive/carchive_test.go.orig go/misc/cgo/testcarchive/carchive_test.go
+--- go/misc/cgo/testcarchive/carchive_test.go.orig	2017-10-25 20:30:21.000000000 +0200
++++ go/misc/cgo/testcarchive/carchive_test.go	2017-11-08 10:31:42.982462249 +0100
+@@ -6,6 +6,7 @@ package carchive_test
+ 
+ import (
+ 	"bufio"
++	"bytes"
+ 	"debug/elf"
+ 	"fmt"
+ 	"io/ioutil"
+@@ -605,9 +606,26 @@ func TestCompileWithoutShared(t *testing
+ 	}
+ 
+ 	exe := "./testnoshared" + exeSuffix
+-	ccArgs := append(cc, "-o", exe, "main5.c", "libgo2.a")
++
++	// In some cases, -no-pie is needed here, but not accepted everywhere. First try
++	// if -no-pie is accepted. See #22126.
++	ccArgs := append(cc, "-o", exe, "-no-pie", "main5.c", "libgo2.a")
+ 	t.Log(ccArgs)
+ 	out, err = exec.Command(ccArgs[0], ccArgs[1:]...).CombinedOutput()
++
++	// If -no-pie unrecognized, try -nopie if this is possibly clang
++	if err != nil && bytes.Contains(out, []byte("unknown")) && !strings.Contains(cc[0], "gcc") {
++		ccArgs = append(cc, "-o", exe, "-nopie", "main5.c", "libgo2.a")
++		t.Log(ccArgs)
++		out, err = exec.Command(ccArgs[0], ccArgs[1:]...).CombinedOutput()
++	}
++
++	// Don't use either -no-pie or -nopie
++	if err != nil && bytes.Contains(out, []byte("unrecognized")) {
++		ccArgs := append(cc, "-o", exe, "main5.c", "libgo2.a")
++		t.Log(ccArgs)
++		out, err = exec.Command(ccArgs[0], ccArgs[1:]...).CombinedOutput()
++	}
+ 	t.Logf("%s", out)
+ 	if err != nil {
+ 		t.Fatal(err)
diff --git a/SPECS/golang.spec b/SPECS/golang.spec
index 0cb6635..d02c0f7 100644
--- a/SPECS/golang.spec
+++ b/SPECS/golang.spec
@@ -80,11 +80,11 @@
 %global gohostarch s390x
 %endif
 
-%global go_api 1.8
-%global go_version 1.8.3
+%global go_api 1.9
+%global go_version 1.9.4
 
 Name:           golang
-Version:        1.8.3
+Version:        1.9.4
 Release:        1%{?dist}
 Summary:        The Go Programming Language
 # source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain
@@ -120,10 +120,10 @@ Patch212:       golang-1.5-bootstrap-binary-path.patch
 # later run `go test -a std`. This makes it only use the zoneinfo.zip where needed in tests.
 Patch215:       ./go1.5-zoneinfo_testing_only.patch
 
-# https://github.com/golang/go/commit/94aba76639cf4d5e30975d846bb0368db8202269
-Patch216:       ./31bit-OID-asn1.patch
-Patch217:       ./dlink-test-fail.patch
-Patch218:       ./dlink-aarch64-test-fail.patch
+# https://github.com/golang/go/commit/ca8c361d867d62bd46013c5abbaaad0b2ca6077f
+Patch216: use-buildmode-pie-for-pie-testing.patch
+# https://github.com/hyangah/go/commit/3502496d03bcd842fd7aac95ec0d7096d581cd26
+Patch217: use-no-pie-where-needed.patch
 
 # Having documentation separate was broken
 Obsoletes:      %{name}-docs < 1.1-4
@@ -244,15 +244,7 @@ Summary:        Golang shared object libraries
 %patch215 -p1
 
 %patch216 -p1
-%ifarch ppc64le
 %patch217 -p1
-%endif
-%ifarch aarch64
-%patch218 -p1
-%endif
-
-# don't include chacha test vectors in buildID
-mv ./src/vendor/golang_org/x/crypto/chacha20poly1305/chacha20poly1305_test_vectors.go ./src/vendor/golang_org/x/crypto/chacha20poly1305/chacha20poly1305_vectors_test.go
 
 %build
 
@@ -434,6 +426,7 @@ fi
 %exclude %{goroot}/src/
 %exclude %{goroot}/doc/
 %exclude %{goroot}/misc/
+%exclude %{goroot}/test/
 %{goroot}/*
 
 # ensure directory ownership, so they are cleaned up if empty
@@ -474,6 +467,33 @@ fi
 %endif
 
 %changelog
+* Thu Feb 08 2018 Jakub Čajka <jcajka@redhat.com> - 1.9.4-1
+- Rebase to 1.9.4
+- Fix CVE-2018-6574
+- Resolves: rhbz#1545300
+
+* Wed Nov 08 2017 Jakub Čajka <jcajka@redhat.com> - 1.9.2-4
+- Related: rhbz#1505967
+
+* Tue Nov 07 2017 Jakub Čajka <jcajka@redhat.com> - 1.9.2-3
+- Resolve: rhbz#1505967 
+
+* Tue Oct 31 2017 Jakub Čajka <jcajka@redhat.com> - 1.9.2-2
+- fix up file lists
+- Related: rhbz#1499827
+
+* Thu Oct 26 2017 Jakub Čajka <jcajka@redhat.com> - 1.9.2-1
+- Rebase to 1.9.2
+- Related: rhbz#1499827
+
+* Fri Oct 13 2017 Jakub Čajka <jcajka@redhat.com> - 1.9.1-1
+- Rebase to 1.9.1
+- fix CVE-2017-15041 and CVE-2017-15042
+- Resolves: rhbz#1500591, rhbz#1499827, rhbz#1500587, rhbz#1448494
+
+* Tue Jun 20 2017 Jakub Čajka <jcajka@redhat.com> - 1.8.3-2
+- Resolves: rhbz#1447109
+
 * Wed May 31 2017 Jakub Čajka <jcajka@redhat.com> - 1.8.3-1
 - bump to 1.8.3
 - fix CVE-2017-8932