diff --git a/.gitignore b/.gitignore
index 21f722c..a04fffc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/go-go-1.15.0-2-openssl-fips.tar.gz
+SOURCES/go-go-1.15.2-1-openssl-fips.tar.gz
diff --git a/.golang.metadata b/.golang.metadata
index 3ed7b9c..d7a09d2 100644
--- a/.golang.metadata
+++ b/.golang.metadata
@@ -1 +1 @@
-419f3d1b92d91718c92a9fb2012f926d090657f2 SOURCES/go-go-1.15.0-2-openssl-fips.tar.gz
+95a0e63d7483c2a4ae3d15e5ce9f5c6706c32a01 SOURCES/go-go-1.15.2-1-openssl-fips.tar.gz
diff --git a/SOURCES/golang-1.15-warnCN.patch b/SOURCES/golang-1.15-warnCN.patch
new file mode 100644
index 0000000..5d9cf82
--- /dev/null
+++ b/SOURCES/golang-1.15-warnCN.patch
@@ -0,0 +1,25 @@
+diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go
+index 50f4d4a..121fd1b 100644
+--- a/src/crypto/x509/verify.go
++++ b/src/crypto/x509/verify.go
+@@ -20,6 +20,9 @@ import (
+
+ // ignoreCN disables interpreting Common Name as a hostname. See issue 24151.
+ var ignoreCN = !strings.Contains(os.Getenv("GODEBUG"), "x509ignoreCN=0")
++// if using Common Name as a hostname is enabled via x509ignoreCN=0,
++// warnCN enables a warning whenever Common Name is interpreted as a hostname.
++var warnCN = strings.Contains(os.Getenv("GODEBUG"), "x509warnCN=1")
+
+ type InvalidReason int
+
+@@ -1078,6 +1081,10 @@ func (c *Certificate) VerifyHostname(h string) error {
+ names := c.DNSNames
+ if c.commonNameAsHostname() {
+ names = []string{c.Subject.CommonName}
++ if warnCN {
++ fmt.Fprintf(os.Stderr, "x509: Warning - certificate relies on legacy Common Name field. " +
++ "Using CN without SAN is deprecated and will not work in future versions.\n")
++ }
+ }
+
+ candidateName := toLowerCaseASCII(h) // Save allocations inside the loop.
diff --git a/SOURCES/net-http-graceful-shutdown.patch b/SOURCES/net-http-graceful-shutdown.patch
new file mode 100644
index 0000000..90dd711
--- /dev/null
+++ b/SOURCES/net-http-graceful-shutdown.patch
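Review bot: The warning added inside `VerifyHostname` is written on every verification that takes the legacy Common Name path and carries nothing that identifies the certificate or the hostname being checked, so on a busy server it is noisy and still leaves the operator guessing which certificate needs a SAN. Including the name would make it actionable, e.g. `fmt.Fprintf(os.Stderr, "x509: Warning - certificate with CN %q relies on legacy Common Name field. "+ ..., c.Subject.CommonName)`; as written, the format string has no verbs, so `fmt.Fprint` (or `os.Stderr.WriteString`) is the right call for the current text. Bounding the output, for instance emitting it once per process, would keep stderr from being flooded by a long-lived server that verifies many peers, though whether that fits how the warning is meant to be consumed is a judgement call. The inner hunk shows only part of VerifyHostname, which begins and ends outside it.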
@@ -0,0 +1,157 @@
+diff --git a/src/net/http/export_test.go b/src/net/http/export_test.go
+index 657ff9d..67a74ae 100644
+--- a/src/net/http/export_test.go
++++ b/src/net/http/export_test.go
+@@ -274,6 +274,17 @@ func (s *Server) ExportAllConnsIdle() bool {
+ return true
+ }
+
++func (s *Server) ExportAllConnsByState() map[ConnState]int {
++ states := map[ConnState]int{}
++ s.mu.Lock()
++ defer s.mu.Unlock()
++ for c := range s.activeConn {
++ st, _ := c.getState()
++ states[st] += 1
++ }
++ return states
++}
++
+ func (r *Request) WithT(t *testing.T) *Request {
+ return r.WithContext(context.WithValue(r.Context(), tLogKey{}, t.Logf))
+ }
+diff --git a/src/net/http/serve_test.go b/src/net/http/serve_test.go
+index 5f56932..806272b 100644
+--- a/src/net/http/serve_test.go
++++ b/src/net/http/serve_test.go
+@@ -5519,16 +5519,23 @@ func TestServerSetKeepAlivesEnabledClosesConns(t *testing.T) {
+ }
+ }
+
+-func TestServerShutdown_h1(t *testing.T) { testServerShutdown(t, h1Mode) }
+-func TestServerShutdown_h2(t *testing.T) { testServerShutdown(t, h2Mode) }
++func TestServerShutdown_h1(t *testing.T) {
++ testServerShutdown(t, h1Mode)
++}
++func TestServerShutdown_h2(t *testing.T) {
++ testServerShutdown(t, h2Mode)
++}
+
+ func testServerShutdown(t *testing.T, h2 bool) {
+ setParallel(t)
+ defer afterTest(t)
+ var doShutdown func() // set later
++ var doStateCount func()
+ var shutdownRes = make(chan error, 1)
++ var statesRes = make(chan map[ConnState]int, 1)
+ var gotOnShutdown = make(chan struct{}, 1)
+ handler := HandlerFunc(func(w ResponseWriter, r *Request) {
++ doStateCount()
+ go doShutdown()
+ // Shutdown is graceful, so it should not interrupt
+ // this in-flight response.
Add a tiny sleep here to
+@@ -5545,6 +5552,9 @@ func testServerShutdown(t *testing.T, h2 bool) {
+ doShutdown = func() {
+ shutdownRes <- cst.ts.Config.Shutdown(context.Background())
+ }
++ doStateCount = func() {
++ statesRes <- cst.ts.Config.ExportAllConnsByState()
++ }
+ get(t, cst.c, cst.ts.URL) // calls t.Fail on failure
+
+ if err := <-shutdownRes; err != nil {
+@@ -5556,6 +5566,10 @@ func testServerShutdown(t *testing.T, h2 bool) {
+ t.Errorf("onShutdown callback not called, RegisterOnShutdown broken?")
+ }
+
++ if states := <-statesRes; states[StateActive] != 1 {
++ t.Errorf("connection in wrong state, %v", states)
++ }
++
+ res, err := cst.c.Get(cst.ts.URL)
+ if err == nil {
+ res.Body.Close()
+diff --git a/src/net/http/server.go b/src/net/http/server.go
+index d41b5f6..14a6336 100644
+--- a/src/net/http/server.go
++++ b/src/net/http/server.go
+@@ -324,7 +324,7 @@ func (c *conn) hijackLocked() (rwc net.Conn, buf *bufio.ReadWriter, err error) {
+ return nil, nil, fmt.Errorf("unexpected Peek failure reading buffered byte: %v", err)
+ }
+ }
+- c.setState(rwc, StateHijacked)
++ c.setState(rwc, StateHijacked, runHooks)
+ return
+ }
+
+@@ -1737,7 +1737,12 @@ func validNextProto(proto string) bool {
+ return true
+ }
+
+-func (c *conn) setState(nc net.Conn, state ConnState) {
++const (
++ runHooks = true
++ skipHooks = false
++)
++
++func (c *conn) setState(nc net.Conn, state ConnState, runHook bool) {
+ srv := c.server
+ switch state {
+ case StateNew:
+@@ -1750,6 +1755,9 @@ func (c *conn) setState(nc net.Conn, state ConnState) {
+ }
+ packedState := uint64(time.Now().Unix()<<8) | uint64(state)
+ atomic.StoreUint64(&c.curState.atomic, packedState)
++ if !runHook {
++ return
++ }
+ if hook := srv.ConnState; hook != nil {
+ hook(nc, state)
+ }
+@@ -1803,7 +1811,7 @@ func (c *conn) serve(ctx context.Context) {
+ }
+ if !c.hijacked() {
+ c.close()
+- c.setState(c.rwc, StateClosed)
++ c.setState(c.rwc, StateClosed, runHooks)
+ }
+ }()
+
+@@ -1831,6 +1839,10 @@ func
(c *conn) serve(ctx context.Context) {
+ if proto := c.tlsState.NegotiatedProtocol; validNextProto(proto) {
+ if fn := c.server.TLSNextProto[proto]; fn != nil {
+ h := initALPNRequest{ctx, tlsConn, serverHandler{c.server}}
++ // Mark freshly created HTTP/2 as active and prevent any server state hooks
++ // from being run on these connections. This prevents closeIdleConns from
++ // closing such connections. See issue https://golang.org/issue/39776.
++ c.setState(c.rwc, StateActive, skipHooks)
+ fn(c.server, tlsConn, h)
+ }
+ return
+@@ -1851,7 +1863,7 @@ func (c *conn) serve(ctx context.Context) {
+ w, err := c.readRequest(ctx)
+ if c.r.remain != c.server.initialReadLimitSize() {
+ // If we read any bytes off the wire, we're active.
+- c.setState(c.rwc, StateActive)
++ c.setState(c.rwc, StateActive, runHooks)
+ }
+ if err != nil {
+ const errorHeaders = "\r\nContent-Type: text/plain; charset=utf-8\r\nConnection: close\r\n\r\n"
+@@ -1934,7 +1946,7 @@ func (c *conn) serve(ctx context.Context) {
+ }
+ return
+ }
+- c.setState(c.rwc, StateIdle)
++ c.setState(c.rwc, StateIdle, runHooks)
+ c.curReq.Store((*response)(nil))
+
+ if !w.conn.server.doKeepAlives() {
+@@ -2965,7 +2977,7 @@ func (srv *Server) Serve(l net.Listener) error {
+ }
+ tempDelay = 0
+ c := srv.newConn(rw)
+- c.setState(c.rwc, StateNew) // before Serve can return
++ c.setState(c.rwc, StateNew, runHooks) // before Serve can return
+ go c.serve(connCtx)
+ }
+ }
diff --git a/SPECS/golang.spec b/SPECS/golang.spec
index 3f81784..95b1baa 100644
--- a/SPECS/golang.spec
+++ b/SPECS/golang.spec
@@ -96,8 +96,8 @@
 %endif
 %global go_api 1.15
-%global go_version 1.15.0
-%global pkg_release 2
+%global go_version 1.15.2
+%global pkg_release 1
 Name: golang
 Version: %{go_version}
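Review bot: The `c.setState(c.rwc, StateActive, skipHooks)` added before `fn(c.server, tlsConn, h)` keeps every ALPN-negotiated connection in StateActive until the TLSNextProto handler returns, so `Shutdown` now waits for those handlers instead of, if I read closeIdleConns correctly, force-closing them as long-idle StateNew connections as it did before the patch. The comment cites issue 39776 but does not state this consequence, and it matters for anyone wiring a custom TLSNextProto handler that does not drain on `RegisterOnShutdown`: such a handler will hold `Shutdown` open until its context expires. I would extend the comment with `// Shutdown therefore waits for the TLSNextProto handler to return; handlers are expected to drain via RegisterOnShutdown.` Separately, in export_test.go `states[st] += 1` is conventionally written `states[st]++`. The inner hunks show only excerpts of serve, which begins and ends outside them.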
@@ -144,6 +144,16 @@ Patch221: fix_TestScript_list_std.patch
 # https://go-review.googlesource.com/c/go/+/240917
 #Patch240917: ppc64le_fix_missing_deferreturn.patch
+# Add an env var to optionally trigger a warning in x509 when
+# Common Name is used as hostname
+# rhbz#1889437
+Patch223: golang-1.15-warnCN.patch
+
+# Gracefully shut down http2 connections
+# https://go-review.googlesource.com/c/go/+/240278
+# rhbz#1888673
+Patch224: net-http-graceful-shutdown.patch
+
 # Having documentation separate was broken
 Obsoletes: %{name}-docs < 1.1-4
@@ -239,6 +249,10 @@ Requires: %{name} = %{version}-%{release}
 #%patch240917 -p1
+%patch223 -p1
+
+%patch224 -p1
+
 cp %{SOURCE1} ./src/runtime/
 %build
@@ -505,6 +519,15 @@ cd ..
 %endif
 %changelog
+* Mon Oct 19 2020 David Benoit - 1.15.2-1
+- Rebase to 1.15.2
+- fix rhbz#1872622 in commit af9a1b1f6567a1c5273a134d395bfe7bb840b7f8
+- Resolves: rhbz#1872622
+- add net/http graceful shutdown patch
+- Resolves: rhbz#1888673
+- add x509warnCN patch
+- Resolves: rhbz#1889437
+
 * Wed Sep 09 2020 Alejandro Sáez - 1.15.0-1
 - Rebase to 1.15.0
 - Related: rhbz#1870531