- Packaging improvements:
* Remove conditional gccgo bootstrap sections and gcc-go.patch.
gccgo cannot be used in any version newer than go1.21. Removal
simplifies go1.x package code.
* go1.21 can optionally be bootstrapped with gccgo and serve as
the inital version of go1.x.
* go1.21 will be the initial version of Go in the bootstrap chain
until gcc gccgo is updated to support a language level newer
than go1.18.
* Drop gcc-go.patch
* Refs boo#1247816 bootstrap go1.21 with gccgo
* Refs boo#1248082 drop unused gccgo bootstrap code in go1.22+
OBS-URL: https://build.opensuse.org/request/show/1299494
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.23?expand=0&rev=35
- Packaging improvements:
* Remove conditional gccgo bootstrap sections and gcc-go.patch.
gccgo cannot be used in any version newer than go1.21. Removal
simplifies go1.x package code.
* go1.21 can optionally be bootstrapped with gccgo and serve as
the inital version of go1.x.
* go1.21 will be the initial version of Go in the bootstrap chain
until gcc gccgo is updated to support a language level newer
than go1.18.
* Refs boo#1247816 bootstrap go1.21 with gccgo
* Refs boo#1248082 drop unused gccgo bootstrap code in go1.22+
OBS-URL: https://build.opensuse.org/request/show/1299489
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.23?expand=0&rev=34
- go1.23.12 (released 2025-08-06) includes security fixes to the
database/sql and os/exec packages, as well as bug fixes to the
runtime.
Refs boo#1229122 go1.23 release tracking
CVE-2025-47906 CVE-2025-47907
* go#74803 go#74466 boo#1247719 security: fix CVE-2025-47906 os/exec: LookPath bug: incorrect expansion of "", "." and ".." in some PATH configurations
* go#74832 go#74831 boo#1247720 security: fix CVE-2025-47907 database/sql: incorrect results returned from Rows.Scan
* go#74415 runtime: use-after-free of allpSnapshot in findRunnable
* go#74693 runtime: segfaults in runtime.(*unwinder).next
* go#74721 cmd/go: TestScript/build_trimpath_cgo fails to decode dwarf on release-branch.go1.23
* go#74726 cmd/cgo/internal/testsanitizers: failures with signal: segmentation fault or exit status 66
OBS-URL: https://build.opensuse.org/request/show/1298035
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.23?expand=0&rev=31
- go1.23.11 (released 2025-07-08) includes security fixes to the go
command, as well as bug fixes to the compiler, the linker, and
the runtime.
Refs boo#1229122 go1.23 release tracking
CVE-2025-4674
* go#74382 go#74380 boo#1246118 security: fix CVE-2025-4674 cmd/go: disable support for multiple vcs in one module
* go#73907 runtime: bad frame pointer during panic during duffcopy
* go#74289 runtime: heap mspan limit is set too late, causing data race between span allocation and conservative scanning
* go#74293 internal/trace: stress tests triggering suspected deadlock in tracer
* go#74362 runtime/pprof: crash "cannot read stack of running goroutine" in goroutine profile
* go#74402 cmd/link: duplicated definition of symbol github.com/ebitengine/purego.syscall15XABI0 when running with ASAN
OBS-URL: https://build.opensuse.org/request/show/1291358
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.23?expand=0&rev=29
- go1.23.10 (released 2025-06-05) includes security fixes to the
net/http and os packages, as well as bug fixes to the linker.
Refs boo#1229122 go1.23 release tracking
CVE-2025-0913 CVE-2025-4673
* go#73719 go#73612 boo#1244157 security: fix CVE-2025-0913 os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows
* go#73905 go#73816 boo#1244156 security: fix CVE-2025-4673 net/http: sensitive headers not cleared on cross-origin redirect
* go#73677 runtime/debug: BuildSetting does not document DefaultGODEBUG
* go#73831 cmd/link: Go 1.24.3 and 1.23.9 regression - duplicated definition of symbol dlopen
OBS-URL: https://build.opensuse.org/request/show/1283448
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.23?expand=0&rev=27
- go1.23.8 (released 2025-04-01) includes security fixes to the
net/http package, as well as bug fixes to the runtime and the go
command.
Refs boo#1229122 go1.23 release tracking
CVE-2025-22871
* go#72010 go#71988 boo#1240550 security: fix CVE-2025-22871 net/http: reject bare LF in chunked encoding
* go#72114 runtime: process hangs for mips hardware
* go#72871 runtime: cgo callback on extra M treated as external code after nested cgo callback returns
* go#72937 internal/godebugs: winsymlink and winreadlinkvolume have incorrect defaults for Go 1.22
net/http package, as well as bug fixes to cgo, the compiler, and
the reflect, runtime, and syscall packages.
OBS-URL: https://build.opensuse.org/request/show/1266332
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.23?expand=0&rev=23
- go1.23.7 (released 2025-03-04) includes security fixes to the
net/http, x/net/proxy, and x/net/http/httpproxy packages, as well
as bug fixes to the compiler, the runtime and the os and reflect
packages.
Refs boo#1229122 go1.23 release tracking
CVE-2025-22870
* go#71985 go#71984 boo#1238572 security: fix CVE-2025-22870 net/http, x/net/proxy, x/net/http/httpproxy: proxy bypass using IPv6 zone IDs
* go#71727 runtime: usleep computes wrong tv_nsec on s390x
* go#71839 runtime: recover added in range-over-func loop body doesn't stop panic propagation / segfaults printing error
* go#71848 os: spurious SIGCHILD on running child process
* go#71875 reflect: Value.Seq panicking on functional iterator methods
* go#71915 reflect: Value.Seq iteration value types not matching the type of given int types
* go#71962 runtime/cgo: does not build with -Wdeclaration-after-statement
OBS-URL: https://build.opensuse.org/request/show/1250290
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.23?expand=0&rev=21
- go1.23.7 (released 2025-03-04) includes security fixes to the
net/http, x/net/proxy, and x/net/http/httpproxy packages, as well
as bug fixes to the compiler, the runtime and the os and reflect
packages.
Refs boo#1229122 go1.23 release tracking
CVE-2025-22870
* go#71985 go#71984 boo#1238572 security: fix CVE-2025-22870 net/http, x/net/proxy, x/net/http/httpproxy: proxy bypass using IPv6 zone IDs
* go#71962 runtime/cgo: does not build with -Wdeclaration-after-statement
* go#71915 reflect: Value.Seq iteration value types not matching the type of given int types
* go#71875 reflect: Value.Seq panicking on functional iterator methods
* go#71848 os: spurious SIGCHILD on running child process
* go#71839 runtime: recover added in range-over-func loop body doesn't stop panic propagation / segfaults printing error
* go#71727 runtime: usleep computes wrong tv_nsec on s390x
OBS-URL: https://build.opensuse.org/request/show/1250285
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.23?expand=0&rev=20
- go1.23.6 (released 2025-02-04) includes security fixes to the
crypto/elliptic package, as well as bug fixes to the compiler and
the go command.
Refs boo#1229122 go1.23 release tracking
CVE-2025-22866
* go#71423 go#71383 boo#1236801 security: fix CVE-2025-22866 crypto/internal/fips140/nistec: p256NegCond is variable time on ppc64le
* go#71263 cmd/go/internal/modfetch/codehost: test fails with git 2.47.1
* go#71230 cmd/compile: broken write barrier
OBS-URL: https://build.opensuse.org/request/show/1243260
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.23?expand=0&rev=18
- go1.23.6 (released 2025-02-04) includes security fixes to the
crypto/elliptic package, as well as bug fixes to the compiler and
the go command.
Refs boo#1229122 go1.23 release tracking
CVE-2025-22866
* go#71423 go#71383 security: fix CVE-2025-22866 crypto/internal/fips140/nistec: p256NegCond is variable time on ppc64le
* go#71263 cmd/go/internal/modfetch/codehost: test fails with git 2.47.1
* go#71230 cmd/compile: broken write barrier
OBS-URL: https://build.opensuse.org/request/show/1243249
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.23?expand=0&rev=17
- go1.23.5 (released 2025-01-16) includes security fixes to the
crypto/x509 and net/http packages, as well as bug fixes to the
compiler, the runtime, and the net package.
Refs boo#1229122 go1.23 release tracking
CVE-2024-45341 CVE-2024-45336
* go#71208 go#71156 boo#1236045 security: fix CVE-2024-45341 crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints
* go#71211 go#70530 boo#1236046 security: fix CVE-2024-45336 net/http: sensitive headers incorrectly sent after cross-domain redirect
* go#69988 runtime: severe performance drop for cgo calls in go1.22.5
* go#70517 cmd/compile/internal/importer: flip enable alias to true
* go#70789 os: io.Copy(net.Conn, os.Stdin) on MacOS terminate immediately without waiting for input
* go#71104 crypto/tls: TestVerifyConnection/TLSv12 failures
* go#71147 internal/trace: TestTraceCPUProfile/Stress failures
OBS-URL: https://build.opensuse.org/request/show/1240017
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.23?expand=0&rev=15
- go1.23.3 (released 2024-11-06) includes fixes to the linker, the
runtime, and the net/http, os, and syscall packages.
Refs boo#1229122 go1.23 release tracking
* go#69258 runtime: corrupted GoroutineProfile stack traces
* go#69259 runtime: multi-arch build via qemu fails to exec go binary
* go#69640 os: os.checkPidfd() crashes with SIGSYS
* go#69746 runtime: TestGdbAutotmpTypes failures
* go#69848 cmd/compile: syscall.Syscall15: nosplit stack over 792 byte limit
* go#69865 runtime: MutexProfile missing root frames in go1.23
* go#69882 time,runtime: too many concurrent timer firings for short time.Ticker
* go#69978 time,runtime: too many concurrent timer firings for short, fast-resetting time.Timer
* go#69992 cmd/link: LC_UUID not generated by go linker, resulting in failure to access local network on macOS 15
* go#70001 net/http/pprof: coroutines + pprof makes the program panic
* go#70020 net/http: short writes with FileServer on macos
OBS-URL: https://build.opensuse.org/request/show/1222505
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.23?expand=0&rev=9
- go1.23.2 (released 2024-10-01) includes fixes to the compiler,
cgo, the runtime, and the maps, os, os/exec, time, and unique
packages.
Refs boo#1229122 go1.23 release tracking
* go#69119 os: double close pidfd if caller uses pidfd updated by os.StartProcess
* go#69156 maps: segmentation violation in maps.Clone
* go#69219 cmd/cgo: alignment issue with int128 inside of a struct
* go#69240 unique: fatal error: found pointer to free object
* go#69333 runtime,time: timer.Stop returns false even when no value is read from the channel
* go#69383 unique: large string still referenced, after interning only a small substring
* go#69402 os/exec: resource leak on exec failure
* go#69511 cmd/compile: mysterious crashes and non-determinism with range over func
OBS-URL: https://build.opensuse.org/request/show/1205005
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.23?expand=0&rev=7
- go1.23.1 (released 2024-09-05) includes security fixes to the
encoding/gob, go/build/constraint, and go/parser packages, as
well as bug fixes to the compiler, the go command, the runtime,
and the database/sql, go/types, os, runtime/trace, and unique
packages.
Refs boo#1229122 go1.23 release tracking
CVE-2024-34155 CVE-2024-34156 CVE-2024-34158
- go#69143 go#69138 boo#1230252 security: fix CVE-2024-34155 go/parser: stack exhaustion in all Parse* functions
- go#69145 go#69139 boo#1230253 security: fix CVE-2024-34156 encoding/gob: stack exhaustion in Decoder.Decode
- go#69149 go#69141 boo#1230254 security: fix CVE-2024-34158 go/build/constraint: stack exhaustion in Parse
- go#68812 os: TestChtimes failures
- go#68894 go/types: 'under' panics on Alias type
- go#68905 cmd/compile: error in Go 1.23.0 with generics, type aliases and indexing
- go#68907 os: CopyFS overwrites existing file in destination.
- go#68973 cmd/cgo: aix c-archive corrupting stack
- go#68992 unique: panic when calling unique.Make with string casted as any
- go#68994 cmd/go: any invocation creates read-only telemetry configuration file under GOMODCACHE
- go#68995 cmd/go: multi-arch build via qemu fails to exec go binary
- go#69041 database/sql: panic in database/sql.(*connRequestSet).deleteIndex
- go#69087 runtime/trace: crash during traceAdvance when collecting call stack for cgo-calling goroutine
- go#69094 cmd/go: breaking change in 1.23rc2 with version constraints in GOPATH mode
OBS-URL: https://build.opensuse.org/request/show/1199060
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.23?expand=0&rev=5
