- go1.24.12 (released 2026-01-15) includes security fixes to the go
command, and the archive/zip, crypto/tls, and net/url packages,
as well as bug fixes to the compiler, the runtime, and the
crypto/tls and os packages.
Refs boo#1236217 go1.24 release tracking
CVE-2025-61726 CVE-2025-61728 CVE-2025-61730 CVE-2025-61731 CVE-2025-68119 CVE-2025-68121
* go#76854 go#76443 boo#1256821 security: fix CVE-2025-61730 crypto/tls: handshake messages may be processed at the incorrect encryption level
* go#77103 go#77099 boo#1256820 security: fix CVE-2025-68119 cmd/go: unexpected code execution when invoking toolchain
* go#77105 go#77100 boo#1256819 security: fix CVE-2025-61731 cmd/go: bypass of flag sanitization can lead to arbitrary code execution
* go#77107 go#77101 boo#1256817 security: fix CVE-2025-61726 net/http: memory exhaustion in Request.ParseForm
* go#77109 go#77102 boo#1256816 security: fix CVE-2025-61728 archive/zip: denial of service when parsing arbitrary ZIP archives
* go#77114 go#77113 boo#1256818 security: fix CVE-2025-68121 crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain
* go#76408 crypto/tls: earlyTrafficSecret should use ClientHelloInner if ECH enabled
* go#76624 os: on Unix, Readdirnames skips directory entries with zero inodes
* go#76760 runtime: stack split at bad time in os/signal with Go 1.25.4 windows 386
* go#76796 runtime: race detector crash on ppc64le
* go#76966 cmd/compile/internal/ssa: Compile.func1(): panic during sccp while compiling <function>: runtime error: index out of range (forwarded request 1327526 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1327528
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.24?expand=0&rev=19
- go1.24.12 (released 2026-01-15) includes security fixes to the go
command, and the archive/zip, crypto/tls, and net/url packages,
as well as bug fixes to the compiler, the runtime, and the
crypto/tls and os packages.
Refs boo#1236217 go1.24 release tracking
CVE-2025-61726 CVE-2025-61728 CVE-2025-61730 CVE-2025-61731 CVE-2025-68119 CVE-2025-68121
* go#76854 go#76443 boo#1256821 security: fix CVE-2025-61730 crypto/tls: handshake messages may be processed at the incorrect encryption level
* go#77103 go#77099 boo#1256820 security: fix CVE-2025-68119 cmd/go: unexpected code execution when invoking toolchain
* go#77105 go#77100 boo#1256819 security: fix CVE-2025-61731 cmd/go: bypass of flag sanitization can lead to arbitrary code execution
* go#77107 go#77101 boo#1256817 security: fix CVE-2025-61726 net/http: memory exhaustion in Request.ParseForm
* go#77109 go#77102 boo#1256816 security: fix CVE-2025-61728 archive/zip: denial of service when parsing arbitrary ZIP archives
* go#77114 go#77113 boo#1256818 security: fix CVE-2025-68121 crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain
* go#76408 crypto/tls: earlyTrafficSecret should use ClientHelloInner if ECH enabled
* go#76624 os: on Unix, Readdirnames skips directory entries with zero inodes
* go#76760 runtime: stack split at bad time in os/signal with Go 1.25.4 windows 386
* go#76796 runtime: race detector crash on ppc64le
* go#76966 cmd/compile/internal/ssa: Compile.func1(): panic during sccp while compiling <function>: runtime error: index out of range
OBS-URL: https://build.opensuse.org/request/show/1327526
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.24?expand=0&rev=44
- go1.24.12 (released 2026-01-15) includes security fixes to the go
command, and the archive/zip, crypto/tls, and net/url packages,
as well as bug fixes to the compiler, the runtime, and the
crypto/tls and os packages.
Refs boo#1236217 go1.24 release tracking
CVE-2025-61726 CVE-2025-61728 CVE-2025-61730 CVE-2025-61731 CVE-2025-68119 CVE-2025-68121
* go#76854 go#76443 boo#1256821 security: fix CVE-2025-61730 crypto/tls: handshake messages may be processed at the incorrect encryption level
* go#77103 go#77099 boo#1256820 security: fix CVE-2025-68119 cmd/go: unexpected code execution when invoking toolchain
* go#77105 go#77100 boo#1256819 security: fix CVE-2025-61731 cmd/go: bypass of flag sanitization can lead to arbitrary code execution
* go#77107 go#77101 boo#1256817 security: fix CVE-2025-61726 net/http: memory exhaustion in Request.ParseForm
* go#77109 go#77102 boo#1256816 security: fix CVE-2025-61728 archive/zip: denial of service when parsing arbitrary ZIP archives
* go#77114 go#77113 boo#1256818 security: fix CVE-2025-68121 crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain
* go#76408 crypto/tls: earlyTrafficSecret should use ClientHelloInner if ECH enabled
* go#76624 os: on Unix, Readdirnames skips directory entries with zero inodes
* go#76760 runtime: stack split at bad time in os/signal with Go 1.25.4 windows 386
* go#76796 runtime: race detector crash on ppc64le
* go#76966 cmd/compile/internal/ssa: Compile.func1(): panic during sccp while compiling <function>: runtime error: index out of range
OBS-URL: https://build.opensuse.org/request/show/1327504
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.24?expand=0&rev=43
- go1.24.11 (released 2025-12-02) includes two security fixes to
the crypto/x509 package, as well as bug fixes to the runtime.
Refs boo#1236217 go1.24 release tracking
CVE-2025-61727 CVE-2025-61729
* go#76460 go#76445 boo#1254431 security: fix CVE-2025-61729 crypto/x509: excessive resource consumption in printing error string for host certificate validation
* go#76463 go#76442 boo#1254430 security: fix CVE-2025-61727 crypto/x509: excluded subdomain constraint doesn't preclude wildcard SAN
* go#76378 internal/cpu: incorrect CPU features bit parsing on loong64 cause illegal instruction core dumps on LA364 cores (forwarded request 1320909 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1320911
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.24?expand=0&rev=18
- go1.24.11 (released 2025-12-02) includes two security fixes to
the crypto/x509 package, as well as bug fixes to the runtime.
Refs boo#1236217 go1.24 release tracking
CVE-2025-61727 CVE-2025-61729
* go#76460 go#76445 boo#1254431 security: fix CVE-2025-61729 crypto/x509: excessive resource consumption in printing error string for host certificate validation
* go#76463 go#76442 boo#1254430 security: fix CVE-2025-61727 crypto/x509: excluded subdomain constraint doesn't preclude wildcard SAN
* go#76378 internal/cpu: incorrect CPU features bit parsing on loong64 cause illegal instruction core dumps on LA364 cores
OBS-URL: https://build.opensuse.org/request/show/1320909
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.24?expand=0&rev=41
- go1.24.10 (released 2025-11-05) includes fixes to the
encoding/pem and net/url packages.
Refs boo#1236217 go1.24 release tracking
* go#75831 net/url: ipv4 mapped ipv6 addresses should be valid in square brackets
* go#75951 encoding/pem: regression when decoding blocks with leading garbage
* go#76028 pem/encoding: malformed line endings can cause panics
- Packaging improvements:
* Remove net-url-allow-IP-literals-with-IPv4-mapped-IPv6-addresses.patch
No longer needed with go#75831 in latest upstream release (forwarded request 1316084 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1316086
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.24?expand=0&rev=17
- go1.24.10 (released 2025-11-05) includes fixes to the
encoding/pem and net/url packages.
Refs boo#1236217 go1.24 release tracking
* go#75831 net/url: ipv4 mapped ipv6 addresses should be valid in square brackets
* go#75951 encoding/pem: regression when decoding blocks with leading garbage
* go#76028 pem/encoding: malformed line endings can cause panics
- Packaging improvements:
* Remove net-url-allow-IP-literals-with-IPv4-mapped-IPv6-addresses.patch
No longer needed with go#75831 in latest upstream release
OBS-URL: https://build.opensuse.org/request/show/1316084
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.24?expand=0&rev=38
- go1.24.10 (released 2025-11-05) includes fixes to the
encoding/pem and net/url packages.
* go#75831 net/url: ipv4 mapped ipv6 addresses should be valid in square brackets
* go#75951 encoding/pem: regression when decoding blocks with leading garbage
* go#76028 pem/encoding: malformed line endings can cause panics
- Packaging improvements:
* Remove net-url-allow-IP-literals-with-IPv4-mapped-IPv6-addresses.patch
No longer needed with go#75831 in latest upstream release
OBS-URL: https://build.opensuse.org/request/show/1316074
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.24?expand=0&rev=37
- go1.24.9 (released 2025-10-13) includes fixes to the crypto/x509
package.
Refs boo#1236217 go1.24 release tracking
* go#75860 crypto/x509: TLS validation fails for FQDNs with trailing dot
- Packaging improvements:
* Add net-url-allow-IP-literals-with-IPv4-mapped-IPv6-addresses.patch
needed today and will be available in the next upstream release (forwarded request 1311560 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1311562
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.24?expand=0&rev=16
- go1.24.7 (released 2025-09-03) includes fixes to the go command,
and the net and os/exec packages.
Refs boo#1236217 go1.24 release tracking
* go#75007 os/exec: TestLookPath fails on plan9 after CL 685755
* go#74821 cmd/go: "get toolchain@latest" should ignore release candidates
* go#74818 net: WriteMsgUDPAddrPort should accept IPv4-mapped IPv6 destination addresses on IPv4 UDP sockets
- Packaging improvements:
* Remove conditional gccgo bootstrap sections and gcc-go.patch.
gccgo cannot be used in any version newer than go1.21. Removal
simplifies go1.x package code.
* go1.21 can optionally be bootstrapped with gccgo and serve as
the inital version of go1.x.
* go1.21 will be the initial version of Go in the bootstrap chain
until gcc gccgo is updated to support a language level newer
than go1.18.
* Drop gcc-go.patch
* Refs boo#1247816 bootstrap go1.21 with gccgo
* Refs boo#1248082 drop unused gccgo bootstrap code in go1.22+ (forwarded request 1302803 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1302805
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.24?expand=0&rev=12
- go1.24.7 (released 2025-09-03) includes fixes to the go command,
and the net and os/exec packages.
Refs boo#1236217 go1.24 release tracking
* go#75007 os/exec: TestLookPath fails on plan9 after CL 685755
* go#74821 cmd/go: "get toolchain@latest" should ignore release candidates
* go#74818 net: WriteMsgUDPAddrPort should accept IPv4-mapped IPv6 destination addresses on IPv4 UDP sockets
- Packaging improvements:
* Remove conditional gccgo bootstrap sections and gcc-go.patch.
gccgo cannot be used in any version newer than go1.21. Removal
simplifies go1.x package code.
* go1.21 can optionally be bootstrapped with gccgo and serve as
the inital version of go1.x.
* go1.21 will be the initial version of Go in the bootstrap chain
until gcc gccgo is updated to support a language level newer
than go1.18.
* Drop gcc-go.patch
* Refs boo#1247816 bootstrap go1.21 with gccgo
* Refs boo#1248082 drop unused gccgo bootstrap code in go1.22+
OBS-URL: https://build.opensuse.org/request/show/1302803
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.24?expand=0&rev=27
- go1.24.6 (released 2025-08-06) includes security fixes to the
database/sql and os/exec packages, as well as bug fixes to the
runtime.
Refs boo#1236217 go1.24 release tracking
CVE-2025-47906 CVE-2025-47907
* go#74804 go#74466 boo#1247719 security: fix CVE-2025-47906 os/exec: LookPath bug: incorrect expansion of "", "." and ".." in some PATH configurations
* go#74833 go#74831 boo#1247720 security: fix CVE-2025-47907 database/sql: incorrect results returned from Rows.Scan
* go#73800 runtime: RSS seems to have increased in Go 1.24 while the runtime accounting has not
* go#74416 runtime: use-after-free of allpSnapshot in findRunnable
* go#74694 runtime: segfaults in runtime.(*unwinder).next
* go#74760 os/user:nolibgcc: TestGroupIdsTestUser failures (forwarded request 1298036 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1298039
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.24?expand=0&rev=11
- go1.24.6 (released 2025-08-06) includes security fixes to the
database/sql and os/exec packages, as well as bug fixes to the
runtime.
Refs boo#1236217 go1.24 release tracking
CVE-2025-47906 CVE-2025-47907
* go#74804 go#74466 boo#1247719 security: fix CVE-2025-47906 os/exec: LookPath bug: incorrect expansion of "", "." and ".." in some PATH configurations
* go#74833 go#74831 boo#1247720 security: fix CVE-2025-47907 database/sql: incorrect results returned from Rows.Scan
* go#73800 runtime: RSS seems to have increased in Go 1.24 while the runtime accounting has not
* go#74416 runtime: use-after-free of allpSnapshot in findRunnable
* go#74694 runtime: segfaults in runtime.(*unwinder).next
* go#74760 os/user:nolibgcc: TestGroupIdsTestUser failures
OBS-URL: https://build.opensuse.org/request/show/1298036
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.24?expand=0&rev=25
- go1.24.5 (released 2025-07-08) includes security fixes to the go
command, as well as bug fixes to the compiler, the linker, the
runtime, and the go command.
Refs boo#1236217 go1.24 release tracking
CVE-2025-4674
* go#74381 go#74380 boo#1246118 security: fix CVE-2025-4674 cmd/go: disable support for multiple vcs in one module
* go#73908 runtime: bad frame pointer during panic during duffcopy
* go#74098 cmd/compile: regression on ppc64le bit operations
* go#74113 cmd/go: crash on unknown GOEXPERIMENT during toolchain selection
* go#74290 runtime: heap mspan limit is set too late, causing data race between span allocation and conservative scanning
* go#74294 internal/trace: stress tests triggering suspected deadlock in tracer
* go#74346 runtime: memlock not unlocked in all control flow paths in sysReserveAlignedSbrk
* go#74363 runtime/pprof: crash "cannot read stack of running goroutine" in goroutine profile
* go#74403 cmd/link: duplicated definition of symbol github.com/ebitengine/purego.syscall15XABI0 when running with ASAN (forwarded request 1291359 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1291362
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.24?expand=0&rev=10
- go1.24.5 (released 2025-07-08) includes security fixes to the go
command, as well as bug fixes to the compiler, the linker, the
runtime, and the go command.
Refs boo#1236217 go1.24 release tracking
CVE-2025-4674
* go#74381 go#74380 boo#1246118 security: fix CVE-2025-4674 cmd/go: disable support for multiple vcs in one module
* go#73908 runtime: bad frame pointer during panic during duffcopy
* go#74098 cmd/compile: regression on ppc64le bit operations
* go#74113 cmd/go: crash on unknown GOEXPERIMENT during toolchain selection
* go#74290 runtime: heap mspan limit is set too late, causing data race between span allocation and conservative scanning
* go#74294 internal/trace: stress tests triggering suspected deadlock in tracer
* go#74346 runtime: memlock not unlocked in all control flow paths in sysReserveAlignedSbrk
* go#74363 runtime/pprof: crash "cannot read stack of running goroutine" in goroutine profile
* go#74403 cmd/link: duplicated definition of symbol github.com/ebitengine/purego.syscall15XABI0 when running with ASAN
OBS-URL: https://build.opensuse.org/request/show/1291359
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.24?expand=0&rev=23
- go1.24.4 (released 2025-06-05) includes security fixes to the
crypto/x509, net/http, and os packages, as well as bug fixes to
the linker, the go command, and the hash/maphash and os packages.
Refs boo#1236217 go1.24 release tracking
CVE-2025-22874 CVE-2025-0913 CVE-2025-4673
* go#73700 go#73702 boo#1244158 security: fix CVE-2025-22874 crypto/x509: ExtKeyUsageAny bypasses policy validation
* go#73720 go#73612 boo#1244157 security: fix CVE-2025-0913 os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows
* go#73906 go#73816 boo#1244156 security: fix CVE-2025-4673 net/http: sensitive headers not cleared on cross-origin redirect
* go#73570 os: Root.Mkdir creates directories with zero permissions on OpenBSD
* go#73669 hash/maphash: hashing channels with purego impl. of maphash.Comparable panics
* go#73678 runtime/debug: BuildSetting does not document DefaultGODEBUG
* go#73809 cmd/go: add fips140 module selection mechanism
* go#73832 cmd/link: Go 1.24.3 and 1.23.9 regression - duplicated definition of symbol dlopen (forwarded request 1283449 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1283453
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.24?expand=0&rev=9
- go1.24.4 (released 2025-06-05) includes security fixes to the
crypto/x509, net/http, and os packages, as well as bug fixes to
the linker, the go command, and the hash/maphash and os packages.
Refs boo#1236217 go1.24 release tracking
CVE-2025-22874 CVE-2025-0913 CVE-2025-4673
* go#73700 go#73702 boo#1244158 security: fix CVE-2025-22874 crypto/x509: ExtKeyUsageAny bypasses policy validation
* go#73720 go#73612 boo#1244157 security: fix CVE-2025-0913 os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows
* go#73906 go#73816 boo#1244156 security: fix CVE-2025-4673 net/http: sensitive headers not cleared on cross-origin redirect
* go#73570 os: Root.Mkdir creates directories with zero permissions on OpenBSD
* go#73669 hash/maphash: hashing channels with purego impl. of maphash.Comparable panics
* go#73678 runtime/debug: BuildSetting does not document DefaultGODEBUG
* go#73809 cmd/go: add fips140 module selection mechanism
* go#73832 cmd/link: Go 1.24.3 and 1.23.9 regression - duplicated definition of symbol dlopen
OBS-URL: https://build.opensuse.org/request/show/1283449
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.24?expand=0&rev=21
- go1.24.3 (released 2025-05-06) includes security fixes to the os
package, as well as bug fixes to the runtime, the compiler, the
linker, the go command, and the crypto/tls and os packages.
Refs boo#1236217 go1.24 release tracking
CVE-2025-22873
* go#73556 go#73555 boo#1242715 security: fix CVE-2025-22873 os: Root permits access to parent directory
* go#73082 os: Root.Open panics when opening a symlink referencing the root
* go#73092 cmd/link: linkname directive on userspace variable can override runtime variable
* go#73118 crypto/tls: ECH decodeInnerClientHello incorrectly rejects ClientHello with GREASE values in supportedVersions
* go#73144 runtime: segmentation fault from vgetrandomPutState and runtime.growslice w/ runtime.OSLockThread
* go#73192 runtime: -race data race map traceback report incorrect functions
* go#73281 cmd/compile: program compiles to wasm but is invalid: go:wasmexport: integer too large
* go#73379 runtime, x/sys/unix: Connectx is broken on darwin/amd64
* go#73440 cmd/compile: infinite loop in the inliner
* go#73500 cmd/go: +dirty in version stamping doesn't combine well with +incompatible
- Packaging improvements:
* Drop gh-issue-73141.patch to repair random segmentation faults (boo#1240764)
fixed in upstream release. (forwarded request 1275267 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1275268
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.24?expand=0&rev=8
- go1.24.3 (released 2025-05-06) includes security fixes to the os
package, as well as bug fixes to the runtime, the compiler, the
linker, the go command, and the crypto/tls and os packages.
Refs boo#1236217 go1.24 release tracking
CVE-2025-22873
* go#73556 go#73555 boo#1242715 security: fix CVE-2025-22873 os: Root permits access to parent directory
* go#73082 os: Root.Open panics when opening a symlink referencing the root
* go#73092 cmd/link: linkname directive on userspace variable can override runtime variable
* go#73118 crypto/tls: ECH decodeInnerClientHello incorrectly rejects ClientHello with GREASE values in supportedVersions
* go#73144 runtime: segmentation fault from vgetrandomPutState and runtime.growslice w/ runtime.OSLockThread
* go#73192 runtime: -race data race map traceback report incorrect functions
* go#73281 cmd/compile: program compiles to wasm but is invalid: go:wasmexport: integer too large
* go#73379 runtime, x/sys/unix: Connectx is broken on darwin/amd64
* go#73440 cmd/compile: infinite loop in the inliner
* go#73500 cmd/go: +dirty in version stamping doesn't combine well with +incompatible
- Packaging improvements:
* Drop gh-issue-73141.patch to repair random segmentation faults (boo#1240764)
fixed in upstream release.
OBS-URL: https://build.opensuse.org/request/show/1275267
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.24?expand=0&rev=19
- go1.24.3 (released 2025-05-06) includes security fixes to the os
package, as well as bug fixes to the runtime, the compiler, the
linker, the go command, and the crypto/tls and os packages.
Refs boo#1236217 go1.24 release tracking
CVE-2025-22873
* go#73556 go#73555 boo#73555 security: fix CVE-2025-22873 os: Root permits access to parent directory
* go#73082 os: Root.Open panics when opening a symlink referencing the root
* go#73092 cmd/link: linkname directive on userspace variable can override runtime variable
* go#73118 crypto/tls: ECH decodeInnerClientHello incorrectly rejects ClientHello with GREASE values in supportedVersions
* go#73144 runtime: segmentation fault from vgetrandomPutState and runtime.growslice w/ runtime.OSLockThread
* go#73192 runtime: -race data race map traceback report incorrect functions
* go#73281 cmd/compile: program compiles to wasm but is invalid: go:wasmexport: integer too large
* go#73379 runtime, x/sys/unix: Connectx is broken on darwin/amd64
* go#73440 cmd/compile: infinite loop in the inliner
* go#73500 cmd/go: +dirty in version stamping doesn't combine well with +incompatible
- Packaging improvements:
* Drop gh-issue-73141.patch to repair random segmentation faults (boo#1240764)
fixed in upstream release.
OBS-URL: https://build.opensuse.org/request/show/1275044
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.24?expand=0&rev=18
- go1.24.2 (released 2025-04-01) includes security fixes to the
net/http package, as well as bug fixes to the compiler, the
runtime, the go command, and the crypto/tls, go/types, net/http,
and testing packages.
Refs boo#1236217 go1.24 release tracking
CVE-2025-22871
* go#72011 go#71988 boo#1240550 security: fix CVE-2025-22871 net/http: reject bare LF in chunked encoding
* go#72067 cmd/compile: out of memory
* go#72103 net/http: go1.24 breaks compatibility by modifying in-place the tls.Config{NextProtos}
* go#72115 runtime: process hangs for mips hardware
* go#72796 runtime: add an example for AddCleanup
* go#72822 cmd/compile: OOM with mutually-recursive iter.Seq
* go#72823 crypto/tls: FIPS 140-3 modes reject ECDSA w/ curve P-521/SHA-512 in TLS
* go#72826 go/types, types2: CheckExpr / Eval may mutate type checked objects (=> data race)
* go#72872 runtime: cgo callback on extra M treated as external code after nested cgo callback returns
* go#72934 testing: b.StopTimer breaks b.Loop
* go#72938 internal/godebugs: winsymlink and winreadlinkvolume have incorrect defaults for Go 1.22
* go#72974 testing: b.Loop gives bogus results in some situations
- Packaging improvements:
* SLE-12 only: Add declarations to Cgo seccomp_linux.go
for new syscalls seccomp and getrandom which are not present
in the kernel headers supplied by glibc version in SLE-12.
(Marcus Meissner)
Refs boo#1239182
* Add patch go-fixseccomp.patch (forwarded request 1266346 from jfkw)
* SLE-12 only: Fix conditional for go-fixsecomp.patch to work
correctly when suse_version is undefined.
* Fix RPM warning by removing valid macro syntax in comment
describing naming format of llvm-tsan_commit.tar.xz
OBS-URL: https://build.opensuse.org/request/show/1266903
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.24?expand=0&rev=6
- go1.24.2 (released 2025-04-01) includes security fixes to the
net/http package, as well as bug fixes to the compiler, the
runtime, the go command, and the crypto/tls, go/types, net/http,
and testing packages.
Refs boo#1236217 go1.24 release tracking
CVE-2025-22871
* go#72011 go#71988 boo#1240550 security: fix CVE-2025-22871 net/http: reject bare LF in chunked encoding
* go#72067 cmd/compile: out of memory
* go#72103 net/http: go1.24 breaks compatibility by modifying in-place the tls.Config{NextProtos}
* go#72115 runtime: process hangs for mips hardware
* go#72796 runtime: add an example for AddCleanup
* go#72822 cmd/compile: OOM with mutually-recursive iter.Seq
* go#72823 crypto/tls: FIPS 140-3 modes reject ECDSA w/ curve P-521/SHA-512 in TLS
* go#72826 go/types, types2: CheckExpr / Eval may mutate type checked objects (=> data race)
* go#72872 runtime: cgo callback on extra M treated as external code after nested cgo callback returns
* go#72934 testing: b.StopTimer breaks b.Loop
* go#72938 internal/godebugs: winsymlink and winreadlinkvolume have incorrect defaults for Go 1.22
* go#72974 testing: b.Loop gives bogus results in some situations
- Packaging improvements:
* SLE-12 only: Add declarations to Cgo seccomp_linux.go
for new syscalls seccomp and getrandom which are not present
in the kernel headers supplied by glibc version in SLE-12.
(Marcus Meissner)
Refs boo#1239182
* Add patch go-fixseccomp.patch
OBS-URL: https://build.opensuse.org/request/show/1266346
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.24?expand=0&rev=13
- go1.24.2 (released 2025-04-01) includes security fixes to the
net/http package, as well as bug fixes to the compiler, the
runtime, the go command, and the crypto/tls, go/types, net/http,
and testing packages.
Refs boo#1236217 go1.24 release tracking
CVE-2025-22871
* go#72011 go#71988 boo#1240550 security: fix CVE-2025-22871 net/http: reject bare LF in chunked encoding
* go#72067 cmd/compile: out of memory
* go#72103 net/http: go1.24 breaks compatibility by modifying in-place the tls.Config{NextProtos}
* go#72115 runtime: process hangs for mips hardware
* go#72796 runtime: add an example for AddCleanup
* go#72822 cmd/compile: OOM with mutually-recursive iter.Seq
* go#72823 crypto/tls: FIPS 140-3 modes reject ECDSA w/ curve P-521/SHA-512 in TLS
* go#72826 go/types, types2: CheckExpr / Eval may mutate type checked objects (=> data race)
* go#72872 runtime: cgo callback on extra M treated as external code after nested cgo callback returns
* go#72934 testing: b.StopTimer breaks b.Loop
* go#72938 internal/godebugs: winsymlink and winreadlinkvolume have incorrect defaults for Go 1.22
* go#72974 testing: b.Loop gives bogus results in some situations
- Packaging improvements:
* SLE-12 only: Add declarations to Cgo seccomp_linux.go
for new syscalls seccomp and getrandom which are not present
in the kernel headers supplied by glibc version in SLE-12.
(Marcus Meissner)
Refs boo#1239182
net/http package, as well as bug fixes to cgo, the compiler, the
go command, and the reflect, runtime, and syscall packages.
OBS-URL: https://build.opensuse.org/request/show/1266333
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.24?expand=0&rev=12
- go1.24.1 (released 2025-03-04) includes security fixes to the
net/http, x/net/proxy, and x/net/http/httpproxy packages, as well
as bug fixes to the compiler, the runtime, the go command and the
crypto, debug, os and reflect packages.
Refs boo#1236217 go1.24 release tracking
CVE-2025-22870
* go#71986 go#71984 boo#1238572 security: fix CVE-2025-22870 net/http, x/net/proxy, x/net/http/httpproxy: proxy bypass using IPv6 zone IDs
* go#71687 cmd/go: panics with GOAUTH='git dir' go get -x
* go#71705 runtime: add linkname of runtime.lastmoduledatap for cloudwego/sonic
* go#71728 runtime: usleep computes wrong tv_nsec on s390x
* go#71745 crypto: add fips140 as an opaque GODEBUG setting and add documentation for it
* go#71829 cmd/compile: fail to compile package in 1.24
* go#71836 os: possible regression from Go 1.23 to Go 1.24 when opening DevNull with O_TRUNC
* go#71840 runtime: recover added in range-over-func loop body doesn't stop panic propagation / segfaults printing error
* go#71849 os: spurious SIGCHILD on running child process
* go#71855 cmd/compile: Pow10 freeze the compiler on certain condition on Go 1.24
* go#71858 debug/buildinfo: false positives with external scanners flag for go117 binary in testdata
* go#71876 reflect: Value.Seq panicking on functional iterator methods
* go#71904 cmd/compile: nil dereference when storing field of non-nil struct value
* go#71916 reflect: Value.Seq iteration value types not matching the type of given int types
* go#71938 cmd/compile: "fatal error: found pointer to free object" on arm64
* go#71955 proposal: runtime: allow cleanups to run concurrently
* go#71963 runtime/cgo: does not build with -Wdeclaration-after-statement
* go#71977 syscall: js/wasm file operations fail on windows / node.js (forwarded request 1250289 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1250292
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.24?expand=0&rev=5
- go1.24.1 (released 2025-03-04) includes security fixes to the
net/http, x/net/proxy, and x/net/http/httpproxy packages, as well
as bug fixes to the compiler, the runtime, the go command and the
crypto, debug, os and reflect packages.
Refs boo#1236217 go1.24 release tracking
CVE-2025-22870
* go#71986 go#71984 boo#1238572 security: fix CVE-2025-22870 net/http, x/net/proxy, x/net/http/httpproxy: proxy bypass using IPv6 zone IDs
* go#71687 cmd/go: panics with GOAUTH='git dir' go get -x
* go#71705 runtime: add linkname of runtime.lastmoduledatap for cloudwego/sonic
* go#71728 runtime: usleep computes wrong tv_nsec on s390x
* go#71745 crypto: add fips140 as an opaque GODEBUG setting and add documentation for it
* go#71829 cmd/compile: fail to compile package in 1.24
* go#71836 os: possible regression from Go 1.23 to Go 1.24 when opening DevNull with O_TRUNC
* go#71840 runtime: recover added in range-over-func loop body doesn't stop panic propagation / segfaults printing error
* go#71849 os: spurious SIGCHILD on running child process
* go#71855 cmd/compile: Pow10 freeze the compiler on certain condition on Go 1.24
* go#71858 debug/buildinfo: false positives with external scanners flag for go117 binary in testdata
* go#71876 reflect: Value.Seq panicking on functional iterator methods
* go#71904 cmd/compile: nil dereference when storing field of non-nil struct value
* go#71916 reflect: Value.Seq iteration value types not matching the type of given int types
* go#71938 cmd/compile: "fatal error: found pointer to free object" on arm64
* go#71955 proposal: runtime: allow cleanups to run concurrently
* go#71963 runtime/cgo: does not build with -Wdeclaration-after-statement
* go#71977 syscall: js/wasm file operations fail on windows / node.js
OBS-URL: https://build.opensuse.org/request/show/1250289
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.24?expand=0&rev=10
- go1.24.1 (released 2025-03-04) includes security fixes to the
net/http, x/net/proxy, and x/net/http/httpproxy packages, as well
as bug fixes to the compiler, the runtime, the go command and the
crypto, debug, os and reflect packages.
Refs boo#1236217 go1.24 release tracking
CVE-2025-22870
* go#71986 go#71984 boo#1238572 security: fix CVE-2025-22870 net/http, x/net/proxy, x/net/http/httpproxy: proxy bypass using IPv6 zone IDs
* go#71977 syscall: js/wasm file operations fail on windows / node.js
* go#71963 runtime/cgo: does not build with -Wdeclaration-after-statement
* go#71955 proposal: runtime: allow cleanups to run concurrently
* go#71938 cmd/compile: "fatal error: found pointer to free object" on arm64
* go#71916 reflect: Value.Seq iteration value types not matching the type of given int types
* go#71904 cmd/compile: nil dereference when storing field of non-nil struct value
* go#71876 reflect: Value.Seq panicking on functional iterator methods
* go#71858 debug/buildinfo: false positives with external scanners flag for go117 binary in testdata
* go#71855 cmd/compile: Pow10 freeze the compiler on certain condition on Go 1.24
* go#71849 os: spurious SIGCHILD on running child process
* go#71840 runtime: recover added in range-over-func loop body doesn't stop panic propagation / segfaults printing error
* go#71836 os: possible regression from Go 1.23 to Go 1.24 when opening DevNull with O_TRUNC
* go#71829 cmd/compile: fail to compile package in 1.24
* go#71745 crypto: add fips140 as an opaque GODEBUG setting and add documentation for it
* go#71728 runtime: usleep computes wrong tv_nsec on s390x
* go#71705 runtime: add linkname of runtime.lastmoduledatap for cloudwego/sonic
* go#71687 cmd/go: panics with GOAUTH='git dir' go get -x
OBS-URL: https://build.opensuse.org/request/show/1250286
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.24?expand=0&rev=9
- go1.24rc3 (released 2024-02-05) is a release candidate version of
go1.24 cut from the master branch at the revision tagged
go1.24rc3.
Refs boo#1236217 go1.24 release tracking
CVE-2025-22866 CVE-2025-22867
* go#71423 go#71383 boo#1236801 security: fix CVE-2025-22866 crypto/internal/fips140/nistec: p256NegCond is variable time on ppc64le
* go#71476 boo#1236839 security: fix CVE-2025-22867 cmd/go: arbitrary code execution during build on darwin (forwarded request 1243515 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1243516
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.24?expand=0&rev=3
- go1.24rc3 (released 2024-02-05) is a release candidate version of
go1.24 cut from the master branch at the revision tagged
go1.24rc3.
Refs boo#1236217 go1.24 release tracking
CVE-2025-22866 CVE-2025-22867
* go#71423 go#71383 boo#1236801 security: fix CVE-2025-22866 crypto/internal/fips140/nistec: p256NegCond is variable time on ppc64le
* go#71476 boo#1236839 security: fix CVE-2025-22867 cmd/go: arbitrary code execution during build on darwin
OBS-URL: https://build.opensuse.org/request/show/1243515
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.24?expand=0&rev=5
