- go1.25.7 (released 2026-02-04) includes security fixes to the go
command and the crypto/tls package, as well as bug fixes to the
compiler and the crypto/x509 package.
Refs boo#1244485 go1.25 release tracking
CVE-2025-61732 CVE-2025-68121
* go#77129 go#76697 boo#1257692 security: fix CVE-2025-61732 cmd/go: potential code smuggling using doc comments
* go#77356 go#77217 boo#1256818 security: fix CVE-2025-68121 crypto/tls: revert Config.Clone change and apply lightweight chain validation
* go#75844 cmd/compile: OOM killed on linux/arm64
* go#77323 crypto/x509: single-label excluded DNS name constraints incorrectly match all wildcard SANs
* go#77425 crypto/tls: CL 737700 broke session resumption on macOS (forwarded request 1332053 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1332056
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.25?expand=0&rev=14
- go1.25.7 (released 2026-02-04) includes security fixes to the go
command and the crypto/tls package, as well as bug fixes to the
compiler and the crypto/x509 package.
Refs boo#1244485 go1.25 release tracking
CVE-2025-61732 CVE-2025-68121
* go#77129 go#76697 boo#1257692 security: fix CVE-2025-61732 cmd/go: potential code smuggling using doc comments
* go#77356 go#77217 boo#1256818 security: fix CVE-2025-68121 crypto/tls: revert Config.Clone change and apply lightweight chain validation
* go#75844 cmd/compile: OOM killed on linux/arm64
* go#77323 crypto/x509: single-label excluded DNS name constraints incorrectly match all wildcard SANs
* go#77425 crypto/tls: CL 737700 broke session resumption on macOS
OBS-URL: https://build.opensuse.org/request/show/1332053
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.25?expand=0&rev=20
- go1.25.6 (released 2026-01-15) includes security fixes to the go
command, and the archive/zip, crypto/tls, and net/url packages,
as well as bug fixes to the compiler, the runtime, and the
crypto/tls, errors, and os packages.
Refs boo#1244485 go1.25 release tracking
CVE-2025-61726 CVE-2025-61728 CVE-2025-61730 CVE-2025-61731 CVE-2025-68119 CVE-2025-68121
* go#76855 go#76443 boo#1256821 security: fix CVE-2025-61730 crypto/tls: handshake messages may be processed at the incorrect encryption level
* go#77104 go#77099 boo#1256820 security: fix CVE-2025-68119 cmd/go: unexpected code execution when invoking toolchain
* go#77106 go#77100 boo#1256819 security: fix CVE-2025-61731 cmd/go: bypass of flag sanitization can lead to arbitrary code execution
* go#77108 go#77101 boo#1256817 security: fix CVE-2025-61726 net/http: memory exhaustion in Request.ParseForm
* go#77110 go#77102 boo#1256816 security: fix CVE-2025-61728 archive/zip: denial of service when parsing arbitrary ZIP archives
* go#77115 go#77113 boo#1256818 security: fix CVE-2025-68121 crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain
* go#76392 os: package initialization hangs is Stdin is blocked
* go#76409 crypto/tls: earlyTrafficSecret should use ClientHelloInner if ECH enabled
* go#76620 os: on Unix, Readdirnames skips directory entries with zero inodes
* go#76761 runtime: stack split at bad time in os/signal with Go 1.25.4 windows 386
* go#76776 runtime: race detector crash on ppc64le
* go#76967 cmd/compile/internal/ssa: Compile.func1(): panic during sccp while compiling <function>: runtime error: index out of range
* go#76973 errors: errors.Join behavior changed in 1.25 (forwarded request 1327527 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1327532
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.25?expand=0&rev=13
- go1.25.6 (released 2026-01-15) includes security fixes to the go
command, and the archive/zip, crypto/tls, and net/url packages,
as well as bug fixes to the compiler, the runtime, and the
crypto/tls, errors, and os packages.
Refs boo#1244485 go1.25 release tracking
CVE-2025-61726 CVE-2025-61728 CVE-2025-61730 CVE-2025-61731 CVE-2025-68119 CVE-2025-68121
* go#76855 go#76443 boo#1256821 security: fix CVE-2025-61730 crypto/tls: handshake messages may be processed at the incorrect encryption level
* go#77104 go#77099 boo#1256820 security: fix CVE-2025-68119 cmd/go: unexpected code execution when invoking toolchain
* go#77106 go#77100 boo#1256819 security: fix CVE-2025-61731 cmd/go: bypass of flag sanitization can lead to arbitrary code execution
* go#77108 go#77101 boo#1256817 security: fix CVE-2025-61726 net/http: memory exhaustion in Request.ParseForm
* go#77110 go#77102 boo#1256816 security: fix CVE-2025-61728 archive/zip: denial of service when parsing arbitrary ZIP archives
* go#77115 go#77113 boo#1256818 security: fix CVE-2025-68121 crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain
* go#76392 os: package initialization hangs is Stdin is blocked
* go#76409 crypto/tls: earlyTrafficSecret should use ClientHelloInner if ECH enabled
* go#76620 os: on Unix, Readdirnames skips directory entries with zero inodes
* go#76761 runtime: stack split at bad time in os/signal with Go 1.25.4 windows 386
* go#76776 runtime: race detector crash on ppc64le
* go#76967 cmd/compile/internal/ssa: Compile.func1(): panic during sccp while compiling <function>: runtime error: index out of range
* go#76973 errors: errors.Join behavior changed in 1.25
OBS-URL: https://build.opensuse.org/request/show/1327527
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.25?expand=0&rev=19
- go1.25.6 (released 2026-01-15) includes security fixes to the go
command, and the archive/zip, crypto/tls, and net/url packages,
as well as bug fixes to the compiler, the runtime, and the
crypto/tls, errors, and os packages.
Refs boo#1244485 go1.25 release tracking
CVE-2025-61726 CVE-2025-61728 CVE-2025-61730 CVE-2025-61731 CVE-2025-68119 CVE-2025-68121
* go#76855 go#76443 boo#1256821 security: fix CVE-2025-61730 crypto/tls: handshake messages may be processed at the incorrect encryption level
* go#77104 go#77099 boo#1256820 security: fix CVE-2025-68119 cmd/go: unexpected code execution when invoking toolchain
* go#77106 go#77100 boo#1256819 security: fix CVE-2025-61731 cmd/go: bypass of flag sanitization can lead to arbitrary code execution
* go#77108 go#77101 boo#1256817 security: fix CVE-2025-61726 net/http: memory exhaustion in Request.ParseForm
* go#77110 go#77102 boo#1256816 security: fix CVE-2025-61728 archive/zip: denial of service when parsing arbitrary ZIP archives
* go#77115 go#77113 boo#1256818 security: fix CVE-2025-68121 crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain
* go#76392 os: package initialization hangs is Stdin is blocked
* go#76409 crypto/tls: earlyTrafficSecret should use ClientHelloInner if ECH enabled
* go#76620 os: on Unix, Readdirnames skips directory entries with zero inodes
* go#76761 runtime: stack split at bad time in os/signal with Go 1.25.4 windows 386
* go#76776 runtime: race detector crash on ppc64le
* go#76967 cmd/compile/internal/ssa: Compile.func1(): panic during sccp while compiling <function>: runtime error: index out of range
* go#76973 errors: errors.Join behavior changed in 1.25
OBS-URL: https://build.opensuse.org/request/show/1327505
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.25?expand=0&rev=18
- go1.25.5 (released 2025-12-02) includes two security fixes to the
crypto/x509 package, as well as bug fixes to the mime and os
packages.
Refs boo#1244485 go1.25 release tracking
CVE-2025-61729 CVE-2025-61727
* go#76461 go#76445 boo#1254431 security: fix CVE-2025-61729 crypto/x509: excessive resource consumption in printing error string for host certificate validation
* go#76464 go#76442 boo#1254430 security: fix CVE-2025-61727 crypto/x509: excluded subdomain constraint doesn't preclude wildcard SAN
* go#76245 mime: FormatMediaType and ParseMediaType not compatible across 1.24 to 1.25
* go#76360 os: on windows RemoveAll removing directories containing read-only files errors with unlinkat ... Access is denied, ReOpenFile error handling followup (forwarded request 1320928 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1320929
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.25?expand=0&rev=12
- go1.25.5 (released 2025-12-02) includes two security fixes to the
crypto/x509 package, as well as bug fixes to the mime and os
packages.
Refs boo#1244485 go1.25 release tracking
CVE-2025-61729 CVE-2025-61727
* go#76461 go#76445 boo#1254431 security: fix CVE-2025-61729 crypto/x509: excessive resource consumption in printing error string for host certificate validation
* go#76464 go#76442 boo#1254430 security: fix CVE-2025-61727 crypto/x509: excluded subdomain constraint doesn't preclude wildcard SAN
* go#76245 mime: FormatMediaType and ParseMediaType not compatible across 1.24 to 1.25
* go#76360 os: on windows RemoveAll removing directories containing read-only files errors with unlinkat ... Access is denied, ReOpenFile error handling followup
OBS-URL: https://build.opensuse.org/request/show/1320928
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.25?expand=0&rev=17
- go1.25.5 (released 2025-12-02) includes two security fixes to the
crypto/x509 package, as well as bug fixes to the mime and os
packages.
Refs boo#1244485 go1.25 release tracking
* go#76461 go#76445 boo#1254431 security: fix CVE-2025-61729 crypto/x509: excessive resource consumption in printing error string for host certificate validation
* go#76464 go#76442 boo#1254430 security: fix CVE-2025-61727 crypto/x509: excluded subdomain constraint doesn't preclude wildcard SAN
* go#76245 mime: FormatMediaType and ParseMediaType not compatible across 1.24 to 1.25
* go#76360 os: on windows RemoveAll removing directories containing read-only files errors with unlinkat ... Access is denied, ReOpenFile error handling followup
OBS-URL: https://build.opensuse.org/request/show/1320910
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.25?expand=0&rev=16
- go1.25.4 (released 2025-11-05) includes fixes to the compiler,
the runtime, and the crypto/subtle, encoding/pem, net/url, and os
packages.
Refs boo#1244485 go1.25 release tracking
* go#75480 cmd/link: linker panic and relocation errors with complex generics inlining
* go#75775 runtime: build fails when run via QEMU for linux/amd64 running on linux/arm64
* go#75790 crypto/internal/fips140/subtle: Go 1.25 subtle.xorBytes panic on MIPS
* go#75832 net/url: ipv4 mapped ipv6 addresses should be valid in square brackets
* go#75952 encoding/pem: regression when decoding blocks with leading garbage
* go#75989 os: on windows RemoveAll removing directories containing read-only files errors with unlinkat ... Access is denied
* go#76010 cmd/compile: any(func(){})==any(func(){}) does not panic but should
* go#76029 pem/encoding: malformed line endings can cause panics
- Packaging improvements:
* Remove net-url-allow-IP-literals-with-IPv4-mapped-IPv6-addresses.patch
No longer needed with go#75832 in latest upstream release (forwarded request 1316085 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1316087
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.25?expand=0&rev=10
- go1.25.4 (released 2025-11-05) includes fixes to the compiler,
the runtime, and the crypto/subtle, encoding/pem, net/url, and os
packages.
Refs boo#1244485 go1.25 release tracking
* go#75480 cmd/link: linker panic and relocation errors with complex generics inlining
* go#75775 runtime: build fails when run via QEMU for linux/amd64 running on linux/arm64
* go#75790 crypto/internal/fips140/subtle: Go 1.25 subtle.xorBytes panic on MIPS
* go#75832 net/url: ipv4 mapped ipv6 addresses should be valid in square brackets
* go#75952 encoding/pem: regression when decoding blocks with leading garbage
* go#75989 os: on windows RemoveAll removing directories containing read-only files errors with unlinkat ... Access is denied
* go#76010 cmd/compile: any(func(){})==any(func(){}) does not panic but should
* go#76029 pem/encoding: malformed line endings can cause panics
- Packaging improvements:
* Remove net-url-allow-IP-literals-with-IPv4-mapped-IPv6-addresses.patch
No longer needed with go#75832 in latest upstream release
OBS-URL: https://build.opensuse.org/request/show/1316085
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.25?expand=0&rev=12
- go1.25.4 (released 2025-11-05) includes fixes to the compiler,
the runtime, and the crypto/subtle, encoding/pem, net/url, and os
packages.
* go#75480 cmd/link: linker panic and relocation errors with complex generics inlining
* go#75775 runtime: build fails when run via QEMU for linux/amd64 running on linux/arm64
* go#75790 crypto/internal/fips140/subtle: Go 1.25 subtle.xorBytes panic on MIPS
* go#75832 net/url: ipv4 mapped ipv6 addresses should be valid in square brackets
* go#75952 encoding/pem: regression when decoding blocks with leading garbage
* go#75989 os: on windows RemoveAll removing directories containing read-only files errors with unlinkat ... Access is denied
* go#76010 cmd/compile: any(func(){})==any(func(){}) does not panic but should
* go#76029 pem/encoding: malformed line endings can cause panics
- Packaging improvements:
* Remove net-url-allow-IP-literals-with-IPv4-mapped-IPv6-addresses.patch
No longer needed with go#75832 in latest upstream release
OBS-URL: https://build.opensuse.org/request/show/1316075
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.25?expand=0&rev=11
- go1.25.3 (released 2025-10-13) includes fixes to the crypto/x509
package.
Refs boo#1244485 go1.25 release tracking
* go#75861 crypto/x509: TLS validation fails for FQDNs with trailing dot
* go#75777 spec: Go1.25 spec should be dated closer to actual release date
- Packaging improvements:
* Add net-url-allow-IP-literals-with-IPv4-mapped-IPv6-addresses.patch
needed today and will be available in the next upstream release (forwarded request 1311561 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1311563
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.25?expand=0&rev=9
- go1.25.3 (released 2025-10-13) includes fixes to the crypto/x509
package.
Refs boo#1244485 go1.25 release tracking
* go#75861 crypto/x509: TLS validation fails for FQDNs with trailing dot
* go#75777 spec: Go1.25 spec should be dated closer to actual release date
- Packaging improvements:
* Add net-url-allow-IP-literals-with-IPv4-mapped-IPv6-addresses.patch
needed today and will be available in the next upstream release
OBS-URL: https://build.opensuse.org/request/show/1311561
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.25?expand=0&rev=10
- go1.25.2 (released 2025-10-07) includes security fixes to the
archive/tar, crypto/tls, crypto/x509, encoding/asn1,
encoding/pem, net/http, net/mail, net/textproto, and net/url
packages, as well as bug fixes to the compiler, the runtime, and
the context, debug/pe, net/http, os, and sync/atomic packages.
Refs boo#1244485 go1.25 release tracking
CVE-2025-58189 CVE-2025-61725 CVE-2025-58188 CVE-2025-58185 CVE-2025-58186 CVE-2025-61723 CVE-2025-58183 CVE-2025-47912 CVE-2025-58187 CVE-2025-61724
* go#75661 go#75652 boo#1251255 security: fix CVE-2025-58189 crypto/tls: ALPN negotiation error contains attacker controlled information
* go#75701 go#75680 boo#1251253 security: fix CVE-2025-61725 net/mail: excessive CPU consumption in ParseAddress
* go#75703 go#75675 boo#1251260 security: fix CVE-2025-58188 crypto/x509: panic when validating certificates with DSA public keys
* go#75705 go#75671 boo#1251258 security: fix CVE-2025-58185 encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion
* go#75707 go#75672 boo#1251259 security: fix CVE-2025-58186 net/http: lack of limit when parsing cookies can cause memory exhaustion
* go#75709 go#75676 boo#1251256 security: fix CVE-2025-61723 encoding/pem: quadratic complexity when parsing some invalid inputs
* go#75711 go#75677 boo#1251261 security: fix CVE-2025-58183 archive/tar: unbounded allocation when parsing GNU sparse map
* go#75713 go#75678 boo#1251257 security: fix CVE-2025-47912 net/url: insufficient validation of bracketed IPv6 hostnames
* go#75715 go#75681 boo#1251254 security: fix CVE-2025-58187 crypto/x509: quadratic complexity when checking name constraints
* go#75718 go#75716 boo#1251262 security: fix CVE-2025-61724 net/textproto: excessive CPU consumption in Reader.ReadResponse
* go#75111 os, syscall: volume handles with FILE_FLAG_OVERLAPPED fail when calling ReadAt
* go#75116 os: Root.MkdirAll can return "file exists" when called concurrently on the same path
* go#75139 os: Root.OpenRoot sets incorrect name, losing prefix of original root
* go#75221 debug/pe: pe.Open fails on object files produced by llvm-mingw 21
* go#75255 cmd/compile: export to DWARF types only referenced through interfaces
* go#75347 testing/synctest: test timeout with no runnable goroutines
* go#75357 net: new test TestIPv4WriteMsgUDPAddrPortTargetAddrIPVersion fails on plan9
* go#75524 crypto/internal/fips140/rsa: requires a panic if self-tests fail
* go#75537 context: Err can return non-nil before Done channel is closed
* go#75539 net/http: internal error: connCount underflow
* go#75595 cmd/compile: internal compiler error with GOEXPERIMENT=cgocheck2 on github.com/leodido/go-urn
* go#75610 sync/atomic: comment for Uintptr.Or incorrectly describes return value
* go#75669 runtime: debug.decoratemappings don't work as expected (forwarded request 1309724 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1309726
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.25?expand=0&rev=7
- go1.25.2 (released 2025-10-07) includes security fixes to the
archive/tar, crypto/tls, crypto/x509, encoding/asn1,
encoding/pem, net/http, net/mail, net/textproto, and net/url
packages, as well as bug fixes to the compiler, the runtime, and
the context, debug/pe, net/http, os, and sync/atomic packages.
Refs boo#1244485 go1.25 release tracking
CVE-2025-58189 CVE-2025-61725 CVE-2025-58188 CVE-2025-58185 CVE-2025-58186 CVE-2025-61723 CVE-2025-58183 CVE-2025-47912 CVE-2025-58187 CVE-2025-61724
* go#75661 go#75652 boo#1251255 security: fix CVE-2025-58189 crypto/tls: ALPN negotiation error contains attacker controlled information
* go#75701 go#75680 boo#1251253 security: fix CVE-2025-61725 net/mail: excessive CPU consumption in ParseAddress
* go#75703 go#75675 boo#1251260 security: fix CVE-2025-58188 crypto/x509: panic when validating certificates with DSA public keys
* go#75705 go#75671 boo#1251258 security: fix CVE-2025-58185 encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion
* go#75707 go#75672 boo#1251259 security: fix CVE-2025-58186 net/http: lack of limit when parsing cookies can cause memory exhaustion
* go#75709 go#75676 boo#1251256 security: fix CVE-2025-61723 encoding/pem: quadratic complexity when parsing some invalid inputs
* go#75711 go#75677 boo#1251261 security: fix CVE-2025-58183 archive/tar: unbounded allocation when parsing GNU sparse map
* go#75713 go#75678 boo#1251257 security: fix CVE-2025-47912 net/url: insufficient validation of bracketed IPv6 hostnames
* go#75715 go#75681 boo#1251254 security: fix CVE-2025-58187 crypto/x509: quadratic complexity when checking name constraints
* go#75718 go#75716 boo#1251262 security: fix CVE-2025-61724 net/textproto: excessive CPU consumption in Reader.ReadResponse
* go#75111 os, syscall: volume handles with FILE_FLAG_OVERLAPPED fail when calling ReadAt
* go#75116 os: Root.MkdirAll can return "file exists" when called concurrently on the same path
* go#75139 os: Root.OpenRoot sets incorrect name, losing prefix of original root
* go#75221 debug/pe: pe.Open fails on object files produced by llvm-mingw 21
* go#75255 cmd/compile: export to DWARF types only referenced through interfaces
* go#75347 testing/synctest: test timeout with no runnable goroutines
* go#75357 net: new test TestIPv4WriteMsgUDPAddrPortTargetAddrIPVersion fails on plan9
* go#75524 crypto/internal/fips140/rsa: requires a panic if self-tests fail
* go#75537 context: Err can return non-nil before Done channel is closed
* go#75539 net/http: internal error: connCount underflow
* go#75595 cmd/compile: internal compiler error with GOEXPERIMENT=cgocheck2 on github.com/leodido/go-urn
* go#75610 sync/atomic: comment for Uintptr.Or incorrectly describes return value
* go#75669 runtime: debug.decoratemappings don't work as expected
OBS-URL: https://build.opensuse.org/request/show/1309724
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.25?expand=0&rev=8
- go1.25.1 (released 2025-09-03) includes security fixes to the
net/http package, as well as bug fixes to the go command, and the
net, os, os/exec, and testing/synctest packages.
Refs boo#1244485 go1.25 release tracking
CVE-2025-47910
* go#75160 go#75054 boo#1249141 security: fix CVE-2025-47910 net/http: CrossOriginProtection insecure bypass patterns not limited to exact matches
* go#74822 cmd/go: "get toolchain@latest" should ignore release candidates
* go#74999 net: WriteMsgUDPAddrPort should accept IPv4-mapped IPv6 destination addresses on IPv4 UDP sockets
* go#75008 os/exec: TestLookPath fails on plan9 after CL 685755
* go#75021 testing/synctest: bubble not terminating
* go#75083 os: File.Seek doesn't set the correct offset with Windows overlapped handles
- Packaging improvements:
* Remove conditional gccgo bootstrap sections and gcc-go.patch.
gccgo cannot be used in any version newer than go1.21. Removal
simplifies go1.x package code.
* go1.21 can optionally be bootstrapped with gccgo and serve as
the inital version of go1.x.
* go1.21 will be the initial version of Go in the bootstrap chain
until gcc gccgo is updated to support a language level newer
than go1.18.
* Drop gcc-go.patch
* Refs boo#1247816 bootstrap go1.21 with gccgo
* Refs boo#1248082 drop unused gccgo bootstrap code in go1.22+
OBS-URL: https://build.opensuse.org/request/show/1302806
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.25?expand=0&rev=5
- go1.25.1 (released 2025-09-03) includes security fixes to the
net/http package, as well as bug fixes to the go command, and the
net, os, os/exec, and testing/synctest packages.
Refs boo#1244485 go1.25 release tracking
CVE-2025-47910
* go#75160 go#75054 boo#1249141 security: fix CVE-2025-47910 net/http: CrossOriginProtection insecure bypass patterns not limited to exact matches
* go#74822 cmd/go: "get toolchain@latest" should ignore release candidates
* go#74999 net: WriteMsgUDPAddrPort should accept IPv4-mapped IPv6 destination addresses on IPv4 UDP sockets
* go#75008 os/exec: TestLookPath fails on plan9 after CL 685755
* go#75021 testing/synctest: bubble not terminating
* go#75083 os: File.Seek doesn't set the correct offset with Windows overlapped handles
OBS-URL: https://build.opensuse.org/request/show/1302804
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.25?expand=0&rev=6
- Packaging improvements:
* Remove conditional gccgo bootstrap sections and gcc-go.patch.
gccgo cannot be used in any version newer than go1.21. Removal
simplifies go1.x package code.
* go1.21 can optionally be bootstrapped with gccgo and serve as
the inital version of go1.x.
* go1.21 will be the initial version of Go in the bootstrap chain
until gcc gccgo is updated to support a language level newer
than go1.18.
* Drop gcc-go.patch
* Refs boo#1247816 bootstrap go1.21 with gccgo
* Refs boo#1248082 drop unused gccgo bootstrap code in go1.22+
OBS-URL: https://build.opensuse.org/request/show/1300145
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.25?expand=0&rev=5
- go1.25 (released 2025-08-12) is a major release of Go.
go1.25.x minor releases will be provided through August 2026.
https://github.com/golang/go/wiki/Go-Release-Cycle
go1.25 arrives six months after Go 1.24. Most of its changes are
in the implementation of the toolchain, runtime, and
libraries. As always, the release maintains the Go 1 promise of
compatibility. We expect almost all Go programs to continue to
compile and run as before.
Refs boo#1244485 go1.25 release tracking
* Language changes: There are no languages changes that affect Go
programs in Go 1.25. However, in the language specification the
notion of core types has been removed in favor of dedicated
prose. See the respective blog post for more information.
* go command: The go build -asan option now defaults to doing
leak detection at program exit. This will report an error if
memory allocated by C is not freed and is not referenced by any
other memory allocated by either C or Go. These new error
reports may be disabled by setting ASAN_OPTIONS=detect_leaks=0
in the environment when running the program.
* go command: The Go distribution will include fewer prebuilt
tool binaries. Core toolchain binaries such as the compiler and
linker will still be included, but tools not invoked by build
or test operations will be built and run by go tool as needed.
* go command: The new go.mod ignore directive can be used to
specify directories the go command should ignore. Files in
these directories and their subdirectories will be ignored by
the go command when matching package patterns, such as all or
./..., but will still be included in module zip files.
* go command: The new go doc -http option will start a
documentation server showing documentation for the requested
OBS-URL: https://build.opensuse.org/request/show/1299279
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.25?expand=0&rev=4
- go1.25 (released 2025-08-12) is a major release of Go.
go1.25.x minor releases will be provided through August 2026.
https://github.com/golang/go/wiki/Go-Release-Cycle
go1.25 arrives six months after Go 1.24. Most of its changes are
in the implementation of the toolchain, runtime, and
libraries. As always, the release maintains the Go 1 promise of
compatibility. We expect almost all Go programs to continue to
compile and run as before.
Refs boo#1244485 go1.25 release tracking
* Language changes: There are no languages changes that affect Go
programs in Go 1.25. However, in the language specification the
notion of core types has been removed in favor of dedicated
prose. See the respective blog post for more information.
* go command: The go build -asan option now defaults to doing
leak detection at program exit. This will report an error if
memory allocated by C is not freed and is not referenced by any
other memory allocated by either C or Go. These new error
reports may be disabled by setting ASAN_OPTIONS=detect_leaks=0
in the environment when running the program.
* go command: The Go distribution will include fewer prebuilt
tool binaries. Core toolchain binaries such as the compiler and
linker will still be included, but tools not invoked by build
or test operations will be built and run by go tool as needed.
* go command: The new go.mod ignore directive can be used to
specify directories the go command should ignore. Files in
these directories and their subdirectories will be ignored by
the go command when matching package patterns, such as all or
./..., but will still be included in module zip files.
* go command: The new go doc -http option will start a
documentation server showing documentation for the requested
OBS-URL: https://build.opensuse.org/request/show/1299278
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.25?expand=0&rev=4
- go1.25rc3 (released 2025-08-06) is a release candidate version of
go1.25 cut from the master branch at the revision tagged
go1.25rc3.
Refs boo#1244485 go1.25 release tracking
CVE-2025-47906 CVE-2025-47907
* go#74466 boo#1247719 security: fix CVE-2025-47906 os/exec: LookPath bug: incorrect expansion of "", "." and ".." in some PATH configurations
* go#74831 boo#1247720 security: fix CVE-2025-47907 database/sql: incorrect results returned from Rows.Scan
OBS-URL: https://build.opensuse.org/request/show/1298040
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.25?expand=0&rev=3
- go1.25rc3 (released 2025-08-06) is a release candidate version of
go1.25 cut from the master branch at the revision tagged
go1.25rc3.
Refs boo#1244485 go1.25 release tracking
CVE-2025-47906 CVE-2025-47907
* go#74466 boo#1247719 security: fix CVE-2025-47906 os/exec: LookPath bug: incorrect expansion of "", "." and ".." in some PATH configurations
* go#74831 boo#1247720 security: fix CVE-2025-47907 database/sql: incorrect results returned from Rows.Scan
OBS-URL: https://build.opensuse.org/request/show/1298037
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.25?expand=0&rev=3
