Dominique Leuenberger
0e531b76f7
- go1.25.10 (released 2026-05-07) includes security fixes to the go command, the pack tool, and the html/template, net, net/http, net/http/httputil, net/mail, and syscall packages, as well as bug fixes to the go command, the compiler, the linker, the runtime, and the crypto/fips140, go/types, and os packages. Refs boo#1244485 go1.25 release tracking CVE-2026-33811 CVE-2026-33814 CVE-2026-39817 CVE-2026-39819 CVE-2026-39820 CVE-2026-39823 CVE-2026-39825 CVE-2026-39826 CVE-2026-39836 CVE-2026-42499 CVE-2026-42501 * go#78812 go#78803 boo#1264508 security: fix CVE-2026-33811 net: crash when handling long CNAME response * go#78477 go#78476 boo#1264506 security: fix CVE-2026-33814 net/http: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE * go#78790 go#78778 boo#1264505 security: fix CVE-2026-39817 cmd/go: "go tool pack" does not sanitize output paths * go#78587 go#78584 boo#1264504 security: fix CVE-2026-39819 cmd/go: "go bug" follows symlinks in predictable temporary filenames * go#78567 go#78566 boo#1264503 security: fix CVE-2026-39820 net/mail: quadratic string concatentation in consumeComment * go#79031 go#78913 boo#1264509 security: fix CVE-2026-39823 html/template: bypass of meta content URL escaping causes XSS * go#78985 go#78948 boo#1264500 security: fix CVE-2026-39825 net/http/httputil: ReverseProxy forwards queries with more than urlmaxqueryparams parameters * go#79024 go#78981 boo#1264507 security: fix CVE-2026-39826 html/template: escaper bypass leads to XSS * go#79028 go#79006 boo#1264501 security: fix CVE-2026-39836 net/http/httputil: ReverseProxy forwards queries with more than urlmaxqueryparams parameters * go#79003 go#78987 boo#1264502 security: fix CVE-2026-42499 net/mail: quadratic string concatenation in consumePhrase * go#79072 go#79070 boo#1264499 security: fix CVE-2026-42501 cmd/go: malicious module proxy can bypass checksum database * go#77298 cmd/compile: go1.22+ cmd with go.mod 1.21 generates per-loop variable when using line directive * go#78374 cmd/compile: incorrect loop trip count * go#78405 cmd/link: stop requiring gold on arm64 when GNU ld is fixed * go#78411 cmd/go: test -cover can't find covdata tool with switched toolchain and empty tests * go#78510 cmd/cgo/internal/testsanitizers: TestLSAN/lsan1,2, and 3 always fail on linux with glibc 2.42 * go#78581 cmd/compile: panic on invalid generic append with type parameter spread * go#78582 cmd/go: test cache uses stale coverage data with -coverpkg * go#78675 cmd/compile: ice expecting positive value on loop iterating by math.MinInt64 (regression) * go#78866 os: RemoveAll can leak internal errSymlink as a user-visible PathError on Unix * go#78983 lib/fips140: update certified and inprocess aliases * go#79020 crypto/fips140: missing package comment - Packaging improvements: (forwarded request 1351538 from jfkw) OBS-URL: https://build.opensuse.org/request/show/1351540 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.25?expand=0&rev=17
# Go Programming Language
OBS: https://build.opensuse.org/project/show/devel:languages:go
Maintainer: Jeff Kowalczyk
Wiki: http://en.opensuse.org/Go
http://en.opensuse.org/openSUSE:Packaging_Go