- go1.22.7 (released 2024-09-05) includes security fixes to the
encoding/gob, go/build/constraint, and go/parser packages, as
well as bug fixes to the fix command and the runtime.
Refs boo#1218424 go1.22 release tracking
CVE-2024-34155 CVE-2024-34156 CVE-2024-34158
- go#69142 go#69138 boo#1230252 security: fix CVE-2024-34155 go/parser: stack exhaustion in all Parse* functions (CVE-2024-34155)
- go#69144 go#69139 boo#1230253 security: fix CVE-2024-34156 encoding/gob: stack exhaustion in Decoder.Decode (CVE-2024-34156)
- go#69148 go#69141 boo#1230254 security: fix CVE-2024-34158 go/build/constraint: stack exhaustion in Parse (CVE-2024-34158)
- go#68811 os: TestChtimes failures
- go#68825 cmd/fix: fails to run on modules whose go directive value is in "1.n.m" format introduced in Go 1.21.0
- go#68972 cmd/cgo: aix c-archive corrupting stack (forwarded request 1199061 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1199062
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.22?expand=0&rev=13
encoding/gob, go/build/constraint, and go/parser packages, as
well as bug fixes to the fix command and the runtime.
Refs boo#1218424 go1.22 release tracking
CVE-2024-34155 CVE-2024-34156 CVE-2024-34158
- go#69142 go#69138 boo#1230252 security: fix CVE-2024-34155 go/parser: stack exhaustion in all Parse* functions (CVE-2024-34155)
- go#69144 go#69139 boo#1230253 security: fix CVE-2024-34156 encoding/gob: stack exhaustion in Decoder.Decode (CVE-2024-34156)
- go#69148 go#69141 boo#1230254 security: fix CVE-2024-34158 go/build/constraint: stack exhaustion in Parse (CVE-2024-34158)
- go#68811 os: TestChtimes failures
- go#68825 cmd/fix: fails to run on modules whose go directive value is in "1.n.m" format introduced in Go 1.21.0
- go#68972 cmd/cgo: aix c-archive corrupting stack
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.22?expand=0&rev=26
- go1.22.6 (released 2024-08-06) includes fixes to the go command,
the compiler, the linker, the trace command, the covdata command,
and the bytes, go/types, and os/exec packages.
Refs boo#1218424 go1.22 release tracking
* go#68594 cmd/compile: internal compiler error with zero-size types
* go#68546 cmd/trace/v2: pprof profiles always empty
* go#68492 cmd/covdata: too many open files due to defer f.Close() in for loop
* go#68475 bytes: IndexByte can return -4294967295 when memory usage is above 2^31 on js/wasm
* go#68370 go/types: assertion failure in recent range statement checking logic
* go#68331 os/exec: modifications to Path ignored when *Cmd is created using Command with an absolute path on Windows
* go#68230 cmd/compile: inconsistent integer arithmetic result on Go 1.22+arm64 with/without -race
* go#68222 cmd/go: list with -export and -covermode=atomic fails to build
* go#68198 cmd/link: issues with Xcode 16 beta (forwarded request 1192312 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1192314
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.22?expand=0&rev=12
the compiler, the linker, the trace command, the covdata command,
and the bytes, go/types, and os/exec packages.
Refs boo#1218424 go1.22 release tracking
* go#68594 cmd/compile: internal compiler error with zero-size types
* go#68546 cmd/trace/v2: pprof profiles always empty
* go#68492 cmd/covdata: too many open files due to defer f.Close() in for loop
* go#68475 bytes: IndexByte can return -4294967295 when memory usage is above 2^31 on js/wasm
* go#68370 go/types: assertion failure in recent range statement checking logic
* go#68331 os/exec: modifications to Path ignored when *Cmd is created using Command with an absolute path on Windows
* go#68230 cmd/compile: inconsistent integer arithmetic result on Go 1.22+arm64 with/without -race
* go#68222 cmd/go: list with -export and -covermode=atomic fails to build
* go#68198 cmd/link: issues with Xcode 16 beta
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.22?expand=0&rev=24
- go1.22.5 (released 2024-07-02) includes security fixes to the
net/http package, as well as bug fixes to the compiler, cgo, the
go command, the linker, the runtime, and the crypto/tls,
go/types, net, net/http, and os/exec packages.
Refs boo#1218424 go1.22 release tracking
CVE-2024-24791
* go#68200 go#67555 boo#1227314 security: fix CVE CVE-2024-24791 net/http: expect: 100-continue handling is broken in various ways
* go#65983 cmd/compile: hash of unhashable type
* go#65994 crypto/tls: segfault when calling tlsrsakex.IncNonDefault()
* go#66598 os/exec: calling Cmd.Start after setting Cmd.Path manually to absolute path without ".exe" no longer implicitly adds ".exe" in Go 1.22
* go#67298 runtime: "fatal: morestack on g0" on amd64 after upgrade to Go 1.21, stale bounds
* go#67715 cmd/cgo/internal/swig,cmd/go,x/build: swig cgo tests incompatible with C++ toolchain on builders
* go#67798 cmd/compile: internal compiler error: unexpected type: <nil> (<nil>) in for-range
* go#67820 cmd/compile: package-level variable initialization with constant dependencies doesn't match order specified in Go spec
* go#67850 go/internal/gccgoimporter: go building failing with gcc 14.1.0
* go#67934 net: go DNS resolver fails to connect to local DNS server
* go#67945 cmd/link: using -fuzz with test that links with cgo on darwin causes linker failure
* go#68052 cmd/go: go list -u -m all fails loading module retractions: module requires go >= 1.N+1 (running go 1.N)
* go#68122 cmd/link: runtime.mach_vm_region_trampoline: unsupported dynamic relocation for symbol libc_mach_task_self_ (type=29 (R_GOTPCREL) stype=46 (SDYNIMPORT)) (forwarded request 1184952 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1184954
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.22?expand=0&rev=11
- go1.22.5 (released 2024-07-02) includes security fixes to the
net/http package, as well as bug fixes to the compiler, cgo, the
go command, the linker, the runtime, and the crypto/tls,
go/types, net, net/http, and os/exec packages.
Refs boo#1218424 go1.22 release tracking
CVE-2024-24791
* go#68200 go#67555 boo#1227314 security: fix CVE CVE-2024-24791 net/http: expect: 100-continue handling is broken in various ways
* go#65983 cmd/compile: hash of unhashable type
* go#65994 crypto/tls: segfault when calling tlsrsakex.IncNonDefault()
* go#66598 os/exec: calling Cmd.Start after setting Cmd.Path manually to absolute path without ".exe" no longer implicitly adds ".exe" in Go 1.22
* go#67298 runtime: "fatal: morestack on g0" on amd64 after upgrade to Go 1.21, stale bounds
* go#67715 cmd/cgo/internal/swig,cmd/go,x/build: swig cgo tests incompatible with C++ toolchain on builders
* go#67798 cmd/compile: internal compiler error: unexpected type: <nil> (<nil>) in for-range
* go#67820 cmd/compile: package-level variable initialization with constant dependencies doesn't match order specified in Go spec
* go#67850 go/internal/gccgoimporter: go building failing with gcc 14.1.0
* go#67934 net: go DNS resolver fails to connect to local DNS server
* go#67945 cmd/link: using -fuzz with test that links with cgo on darwin causes linker failure
* go#68052 cmd/go: go list -u -m all fails loading module retractions: module requires go >= 1.N+1 (running go 1.N)
* go#68122 cmd/link: runtime.mach_vm_region_trampoline: unsupported dynamic relocation for symbol libc_mach_task_self_ (type=29 (R_GOTPCREL) stype=46 (SDYNIMPORT))
OBS-URL: https://build.opensuse.org/request/show/1184952
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.22?expand=0&rev=22
- go1.22.4 (released 2024-06-04) includes security fixes to the
archive/zip and net/netip packages, as well as bug fixes to the
compiler, the go command, the linker, the runtime, and the os
package.
Refs boo#1218424 go1.22 release tracking
CVE-2024-24789 CVE-2024-24790
* go#67554 go#66869 boo#1225973 security: fix CVE-2024-24789 archive/zip: EOCDR comment length handling is inconsistent with other ZIP implementations
* go#67682 go#67680 boo#1225974 security: fix CVE-2024-24790 net/netip: unexpected behavior from Is methods for IPv4-mapped IPv6 addresses
* go#67188 runtime/metrics: /memory/classes/heap/unused:bytes spikes
* go#67212 cmd/compile: SIGBUS unaligned access on mips64 via qemu-mips64
* go#67236 cmd/go: mod tidy reports toolchain not available with 'go 1.21'
* go#67258 runtime: unexpected fault address 0
* go#67311 cmd/go: TestScript/gotoolchain_issue66175 fails on tip locally
* go#67314 cmd/go,cmd/link: TestScript/build_issue48319 and TestScript/build_plugin_reproducible failing on LUCI gotip-darwin-amd64-longtest builder due to non-reproducible LC_UUID
* go#67352 crypto/x509: TestPlatformVerifier failures on Windows due to broken connections
* go#67460 cmd/compile: internal compiler error: panic with range over integer value
* go#67527 cmd/link: panic: machorelocsect: size mismatch
* go#67650 runtime: SIGSEGV after performing clone(CLONE_PARENT) via C constructor prior to runtime start
* go#67696 os: RemoveAll susceptible to symlink race (forwarded request 1178639 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1178641
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.22?expand=0&rev=10
- go1.22.4 (released 2024-06-04) includes security fixes to the
archive/zip and net/netip packages, as well as bug fixes to the
compiler, the go command, the linker, the runtime, and the os
package.
Refs boo#1218424 go1.22 release tracking
CVE-2024-24789 CVE-2024-24790
* go#67554 go#66869 boo#1225973 security: fix CVE-2024-24789 archive/zip: EOCDR comment length handling is inconsistent with other ZIP implementations
* go#67682 go#67680 boo#1225974 security: fix CVE-2024-24790 net/netip: unexpected behavior from Is methods for IPv4-mapped IPv6 addresses
* go#67188 runtime/metrics: /memory/classes/heap/unused:bytes spikes
* go#67212 cmd/compile: SIGBUS unaligned access on mips64 via qemu-mips64
* go#67236 cmd/go: mod tidy reports toolchain not available with 'go 1.21'
* go#67258 runtime: unexpected fault address 0
* go#67311 cmd/go: TestScript/gotoolchain_issue66175 fails on tip locally
* go#67314 cmd/go,cmd/link: TestScript/build_issue48319 and TestScript/build_plugin_reproducible failing on LUCI gotip-darwin-amd64-longtest builder due to non-reproducible LC_UUID
* go#67352 crypto/x509: TestPlatformVerifier failures on Windows due to broken connections
* go#67460 cmd/compile: internal compiler error: panic with range over integer value
* go#67527 cmd/link: panic: machorelocsect: size mismatch
* go#67650 runtime: SIGSEGV after performing clone(CLONE_PARENT) via C constructor prior to runtime start
* go#67696 os: RemoveAll susceptible to symlink race
OBS-URL: https://build.opensuse.org/request/show/1178639
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.22?expand=0&rev=20
- go1.22.3 (released 2024-05-07) includes security fixes to the go
command and the net package, as well as bug fixes to the
compiler, the runtime, and the net/http package.
Refs boo#1218424 go1.22 release tracking
CVE-2024-24787 CVE-2024-24788
* go#67122 go#67119 boo#1224017 security: fix CVE-2024-24787 cmd/go: arbitrary code execution during build on darwin
* go#67040 go#66754 boo#1224018 security: fix CVE-2024-24788 net: high cpu usage in extractExtendedRCode
* go#67018 cmd/compile: Go 1.22.x failed to be bootstrapped from 386 to ppc64le
* go#67017 cmd/compile: changing a hot concrete method to interface method triggers a PGO ICE
* go#66886 runtime: deterministic fallback hashes across process boundary
* go#66698 net/http: TestRequestLimit/h2 becomes significantly more expensive and slower after x/net@v0.23.0 (forwarded request 1172534 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1172536
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.22?expand=0&rev=9
- go1.22.3 (released 2024-05-07) includes security fixes to the go
command and the net package, as well as bug fixes to the
compiler, the runtime, and the net/http package.
Refs boo#1218424 go1.22 release tracking
CVE-2024-24787 CVE-2024-24788
* go#67122 go#67119 boo#1224017 security: fix CVE-2024-24787 cmd/go: arbitrary code execution during build on darwin
* go#67040 go#66754 boo#1224018 security: fix CVE-2024-24788 net: high cpu usage in extractExtendedRCode
* go#67018 cmd/compile: Go 1.22.x failed to be bootstrapped from 386 to ppc64le
* go#67017 cmd/compile: changing a hot concrete method to interface method triggers a PGO ICE
* go#66886 runtime: deterministic fallback hashes across process boundary
* go#66698 net/http: TestRequestLimit/h2 becomes significantly more expensive and slower after x/net@v0.23.0
OBS-URL: https://build.opensuse.org/request/show/1172534
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.22?expand=0&rev=18
- go1.22.2 (released 2024-04-03) includes a security fix to the
net/http package, as well as bug fixes to the compiler, the go
command, the linker, and the encoding/gob, go/types, net/http,
and runtime/trace packages.
Refs boo#1218424 go1.22 release tracking
CVE-2023-45288
* go#66298 go#65051 boo#1221400 security: fix CVE-2023-45288 net/http, x/net/http2: close connections when receiving too many headers
* go#65858 cmd/compile: unreachable panic with GODEBUG=gotypesalias=1
* go#66060 cmd/link: RISC-V external link, failed to find text symbol for HI20 relocation
* go#66076 cmd/compile: out-of-bounds panic with uint32 conversion and modulus operation in Go 1.22.0 on arm64
* go#66134 cmd/compile: go test . results in CLOSURE ... <unknown line number>: internal compiler error: assertion failed
* go#66137 cmd/go: go 1.22.0: go test throws errors when processing folders not listed in coverpkg argument
* go#66178 cmd/compile: ICE: panic: interface conversion: ir.Node is *ir.ConvExpr, not *ir.IndexExpr
* go#66201 runtime/trace: v2 traces contain an incorrect timestamp scaling factor on Windows
* go#66255 net/http: http2 round tripper nil pointer dereference causes panic causing deadlock
* go#66256 cmd/go: git shallow fetches broken at CL 556358
* go#66273 crypto/x509: Certificate no longer encodable using encoding/gob in Go1.22
* go#66412 cmd/link: bad carrier sym for symbol runtime.elf_savegpr0.args_stackmap on ppc64le (forwarded request 1164436 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1164438
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.22?expand=0&rev=8
- go1.22.2 (released 2024-04-03) includes a security fix to the
net/http package, as well as bug fixes to the compiler, the go
command, the linker, and the encoding/gob, go/types, net/http,
and runtime/trace packages.
Refs boo#1218424 go1.22 release tracking
CVE-2023-45288
* go#66298 go#65051 boo#1221400 security: fix CVE-2023-45288 net/http, x/net/http2: close connections when receiving too many headers
* go#65858 cmd/compile: unreachable panic with GODEBUG=gotypesalias=1
* go#66060 cmd/link: RISC-V external link, failed to find text symbol for HI20 relocation
* go#66076 cmd/compile: out-of-bounds panic with uint32 conversion and modulus operation in Go 1.22.0 on arm64
* go#66134 cmd/compile: go test . results in CLOSURE ... <unknown line number>: internal compiler error: assertion failed
* go#66137 cmd/go: go 1.22.0: go test throws errors when processing folders not listed in coverpkg argument
* go#66178 cmd/compile: ICE: panic: interface conversion: ir.Node is *ir.ConvExpr, not *ir.IndexExpr
* go#66201 runtime/trace: v2 traces contain an incorrect timestamp scaling factor on Windows
* go#66255 net/http: http2 round tripper nil pointer dereference causes panic causing deadlock
* go#66256 cmd/go: git shallow fetches broken at CL 556358
* go#66273 crypto/x509: Certificate no longer encodable using encoding/gob in Go1.22
* go#66412 cmd/link: bad carrier sym for symbol runtime.elf_savegpr0.args_stackmap on ppc64le
OBS-URL: https://build.opensuse.org/request/show/1164436
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.22?expand=0&rev=16
- go1.22.1 (released 2024-03-05) includes security fixes to the
crypto/x509, html/template, net/http, net/http/cookiejar, and
net/mail packages, as well as bug fixes to the compiler, the go
command, the runtime, the trace command, and the go/types and
net/http packages.
Refs boo#1218424 go1.22 release tracking
CVE-2023-45289 CVE-2023-45290 CVE-2024-24783 CVE-2024-24784 CVE-2024-24785
* go#65831 go#65390 boo#1220999 security: fix CVE-2024-24783 crypto/x509: Verify panics on certificates with an unknown public key algorithm
* go#65849 go#65083 boo#1221002 security: fix CVE-2024-24784 net/mail: comments in display names are incorrectly handled
* go#65850 go#65383 boo#1221001 security: fix CVE-2023-45290 net/http: memory exhaustion in Request.ParseMultipartForm
* go#65859 go#65065 boo#1221000 security: fix CVE-2023-45289 net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect
* go#65969 go#65697 boo#1221003 security: fix CVE-2024-24785 html/template: errors returned from MarshalJSON methods may break template escaping
* go#65352 cmd/go: go generate fails silently when run on a package in a nested workspace module
* go#65471 internal/testenv: TestHasGoBuild failures on the LUCI noopt builders
* go#65474 internal/testenv: support LUCI mobile builders in testenv tests
* go#65577 cmd/trace/v2: goroutine analysis page doesn't identify goroutines consistently
* go#65618 cmd/compile: Go 1.22 build fails with 1.21 PGO profile on internal/saferio change
* go#65619 cmd/compile: Go 1.22 changes support for modules that declare go 1.0
* go#65641 cmd/cgo/internal/testsanitizers,x/build: LUCI clang15 builders failing
* go#65644 runtime: crash in race detector when execution tracer reads from CPU profile buffer
* go#65728 go/types: nil pointer dereference in Alias.Underlying()
* go#65759 net/http: context cancellation can leave HTTP client with deadlocked HTTP/1.1 connections in Go1.22
* go#65760 runtime: Go 1.22.0 fails to build from source on armv7 Alpine Linux
* go#65818 runtime: go1.22.0 test with -race will SIGSEGV or SIGBUS or Bad Pointer
* go#65852 cmd/go: "missing ziphash" error with go.work
* go#65883 runtime: scheduler sometimes starves a runnable goroutine on wasm platforms (forwarded request 1155401 from jfkw)
OBS-URL: https://build.opensuse.org/request/show/1155403
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/go1.22?expand=0&rev=7
- go1.22.1 (released 2024-03-05) includes security fixes to the
crypto/x509, html/template, net/http, net/http/cookiejar, and
net/mail packages, as well as bug fixes to the compiler, the go
command, the runtime, the trace command, and the go/types and
net/http packages.
Refs boo#1218424 go1.22 release tracking
CVE-2023-45289 CVE-2023-45290 CVE-2024-24783 CVE-2024-24784 CVE-2024-24785
* go#65831 go#65390 boo#1220999 security: fix CVE-2024-24783 crypto/x509: Verify panics on certificates with an unknown public key algorithm
* go#65849 go#65083 boo#1221002 security: fix CVE-2024-24784 net/mail: comments in display names are incorrectly handled
* go#65850 go#65383 boo#1221001 security: fix CVE-2023-45290 net/http: memory exhaustion in Request.ParseMultipartForm
* go#65859 go#65065 boo#1221000 security: fix CVE-2023-45289 net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect
* go#65969 go#65697 boo#1221003 security: fix CVE-2024-24785 html/template: errors returned from MarshalJSON methods may break template escaping
* go#65352 cmd/go: go generate fails silently when run on a package in a nested workspace module
* go#65471 internal/testenv: TestHasGoBuild failures on the LUCI noopt builders
* go#65474 internal/testenv: support LUCI mobile builders in testenv tests
* go#65577 cmd/trace/v2: goroutine analysis page doesn't identify goroutines consistently
* go#65618 cmd/compile: Go 1.22 build fails with 1.21 PGO profile on internal/saferio change
* go#65619 cmd/compile: Go 1.22 changes support for modules that declare go 1.0
* go#65641 cmd/cgo/internal/testsanitizers,x/build: LUCI clang15 builders failing
* go#65644 runtime: crash in race detector when execution tracer reads from CPU profile buffer
* go#65728 go/types: nil pointer dereference in Alias.Underlying()
* go#65759 net/http: context cancellation can leave HTTP client with deadlocked HTTP/1.1 connections in Go1.22
* go#65760 runtime: Go 1.22.0 fails to build from source on armv7 Alpine Linux
* go#65818 runtime: go1.22.0 test with -race will SIGSEGV or SIGBUS or Bad Pointer
* go#65852 cmd/go: "missing ziphash" error with go.work
* go#65883 runtime: scheduler sometimes starves a runnable goroutine on wasm platforms
OBS-URL: https://build.opensuse.org/request/show/1155401
OBS-URL: https://build.opensuse.org/package/show/devel:languages:go/go1.22?expand=0&rev=14
