| Age | Commit message (Collapse) | Author |
|
go1.26.3 (released 2026-05-07) includes security fixes to the go
command, the pack tool, and the html/template, net, net/http,
net/http/httputil, net/mail, and syscall packages, as well as bug fixes
to the go command, the go fix command, the compiler, the linker, the
runtime, and the crypto/fips140, crypto/tls, go/types, and os packages
See: <https://github.com/golang/go/milestone/433>,
<https://groups.google.com/g/golang-announce/c/qcCIEXso47M>.
Containes fixes for:
CVE-2026-42501: cmd/go: malicious module proxy can bypass checksum
database
CVE-2026-39825: net/http/httputil: ReverseProxy forwards queries with
more than urlmaxqueryparams parameters
CVE-2026-39836: net: panic in Dial and LookupPort when handling NUL byte
on Windows
CVE-2026-42499: net/mail: quadratic string concatenation in
consumePhrase
CVE-2026-39820: net/mail: quadratic string concatentation in
consumeComment
CVE-2026-39819: cmd/go: "go bug" follows symlinks in predictable
temporary filenames
CVE-2026-39817: cmd/go: "go tool pack" does not sanitize output paths
CVE-2026-33814: net/http: infinite loop in HTTP/2 transport when given
bad SETTINGS_MAX_FRAME_SIZE
CVE-2026-39826: html/template: escaper bypass leads to XSS
CVE-2026-33811: net: crash when handling long CNAME response
CVE-2026-39823: html/template: bypass of meta content URL escaping
causes XSS
* gnu/packages/golang.scm (go-1.26): Update to 1.26.3.
Change-Id: Ia1a51eff549c90918e32af4834c03b675504a231
|
|
go1.25.10 (released 2026-05-07) includes security fixes to the go
command, the pack tool, and the html/template, net, net/http,
net/http/httputil, net/mail, and syscall packages, as well as bug fixes
to the go command, the compiler, the linker, the runtime, and the
crypto/fips140, go/types, and os packages.
See: <https://github.com/golang/go/milestone/434>,
<https://groups.google.com/g/golang-announce/c/qcCIEXso47M>.
Containes fixes for:
CVE-2026-42501: cmd/go: malicious module proxy can bypass checksum
database
CVE-2026-39825: net/http/httputil: ReverseProxy forwards queries with
more than urlmaxqueryparams parameters
CVE-2026-39836: net: panic in Dial and LookupPort when handling NUL byte
on Windows
CVE-2026-42499: net/mail: quadratic string concatenation in
consumePhrase
CVE-2026-39820: net/mail: quadratic string concatentation in
consumeComment
CVE-2026-39819: cmd/go: "go bug" follows symlinks in predictable
temporary filenames
CVE-2026-39817: cmd/go: "go tool pack" does not sanitize output paths
CVE-2026-33814: net/http: infinite loop in HTTP/2 transport when given
bad SETTINGS_MAX_FRAME_SIZE
CVE-2026-39826: html/template: escaper bypass leads to XSS
CVE-2026-33811: net: crash when handling long CNAME response
CVE-2026-39823: html/template: bypass of meta content URL escaping
causes XSS
* gnu/packages/golang.scm (go-1.25): Update to 1.25.10.
Change-Id: I2fc6c1eac7aed34737b42181b22de3bc310946cd
|
|
go1.26.2 (released 2026-04-07) includes security fixes to the go
command, the compiler, and the archive/tar, crypto/tls, crypto/x509,
html/template, and os packages, as well as bug fixes to the go command,
the go fix command, the compiler, the linker, the runtime, and the net,
net/http, and net/url packages.
See: <https://github.com/golang/go/milestone/430>
Containes fixes for:
CVE-2026-32282: os: Root.Chmod can follow symlinks out of the root on
Linux
CVE-2026-32289: html/template: JS template literal context incorrectly
tracked
CVE-2026-27144: cmd/compile: no-op interface conversion bypasses overlap
checking
CVE-2026-27143: cmd/compile: possible memory corruption after bound
check elimination
CVE-2026-32288: rchive/tar: unbounded allocation when parsing old format
GNU sparse map
CVE-2026-32283: crypto/tls: multiple key update handshake messages can
cause connection to deadlock
CVE-2026-27140: cmd/go: trust layer bypass when using cgo and SWIG
CVE-2026-32280: crypto/x509: unexpected work during chain building
CVE-2026-32281: crypto/x509: inefficient policy validation
CVE-2026-33810: crypto/x509: excluded DNS constraints not properly
applied to wildcard domains
* gnu/packages/golang.scm (go-1.26): Update to 1.26.2.
Change-Id: I634c908bc4f2a1dd37a1405e2277c60846c2a43e
|
|
go1.25.9 (released 2026-04-07) includes security fixes to the go
command, the compiler, and the archive/tar, crypto/tls, crypto/x509,
html/template, and os packages, as well as bug fixes to the go command,
the compiler, and the runtime.
See: <https://github.com/golang/go/milestone/431>
Containes fixes for:
CVE-2026-32282: os: Root.Chmod can follow symlinks out of the root on
Linux
CVE-2026-32289: html/template: JS template literal context incorrectly
tracked
CVE-2026-27144: cmd/compile: no-op interface conversion bypasses overlap
checking
CVE-2026-27143: cmd/compile: possible memory corruption after bound
check elimination
CVE-2026-32288: rchive/tar: unbounded allocation when parsing old format
GNU sparse map
CVE-2026-32283: crypto/tls: multiple key update handshake messages can
cause connection to deadlock
CVE-2026-27140: cmd/go: trust layer bypass when using cgo and SWIG
CVE-2026-32280: crypto/x509: unexpected work during chain building
CVE-2026-32281: crypto/x509: inefficient policy validation
* gnu/packages/golang.scm (go-1.25): Update to 1.25.9.
Change-Id: Ie5f8efb1588add0b7dfc25122f9588819e02ba9e
|
|
* gnu/packages/golang.scm (go-1.23, go-std-1.23): Delete variables.
Fixes: guix/guix#7080
Change-Id: I854866b0136f5b17fcec24945f576a83d90c0c77
Signed-off-by: Andreas Enge <andreas@enge.fr>
|
|
go1.24.12 (released 2026-01-15) includes security fixes to the go
command, and the archive/zip, crypto/tls, and net/url packages, as well
as bug fixes to the compiler, the runtime, and the crypto/tls and os
packages.
See: <https://github.com/golang/go/milestone/419>
go1.24.13 (released 2026-02-04) includes security fixes to the go
command and the crypto/tls package, as well as bug fixes to the
crypto/x509 package.
See: <https://github.com/golang/go/milestone/421>
Containes fixes for:
CVE-2025-68121: Unexpected session resumption in crypto/tls
CVE-2025-68119: Unexpected code execution when invoking toolchain in
cmd/go
CVE-2025-61732: Potential code smuggling via doc comments in cmd/cgo
CVE-2025-61731: Arbitrary file write using cgo pkg-config directive in
cmd/go
CVE-2025-61730: Handshake messages may be processed at the incorrect
encryption level in crypto/tls
CVE-2025-61728: Excessive CPU consumption when building archive index in
archive/zip
CVE-2025-61726: Memory exhaustion in query parameter parsing in net/url
* gnu/packages/golang.scm (go-1.24): Update to 1.24.13.
Change-Id: I80dde282c7026fd7a3cf1161a6e63f0ceca2d51f
|
|
go1.25.8 (released 2026-03-05) includes security fixes to the
html/template, net/url, and os packages, as well as bug fixes to the go
command, the compiler, and the os package.
See: <https://github.com/golang/go/compare/go1.25.7...go1.25.8>,
<https://www.openwall.com/lists/oss-security/2026/03/06/1>
Containes fixes for:
CVE-2026-27142: URLs in meta content attribute actions are not escaped
in html/template.
CVE-2026-25679: Incorrect parsing of IPv6 host literals in net/url.
CVE-2026-27139: FileInfo can escape from a Root in os.
* gnu/packages/golang.scm (go-1.25): Update to 1.25.8.
Change-Id: I01a80a78f20075fe6c05c46f97dfe35f770a99a0
|
|
go1.26.1 (released 2026-03-05) includes security fixes to the
crypto/x509, html/template, net/url, and os packages, as well as bug
fixes to the go command, the go fix command, the compiler, and the os
and reflect packages.
See: <https://github.com/golang/go/compare/go1.26.0...go1.26.1>,
<https://www.openwall.com/lists/oss-security/2026/03/06/1>
Containes fixes for:
CVE-2026-27137: Incorrect enforcement of email constraints in
crypto/x509.
CVE-2026-27138: Panic in name constraint checking for malformed
certificates in crypto/x509.
CVE-2026-27142: URLs in meta content attribute actions are not escaped
in html/template.
CVE-2026-25679: Incorrect parsing of IPv6 host literals in net/url.
CVE-2026-27139: FileInfo can escape from a Root in os.
* gnu/packages/golang.scm (go-1.26): Update to 1.26.1.
Change-Id: I1c014a334407d9ca927d9e403c8c7e92cad8fe1d
|
|
Go 1.26 Release Notes: <https://go.dev/doc/go1.26>.
* gnu/packages/golang.scm (go-1.26): Update to 1.26.0.
Change-Id: I20f98681a8954848f55ba63e6fd7edb1fba51437
|
|
* gnu/packages/golang.scm (go-1.26): Update to 1.26rc2.
[native-inputs]: Use go-1.24 for bootstrap.
Change-Id: I0c60c4af5091edede6cec865590c3fcd10074f3b
|
|
Contains fixes for:
CVE-2025-61732: cmd/go: Discrepancy between Go and C/C++ comment parsing
allows for C code smuggling.
CVE-2025-68121: crypto/tls: Config.Clone copies automatically generated
session ticket keys, session resumption does not account
for the expiration of full certificate chainn.
* gnu/packages/golang.scm (go-1.25): Update to 1.25.7.
Change-Id: Id06b038a837beff45af3b6db7ee14a5afd627fb3
|
|
* gnu/packages/golang.scm (go-1.25): Update to 1.25.6.
Change-Id: I1427088bf447796e4dee3b706fed77b71edce2a7
|
|
* gnu/packages/golang.scm (go-1.24): Update to 1.24.11.
Change-Id: Ia56b693579aa8d69936b3f7e3aaa0b96ceca4c83
|
|
* gnu/packages/golang.scm (go-1.23): Update to 1.23.12
Change-Id: I538aa0f419973c32c53330a0b8a4a29592f3092a
Signed-off-by: Sharlatan Hellseher <sharlatanus@gmail.com>
|
|
* gnu/packages/golang.scm (go-1.26, go-std-1.26): New variables.
Change-Id: I13cc52a2d00e8c12b308e42e214ca25c9bb5b345
|
|
* gnu/packages/golang.scm (go-1.25): Update to 1.25.5.
Change-Id: Ie4c97ff2cedbf6f5a97094ee14a1e140aa27b799
|
|
* gnu/packages/golang.scm (go-1.21)[arguments]<#:phases>{patch-source}:
Add phase disabling tests on arm architectures.
Change-Id: I6b07de4d6eee755502f02d6961f1a51066003721
Signed-off-by: Andreas Enge <andreas@enge.fr>
|
|
* gnu/packages/golang.scm (go-1.24)[arguments]: Adjust the
'disable-more-tests phase to skip a test on armhf-linux.
Change-Id: If05e4b80669a0f4faf79c7c589d6c99b297c7d92
|
|
* gnu/packages/golang.scm (go-1.23)[arguments]: Adjust the
'disable-more-tests phase to skip a test on armhf-linux.
Change-Id: I16eabf352395a7fd064cddf40dabd3f1ac35fe65
|
|
* gnu/packages/golang.scm (go-1.25, go-std-1.25): New variables.
Change-Id: I7e8b7d98e84c83f7a218e9bc42434214fb125d88
Reviewed-by: Efraim Flashner <efraim@flashner.co.il>
|
|
* gnu/packages/golang.scm (go-1.23)[arguments]: Replace the
'disable-more-tests phase.
Change-Id: I008d6d73aaeabce5d83fe044473b37902d2d375f
|
|
* gnu/packages/golang.scm (go-1.20)[native-inputs]: Remove gold.
Change-Id: I88d39932063efe53da21c3cc51458d05423a9cae
|
|
Compilation of "plugin.test" fails on aarch64-linux system after
binutils-gold was removed form native inputs. This change adds it back
conditionally.
/gnu/store/pm409aqyb5i21sf9kn8li31p91sfrj38-gcc-14.3.0/bin/gcc
-s
-Wl,-z,now
-Wl,-z,nocopyreloc
-fuse-ld=gold
-o
$WORK/b1499/plugin.test
-Wl,-rpath,/gnu/store/4hw376vyz889zgzrr8mkp82c0d4iz391-gcc-14.3.0-lib/lib
-rdynamic
<...>
-O2
-g
-ldl
-O2
-g
-lpthread
collect2: fatal error: cannot find ‘ld’
See: <https://bordeaux.guix.gnu.org/build/a702cf61-da67-4900-95d2-b2eabd9b83cf/log>.
Change-Id: Ida07cafd632c355dc05cad1ce4ccd0cd6f38a530
|
|
* gnu/packages/golang.scm (go-1.22)[arguments]: On some architectures
add a phase to extend the test timeout.
Change-Id: I7db0d37a616f6515790189451d8d4ce41188ec1c
Signed-off-by: Sharlatan Hellseher <sharlatanus@gmail.com>
|
|
* gnu/packages/golang.scm (go-1.18, go-std-1.18): Remove variables.
Change-Id: I1f53c24f7898d41700cfd615da4eedc3c03d8c09
Signed-off-by: Sharlatan Hellseher <sharlatanus@gmail.com>
|
|
* gnu/packages/golang.scm (go-1.19, go-std-1.19): Remove variables.
Change-Id: I41206e4933c0b66e9683c0de14a505632297b642
Signed-off-by: Sharlatan Hellseher <sharlatanus@gmail.com>
|
|
* gnu/packages/golang.scm (go-1.22)[inherit]: Inherit from go-1.20.
[arguments]: Add phases previously inherited from 1.21.
Change-Id: Ic8e2f921a9889b5cb270eb43e98fbbddde3e8249
Signed-off-by: Sharlatan Hellseher <sharlatanus@gmail.com>
|
|
* gnu/packages/golang.scm (go-1.20)[inherit]: Inherit from go-1.17.
[arguments]: Add phases previously inherited from go-1.19.
[properties]: New field.
Change-Id: Iccf53655323d58fff52a9f987cb71ed94b896abb
Signed-off-by: Sharlatan Hellseher <sharlatanus@gmail.com>
|
|
* gnu/packages/golang.scm (go-1.16, go-std-1.16): Remove variables.
Change-Id: I58f284b341f560cad072279ca75fd1794b5537c6
Signed-off-by: Sharlatan Hellseher <sharlatanus@gmail.com>
|
|
* gnu/packages/golang.scm (go-1.17)[arguments]: Disable tests when
building for armhf-linux.
Change-Id: I8654c1966daaa19602d876618d5ff9e384b12fc8
Signed-off-by: Sharlatan Hellseher <sharlatanus@gmail.com>
|
|
* gnu/packages/golang.scm (go-1.24)[arguments]: Replace inherited
'disable-more-tests phase to adjust for changes in the source.
[native-inputs]: Rewrite inheriting from go-1.22.
[properties]: Add field previously inherited from go-1.23.
Change-Id: I4938c7854cba0aa982d7b755c10f255cab81a828
Signed-off-by: Sharlatan Hellseher <sharlatanus@gmail.com>
|
|
* gnu/packages/golang.scm (go-1.22)[native-inputs]: Replace go-1.21 with
go-1.20. Update the comment.
Change-Id: I3785ecb882ba2c5f7ef888df123b44a88fc9665e
Signed-off-by: Sharlatan Hellseher <sharlatanus@gmail.com>
|
|
* gnu/packages/golang.scm (go-1.22)[arguments]: Disable parallel-tests
on riscv64-linux and armhf-linux. Add a phase to disable certain tests
based on the architecture.
(go-1.23)[arguments]: Remove new inherited phase.
Change-Id: If4ed3f195c1af504d6ab4b686829fda8c91138d2
Signed-off-by: Sharlatan Hellseher <sharlatanus@gmail.com>
|
|
* gnu/packages/golang.scm (go-1.20): Update to 1.20.14.
[arguments]<parallel-tests?>: Disable for riscv64-linux.
<tests?>: Disable for riscv64-linux.
<phases>: Add a phase to skip certain tests based on the architecture.
(go-1.21)[arguments]: Strip the inherited keyword tests. Remove the
added phase to skip tests.
Change-Id: If7cd498ad56c503b0d602e7ea62399e82ecddb06
Signed-off-by: Sharlatan Hellseher <sharlatanus@gmail.com>
|
|
* gnu/packages/golang.scm (go-1.17)[arguments]: When building on
aarch64-linux don't disable the tests.
Change-Id: I9c839a059df772636d8dd129bbb7ddad9e4ecbe9
Signed-off-by: Sharlatan Hellseher <sharlatanus@gmail.com>
|
|
* gnu/packages/golang.scm (go-1.17)[inputs]: Rewrite to not inherit from
go-1.4 and to always use gcc:lib.
[arguments]: Add the phase 'patch-gcc:lib unconditionally.
(go-1.18)[arguments]: Replace the inherited 'patch-gcc:lib phase on all
architectures.
Change-Id: I9024db846fef304b76441fe8b816740a60653d0e
Signed-off-by: Sharlatan Hellseher <sharlatanus@gmail.com>
|
|
Building with a canonical-package hinders cross-building.
* gnu/packages/golang.scm (go-1.4)[inputs]: Replace the canonical-package
gcc:lib with gcc:lib.
Change-Id: I4f0c8549611461d47cc017314e8eb55815ae549f
Signed-off-by: Sharlatan Hellseher <sharlatanus@gmail.com>
|
|
* gnu/packages/golang.scm (go-1.4)[arguments]: Remove code setting the
system to armhf-linux when building for aarch64-linux.
[supported-systems]: Remove aarch64-linux.
Change-Id: I7ad6da7b8ddba674433c6efd7b2085b733548d5c
Signed-off-by: Sharlatan Hellseher <sharlatanus@gmail.com>
|
|
* gnu/packages/golang.scm (go-1.17)[inherit]: Remove field.
[build-system, native-inputs, home-page, synopsis, description,
license]: Add previously inherited fields.
[inputs]: Rewrite without inheriting from go-1.16.
Change-Id: I74e7ca00d0d8f1f79b9e76e10530903a23e3e93b
Signed-off-by: Sharlatan Hellseher <sharlatanus@gmail.com>
|
|
* gnu/packages/golang.scm (go-1.16)[native-inputs]: Remove binutils-gold.
Change-Id: I4d603faa1a0de65e045eb6d28ea93794bd75d272
Signed-off-by: Sharlatan Hellseher <sharlatanus@gmail.com>
|
|
* gnu/packages/golang.scm (go): Update to 1.24.
Change-Id: I036d768405d9c757c0a068d977c1633aaa41d8cd
Signed-off-by: Sharlatan Hellseher <sharlatanus@gmail.com>
|
|
* gnu/packages/golang.scm (%go-1.23-arm64-micro-architectures): New
variable.
(go-1.23)[compiler-cpu-architectures]: Add aarch64 micro-architectures.
* guix/transformations.scm (tuning-compiler): Update the go optimizer to
also support GOARM64.
Change-Id: I8825f9857e07c1634ea346d5a16ae9550f340e65
|
|
* gnu/packages/golang.scm (go-1.21)[arguments]: Add "remove-failing-test" phase.
Change-Id: Ie12c23c41f82e752cad8b4f7f2689628f05670af
|
|
* gnu/packages/golang.scm (go-1.24): Update to 1.24.3.
Change-Id: Ife52e25c121089cf19a42720a6e7a7d5f8f4f9a6
|
|
* gnu/packages/golang.scm (go-1.23): Update to 1.23.9.
Change-Id: Ibb358b20f8a47136a4c73aa206f63b9ceb849060
|
|
* gnu/packages/golang.scm (go-1.24): Update to 1.24.2.
Change-Id: I4e68c9fb59a14921d0125d0cd0212f0ac4dc9171
Signed-off-by: Sharlatan Hellseher <sharlatanus@gmail.com>
|
|
* gnu/packages/golang.scm (go-1.23): Update to 1.23.8.
Change-Id: Ib146fb5cbd20ed0a003fa31cc56169c8e54881b2
Signed-off-by: Sharlatan Hellseher <sharlatanus@gmail.com>
|
|
* gnu/packages/golang.scm (go-1.24, go-std-1.24): New variables.
Change-Id: I3f96ae0574a5a0c1b36b291fd23e28f348cd4683
|
|
* gnu/packages/golang.scm (go-1.23): Update to 1.23.6.
Change-Id: Icca7f35d4f20fe93169a68406f20e8ffaa9e38d1
|
|
* gnu/packages/golang.scm (go-1.22): Update to 1.22.12.
Change-Id: I86db365c09bf912339f9d8676048c5660f2e5a70
|