File _patchinfo of Package patchinfo.43066
<patchinfo incident="43066">
  <!--generated with prepare-update from request 402950-->
  <issue tracker="bnc" id="1255111">go1.26 release tracking</issue>
  <issue tracker="bnc" id="1259264">VUL-0: CVE-2026-25679: go1.25,go1.26: net/url: reject IPv6 literal not at start of host</issue>
  <issue tracker="bnc" id="1259265">VUL-0: CVE-2026-27142: go1.25,go1.26: html/template: URLs in meta content attribute actions are not escaped</issue>
  <issue tracker="bnc" id="1259266">VUL-0: CVE-2026-27137: go1.26: crypto/x509: incorrect enforcement of email constraints</issue>
  <issue tracker="bnc" id="1259267">VUL-0: CVE-2026-27138: go1.26: crypto/x509: panic in name constraint checking for malformed certificates</issue>
  <issue tracker="bnc" id="1259268">VUL-0: CVE-2026-27139: go1.25,go1.26: os: FileInfo can escape from a Root</issue>
  <issue tracker="cve" id="2026-25679"/>
  <issue tracker="cve" id="2026-27137"/>
  <issue tracker="cve" id="2026-27138"/>
  <issue tracker="cve" id="2026-27139"/>
  <issue tracker="cve" id="2026-27142"/>
  <category>security</category>
  <rating>moderate</rating>
  <packager>jfkw</packager>
  <summary>Security update for go1.26</summary>
  <description>This update for go1.26 fixes the following issues:

Update to go1.26.1 (bsc#1255111):

- CVE-2026-25679: net/url: reject IPv6 literal not at start of host (bsc#1259264).
- CVE-2026-27137: crypto/x509: incorrect enforcement of email constraints (bsc#1259266).
- CVE-2026-27138: crypto/x509: panic in name constraint checking for malformed certificates (bsc#1259267).
- CVE-2026-27139: os: FileInfo can escape from a Root (bsc#1259268).
- CVE-2026-27142: html/template: URLs in meta content attribute actions are not escaped (bsc#1259265).

Changelog:

 * go#77252 cmd/compile: miscompile of global array initialization
 * go#77407 os: Go 1.25.x regression on RemoveAll for windows
 * go#77474 cmd/go: CGO compilation fails after upgrading from Go 1.25.5 to 1.25.6 due to --define-variable flag in pkg-config
 * go#77529 cmd/fix, x/tools/go/analysis/passes/modernize: stringscut: OOB panic in indexArgValid analyzing "buf.Bytes()" call
 * go#77532 net/smtp: expiry date of localhostCert for testing is too short
 * go#77536 cmd/compile: internal compiler error: 'main.func1': not lowered: v15, Load STRUCT PTR SSA
 * go#77618 strings: HasSuffix doesn't work correctly for multibyte runes in go 1.26
 * go#77623 cmd/compile: internal compiler error on : "tried to free an already free register" with generic function and type >= 192 bytes
 * go#77624 cmd/fix, x/tools/go/analysis/passes/modernize: stringsbuilder breaks code when combining two strings.Builders
 * go#77680 cmd/link: TestFlagW/-w_-linkmode=external fails on illumos
 * go#77766 cmd/fix,x/tools/go/analysis/passes/modernize: rangeint uses target platform's type in the range expression, breaking other platforms
 * go#77780 reflect: breaking change for reflect.Value.Interface behaviour
 * go#77786 cmd/compile: rewriteFixedLoad does not properly sign extend AuxInt
 * go#77803 cmd/fix,x/tools/go/analysis/passes/modernize: reflect.TypeOf(nil) transformed into reflect.TypeFor[untyped nil]()
 * go#77804 cmd/fix,x/tools/go/analysis/passes/modernize: minmax breaks select statements
 * go#77805 cmd/fix, x/tools/go/analysis/passes/modernize: waitgroup leads to a compilation error
 * go#77807 cmd/fix,x/tools/go/analysis/passes/modernize: stringsbuilder ignores variables if they are used multiple times
 * go#77849 cmd/fix,x/tools/go/analysis/passes/modernize: stringscut rewrite changes behavior
 * go#77860 cmd/go: change go mod init default go directive back to 1.N
 * go#77899 cmd/fix, x/tools/go/analysis/passes/modernize: bad rangeint rewriting
 * go#77904 x/tools/go/analysis/passes/modernize: stringsbuilder breaks code when GenDecl is a block declaration
</description>
</patchinfo>