Overview

File _patchinfo of Package patchinfo.43065

<patchinfo incident="43065">
  <!--generated with prepare-update from request 402949-->
  <issue tracker="bnc" id="1244485">go1.25 release tracking</issue>
  <issue tracker="bnc" id="1259264">VUL-0: CVE-2026-25679: go1.25,go1.26: net/url: reject IPv6 literal not at start of host</issue>
  <issue tracker="bnc" id="1259265">VUL-0: CVE-2026-27142: go1.25,go1.26: html/template: URLs in meta content attribute actions are not escaped</issue>
  <issue tracker="bnc" id="1259268">VUL-0: CVE-2026-27139: go1.25,go1.26: os: FileInfo can escape from a Root</issue>
  <issue tracker="cve" id="2026-25679"/>
  <issue tracker="cve" id="2026-27139"/>
  <issue tracker="cve" id="2026-27142"/>
  <category>security</category>
  <rating>moderate</rating>
  <packager>jfkw</packager>
  <summary>Security update for go1.25</summary>
  <description>This update for go1.25 fixes the following issues:

Update to go1.25.8 (bsc#1244485):

- CVE-2026-25679: net/url: reject IPv6 literal not at start of host (bsc#1259264).
- CVE-2026-27139: os: FileInfo can escape from a Root (bsc#1259268).
- CVE-2026-27142: html/template: URLs in meta content attribute actions are not escaped (bsc#1259265).

Changelog:
  
* go#77253 cmd/compile: miscompile of global array initialization
* go#77406 os: Go 1.25.x regression on RemoveAll for windows
* go#77413 runtime: netpollinit() incorrectly prints the error from linux.Eventfd
* go#77438 cmd/go: CGO compilation fails after upgrading from Go 1.25.5 to 1.25.6 due to --define-variable flag in 
  pkg-config
* go#77531 net/smtp: expiry date of localhostCert for testing is too short
</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places