Re: [Buildroot] [PATCH 2/2] package/go-bootstrap-stage5: security bump to version 1.25.10

From: Thomas Perale via buildroot <buildroot@buildroot.org>
To: Peter Korsgaard <peter@korsgaard.com>
Cc: Thomas Perale <thomas.perale@mind.be>, buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 2/2] package/go-bootstrap-stage5: security bump to version 1.25.10
Date: Fri, 15 May 2026 19:46:01 +0200	[thread overview]
Message-ID: <20260515174601.529402-1-thomas.perale@mind.be> (raw)
In-Reply-To: <20260507195049.1002469-2-peter@korsgaard.com>

In reply of:
> Fixes the following security issues:
> 
> CVE-2026-33811: net: crash when handling long CNAME response
> CVE-2026-33814: net/http: infinite loop in HTTP/2 transport when given bad
>                 SETTINGS_MAX_FRAME_SIZE
> CVE-2026-39817: cmd/go: "go tool pack" does not sanitize output paths
> CVE-2026-39819: md/go: "go bug" follows symlinks in predictable temporary
>                 filenames
> CVE-2026-39820: net/mail: quadratic string concatenation in consumeComment
> CVE-2026-39823: html/template: bypass of meta content URL escaping causes
>                 XSS
> CVE-2026-39825: net/http/httputil: ReverseProxy forwards queries with more
>                 than urlmaxqueryparams parameters
> CVE-2026-39826: html/template: escaper bypass leads to XSS
> CVE-2026-39836: net: panic in Dial and LookupPort when handling NUL byte on
>                 Windows
> CVE-2026-42499: net/mail: quadratic string concatenation in consumePhrase
> CVE-2026-42501: cmd/go: malicious module proxy can bypass checksum database
> 
> go1.25.10 (released 2026-05-07) includes security fixes to the go command,
> the pack tool, and the html/template, net, net/http, net/http/httputil,
> net/mail, and syscall packages, as well as bug fixes to the go command, the
> compiler, the linker, the runtime, and the crypto/fips140, go/types, and os
> packages.
> 
> https://go.dev/doc/devel/release#go1.25.10
> 
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Applied to 2026.02.x. Thanks

> ---
>  package/go/go-bootstrap-stage5/go-bootstrap-stage5.hash | 2 +-
>  package/go/go-bootstrap-stage5/go-bootstrap-stage5.mk   | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/package/go/go-bootstrap-stage5/go-bootstrap-stage5.hash b/package/go/go-bootstrap-stage5/go-bootstrap-stage5.hash
> index 5e40ba7e6e..58391471d9 100644
> --- a/package/go/go-bootstrap-stage5/go-bootstrap-stage5.hash
> +++ b/package/go/go-bootstrap-stage5/go-bootstrap-stage5.hash
> @@ -1,3 +1,3 @@
>  # From https://go.dev/dl
> -sha256  e988d4a2446ac7fe3f6daa089a58e9936a52a381355adec1c8983230a8d6c59e  go1.25.8.src.tar.gz
> +sha256  20cf04a92e5af99748e341bc8996fa28090c9ac98765fa115ec5ddf41d7af41d  go1.25.10.src.tar.gz
>  sha256  911f8f5782931320f5b8d1160a76365b83aea6447ee6c04fa6d5591467db9dad  LICENSE
> diff --git a/package/go/go-bootstrap-stage5/go-bootstrap-stage5.mk b/package/go/go-bootstrap-stage5/go-bootstrap-stage5.mk
> index 9006e5bf44..85468414a2 100644
> --- a/package/go/go-bootstrap-stage5/go-bootstrap-stage5.mk
> +++ b/package/go/go-bootstrap-stage5/go-bootstrap-stage5.mk
> @@ -6,7 +6,7 @@
>  
>  # Use last Go version that go-bootstrap-stage4 can build: v1.25.x
>  # See https://go.dev/doc/go1.26#bootstrap
> -GO_BOOTSTRAP_STAGE5_VERSION = 1.25.8
> +GO_BOOTSTRAP_STAGE5_VERSION = 1.25.10
>  GO_BOOTSTRAP_STAGE5_SITE = https://go.dev/dl
>  GO_BOOTSTRAP_STAGE5_SOURCE = go$(GO_BOOTSTRAP_STAGE5_VERSION).src.tar.gz
>  
> -- 
> 2.47.3
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot