From: Thomas Perale via buildroot <buildroot@buildroot.org>
To: Peter Korsgaard <peter@korsgaard.com>
Cc: Thomas Perale <thomas.perale@mind.be>, buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 1/2] package/go: security bump to version 1.26.3
Date: Fri, 15 May 2026 19:46:02 +0200 [thread overview]
Message-ID: <20260515174602.529473-1-thomas.perale@mind.be> (raw)
In-Reply-To: <20260507195049.1002469-1-peter@korsgaard.com>
In reply of:
> Fixes the following security issues:
>
> CVE-2026-33811: net: crash when handling long CNAME response
> CVE-2026-33814: net/http: infinite loop in HTTP/2 transport when given bad
> SETTINGS_MAX_FRAME_SIZE
> CVE-2026-39817: cmd/go: "go tool pack" does not sanitize output paths
> CVE-2026-39819: md/go: "go bug" follows symlinks in predictable temporary
> filenames
> CVE-2026-39820: net/mail: quadratic string concatenation in consumeComment
> CVE-2026-39823: html/template: bypass of meta content URL escaping causes
> XSS
> CVE-2026-39825: net/http/httputil: ReverseProxy forwards queries with more
> than urlmaxqueryparams parameters
> CVE-2026-39826: html/template: escaper bypass leads to XSS
> CVE-2026-39836: net: panic in Dial and LookupPort when handling NUL byte on
> Windows
> CVE-2026-42499: net/mail: quadratic string concatenation in consumePhrase
> CVE-2026-42501: cmd/go: malicious module proxy can bypass checksum database
>
> go1.26.3 (released 2026-05-07) includes security fixes to the go command,
> the pack tool, and the html/template, net, net/http, net/http/httputil,
> net/mail, and syscall packages, as well as bug fixes to the go command, the
> go fix command, the compiler, the linker, the runtime, and the
> crypto/fips140, crypto/tls, go/types, and os packages.
>
> https://go.dev/doc/devel/release#go1.26.3
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Applied to 2026.02.x. Thanks
> ---
> package/go/go.hash | 14 +++++++-------
> package/go/go.mk | 2 +-
> 2 files changed, 8 insertions(+), 8 deletions(-)
>
> diff --git a/package/go/go.hash b/package/go/go.hash
> index 77be843c83..69f2a3139c 100644
> --- a/package/go/go.hash
> +++ b/package/go/go.hash
> @@ -1,9 +1,9 @@
> # sha256 checksum from https://go.dev/dl/
> -sha256 2e91ebb6947a96e9436fb2b3926a8802efe63a6d375dffec4f82aa9dbd6fd43b go1.26.2.src.tar.gz
> -sha256 89835cdc4dfebde7fe28c9c6dc080bb3753f6b0354301966ff9f62d14991bd7d go1.26.2.linux-386.tar.gz
> -sha256 990e6b4bbba816dc3ee129eaeaf4b42f17c2800b88a2166c265ac1a200262282 go1.26.2.linux-amd64.tar.gz
> -sha256 c958a1fe1b361391db163a485e21f5f228142d6f8b584f6bef89b26f66dc5b23 go1.26.2.linux-arm64.tar.gz
> -sha256 0000e45577827b0a8868588c543cbe4232853def1d3d7a344ad6e60ce2b015c8 go1.26.2.linux-armv6l.tar.gz
> -sha256 62b7645dd2404052535617c59e91cf03c7aa28e332dbaddbe4c0d7de7bcc6736 go1.26.2.linux-ppc64le.tar.gz
> -sha256 410726ed10a0ea6745c2ea8da4f0e769fd3ce819cd4a41a67ad08b094d5dfc31 go1.26.2.linux-s390x.tar.gz
> +sha256 1c646875d0aa8799133184ed57cf79ff24bdefe8c8820470602a9d3d6d9192b8 go1.26.3.src.tar.gz
> +sha256 0ef3626a149b5811c813838c62b7d6618d03ea36047b32c90b0e4851cc42b1fa go1.26.3.linux-386.tar.gz
> +sha256 2b2cfc7148493da5e73981bffbf3353af381d5f93e789c82c79aff64962eb556 go1.26.3.linux-amd64.tar.gz
> +sha256 9d89a3ea57d141c2b22d70083f2c8459ba3890f2d9e818e7e933b75614936565 go1.26.3.linux-arm64.tar.gz
> +sha256 d44133d4c66b1451a1e247da26db7716f76a081c0169a75e6c84e1871e394320 go1.26.3.linux-armv6l.tar.gz
> +sha256 dbd82b50530ead2beb1fd72215117380df3cb16332b51467116dc35b3691dd75 go1.26.3.linux-ppc64le.tar.gz
> +sha256 5c0605b7175449f1c8e8cb02efaba2695caab914fad4dcedc764c2f4c6dfe6ca go1.26.3.linux-s390x.tar.gz
> sha256 911f8f5782931320f5b8d1160a76365b83aea6447ee6c04fa6d5591467db9dad LICENSE
> diff --git a/package/go/go.mk b/package/go/go.mk
> index 67948dc405..ebd0d418ef 100644
> --- a/package/go/go.mk
> +++ b/package/go/go.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
>
> -GO_VERSION = 1.26.2
> +GO_VERSION = 1.26.3
>
> HOST_GO_GOPATH = $(HOST_DIR)/share/go-path
> HOST_GO_HOST_CACHE = $(HOST_DIR)/share/host-go-cache
> --
> 2.47.3
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
prev parent reply other threads:[~2026-05-15 17:46 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-07 19:50 [Buildroot] [PATCH 1/2] package/go: security bump to version 1.26.3 Peter Korsgaard
2026-05-07 19:50 ` [Buildroot] [PATCH 2/2] package/go-bootstrap-stage5: security bump to version 1.25.10 Peter Korsgaard
2026-05-07 23:03 ` Christian Stewart via buildroot
2026-05-15 17:46 ` Thomas Perale via buildroot
2026-05-08 9:19 ` [Buildroot] [PATCH 1/2] package/go: security bump to version 1.26.3 Julien Olivain via buildroot
2026-05-15 17:46 ` Thomas Perale via buildroot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260515174602.529473-1-thomas.perale@mind.be \
--to=buildroot@buildroot.org \
--cc=peter@korsgaard.com \
--cc=thomas.perale@mind.be \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox