From: Peter Korsgaard <peter@korsgaard.com>
To: Julien Olivain via buildroot <buildroot@buildroot.org>
Cc: Christian Stewart <christian@aperture.us>,
Julien Olivain <ju.o@free.fr>,
Thomas Petazzoni <thomas.petazzoni@bootlin.com>,
James Hilliard <james.hilliard1@gmail.com>,
Thomas Perale <thomas.perale@mind.be>
Subject: Re: [Buildroot] [PATCH v2 1/1] package/go: security bump to version 1.26.1
Date: Fri, 13 Mar 2026 18:14:21 +0100 [thread overview]
Message-ID: <875x6zirde.fsf@dell.be.48ers.dk> (raw)
In-Reply-To: <4529c7b6d321750cc0d99e8e02c4758f@free.fr> (Julien Olivain via buildroot's message of "Thu, 12 Mar 2026 20:44:37 +0100")
>>>>> "Julien" == Julien Olivain via buildroot <buildroot@buildroot.org> writes:
> On 12/03/2026 08:57, Christian Stewart via buildroot wrote:
>> Building Go 1.26 and later requires Go 1.24.6 or later for bootstrap.
>> To support this we use Go version 1.25.8 as the version for
>> go-bootstrap-stage5 and have the build for Go 1.26.1 depend on
>> go-bootstrap-stage5.
>> Go version 1.25.8 is the latest Go version we can build using
>> go-bootstrap-stage4.
>> The package build for go-bootstrap-stage5 is effectively identical
>> to
>> go-bootstrap-stage4 with only the Go version and stage number changed.
>> Go 1.28 is expected to require a minor release of Go 1.26 for
>> bootstrap.
>> Fixes the following security vulnerabilities:
>> - CVE-2026-25679: net/url: reject IPv6 literal not at start of host
>> - CVE-2026-27142: html/template: URLs in meta attribute actions not
>> escaped
>> - CVE-2026-27137: crypto/x509: incorrect enforcement of email
>> constraints
>> - CVE-2026-27138: crypto/x509: panic in name constraint checking:
>> certificates
>> - CVE-2026-27139: os: FileInfo can escape from a Root
>> For full release notes, see:
>> https://go.dev/doc/devel/release#go1.26.0
>> Signed-off-by: Christian Stewart <christian@aperture.us>
> Applied to master, thanks.
NIT: It would have been better to first bump to 1.25.8 (which includes
the same security fixes) and then afterwards add the feature bump from
1.25.x to 1.26.x so the security fix could be backported.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
next prev parent reply other threads:[~2026-03-13 17:14 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-12 7:57 [Buildroot] [PATCH v2 1/1] package/go: security bump to version 1.26.1 Christian Stewart via buildroot
2026-03-12 19:44 ` Julien Olivain via buildroot
2026-03-13 17:14 ` Peter Korsgaard [this message]
2026-03-13 18:24 ` Julien Olivain via buildroot
2026-03-13 19:22 ` Peter Korsgaard
2026-03-13 23:02 ` Christian Stewart via buildroot
2026-03-14 7:59 ` Peter Korsgaard
2026-03-19 10:19 ` Thomas Perale via buildroot
2026-03-19 10:31 ` Peter Korsgaard
2026-03-19 11:19 ` Christian Stewart via buildroot
2026-03-20 15:54 ` Thomas Perale via buildroot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=875x6zirde.fsf@dell.be.48ers.dk \
--to=peter@korsgaard.com \
--cc=buildroot@buildroot.org \
--cc=christian@aperture.us \
--cc=james.hilliard1@gmail.com \
--cc=ju.o@free.fr \
--cc=thomas.perale@mind.be \
--cc=thomas.petazzoni@bootlin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox