From: Julien Olivain via buildroot <buildroot@buildroot.org>
To: Peter Korsgaard <peter@korsgaard.com>
Cc: buildroot@buildroot.org, Thomas Perale <thomas.perale@mind.be>,
Christian Stewart <christian@aperture.us>
Subject: Re: [Buildroot] [PATCH 1/2] package/go: security bump to version 1.26.3
Date: Fri, 08 May 2026 11:19:24 +0200 [thread overview]
Message-ID: <b303329ab2d2fa8be368e5756980d366@free.fr> (raw)
In-Reply-To: <20260507195049.1002469-1-peter@korsgaard.com>
On 07/05/2026 21:50, Peter Korsgaard wrote:
> Fixes the following security issues:
>
> CVE-2026-33811: net: crash when handling long CNAME response
> CVE-2026-33814: net/http: infinite loop in HTTP/2 transport when given
> bad
> SETTINGS_MAX_FRAME_SIZE
> CVE-2026-39817: cmd/go: "go tool pack" does not sanitize output paths
> CVE-2026-39819: md/go: "go bug" follows symlinks in predictable
> temporary
> filenames
> CVE-2026-39820: net/mail: quadratic string concatenation in
> consumeComment
> CVE-2026-39823: html/template: bypass of meta content URL escaping
> causes
> XSS
> CVE-2026-39825: net/http/httputil: ReverseProxy forwards queries with
> more
> than urlmaxqueryparams parameters
> CVE-2026-39826: html/template: escaper bypass leads to XSS
> CVE-2026-39836: net: panic in Dial and LookupPort when handling NUL
> byte on
> Windows
> CVE-2026-42499: net/mail: quadratic string concatenation in
> consumePhrase
> CVE-2026-42501: cmd/go: malicious module proxy can bypass checksum
> database
>
> go1.26.3 (released 2026-05-07) includes security fixes to the go
> command,
> the pack tool, and the html/template, net, net/http, net/http/httputil,
> net/mail, and syscall packages, as well as bug fixes to the go command,
> the
> go fix command, the compiler, the linker, the runtime, and the
> crypto/fips140, crypto/tls, go/types, and os packages.
>
> https://go.dev/doc/devel/release#go1.26.3
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Series applied to master, thanks.
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
next prev parent reply other threads:[~2026-05-08 9:19 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-07 19:50 [Buildroot] [PATCH 1/2] package/go: security bump to version 1.26.3 Peter Korsgaard
2026-05-07 19:50 ` [Buildroot] [PATCH 2/2] package/go-bootstrap-stage5: security bump to version 1.25.10 Peter Korsgaard
2026-05-07 23:03 ` Christian Stewart via buildroot
2026-05-15 17:46 ` Thomas Perale via buildroot
2026-05-08 9:19 ` Julien Olivain via buildroot [this message]
2026-05-15 17:46 ` [Buildroot] [PATCH 1/2] package/go: security bump to version 1.26.3 Thomas Perale via buildroot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b303329ab2d2fa8be368e5756980d366@free.fr \
--to=buildroot@buildroot.org \
--cc=christian@aperture.us \
--cc=ju.o@free.fr \
--cc=peter@korsgaard.com \
--cc=thomas.perale@mind.be \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox