commit 5053df5b6ff006dfc96df442fddddee49f5250eb
Author: Gopher Robot
Date: 2026-05-07 08:42:18 -07:00

[release-branch.go1.25] go1.25.10

Change-Id: Ifcb4215df7bbabf281b70d03ae8ee70aab518151
Reviewed-on: https://go-review.googlesource.com/c/go/+/775260
TryBot-Bypass: Gopher Robot <gobot@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Michael Pratt <mpratt@google.com>

commit b18ca70b8dfd0224b6387083db8ba5231d8ac900
Author: Damien Neil
Date: 2026-04-30 13:10:49 -07:00

[release-branch.go1.25] cmd/go: reject sumdb response lacking module hash

Report an error when a sumdb /lookup/ request does not
include a hash for the requested module, rather than
silently proceeding.

Previously, we would verify that a returned sum matched
the expected module hash, but did not verify that the
response contained a sum. This permits a malicious
proxy to serve a corrupted module along with a
valid-but-irrelevant sumdb response for some other
module. We now ensure that the sumdb response contains
a valid hash for the module we are validating.

Thanks to Mundur (https://github.com/M0nd0R) for reporting this issue.

Fixes CVE-2026-42501
Updates #79070
Fixes #79072

Change-Id: I7d9a367deb237aa70cade2434495998f6a6a6964
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/4340
Reviewed-by: Nicholas Husin <husin@google.com>
Reviewed-by: Neal Patel <nealpatel@google.com>
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/4421
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/775161
TryBot-Bypass: Gopher Robot <gobot@golang.org>
Reviewed-by: Michael Pratt <mpratt@google.com>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
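
The check described in the commit message above, as an added example that is not part of the commit or of cmd/go: a lenient verifier that only rejects a conflicting hash, beside a strict one that also requires a hash for the requested module. It assumes the go.sum-style lines have already been extracted from a signature-verified /lookup/ response; `checkSum`, the error names, module paths and hashes are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Example-only names; this is not the cmd/go implementation.
var (
	ErrMissing  = errors.New("sumdb response has no hash for requested module")
	ErrMismatch = errors.New("sumdb hash does not match downloaded module")
)

// checkSum scans go.sum-style lines ("module version hash"). With
// requirePresent=false it mirrors the old check: only a conflict is an error.
func checkSum(lines, mod, vers, hash string, requirePresent bool) error {
	found := false
	for _, line := range strings.Split(lines, "\n") {
		f := strings.Fields(line)
		if len(f) != 3 || f[0] != mod || f[1] != vers {
			continue // line is about some other module or version
		}
		if f[2] != hash {
			return fmt.Errorf("%s@%s: %w", mod, vers, ErrMismatch)
		}
		found = true
	}
	if requirePresent && !found {
		return fmt.Errorf("%s@%s: %w", mod, vers, ErrMissing)
	}
	return nil
}

// Constructed sample data: module paths and hashes are placeholders.
const (
	wantMod, wantVers = "example.com/target", "v1.0.0"
	gotHash           = "h1:HASH-OF-DOWNLOADED-ZIP="
	unrelated         = "example.com/other v1.2.3 h1:AAAA=\nexample.com/other v1.2.3/go.mod h1:BBBB=\n"
	matching          = "example.com/target v1.0.0 h1:HASH-OF-DOWNLOADED-ZIP=\n"
	conflict          = "example.com/target v1.0.0 h1:DIFFERENT=\n"
)

func main() {
	fmt.Println("lenient, unrelated response: ", checkSum(unrelated, wantMod, wantVers, gotHash, false))
	fmt.Println("strict, unrelated response:  ", checkSum(unrelated, wantMod, wantVers, gotHash, true))
	fmt.Println("strict, matching response:   ", checkSum(matching, wantMod, wantVers, gotHash, true))
	fmt.Println("strict, conflicting response:", checkSum(conflict, wantMod, wantVers, gotHash, true))
}
```

The lenient call returns nil for a response that never mentions the requested module, which is the gap the commit closes; the strict call reports the missing hash instead.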

commit 278a55c1b44afc7b6c3d127555546e9658d2fd27
Author: Damien Neil
Date: 2026-04-24 16:40:40 -07:00

[release-branch.go1.25] all: avoid unsafe StringToUTF16Ptr on Windows

The syscall.UTF16PtrFromString function panics when
provided with an input containing a NUL character.
Replace with syscall.UTF16PtrFromString.

Fixes potential panics in net.Dial, net.LookupPort,
and syscall.Readlink.

Fixes CVE-2026-39836
Updates #79006
Fixes #79028

Change-Id: I2fd7bb750d27474047f199faca4061466a6a6964
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/4260
Reviewed-by: Nicholas Husin <husin@google.com>
Reviewed-by: Neal Patel <nealpatel@google.com>
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/4441
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/775160
Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
Auto-Submit: Gopher Robot <gobot@golang.org>
TryBot-Bypass: Gopher Robot <gobot@golang.org>

commit 300adf19b19aab1c4e9c04239c556c2a6b444ff0
Author: Neal Patel
Date: 2026-04-28 12:10:24 -04:00

[release-branch.go1.25] net/mail: fix quadratic consumePhrase behavior

Updates #78987
Fixes #79003
Fixes CVE-2026-42499

Change-Id: I8438e5dee7e6433573d4161baf8fb2151e7fbc2f
Reviewed-on: https://go-review.googlesource.com/c/go/+/771520
Reviewed-by: Nicholas Husin <husin@google.com>
Reviewed-by: Nicholas Husin <nsh@golang.org>
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
(cherry picked from commit 2c59389fcc5194aeae742fb413e55b656c22343f)
Reviewed-on: https://go-review.googlesource.com/c/go/+/772120
Auto-Submit: Michael Pratt <mpratt@google.com>

commit 9027f0c59ab2c3313018c508723fb875aacab491
Author: Ryan Currah
Date: 2026-04-06 16:07:24 Z

[release-branch.go1.25] cmd/go: invalidate test cache when -coverpkg dependencies change

When running tests with -cover and -coverpkg, the resulting coverage
profile includes data from all packages specified in -coverpkg, not
just the test package. Previously, the test cache key did not account
for changes in these out-of-band covered packages, causing stale
coverage profiles to be reused even when source files in covered
packages were modified.

Fix this by hashing the BuildActionIDs of the writeCoverMetaAct's
dependencies (the compile actions for all covered packages) and
incorporating that hash into the coverage profile cache key via
cache.Subkey.

The covMeta hash is now computed directly in tryCacheWithID by
locating the "write coverage meta-data file" action among the run
action's dependencies, keeping all cache logic in one place. When
-coverpkg is used without -coverprofile, a sentinel cache entry is
written so the cache can still detect when covered packages change.

For #74873
Fixes #78582

Change-Id: Ice84557789e325330759442689d0e28f871858bb
GitHub-Last-Rev: 84aa5376f471704b0ee7be79ab33a1d5bba71c5a
GitHub-Pull-Request: golang/go#74773
Reviewed-on: https://go-review.googlesource.com/c/go/+/690775
Reviewed-by: David Chase <drchase@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Michael Matloob <matloob@google.com>
Reviewed-by: Michael Matloob <matloob@golang.org>
Reviewed-on: https://go-review.googlesource.com/c/go/+/764380
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
