commit d563bc4ba3301156c1e6b115a89c659b00d71fe7
Author: Gopher Robot
Date: 2026-06-02 11:27:20 -07:00

[release-branch.go1.25] go1.25.11

Change-Id: I294bec3e2b7893fc24bcaf8755de77e1afb31fd1
Reviewed-on: https://go-review.googlesource.com/c/go/+/786221
Reviewed-by: David Chase <drchase@google.com>
TryBot-Bypass: Gopher Robot <gobot@golang.org>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Mark Freeman <markfreeman@google.com>

commit 917b60b4944c4a7c764d64f3973d2588ed36f8e8
Author: Jorropo
Date: 2026-05-05 00:32:58 +02:00

[release-branch.go1.25] cmd/compile: do not miscompile x+x << 63 to x << 0 on amd64

For #79182
Fixes #79190

Change-Id: I63ca6cb1bd3f6752a7e9b809cfffc8d45b7adc51
Reviewed-on: https://go-review.googlesource.com/c/go/+/774040
Auto-Submit: Jorropo <jorropo.pgm@gmail.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-by: Keith Randall <khr@google.com>
Reviewed-by: Keith Randall <khr@golang.org>
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
(cherry picked from commit c3bfc824a58d8cd6871af6825a08a49e9ed16a26)
Reviewed-on: https://go-review.googlesource.com/c/go/+/783601
Reviewed-by: Junyang Shao <shaojunyang@google.com>
Reviewed-by: Jorropo <jorropo.pgm@gmail.com>

commit 51f47daa18cb95683499db6652499129c06b3fc7
Author: khr@golang.org
Date: 2026-05-26 18:12:55 -07:00

[release-branch.go1.25] runtime/race: build race detector linux/arm64 syso with no-outline-atomics

See https://go-review.googlesource.com/c/build/+/783460

That's the only change - otherwise use the same llvm and Go source.

Fixes #79698

Change-Id: I11cb284704a71693ba4cf52a61bcac69c03be7ab
Reviewed-on: https://go-review.googlesource.com/c/go/+/783860
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Keith Randall <khr@google.com>
SLSA-Policy-Verified: SLSA Policy Verification Service <devtools-gerritcodereview-exitgate@google.com>

commit c5d18e479475e251c8593b1113fb53836117d5d3
Author: Ian Alexander
Date: 2026-05-27 04:22:31 -04:00

[release-branch.go1.25] crypto/x509: split candidate hostname only once

(*x509.Certificate).VerifyHostname previously called matchHostnames in a
loop over all DNS Subject Alternative Name (SAN) entries. This caused
strings.Split(host, ".") to execute repeatedly on the same input
hostname.

With a large DNS SAN list, verification costs scaled quadratically based
on the number of SAN entries multiplied by the hostname's label count.
Because x509.Verify validates hostnames before building the certificate
chain, this overhead occurred even for untrusted certificates.

Thanks to Jakub Ciolek <jakub@ciolek.dev> for reporting this issue.

For #79694
Fixes #79700
Fixes CVE-2026-27145

Change-Id: I2788b8ee22ffd28e45bcc7b0d860549084906a74
Reviewed-on: https://go-review.googlesource.com/c/go/+/783621
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Neal Patel <neal@golang.org>
(cherry picked from commit d01955d5d50ccb5f46c215f88c1781742b3f117d)
Reviewed-on: https://go-review.googlesource.com/c/go/+/783941
Reviewed-by: Neal Patel <nealpatel@google.com>

commit 449dafea7264878e73acc58cbd330e0ee6630030
Author: Nicholas S. Husin
Date: 2026-05-11 18:04:07 -04:00

[release-branch.go1.25] net/textproto: escape arbitrary input when including it in errors

When returning errors, functions in the net/textproto package would
include their input as part of the error, without any escaping. Note that
said input is often controlled by external parties when using this
package naturally. For example, a net/http client uses ReadMIMEHeader
when parsing the headers it receives from a server.

As a result, an attacker could inject arbitrary content into the error.
Practically, this can result in an attacker injecting misleading
content, terminal control bytes, etc. into a victim's output or logs.

Fix this issue by making sure that ProtocolError usages within the
package are properly escaped, and that Error.String will escape its Msg.

Updates #79346
Fixes #79425
Fixes CVE-2026-42507

Change-Id: Ide4c1005d8254f90d95d7a389b8ca3a26a6a6964
Reviewed-on: https://go-review.googlesource.com/c/go/+/777060
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Nicholas Husin <husin@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
(cherry picked from commit 1a7e601d07b67aec8d795c8182ee7257ba7d1960)
Reviewed-on: https://go-review.googlesource.com/c/go/+/778181
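
A caller-side guard for the net/textproto issue described in the commit above, as an added example that is not part of the commit or of the Go source tree: it quotes a parser error before it reaches a log line, so control bytes taken from remote input cannot alter the output. The helper names (`escapeForLog`, `logLine`, `hasControl`) and the sample header block are assumptions constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"net/textproto"
	"strconv"
	"strings"
)

// Constructed sample: the second line has no colon, so the parser rejects
// it, and it carries an ESC colour sequence plus a bare CR.
const constructedHeaders = "Host: example.test\r\n" +
	"bogus\x1b[31m\rlevel=info msg=ok\r\n\r\n"

// parseHeaders runs the real net/textproto header parser over raw.
func parseHeaders(raw string) (textproto.MIMEHeader, error) {
	r := textproto.NewReader(bufio.NewReader(strings.NewReader(raw)))
	return r.ReadMIMEHeader()
}

// escapeForLog (hypothetical helper) returns s as a double-quoted Go string
// literal in which control and non-ASCII bytes appear as escape sequences.
func escapeForLog(s string) string { return strconv.QuoteToASCII(s) }

// logLine (hypothetical helper) builds one log record; the error text is
// treated as untrusted because it may echo bytes sent by the peer.
func logLine(component string, err error) string {
	return fmt.Sprintf("component=%s err=%s", component, escapeForLog(err.Error()))
}

// hasControl reports whether s contains a raw C0 control byte or DEL.
func hasControl(s string) bool {
	for i := 0; i < len(s); i++ {
		if s[i] < 0x20 || s[i] == 0x7f {
			return true
		}
	}
	return false
}

func main() {
	if _, err := parseHeaders(constructedHeaders); err != nil {
		fmt.Println(logLine("upstream", err))
	}
}
```

On a toolchain that already contains the fix, the error text arrives escaped and this guard escapes its backslashes a second time, which is harmless for log integrity.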
