gostls13.git log

commit 9c8bf0e72a6fb3b415b591b124b59fbb7cf92252 [browse]
Author: Gopher Robot
Date: 2026-04-07 12:19:24 -07:00

[release-branch.go1.26] go1.26.2

Change-Id: I7f99e65c01c25ff7b5efed6c2aa124c52d0a977f
Reviewed-on: https://go-review.googlesource.com/c/go/+/763682
Auto-Submit: Gopher Robot <gobot@golang.org>
TryBot-Bypass: Gopher Robot <gobot@golang.org>
Reviewed-by: Junyang Shao <shaojunyang@google.com>
Reviewed-by: David Chase <drchase@google.com>

commit 096f21b1c50fe62bc54c1fb1ede60fca63239123 [browse]
Author: Neal Patel
Date: 2026-02-24 23:05:34 Z

[release-branch.go1.26] cmd/go: disallow cgo trust boundary bypass

The cgo compiler implicitly trusts generated files
with 'cgo' prefixes; thus, SWIG files containing 'cgo'
in their names will cause bypass of the trust boundary,
leading to code smuggling or arbitrary code execution.

The cgo compiler will now produce an error if it
encounters any SWIG files containing this prefix.

Thanks to Juho Forsén of Mattermost for reporting this issue.


Fixes #78335
Fixes CVE-2026-27140

Change-Id: I44185a84e07739b3b347efdb86be7d8fa560b030
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3520
Reviewed-by: Nicholas Husin <husin@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/4021
Commit-Queue: Damien Neil <dneil@google.com>
Reviewed-by: Neal Patel <nealpatel@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/763549
TryBot-Bypass: Gopher Robot <gobot@golang.org>
Reviewed-by: David Chase <drchase@google.com>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Junyang Shao <shaojunyang@google.com>

commit 7cafb4140d5616f1a0316a194a977b0794cd7d7c [browse]
Author: Roland Shoemaker
Date: 2026-03-23 11:54:41 -07:00

[release-branch.go1.26] crypto/tls: prevent deadlock when client sends multiple key update messages

When we made setReadTrafficSecret send an alert when there are pending
handshake messages, we introduced a deadlock when the client sends
multiple key update messages that request a response, as handleKeyUpdate
will lock the mutex, and defer the unlocking until the end of the
function, but setReadTrafficSecret called sendAlert in the failure case,
which also tries to lock the mutex.

Add an argument to setReadTrafficSecret which lets the caller indicate
if the mutex is already locked, and if so, call sendAlertLocked instead
of sendAlert.

Thanks to Jakub Ciolek for reporting this issue.

Fixes #78334
Fixes CVE-2026-32283

Change-Id: Id8e56974233c910e0d66ba96eafbd2ea57832610
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3881
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Nicholas Husin <husin@google.com>
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/4004
Reviewed-on: https://go-review.googlesource.com/c/go/+/763548
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Junyang Shao <shaojunyang@google.com>
TryBot-Bypass: Gopher Robot <gobot@golang.org>
Reviewed-by: David Chase <drchase@google.com>

commit a34b5e4d55e39efc9af0d803969e9399a553acf3 [browse]
Author: Damien Neil
Date: 2026-03-23 13:12:44 -07:00

[release-branch.go1.26] archive/tar: limit the number of old GNU sparse format entries

We did not set a limit on the maximum size of sparse maps in
the old GNU sparse format. Set a limit based on the cumulative
size of the extension blocks used to encode the map (consistent
with how we limit the sparse map size for other formats).

Add an additional limit to the total number of sparse file entries,
regardless of encoding, to all sparse formats.

Thanks to Colin Walters (walters@verbum.org),
Uuganbayar Lkhamsuren (https://github.com/uug4na),
and Jakub Ciolek for reporting this issue.

Fixes #78301
Fixes CVE-2026-32288

Change-Id: I84877345d7b41cc60c58771860ba70e16a6a6964
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3901
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/4020
Reviewed-by: Neal Patel <nealpatel@google.com>
Commit-Queue: Damien Neil <dneil@google.com>
Reviewed-by: Nicholas Husin <husin@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/763547
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Junyang Shao <shaojunyang@google.com>
TryBot-Bypass: Gopher Robot <gobot@golang.org>
Reviewed-by: David Chase <drchase@google.com>

commit c4b4bd7b3aefeb67a541912df0733bde68333bfc [browse]
Author: Junyang Shao
Date: 2026-03-06 00:03:45 Z

[release-branch.go1.26] cmd/compile: fix loopbce overflow check logic

addWillOverflow and subWillOverflow has an implicit assumption that y is
positive, using it outside of addU and subU is really incorrect. This CL
fixes those incorrect usage to use the correct logic in place.

Thanks to Jakub Ciolek for reporting this issue.

Fixes #78333
Fixes CVE-2026-27143

Change-Id: I263e8e7ac227e2a68109eb7bbd45f66569ed22ec
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3700
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Neal Patel <nealpatel@google.com>
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3986
Commit-Queue: Damien Neil <dneil@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/763546
Reviewed-by: David Chase <drchase@google.com>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Junyang Shao <shaojunyang@google.com>
TryBot-Bypass: Gopher Robot <gobot@golang.org>

clone the repository to get more history