commit 2dc996f71b0ebafb77e64433e58333e049488a3c
Author: Gopher Robot
Date: 2026-05-07 08:48:54 -07:00

[release-branch.go1.26] go1.26.3

Change-Id: Ifcfb963f256eff89bc1c447b0dd7471d9cd46cc5
Reviewed-on: https://go-review.googlesource.com/c/go/+/775261
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Michael Pratt <mpratt@google.com>
TryBot-Bypass: Gopher Robot <gobot@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>

commit 8282c628a01c9653e8ecae9c8d7e465c92101279
Author: Damien Neil
Date: 2026-04-30 13:10:49 -07:00

[release-branch.go1.26] cmd/go: reject sumdb response lacking module hash

Report an error when a sumdb /lookup/ request does not
include a hash for the requested module, rather than
silently proceeding.

Previously, we would verify that a returned sum matched
the expected module hash, but did not verify that the
response contained a sum. This permits a malicous
proxy to serve a corrupted module along with a
valid-but-irrelevant sumdb response for some other
module. We now ensure that the sumdb response contains
a valid hash for the module we are validating.

Thanks to Mundur (https://github.com/M0nd0R) for reporting this issue.

Fixes CVE-2026-42501
Updates #79070
Fixes #79073

Change-Id: I7d9a367deb237aa70cade2434495998f6a6a6964
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/4340
Reviewed-by: Nicholas Husin <husin@google.com>
Reviewed-by: Neal Patel <nealpatel@google.com>
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/4420
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/775163
Reviewed-by: Michael Pratt <mpratt@google.com>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
TryBot-Bypass: Gopher Robot <gobot@golang.org>
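
The check described in the commit message above, as an added example (not part of the commit and not cmd/go's code). It assumes go.sum-style response lines of the form "path version hash"; the function name, error values and sample data are hypothetical and constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var (
	errMismatch = errors.New("checksum mismatch")
	errMissing  = errors.New("sumdb response lacks hash for requested module")
)

// checkSums compares localHash with every "path version hash" line in lines
// that names the requested module. With requireHash false it behaves like the
// old logic in the message: a mismatch is rejected, but a response with no
// line for the module passes. With requireHash true, absence is an error.
func checkSums(lines, path, version, localHash string, requireHash bool) error {
	found := false
	for _, line := range strings.Split(lines, "\n") {
		f := strings.Fields(line)
		if len(f) != 3 || f[0] != path || f[1] != version {
			continue // line for some other module or version
		}
		if f[2] != localHash {
			return errMismatch
		}
		found = true
	}
	if requireHash && !found {
		return errMissing
	}
	return nil
}

func main() {
	// Constructed sample: well-formed lines, but for a different module.
	const irrelevant = "example.com/other v1.0.0 h1:AAAA=\n" +
		"example.com/other v1.0.0/go.mod h1:BBBB=\n"
	// Old behaviour: nothing to compare against, so nothing fails.
	fmt.Println(checkSums(irrelevant, "example.com/target", "v1.2.3", "h1:CCCC=", false))
	// Fixed behaviour: the missing hash is reported.
	fmt.Println(checkSums(irrelevant, "example.com/target", "v1.2.3", "h1:CCCC=", true))
}
```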

commit 3baf3eec3b2247bbfbdeac4193c88baa7acc0842
Author: Damien Neil
Date: 2026-04-24 16:40:40 -07:00

[release-branch.go1.26] all: avoid unsafe StringToUTF16Ptr on Windows

The syscall.UTF16PtrFromString function panics when
provided with an input containing a NUL character.
Replace with syscall.UTF16PtrFromString.

Fixes potential panics in net.Dial, net.LookupPort,
and syscall.Readlink.

Fixes CVE-2026-39836
Updates #79006
Fixes #79029

Change-Id: I2fd7bb750d27474047f199faca4061466a6a6964
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/4260
Reviewed-by: Nicholas Husin <husin@google.com>
Reviewed-by: Neal Patel <nealpatel@google.com>
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/4440
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/775162
Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
TryBot-Bypass: Gopher Robot <gobot@golang.org>
Auto-Submit: Gopher Robot <gobot@golang.org>

commit 0bec63330d73d022d8b44b229f33b99639d16654
Author: Neal Patel
Date: 2026-04-28 12:10:24 -04:00

[release-branch.go1.26] net/mail: fix quadratic consumePhrase behavior

Updates #78987
Fixes #79004
Fixes CVE-2026-42499

Change-Id: I8438e5dee7e6433573d4161baf8fb2151e7fbc2f
Reviewed-on: https://go-review.googlesource.com/c/go/+/771520
Reviewed-by: Nicholas Husin <husin@google.com>
Reviewed-by: Nicholas Husin <nsh@golang.org>
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
(cherry picked from commit 2c59389fcc5194aeae742fb413e55b656c22343f)
Reviewed-on: https://go-review.googlesource.com/c/go/+/772121
Auto-Submit: Michael Pratt <mpratt@google.com>

commit 7136366ebf849bad4f77df768c6dc29fbf0d6f86
Author: Ryan Currah
Date: 2026-04-09 02:52:39 Z

[release-branch.go1.26] cmd/go: invalidate test cache when -coverpkg dependencies change

When running tests with -cover and -coverpkg, the resulting coverage
profile includes data from all packages specified in -coverpkg, not
just the test package. Previously, the test cache key did not account
for changes in these out-of-band covered packages, causing stale
coverage profiles to be reused even when source files in covered
packages were modified.

Fix this by hashing the BuildActionIDs of the writeCoverMetaAct's
dependencies (the compile actions for all covered packages) and
incorporating that hash into the coverage profile cache key via
cache.Subkey.

The covMeta hash is now computed directly in tryCacheWithID by
locating the "write coverage meta-data file" action among the run
action's dependencies, keeping all cache logic in one place. When
-coverpkg is used without -coverprofile, a sentinel cache entry is
written so the cache can still detect when covered packages change.

Fixes #78583
For #74873

Change-Id: Ice84557789e325330759442689d0e28f871858bb
GitHub-Last-Rev: 84aa5376f471704b0ee7be79ab33a1d5bba71c5a
GitHub-Pull-Request: golang/go#74773
Reviewed-on: https://go-review.googlesource.com/c/go/+/690775
Reviewed-by: David Chase <drchase@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Michael Matloob <matloob@google.com>
Reviewed-by: Michael Matloob <matloob@golang.org>
Reviewed-on: https://go-review.googlesource.com/c/go/+/764360
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
