gostls13.git log

commit a9ce111d580581fb925ae88f125c69b7d93504ea [browse]
Author: Gopher Robot
Date: 2026-06-02 11:27:25 -07:00

[release-branch.go1.26] go1.26.4

Change-Id: I1c45ebded2d678b73081c6716a0fdd15a0b1824e
Reviewed-on: https://go-review.googlesource.com/c/go/+/786201
TryBot-Bypass: Gopher Robot <gobot@golang.org>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Mark Freeman <markfreeman@google.com>
Reviewed-by: David Chase <drchase@google.com>

commit babc19e1ad8cf2243b25553917af08fc4ad92948 [browse]
Author: Jorropo
Date: 2026-05-05 00:32:58 +02:00

[release-branch.go1.26] cmd/compile: do not misscompile x+x << 63 to x << 0 on amd64

For #79182
Fixes #79191

Change-Id: I63ca6cb1bd3f6752a7e9b809cfffc8d45b7adc51
Reviewed-on: https://go-review.googlesource.com/c/go/+/774040
Auto-Submit: Jorropo <jorropo.pgm@gmail.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-by: Keith Randall <khr@google.com>
Reviewed-by: Keith Randall <khr@golang.org>
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
(cherry picked from commit c3bfc824a58d8cd6871af6825a08a49e9ed16a26)
Reviewed-on: https://go-review.googlesource.com/c/go/+/784101
Reviewed-by: Junyang Shao <shaojunyang@google.com>
Reviewed-by: Jorropo <jorropo.pgm@gmail.com>

commit 7d24489b2b12b3dd7c4f6f492673a986bda42e25 [browse]
Author: khr@golang.org
Date: 2026-05-26 18:12:55 -07:00

[release-branch.go1.26] runtime/race: build race detector linux/arm64 syso with no-outline-atomics

See https://go-review.googlesource.com/c/build/+/783460

That's the only change - otherwise use the same llvm and Go source.

Fixes #79686

Change-Id: I11cb284704a71693ba4cf52a61bcac69c03be7ab
Reviewed-on: https://go-review.googlesource.com/c/go/+/783521
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
SLSA-Policy-Verified: SLSA Policy Verification Service <devtools-gerritcodereview-exitgate@google.com>
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Keith Randall <khr@google.com>

commit ce5a3e718cac440defae617dc6ed72a6e94cd0af [browse]
Author: Ian Alexander
Date: 2026-05-27 04:22:31 -04:00

[release-branch.go1.26] crypto/x509: split candidate hostname only once

(*x509.Certificate).VerifyHostname previously called matchHostnames in a
loop over all DNS Subject Alternative Name (SAN) entries. This caused
strings.Split(host, ".") to execute repeatedly on the same input
hostname.

With a large DNS SAN list, verification costs scaled quadratically based
on the number of SAN entries multiplied by the hostname's label count.
Because x509.Verify validates hostnames before building the certificate
chain, this overhead occurred even for untrusted certificates.

Thanks to Jakub Ciolek <jakub@ciolek.dev> for reporting this issue.

For #79694
Fixes #79701
Fixes CVE-2026-27145

Change-Id: I2788b8ee22ffd28e45bcc7b0d860549084906a74
Reviewed-on: https://go-review.googlesource.com/c/go/+/783621
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Neal Patel <neal@golang.org>
(cherry picked from commit d01955d5d50ccb5f46c215f88c1781742b3f117d)
Reviewed-on: https://go-review.googlesource.com/c/go/+/783942
Reviewed-by: Neal Patel <nealpatel@google.com>

commit ec1c380418ec6a0da28d4519872e2b81ba9152ba [browse]
Author: Nicholas S. Husin
Date: 2026-05-11 18:04:07 -04:00

[release-branch.go1.26] net/textproto: escape arbitrary input when including them in errors

When returning errors, functions in the net/textproto package would
include its input as part of the error, without any escaping. Note that
said input is often controlled by external parties when using this
package naturally. For example, a net/http client uses ReadMIMEHeader
when parsing the headers it receive from a server.

As a result, an attacker could inject arbitrary content into the error.
Practically, this can result in an attacker injecting misleading
content, terminal control bytes, etc. into a victim's output or logs.

Fix this issue by making sure that ProtocolError usages within the
package are properly escaped, and that Error.String will escape its Msg.

Updates #79346
Fixes #79426
Fixes CVE-2026-42507

Change-Id: Ide4c1005d8254f90d95d7a389b8ca3a26a6a6964
Reviewed-on: https://go-review.googlesource.com/c/go/+/777060
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Nicholas Husin <husin@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
(cherry picked from commit 1a7e601d07b67aec8d795c8182ee7257ba7d1960)
Reviewed-on: https://go-review.googlesource.com/c/go/+/778182

clone the repository to get more history