Go 1.26.3 #169
Merged
…tead of gold The bfd linker has been fixed for a while. In the meantime gold got deprecated and has stopped receiving new features. Add runtime version checking and only use gold if bfd ld 2.35 and lower is detected. This enables using `-buildmode=shared` on arm64 without installing binutils-gold (on distributions that split package this), as well as using external ldflags that ld.bfd supports and ld.gold does not. For example, this enables specifying gcs-report-dynamic=none when building with GCC-15. For golang#22040. Fixes golang#78406. Change-Id: I4eb8b3dabb78844ff662332ad63a4625278271b1 Cq-Include-Trybots: luci.golang.try:go1.26-linux-arm64_debian13 Reviewed-on: https://go-review.googlesource.com/c/go/+/740480 Reviewed-by: Cherry Mui <cherryyz@google.com> Reviewed-by: Mark Freeman <markfreeman@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Cherry Mui <cherryyz@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/760302 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Auto-Submit: Dmitri Shuralyov <dmitshur@google.com> LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
While CL 758801 addresses this fix on tip, it does not apply cleanly on go1.25 or go1.26. In the interest of safety, this disables loop inversion; it's the least invasive path. Fixes golang#78375 Change-Id: Iac399ca47b811042dc5f38272d201d3dc61390b8 Reviewed-on: https://go-review.googlesource.com/c/go/+/766982 Reviewed-by: Jorropo <jorropo.pgm@gmail.com> TryBot-Bypass: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Keith Randall <khr@google.com>
…running go tool covdata Otherwise the GOROOT will be a post-1.25 GOROOT, while we try to run "go tool covdata" with a go command that's 1.24 or earlier from the post 1.25 toolchain. The 1.24 go command won't be able to find covdata in the 1.25 goroot because go 1.25 and later don't ship with a prebuilt covdata tool. For golang#71867 For golang#75031 Fixes golang#78412 Change-Id: I770f10a288347ac33cf721d34a2adb1a6a6a6964 Reviewed-on: https://go-review.googlesource.com/c/go/+/756220 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Michael Matloob <matloob@google.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> (cherry picked from commit 90adad7) Reviewed-on: https://go-review.googlesource.com/c/go/+/760500 TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com>
Since negating min int will overflow back to itself, causing a panic inside subWillUnderflow check. Fixes golang#78676 Change-Id: Ibbf2fa3228b9890a1a76ac6f4ff504b7e125b29f Reviewed-on: https://go-review.googlesource.com/c/go/+/766260 Auto-Submit: Cuong Manh Le <cuong.manhle.vn@gmail.com> LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: David Chase <drchase@google.com> Reviewed-by: Jorropo <jorropo.pgm@gmail.com> Reviewed-by: Keith Randall <khr@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/766840 TryBot-Bypass: Cuong Manh Le <cuong.manhle.vn@gmail.com>
This is inspired by CL 724560 by Bobby Powers, particularly their great commit message.
When using address sanitizer with leak detection, sysReserve registers memory regions with LSAN via lsanregisterrootregion. However, several code paths release this memory using sysFreeOS without first unregistering from LSAN. This leaves LSAN with stale root region entries pointing to memory that has been unmapped and may be reallocated for other purposes.
This bug was latent until glibc 2.42, which changed pthread stack guard pages from mprotect(PROT_NONE) to madvise(MADV_GUARD_INSTALL). The difference matters because LSAN filters root region scanning by intersecting registered regions with readable mappings from /proc/self/maps:
- mprotect(PROT_NONE) splits the VMA, creating a separate entry with ---p permissions. LSAN's IsReadable() check excludes it from scanning.
- MADV_GUARD_INSTALL operates at the page table level without modifying the VMA. The region still appears as rw-p in /proc/self/maps, so LSAN includes it in the scan and crashes with SIGSEGV when accessing the guard pages.
Address this by adding sysUnreserve to undo sysReserve. sysUnreserve unregisters the region from LSAN and frees the mapping.
With the addition of sysUnreserve, we have complete coverage of LSAN unregister in the mem.go abstract: sysFree unregisters Ready memory. sysUnreserve unregisters Reserved memory. And there is no way to free Prepared memory at all (it must transition to Ready or Reserved first).
The implementation of lsanunregisterrootregion [1] finds the region by exact match of start and end address. It therefore does not support splitting a region, and we must extend this requirement to sysUnreserve and sysFree. I am not completely confident that we always pass the full region to sysFree, but LSAN aborts if it can't find the region, so we must not be blatantly violating this.
sysReserveAligned does need to unreserve a subset of a region, so it cannot use sysUnreserve directly. Rather than breaking the mem.go abstract, move sysReserveAligned into mem.go, adding it to the abstraction.
We should not have any calls to sysFreeOS outside of the mem.go abstraction. That is now true with this CL.
Fixes golang#78511.
[1] https://github.com/llvm/llvm-project/blob/3e3e362648fa062038b90ccc21f46a09d6902288/compiler-rt/lib/lsan/lsan_common.cpp#L1157
Change-Id: I8c46a62154b2f23456ffd5086a7b91156a6a6964
Reviewed-on: https://go-review.googlesource.com/c/go/+/762381
Reviewed-by: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
(cherry picked from commit 40ec033)
Reviewed-on: https://go-review.googlesource.com/c/go/+/767022
TryBot-Bypass: Carlos Amedee <carlos@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Fixes golang#78478 Change-Id: Ic950951a8149a9db0c43e7f6846926b2806a8889 Reviewed-on: https://go-review.googlesource.com/c/go/+/768500 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
…ime on 32-bit arch codepaths The previous fallback-on-ENOSYS logic causes issues on forks of Linux. Android: golang#77621 (CL 750040 added a workaround with a TODO, this fixes that TODO) Causes the OS to terminate the program when running on Android versions <=10 since the seccomp jail does not know about the 64-bit time syscall and is configured to terminate the program on any unknown syscall. Synology's Linux: golang#77930 On old versions of Synology's Linux they added custom vendor syscalls without adding a gap in the syscall numbers, that means when we call the newer Linux syscall which was added later, Synology's Linux interprets it as a completely different vendor syscall. Originally by Jorropo in CL 751340. Updates golang#77930 Fixes golang#77931 Co-authored-by: Jorropo <jorropo.pgm@gmail.com> Change-Id: I90e15495d9249fd7f6e112f9e3ae8ad1322f56e0 Reviewed-on: https://go-review.googlesource.com/c/go/+/758902 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Michael Pratt <mpratt@google.com> Reviewed-by: Jorropo <jorropo.pgm@gmail.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> (cherry picked from commit 04dc12c) Reviewed-on: https://go-review.googlesource.com/c/go/+/770220 LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
… empty script type as JavaScript Thank you to Mundur (https://github.com/M0nd0R) for reporting this issue. For golang#78981 Fixes golang#79025 Fixes CVE-2026-39826 Change-Id: I3f2e06496020ece655d156fb099ff556af8cc836 Reviewed-on: https://go-review.googlesource.com/c/go/+/771180 Reviewed-by: Roland Shoemaker <roland@golang.org> LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> (cherry picked from commit a63b23f) Reviewed-on: https://go-review.googlesource.com/c/go/+/772042 Reviewed-by: Neal Patel <nealpatel@google.com>
… parameters in proxy When ReverseProxy forwards a request containing more than urlmaxqueryparams (GODEBUG) query parameters, reencode the outbound query parameters. Avoids potential smuggling of query parameters, where the sender sends many query parameters, the user's Rewrite hook fails to observe those parameters due to the limit being exceeded, and the request is forwarded with the full set of parameters. For golang#78948 Fixes golang#78986 Fixes CVE-2026-39825 Change-Id: I691be7899c4b6208bf61f6b78dacfdf56a6a6964 Reviewed-on: https://go-review.googlesource.com/c/go/+/770541 Reviewed-by: Nicholas Husin <nsh@golang.org> Reviewed-by: Nicholas Husin <husin@google.com> Auto-Submit: Damien Neil <dneil@google.com> LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> (cherry picked from commit 6795bb3) Reviewed-on: https://go-review.googlesource.com/c/go/+/772040 Reviewed-by: Damien Neil <dneil@google.com>
Currently "go fix -diff" and "go vet -fix -diff" always exit with status 0 even when they print diffs, which is inconsistent with "gofmt -d" (golang#46289) and "go mod tidy -diff" (golang#27005) that exit non-zero when diffs are present. The root cause is that the default VetHandleStdout (copyToStdout) simply copies the tool stdout through without checking whether any content was produced. This change installs a new copyAndDetectDiff handler in -diff mode that copies the tool stdout through and calls base.SetExitStatus(1) when content is present, matching the pattern used by "go mod tidy -diff". For golang#77583 Fixes golang#77801 Change-Id: I588fbaae8b3690da2f821240baa4a3b14b78f280 Reviewed-on: https://go-review.googlesource.com/c/go/+/749700 Reviewed-by: Michael Matloob <matloob@golang.org> Reviewed-by: Michael Matloob <matloob@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> (cherry picked from commit 2d72c26) Reviewed-on: https://go-review.googlesource.com/c/go/+/772000 LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
…ntropy generation on Wasm In FIPS-140 mode we currently use a scratch buffer in the BSS section to generate entropy by measuring jittering for memory touches. The BSS variable usually doesn't cost much, except on Wasm, due to the way the linear memory works. FIPS-140 mode is not supported on Wasm, so this code is not actually needed there. This CL uses a build tag to exclude it, so we don't need to include an (unused) 32 MB BSS variable in Wasm binaries. Updates golang#78321. Fixes golang#78354. Change-Id: I5139029fa98c302e8769be3e3034967d777f1f16 Reviewed-on: https://go-review.googlesource.com/c/go/+/758361 LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Roland Shoemaker <roland@golang.org> (cherry picked from commit e32ec47) Reviewed-on: https://go-review.googlesource.com/c/go/+/767320
…r identity for type comparison Updates golang#78404 Fixes golang#78409 Change-Id: I6adc1fb42ad6a3acce21333c6819d0796a6a6964 Reviewed-on: https://go-review.googlesource.com/c/go/+/760161 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Keith Randall <khr@google.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Keith Randall <khr@golang.org> (cherry picked from commit 09031d9) Reviewed-on: https://go-review.googlesource.com/c/go/+/761060 Reviewed-by: Robert Griesemer <gri@google.com> LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
…y for "go bug" Don't use a predictable, potentially attacker-controlled filename in /tmp. For golang#78584 Fixes golang#78588 Fixes CVE-2026-39819 Change-Id: I72116aa6dd8fa50f65b6dc0292a15a8c6a6a6964 Reviewed-on: https://go-review.googlesource.com/c/go/+/763882 Reviewed-by: Nicholas Husin <husin@google.com> Reviewed-by: Nicholas Husin <nsh@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> (cherry picked from commit 5d6aa23) Reviewed-on: https://go-review.googlesource.com/c/go/+/763883 LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Michael Pratt <mpratt@google.com>
…arameters correctly in a few places
When iterating over a type set via a range clause, an unconstrained type set produces a single (nil, nil) result. This was not properly accounted for in a few places:
- In the code for the append and copy built-in, handle the (nil, nil) case.
- Likewise, in NewSignatureType, panic with the correct (string) error in this case.
Check all remaining places where we iterate over type sets with range for correctness.
Fixes golang#78198.
Change-Id: If0f33f43dad59b4b5ef4c310f80522c25c6e251f
Reviewed-on: https://go-review.googlesource.com/c/go/+/755941
Reviewed-by: Robert Griesemer <gri@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Mark Freeman <markfreeman@google.com>
Auto-Submit: Robert Griesemer <gri@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/756124
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
…thoutEnforcement To avoid excessive backports, this CL copies rerunWithFIPS140Enforced from CL 759382, and overrides the certificates used for FIPS-140 tests to avoid requiring the entirety of CL 759380 and CL 759381. Fixes golang#78372 Updates golang#78298 Updates golang#78178 Updates golang#75528 Updates golang#75166 Updates golang#76112 Change-Id: Ie78f3bf5f0b232482da44aba28a0f6d66a6a6964 Reviewed-on: https://go-review.googlesource.com/c/go/+/759383 Reviewed-by: David Chase <drchase@google.com> LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Daniel McCarney <daniel@binaryparadox.net> Reviewed-by: Mark Freeman <markfreeman@google.com> Auto-Submit: Filippo Valsorda <filippo@golang.org> (cherry picked from commit 3103a23) Reviewed-on: https://go-review.googlesource.com/c/go/+/771961 Reviewed-by: Michael Pratt <mpratt@google.com> Commit-Queue: Michael Pratt <mpratt@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org> Auto-Submit: Michael Pratt <mpratt@google.com>
…stems The nsec field of timespec is a C long even when using 64-bit time on 32-bit systems. This is because, by the timespec API, nsec never holds more than a second's worth of nanoseconds. If it would, these would increment the sec field while the nsec field would get the amount of nanoseconds modulus a second. For golang#77934 Fixes golang#77935 Change-Id: I9803998ba70123eb3b226379bd72b11cae972c38 Reviewed-on: https://go-review.googlesource.com/c/go/+/751341 Reviewed-by: Michael Pratt <mpratt@google.com> Auto-Submit: Jorropo <jorropo.pgm@gmail.com> Reviewed-by: David Chase <drchase@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> (cherry picked from commit ba402cd) Reviewed-on: https://go-review.googlesource.com/c/go/+/772020 Auto-Submit: Michael Pratt <mpratt@google.com> Reviewed-by: Jorropo <jorropo.pgm@gmail.com> Reviewed-by: Cherry Mui <cherryyz@google.com> LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Updates golang#78982 Updates golang#78984 Change-Id: Ic91104597bdb6c77f9885159ce2e3ddc6a6a6964 Reviewed-on: https://go-review.googlesource.com/c/go/+/771203 Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Michael Pratt <mpratt@google.com> LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
…-c2097c7c Updates golang#78982 Fixes golang#78984 Change-Id: I37dd130b18026d5830348ad67de465eb6a6a6964 Reviewed-on: https://go-review.googlesource.com/c/go/+/771204 Reviewed-by: Michael Pratt <mpratt@google.com> LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Roland Shoemaker <roland@golang.org>
…ndling large DNS response No test, unfortunately: I've had no luck triggering this without the ability to override the local recursive resolver. Thanks to hamayanhamayan for reporting this issue. Fixes CVE-2026-33811 Fixes golang#78813 For golang#78803 Change-Id: I9e51410337316c20e4b9fd5b86657f436a6a6964 Reviewed-on: https://go-review.googlesource.com/c/go/+/767860 Reviewed-by: Nicholas Husin <nsh@golang.org> LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Nicholas Husin <husin@google.com> (cherry picked from commit ab2c7eb) Reviewed-on: https://go-review.googlesource.com/c/go/+/767542
For golang#77879 Fixes golang#79021 Change-Id: I07c2fade6a5a49dd6abd53cb474462b16a6a6964 Reviewed-on: https://go-review.googlesource.com/c/go/+/771360 TryBot-Bypass: Dmitri Shuralyov <dmitshur@golang.org> Auto-Submit: Filippo Valsorda <filippo@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org> Reviewed-by: Daniel McCarney <daniel@binaryparadox.net> Reviewed-by: Michael Pratt <mpratt@google.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> (cherry picked from commit f0f2768) Reviewed-on: https://go-review.googlesource.com/c/go/+/772200 LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Roland Shoemaker <roland@golang.org>
…th line directives
The Go loop variable semantics changed in Go 1.22: loop variables are now
created per-iteration instead of per-loop. The compiler decides which
semantics to use based on the Go version in go.mod.
When go.mod specifies go 1.21 and the code is built with a Go 1.22+
compiler, the per-loop (compatible behavior) semantics should be used.
However, when a line directive is present in the source file,
go.mod 1.21 and a go1.22+ compiler produce per-iteration semantics.
For example, the file below wants output 333 but got 012.
-- go.mod --
module test
go 1.21
-- main.go --
//line main.go:1
package main
import "fmt"
func main() {
	var fns []func()
	for i := 0; i < 3; i++ {
		// Each closure captures the loop variable i.
		fns = append(fns, func() { fmt.Print(i) })
	}
	for _, fn := range fns {
		fn()
	}
}
The distinctVars function uses stmt.Pos().Base() to look up the file
version in FileVersions. Base() returns the file name after line
directives are applied (e.g., "main.go" for "//line main.go:1"), not
the actual source file path. This causes the version lookup to fail
for files with line directives.
This CL fixes the bug by using stmt.Pos().FileBase() instead. FileBase()
returns the actual file path before line directives are applied, ensuring
the correct version information is retrieved from the original source file.
For golang#77248
Fixes golang#77297
Change-Id: Idacc0816d112ee393089262468a02acfe40e4b72
Reviewed-on: https://go-review.googlesource.com/c/go/+/737820
Reviewed-by: Keith Randall <khr@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Keith Randall <khr@google.com>
Reviewed-by: Carlos Amedee <carlos@golang.org>
(cherry picked from commit b408256)
Reviewed-on: https://go-review.googlesource.com/c/go/+/772104
Reviewed-by: David Chase <drchase@google.com>
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
…Comment
consumeComment builds the comment string by repeated string concatenation inside a loop. Each concatenation copies the entire string built so far, making the function O(n^2) in the depth of nested comments.
Replace the concatenation with a strings.Builder, which amortizes allocation by doubling its internal buffer. This reduces consumeComment from O(n^2) to O(n).
This is the same bug class as the consumeDomainLiteral fix in CVE-2025-61725.
Benchmark results (benchstat, 8 runs):
name                       old time/op  new time/op  delta
ConsumeComment/depth10     2.481us      1.838us      -25.92%
ConsumeComment/depth100    86.58us      6.498us      -92.50%
ConsumeComment/depth1000   7.963ms      52.82us      -99.34%
ConsumeComment/depth10000  897.8ms      521.3us      -99.94%
The quadratic cost becomes visible at depth 100 and dominant by depth 1000. At depth 10000, the fix is roughly 1700x faster.
For golang#78566
Fixes golang#78568
Change-Id: I3c927f02646fcab7bab167cb82fd46d3327d6d34
GitHub-Last-Rev: 7742dad
GitHub-Pull-Request: golang#78393
Reviewed-on: https://go-review.googlesource.com/c/go/+/759940
Reviewed-by: Sean Liao <sean@liao.dev>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Sean Liao <sean@liao.dev>
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Junyang Shao <shaojunyang@google.com>
(cherry picked from commit 0d0799f)
Reviewed-on: https://go-review.googlesource.com/c/go/+/763800
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
…ory components Do not write to /etc/passwd when running "go tool pack x evil.a" on an archive containing a file named /etc/passwd. For golang#78778 Fixes golang#78791 Change-Id: I4cf69b81af62321ffbb41ace679672a86a6a6964 Reviewed-on: https://go-review.googlesource.com/c/go/+/767520 Reviewed-by: Nicholas Husin <nsh@golang.org> LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Nicholas Husin <husin@google.com> (cherry picked from commit 7409ada) Reviewed-on: https://go-review.googlesource.com/c/go/+/767661
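The class of problem described in the commit above, shown as an added example that is not code from cmd/pack or from this pull request: an untrusted archive member name is reduced to a plain file name before anything is written. The names `localName`, `extractMember` and `ErrUnsafeName` are hypothetical, and dropping directory components (so that `/etc/passwd` extracts as `passwd`) is an assumption of this sketch.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafeName reports an archive member name that cannot be reduced to a
// plain file name inside the extraction directory.
var ErrUnsafeName = errors.New("unsafe archive member name")

// localName reduces an untrusted member name to its final path element.
// Assumption of this example: directory components are dropped, so
// "/etc/passwd" is extracted as "passwd" in the output directory.
func localName(member string) (string, error) {
	name := member
	// Split on both separators so a Windows-style name is handled on any host.
	if i := strings.LastIndexAny(name, `/\`); i >= 0 {
		name = name[i+1:]
	}
	if name == "" || name == "." || name == ".." || strings.ContainsRune(name, 0) {
		return "", fmt.Errorf("%w: %q", ErrUnsafeName, member)
	}
	// filepath.IsLocal additionally rejects reserved device names on Windows.
	if !filepath.IsLocal(name) {
		return "", fmt.Errorf("%w: %q", ErrUnsafeName, member)
	}
	return name, nil
}

// extractMember writes data under dir using the sanitized name. O_EXCL makes
// the create fail if the name already exists, including as a symlink, so an
// entry cannot overwrite or write through something already in dir.
func extractMember(dir, member string, data []byte) (string, error) {
	name, err := localName(member)
	if err != nil {
		return "", err
	}
	dst := filepath.Join(dir, name)
	f, err := os.OpenFile(dst, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o644)
	if err != nil {
		return "", err
	}
	if _, err := f.Write(data); err != nil {
		f.Close()
		return "", err
	}
	return dst, f.Close()
}

func main() {
	dir, err := os.MkdirTemp("", "extract-demo-")
	if err != nil {
		fmt.Println("mkdtemp:", err)
		return
	}
	defer os.RemoveAll(dir)
	// Constructed member names, as they might appear in an untrusted archive.
	for _, m := range []string{"main.o", "/etc/passwd", "../../escape.o", "..", "dir/"} {
		dst, err := extractMember(dir, m, []byte("demo"))
		fmt.Printf("%-18q -> %q err=%v\n", m, dst, err)
	}
}
```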
…ontent attributes The WHATWG "shared declarative refresh steps" algorithm (§4.2.5.3) skips ASCII whitespace between "url" and "=" when parsing the URL portion of a meta content attribute. Thank you to Samy Ghannad for reporting this issue. Updates golang#78913 Fixes golang#79032 Fixes CVE-2026-39823 Change-Id: I7fc3bb9394b95e07b9b10fbc95725a3de6791774 Reviewed-on: https://go-review.googlesource.com/c/go/+/769920 Reviewed-by: Roland Shoemaker <roland@golang.org> TryBot-Bypass: Roland Shoemaker <roland@golang.org> (cherry picked from commit f2ec125) Reviewed-on: https://go-review.googlesource.com/c/go/+/772103 LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
…e a symlink Fix a case where RemoveAll directly returned the error returned from openDirAt. When the target of openDirAt is a symlink, it returns an internal-use-only errSymlink error. This error panics when printed, to catch misuse of openDirAt. Fix RemoveAll to detect and handle the errSymlink return. For golang#78490 Fixes golang#78867 Change-Id: Ibd857280bfca1feb50c163a6e4b192716a6a6964 Reviewed-on: https://go-review.googlesource.com/c/go/+/763520 Reviewed-by: Nicholas Husin <husin@google.com> LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Nicholas Husin <nsh@golang.org> (cherry picked from commit 5ddbf4b) Reviewed-on: https://go-review.googlesource.com/c/go/+/769021 Reviewed-by: Robert Griesemer <gri@google.com>
The current bloop pass implementation skips blank nodes silently. This CL makes it aware of that and keeps them alive in temps. For golang#77654. Fixes golang#78155. Change-Id: Iaffa5194ba1f0fe8d7c80a4c8e5c9a65a47bf534 Reviewed-on: https://go-review.googlesource.com/c/go/+/754920 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Keith Randall <khr@google.com> Reviewed-by: Cuong Manh Le <cuong.manhle.vn@gmail.com> Reviewed-by: Keith Randall <khr@golang.org> Reviewed-on: https://go-review.googlesource.com/c/go/+/772122 LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: David Chase <drchase@google.com> Auto-Submit: Junyang Shao <shaojunyang@google.com> Reviewed-by: Michael Pratt <mpratt@google.com>
…dependencies change When running tests with -cover and -coverpkg, the resulting coverage profile includes data from all packages specified in -coverpkg, not just the test package. Previously, the test cache key did not account for changes in these out-of-band covered packages, causing stale coverage profiles to be reused even when source files in covered packages were modified. Fix this by hashing the BuildActionIDs of the writeCoverMetaAct's dependencies (the compile actions for all covered packages) and incorporating that hash into the coverage profile cache key via cache.Subkey. The covMeta hash is now computed directly in tryCacheWithID by locating the "write coverage meta-data file" action among the run action's dependencies, keeping all cache logic in one place. When -coverpkg is used without -coverprofile, a sentinel cache entry is written so the cache can still detect when covered packages change. Fixes golang#78583 For golang#74873 Change-Id: Ice84557789e325330759442689d0e28f871858bb GitHub-Last-Rev: 84aa537 GitHub-Pull-Request: golang#74773 Reviewed-on: https://go-review.googlesource.com/c/go/+/690775 Reviewed-by: David Chase <drchase@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Michael Matloob <matloob@google.com> Reviewed-by: Michael Matloob <matloob@golang.org> Reviewed-on: https://go-review.googlesource.com/c/go/+/764360 LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Cherry Mui <cherryyz@google.com> Reviewed-by: Michael Pratt <mpratt@google.com>
Updates golang#78987 Fixes golang#79004 Fixes CVE-2026-42499 Change-Id: I8438e5dee7e6433573d4161baf8fb2151e7fbc2f Reviewed-on: https://go-review.googlesource.com/c/go/+/771520 Reviewed-by: Nicholas Husin <husin@google.com> Reviewed-by: Nicholas Husin <nsh@golang.org> LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> (cherry picked from commit 2c59389) Reviewed-on: https://go-review.googlesource.com/c/go/+/772121 Auto-Submit: Michael Pratt <mpratt@google.com>
The syscall.UTF16PtrFromString function panics when provided with an input containing a NUL character. Replace with syscall.UTF16PtrFromString. Fixes potential panics in net.Dial, net.LookupPort, and syscall.Readlink. Fixes CVE-2026-39836 Updates golang#79006 Fixes golang#79029 Change-Id: I2fd7bb750d27474047f199faca4061466a6a6964 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/4260 Reviewed-by: Nicholas Husin <husin@google.com> Reviewed-by: Neal Patel <nealpatel@google.com> Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/4440 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/775162 Reviewed-by: Cherry Mui <cherryyz@google.com> Reviewed-by: Michael Pratt <mpratt@google.com> TryBot-Bypass: Gopher Robot <gobot@golang.org> Auto-Submit: Gopher Robot <gobot@golang.org>
…hash Report an error when a sumdb /lookup/ request does not include a hash for the requested module, rather than silently proceeding. Previously, we would verify that a returned sum matched the expected module hash, but did not verify that the response contained a sum. This permits a malicious proxy to serve a corrupted module along with a valid-but-irrelevant sumdb response for some other module. We now ensure that the sumdb response contains a valid hash for the module we are validating. Thanks to Mundur (https://github.com/M0nd0R) for reporting this issue. Fixes CVE-2026-42501 Updates golang#79070 Fixes golang#79073 Change-Id: I7d9a367deb237aa70cade2434495998f6a6a6964 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/4340 Reviewed-by: Nicholas Husin <husin@google.com> Reviewed-by: Neal Patel <nealpatel@google.com> Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/4420 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/775163 Reviewed-by: Michael Pratt <mpratt@google.com> Auto-Submit: Gopher Robot <gobot@golang.org> Reviewed-by: Cherry Mui <cherryyz@google.com> TryBot-Bypass: Gopher Robot <gobot@golang.org>
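The difference between "a returned sum matches" and "a sum was returned", as an added example that is not cmd/go code: both checks run over the go.sum-format lines of an already signature-verified lookup response. The function names, module paths and `h1:` values are constructed for illustration, and signature and tree verification are out of scope here.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var (
	ErrMismatch = errors.New("sumdb hash mismatch")
	ErrMissing  = errors.New("sumdb response has no hash for requested module")
)

// Constructed sample data: go.sum-format lines for a module other than the
// one being validated, plus the hash computed locally from the download.
const (
	otherModuleLines = "example.com/other v1.0.0 h1:CONSTRUCTED-OTHER-ZIP=\n" +
		"example.com/other v1.0.0/go.mod h1:CONSTRUCTED-OTHER-MOD=\n"
	localHash = "h1:CONSTRUCTED-LOCAL-ZIP="
)

// parseSums reads "module version hash" lines into a map keyed by
// "module version"; any malformed line is an error.
func parseSums(text string) (map[string][]string, error) {
	sums := make(map[string][]string)
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		if len(f) != 3 || !strings.HasPrefix(f[2], "h1:") {
			return nil, fmt.Errorf("malformed sum line %q", line)
		}
		key := f[0] + " " + f[1]
		sums[key] = append(sums[key], f[2])
	}
	return sums, nil
}

// lenientCheck models the behaviour the commit message describes as the
// previous one: a differing hash is rejected, an absent hash is accepted.
func lenientCheck(text, mod, ver, hash string) error {
	sums, err := parseSums(text)
	if err != nil {
		return err
	}
	for _, h := range sums[mod+" "+ver] {
		if h != hash {
			return ErrMismatch
		}
	}
	return nil
}

// strictCheck also requires that the response carries at least one hash for
// the requested module and version.
func strictCheck(text, mod, ver, hash string) error {
	sums, err := parseSums(text)
	if err != nil {
		return err
	}
	got := sums[mod+" "+ver]
	if len(got) == 0 {
		return fmt.Errorf("%w: %s@%s", ErrMissing, mod, ver)
	}
	for _, h := range got {
		if h != hash {
			return ErrMismatch
		}
	}
	return nil
}

func main() {
	mod, ver := "example.com/target", "v1.2.3"
	fmt.Println("lenient:", lenientCheck(otherModuleLines, mod, ver, localHash))
	fmt.Println("strict: ", strictCheck(otherModuleLines, mod, ver, localHash))
}
```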
Change-Id: Ifcfb963f256eff89bc1c447b0dd7471d9cd46cc5 Reviewed-on: https://go-review.googlesource.com/c/go/+/775261 Auto-Submit: Gopher Robot <gobot@golang.org> Reviewed-by: Michael Pratt <mpratt@google.com> TryBot-Bypass: Gopher Robot <gobot@golang.org> Reviewed-by: Cherry Mui <cherryyz@google.com>
…into bradfitz/go1.26.3 Go 1.26.3 [security] https://groups.google.com/g/golang-announce/c/qcCIEXso47M/m/2bOHLAuTBQAJ https://go.dev/doc/devel/release#go1.26.minor Updates tailscale/corp#41490
awly approved these changes May 7, 2026
Updates tailscale/corp#41490