From c1fbc5d4e26439ce304bf4ea854d879ced06f6ee Mon Sep 17 00:00:00 2001
From: Sharlatan Hellseher <sharlatanus@gmail.com>
Date: Fri, 15 May 2026 13:52:01 +0100
Subject: [PATCH] gnu: go-1.26: Update to 1.26.3 [security-fixes].

go1.26.3 (released 2026-05-07) includes security fixes to the go
command, the pack tool, and the html/template, net, net/http,
net/http/httputil, net/mail, and syscall packages, as well as bug fixes
to the go command, the go fix command, the compiler, the linker, the
runtime, and the crypto/fips140, crypto/tls, go/types, and os packages
See: <https://github.com/golang/go/milestone/433>,
<https://groups.google.com/g/golang-announce/c/qcCIEXso47M>.

Containes fixes for:
CVE-2026-42501: cmd/go: malicious module proxy can bypass checksum
                database
CVE-2026-39825: net/http/httputil: ReverseProxy forwards queries with
                more than urlmaxqueryparams parameters
CVE-2026-39836: net: panic in Dial and LookupPort when handling NUL byte
                on Windows
CVE-2026-42499: net/mail: quadratic string concatenation in
                consumePhrase
CVE-2026-39820: net/mail: quadratic string concatentation in
                consumeComment
CVE-2026-39819: cmd/go: "go bug" follows symlinks in predictable
                temporary filenames
CVE-2026-39817: cmd/go: "go tool pack" does not sanitize output paths
CVE-2026-33814: net/http: infinite loop in HTTP/2 transport when given
                bad SETTINGS_MAX_FRAME_SIZE
CVE-2026-39826: html/template: escaper bypass leads to XSS
CVE-2026-33811: net: crash when handling long CNAME response
CVE-2026-39823: html/template: bypass of meta content URL escaping
                causes XSS

* gnu/packages/golang.scm (go-1.26): Update to 1.26.3.

Change-Id: Ia1a51eff549c90918e32af4834c03b675504a231
---
 gnu/packages/golang.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/golang.scm b/gnu/packages/golang.scm
index 812fee70b1f..a3238b4c551 100644
--- a/gnu/packages/golang.scm
+++ b/gnu/packages/golang.scm
@@ -1120,7 +1120,7 @@ in the style of communicating sequential processes (@dfn{CSP}).")
   (package
     (inherit go-1.24)
     (name "go")
-    (version "1.26.2")
+    (version "1.26.3")
     (source
      (origin
        (method git-fetch)
@@ -1129,7 +1129,7 @@ in the style of communicating sequential processes (@dfn{CSP}).")
              (commit (string-append "go" version))))
        (file-name (git-file-name name version))
        (sha256
-        (base32 "01dgshhn38dgxmbn02knnvddirmkwgvr3v003dml5q87qibzvg30"))))
+        (base32 "16yrb9si7swc6vnxjj5ga5pvyjkab5w8z589fqml61q0rypnn6ay"))))
     (arguments
      (substitute-keyword-arguments arguments
        ((#:phases phases)