* gnu/packages/golang-web.scm (go-github-com-valyala-fasthttp): Update to 1.70.0.
[arguments] <test-flags>: Skip only one tests which tries to reach
Internet. Shuffle tests, as seen in projects CI.
[propagated-inputs]: Remove go-github-com-valyala-tcplisten and
go-golang-org-x-text.
[description]: Add more info.
Change-Id: I8363639b0ac211536ed67f5c32080737bc20fe5f
* gnu/packages/golang-xyz.scm (go-github-com-tinylib-msgp): Update to 1.6.4.
[arguments] <skip-build?>: Use the argument instead of deleting phase.
<tests?, test-flags>: Run the most of the tests, skip only some portion
requiring tinygo compiler.
[phases]{go-generate, remove-test-file}: New phases.
Change-Id: Ib10f2492799259b2b3591269390fabd890e9295b
* gnu/packages/golang-xyz.scm (go-github-com-syncthing-notify):
[arguments] <parallel-tests?, test-flags>: Run tests in parallel but
skip 2 shaky tests.
[description]: Mention that it's a fork.
Change-Id: I5bafbe9a0c029037b5597f9a24e0bae18f8bb4bb
* gnu/packages/golang-build.scm (go-golang-org-x-tools): Update to 0.44.0.
[source] <snippet>: Remove deletion of no longer existing "cmd/auth"
dirrectory.
[arguments] <test-flags>: Skip one more test.
Change-Id: I01ea6b724a7b629b36e2ffb88414c1080382dde6
Leaf, hidden and not in use bootstrap variant.
* gnu/packages/golang-build.scm (go-golang-org-x-sys-bootstrap): Delete variable.
Change-Id: Ic6291f098ec382bd1c6f87e882028817ff835356
We are now building with go-1.25 by default.
Automated via:
git grep -rl '#:go go-1.25' | xargs sed -i '/.*#:go go-1.25.*/d'.
Change-Id: I5a503a6db10fc65cb22abd89563dfb6297db6ac6
go1.26.2 (released 2026-04-07) includes security fixes to the go
command, the compiler, and the archive/tar, crypto/tls, crypto/x509,
html/template, and os packages, as well as bug fixes to the go command,
the go fix command, the compiler, the linker, the runtime, and the net,
net/http, and net/url packages.
See: <https://github.com/golang/go/milestone/430>
Containes fixes for:
CVE-2026-32282: os: Root.Chmod can follow symlinks out of the root on
Linux
CVE-2026-32289: html/template: JS template literal context incorrectly
tracked
CVE-2026-27144: cmd/compile: no-op interface conversion bypasses overlap
checking
CVE-2026-27143: cmd/compile: possible memory corruption after bound
check elimination
CVE-2026-32288: rchive/tar: unbounded allocation when parsing old format
GNU sparse map
CVE-2026-32283: crypto/tls: multiple key update handshake messages can
cause connection to deadlock
CVE-2026-27140: cmd/go: trust layer bypass when using cgo and SWIG
CVE-2026-32280: crypto/x509: unexpected work during chain building
CVE-2026-32281: crypto/x509: inefficient policy validation
CVE-2026-33810: crypto/x509: excluded DNS constraints not properly
applied to wildcard domains
* gnu/packages/golang.scm (go-1.26): Update to 1.26.2.
Change-Id: I634c908bc4f2a1dd37a1405e2277c60846c2a43e
go1.25.9 (released 2026-04-07) includes security fixes to the go
command, the compiler, and the archive/tar, crypto/tls, crypto/x509,
html/template, and os packages, as well as bug fixes to the go command,
the compiler, and the runtime.
See: <https://github.com/golang/go/milestone/431>
Containes fixes for:
CVE-2026-32282: os: Root.Chmod can follow symlinks out of the root on
Linux
CVE-2026-32289: html/template: JS template literal context incorrectly
tracked
CVE-2026-27144: cmd/compile: no-op interface conversion bypasses overlap
checking
CVE-2026-27143: cmd/compile: possible memory corruption after bound
check elimination
CVE-2026-32288: rchive/tar: unbounded allocation when parsing old format
GNU sparse map
CVE-2026-32283: crypto/tls: multiple key update handshake messages can
cause connection to deadlock
CVE-2026-27140: cmd/go: trust layer bypass when using cgo and SWIG
CVE-2026-32280: crypto/x509: unexpected work during chain building
CVE-2026-32281: crypto/x509: inefficient policy validation
* gnu/packages/golang.scm (go-1.25): Update to 1.25.9.
Change-Id: Ie5f8efb1588add0b7dfc25122f9588819e02ba9e
Besides updating ungoogled-chromium, this is a follow up to commits
10ea4f874e and
0f87ff6672 which lacked the full logic necessary
for using the bundled icu library and the new regexes included on the desktop
and manpage templates for this package.
Fixes CVEs:
CVE-2026-7363: Use after free in Canvas. Reported by heapracer.
CVE-2026-7361: Use after free in iOS. Reported by Google.
CVE-2026-7344: Use after free in Accessibility. Reported by Google.
CVE-2026-7343: Use after free in Views. Reported by Google.
CVE-2026-7333: Use after free in GPU.
Reported by c6eed09fc8b174b0f3eebedcceb1e792.
CVE-2026-7360: Insufficient validation of untrusted input in Compositing.
Reported by Google.
CVE-2026-7359: Use after free in ANGLE. Reported by Google.
CVE-2026-7358: Use after free in Animation. Reported by Google.
CVE-2026-7334: Use after free in Views. Reported by Batuhan Esref KOC.
CVE-2026-7357: Use after free in GPU. Reported by Google.
CVE-2026-7356: Use after free in Navigation. Reported by Google.
CVE-2026-7354: Out of bounds read and write in Angle. Reported by Google.
CVE-2026-7353: Heap buffer overflow in Skia. Reported by Google.
CVE-2026-7352: Use after free in Media. Reported by Google.
CVE-2026-7351: Race in MHTML. Reported by Google.
CVE-2026-7350: Use after free in WebMIDI. Reported by Google.
CVE-2026-7349: Use after free in Cast. Reported by Google.
CVE-2026-7348: Use after free in Codecs. Reported by Google.
CVE-2026-7335: Use after free in media.
Reported by Jungwoo Lee (@physicube) and Wongi Lee (@_qwerty_po).
CVE-2026-7336: Use after free in WebRTC. Reported by Mozilla.
CVE-2026-7337: Type Confusion in V8. Reported by q@calif.io.
CVE-2026-7347: Use after free in Chromoting. Reported by Google.
CVE-2026-7346: Inappropriate implementation in Tint. Reported by Google.
CVE-2026-7345: Insufficient validation of untrusted input in Feedback.
Reported by Google.
CVE-2026-7338: Use after free in Cast. Reported by Krace.
CVE-2026-7342: Use after free in WebView. Reported by Google.
CVE-2026-7341: Use after free in WebRTC. Reported by Google.
CVE-2026-7339: Heap buffer overflow in WebRTC.
Reported by c6eed09fc8b174b0f3eebedcceb1e792.
CVE-2026-7340: Integer overflow in ANGLE.
Reported by 86ac1f1587b71893ed2ad792cd7dde32.
CVE-2026-7355: Use after free in Media. Reported by Google.
See:
<https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_28.html>
* gnu/packages/chromium.scm (%chromium-version): Update to 147.0.7727.137.
(%ungoogled-origin, %debian-origin): Update hashes.
(ungoogled-chromium) [arguments] <#:configure-flags>: Set icu_use_data_file
true.
<#:phases> {install}: Include icudtl.dat to copied libs. Add @@uri_scheme
and @@extra_desktop_entries to regex substitutions on desktop file and
manpage.
Change-Id: I1342eac3ba3a85e8851189844614d47512c1ca42
Signed-off-by: Andreas Enge <andreas@enge.fr>
* gnu/packages/chromium.scm (ungoogled-chromium) [arguments]
<#:configure-flags>: Conditionally add use_v4l2_codec and use_av1_hw_decoder
and set them true on aarch64-linux. Also ensure that use_vaapi is set to
false on this architecture.
Change-Id: Ib7f1c2d492ccb71df253e621b9cd626ec0942bc6
Signed-off-by: Andreas Enge <andreas@enge.fr>
Sharlatan Hellseher