mirror of
https://git.savannah.gnu.org/git/guix.git
synced 2026-05-10 19:25:57 +02:00
Sharlatan Hellseher
6d3dbc557c
go1.26.2 (released 2026-04-07) includes security fixes to the go command, the compiler, and the archive/tar, crypto/tls, crypto/x509, html/template, and os packages, as well as bug fixes to the go command, the go fix command, the compiler, the linker, the runtime, and the net, net/http, and net/url packages. See: <https://github.com/golang/go/milestone/430> Containes fixes for: CVE-2026-32282: os: Root.Chmod can follow symlinks out of the root on Linux CVE-2026-32289: html/template: JS template literal context incorrectly tracked CVE-2026-27144: cmd/compile: no-op interface conversion bypasses overlap checking CVE-2026-27143: cmd/compile: possible memory corruption after bound check elimination CVE-2026-32288: rchive/tar: unbounded allocation when parsing old format GNU sparse map CVE-2026-32283: crypto/tls: multiple key update handshake messages can cause connection to deadlock CVE-2026-27140: cmd/go: trust layer bypass when using cgo and SWIG CVE-2026-32280: crypto/x509: unexpected work during chain building CVE-2026-32281: crypto/x509: inefficient policy validation CVE-2026-33810: crypto/x509: excluded DNS constraints not properly applied to wildcard domains * gnu/packages/golang.scm (go-1.26): Update to 1.26.2. Change-Id: I634c908bc4f2a1dd37a1405e2277c60846c2a43e