go1.25.2 (released 2025-10-07) includes security fixes to the
archive/tar, crypto/tls, crypto/x509, encoding/asn1, encoding/pem,
net/http, net/mail, net/textproto, and net/url packages, as well as
bug fixes to the compiler, the runtime, and the context, debug/pe,
net/http, os, and sync/atomic packages.
go1.25.3 (released 2025-10-13) includes fixes to the crypto/x509
package.
Changelog: https://go.dev/doc/devel/release#go1.25.minor
Fixes:
- CVE-2025-47912
- CVE-2025-58183
- CVE-2025-58185
- CVE-2025-58186
- CVE-2025-58187
- CVE-2025-58188
- CVE-2025-58189
- CVE-2025-61723
- CVE-2025-61724
- CVE-2025-61725
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
e5500 is the only powerpc64 target we have in tree, but it's not
supported by golang[1]. Since it's hard to opt e5500 out from the
supported arch list, simply remove powerpc64 from it for now.
1. https://github.com/golang/go/issues/19074
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
go1.24.1 (released 2025-03-04) includes security fixes to the net/http
package, as well as bug fixes to cgo, the compiler, the go command,
and the reflect, runtime, and syscall packages.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
go1.23.5 (released 2025-01-16) includes security fixes to the
crypto/x509 and net/http packages, as well as bug fixes to the
compiler, the runtime, and the net package.
go1.23.6 (released 2025-02-04) includes security fixes to the
crypto/elliptic package, as well as bug fixes to the compiler
and the go command.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
go1.23.4 (released 2024-12-03) includes fixes to the compiler, the
runtime, the trace command, and the syscall package.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
go1.23.3 (released 2024-11-06) includes fixes to the linker,
the runtime, and the net/http, os, and syscall packages.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
go1.23.2 (released 2024-10-01) includes fixes to the compiler, cgo,
the runtime, and the maps, os, os/exec, time, and unique packages.
Signed-off-by: Milinda Brantini <C_A_T_T_E_R_Y@outlook.com>
Added GOARM64 and GORISCV64 in golang-build.sh.
Drop deprecated GOROOT_FINAL in GoCompiler/Default/Make.
Updated environment vars in golang-values.mk for GOARM64 and GORISCV64.
Refined host build in golang/Makefile for openbsd_riscv64.
Co-authored-by: Tianling Shen <cnsztl@immortalwrt.org>
Signed-off-by: Milinda Brantini <C_A_T_T_E_R_Y@outlook.com>
Go 1.23.1 (released 2024-09-05) includes security fixes to
the encoding/gob, go/build/constraint, and go/parser
packages. It also addresses bug fixes in the compiler,
go command, runtime, and the database/sql, go/types,
os, runtime/trace, and unique packages.
Signed-off-by: Milinda Brantini <C_A_T_T_E_R_Y@outlook.com>
go1.22.7(released 2024-09-05)includes security fixes to the encoding/gob,
go/build/constraint, and go/parser packages,
as well as bug fixes to the fix command and the runtime.
Signed-off-by: Milinda Brantini <C_A_T_T_E_R_Y@outlook.com>
go1.22.6 (released 2024-08-06) includes fixes to the go command,
the compiler, the linker, the trace command, the covdata command,
and the bytes, go/types, and os/exec packages.
Signed-off-by: Milinda Brantini <C_A_T_T_E_R_Y@outlook.com>
go1.22.5 (2024-07-02) includes security fixes to the net/http package,
as well as bug fixes to the compiler, cgo, the go command, the linker,
the runtime, and the crypto/tls, go/types, net, net/http, and os/exec.
Signed-off-by: Milinda Brantini <C_A_T_T_E_R_Y@outlook.com>
go1.22.4 (released 2024-06-04) includes
security fixes to the archive/zip and net/netip packages,
as well as bug fixes to the compiler,
the go command, the linker,
the runtime, and the os package.
Signed-off-by: Milinda Brantini <C_A_T_T_E_R_Y@outlook.com>
go1.22.3 (released 2024-05-07) includes security fixes to the go command
and the net package, as well as bug fixes to the compiler, the runtime,
and the net/http package.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Go 1.22.1 contains the following security fixes:
- CVE-2024-24783:
crypto/x509: Verify panics on certificates with an unknown public key
algorithm
- CVE-2023-45290
net/http: memory exhaustion in Request.ParseMultipartForm
- CVE-2023-45289
net/http, net/http/cookiejar: incorrect forwarding of sensitive headers
and cookies on HTTP redirect
- CVE-2024-24785
html/template: errors returned from MarshalJSON methods may break
template escaping
- CVE-2024-24784
net/mail: comments in display names are incorrectly handled
https://go.dev/doc/devel/release#go1.22.1https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg
Signed-off-by: Zephyr Lykos <git@mochaa.ws>
go1.21.6 (released 2024-01-09) includes fixes to the compiler,
the runtime, and the crypto/tls, maps, and runtime/pprof packages.
go1.21.7 (released 2024-02-06) includes fixes to the compiler,
the go command, the runtime, and the crypto/x509 package.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Includes fixes for CVE-2023-45283 and CVE-2023-45284 (path/filepath:
insecure parsing of Windows paths).
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Includes fix for CVE-2023-39325 (net/http, x/net/http2: rapid stream
resets can cause excessive work).
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Upstream has updated the Go compiler to not use gold when building for
arm, and is waiting for a fix to binutils (released in 2.41) before
doing the same for aarch64.[1]
Based on the above, it does not appear that
https://github.com/golang/go/pull/49748 will be merged. This removes the
patch from that pull request.
[1]: https://github.com/golang/go/issues/22040
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Includes fix for CVE-2023-29409 (crypto/tls: verifying certificate
chains containing large RSA keys is slow).
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Includes fix for CVE-2023-29406 (net/http: insufficient sanitization of
Host header).
This also updates the copyright information for various Go packaging
files.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
See commit 5c545bdb "treewide: replace PKG_USE_MIPS16:=0 with
PKG_BUILD_FLAGS:=no-mips16" on the main repository.
Signed-off-by: Andre Heider <a.heider@gmail.com>
Includes fixes for:
* 1.20.1:
* CVE-2022-41722: path/filepath: path traversal in filepath.Clean on
Windows
* CVE-2022-41723: net/http: avoid quadratic complexity in HPACK
decoding
* CVE-2022-41724: crypto/tls: large handshake records may cause panics
* CVE-2022-41725: net/http, mime/multipart: denial of service from
excessive resource consumption
* 1.20.2:
* CVE-2023-24532: crypto/elliptic: specific unreduced P-256 scalars
produce incorrect results
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Includes fix for CVE-2023-2453 (crypto/elliptic: specific unreduced
P-256 scalars produce incorrect results).
This also includes makefile updates for Go 1.19.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
go1.19.6 (released 2023-02-14) includes security fixes to the
crypto/tls, mime/multipart, net/http, and path/filepath packages,
as well as bug fixes to the go command, the linker, the runtime,
and the crypto/x509, net/http, and time packages.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Go1.19.5 (released 2023-01-10) includes fixes to the compiler,
the linker, and the crypto/x509, net/http, sync/atomic,
and syscall packages.
Removed upstreamed patch.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
go1.19.4 (released 2022-12-06) includes security fixes to the net/http
and os packages, as well as bug fixes to the compiler, the runtime,
and the crypto/x509, os/exec, and sync/atomic packages.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
