Update to Go 1.26.4 #171
Merged
This partially reverts CL 758361. The result is functionally equivalent,
but the previous readFromEntropy function was actually reading from a
DRBG which in turn is seeded from the Entropy Source (and mixed with the
system RNG), not directly from the Entropy Source. I'm sorry to be
pedantic about this but
1. the whole randomness and entropy machinery is already very complex
and we should avoid any confusion;
2. this is the kind of code that auditors might read, and they have a
dreadful sense of humor.
I also slightly prefer having fewer levels of indirection, and we
already have the getEntropy function to stub out.
Updates golang#78321
Fixes golang#79226
Change-Id: Ic95bbb0061b7d519f2a1e80c667f4f8b6a6a6964
Reviewed-on: https://go-review.googlesource.com/c/go/+/774221
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
(cherry picked from commit 1bd98fa)
Reviewed-on: https://go-review.googlesource.com/c/go/+/774980
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>

Generated with updatestd, though it's equivalent to manually running:
    cd src/cmd
    go get golang.org/x/tools@internal-branch.go1.26-vendor # v0.39.1-0.20260527181557-0f52e3809b35
    go mod tidy
    go mod vendor
For golang#77564.
Fixes golang#79349.
[git-generate]
updatestd -goroot=$(pwd) -branch=internal-branch.go1.26-vendor
Change-Id: Id17508e64e9379d1c4af5d16310553f0f82d7a88
Reviewed-on: https://go-review.googlesource.com/c/go/+/784000
Commit-Queue: David Chase <drchase@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Alan Donovan <adonovan@google.com>
Reviewed-by: David Chase <drchase@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>

…er.DecodeHeader
When encountering an undecodable encoded-word, skip over the entire word
rather than just the initial "=?".
For golang#79217
Fixes golang#79230
Fixes CVE-2026-42504
Change-Id: I28605faa235459d2ba71bd0f3ae3dce96a6a6964
Reviewed-on: https://go-review.googlesource.com/c/go/+/774481
Reviewed-by: Nicholas Husin <nsh@golang.org>
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Nicholas Husin <husin@google.com>
(cherry picked from commit f230dd8)
Reviewed-on: https://go-review.googlesource.com/c/go/+/774861
TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: David Chase <drchase@google.com>

…cluding them in errors
When returning errors, functions in the net/textproto package would
include its input as part of the error, without any escaping. Note that
said input is often controlled by external parties when using this
package naturally. For example, a net/http client uses ReadMIMEHeader
when parsing the headers it receives from a server.
As a result, an attacker could inject arbitrary content into the error.
Practically, this can result in an attacker injecting misleading
content, terminal control bytes, etc. into a victim's output or logs.
Fix this issue by making sure that ProtocolError usages within the
package are properly escaped, and that Error.String will escape its Msg.
Updates golang#79346
Fixes golang#79426
Fixes CVE-2026-42507
Change-Id: Ide4c1005d8254f90d95d7a389b8ca3a26a6a6964
Reviewed-on: https://go-review.googlesource.com/c/go/+/777060
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Nicholas Husin <husin@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
(cherry picked from commit 1a7e601)
Reviewed-on: https://go-review.googlesource.com/c/go/+/778182
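
An application-side mitigation for the issue described in the commit message above, added here as an example and not code from the Go project or this pull request: wrap errors that may echo peer-controlled input so their text is escaped before it reaches a log or terminal. The names `safeErr`, `Sanitize`, `parseLine`, `errMalformed` and `maxErrLen`, and the sample input, are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// maxErrLen caps the peer-controlled text kept per error (assumed value).
const maxErrLen = 256

// safeErr (hypothetical) wraps an error whose text may hold peer-controlled bytes.
type safeErr struct{ err error }

// Error returns the message as a quoted Go string literal, so CR, LF, ESC and
// other non-printable bytes appear as visible escapes instead of raw bytes.
func (e safeErr) Error() string {
	msg := e.err.Error()
	if len(msg) > maxErrLen {
		msg = msg[:maxErrLen]
	}
	return strconv.Quote(msg)
}

// Unwrap keeps errors.Is and errors.As working on the original error.
func (e safeErr) Unwrap() error { return e.err }

// Sanitize wraps err for logging or display; nil stays nil.
func Sanitize(err error) error {
	if err == nil {
		return nil
	}
	return safeErr{err}
}

var errMalformed = errors.New("malformed header line")

// parseLine is a stand-in parser that echoes its input into the error unescaped.
func parseLine(line string) error {
	return fmt.Errorf("%w: %s", errMalformed, line)
}

func main() {
	// Constructed input: a header line carrying CRLF, a fake log entry and an ANSI sequence.
	err := parseLine("X-Id\r\n2026-06-03 INFO login ok user=admin\x1b[2K")
	fmt.Println(Sanitize(err))
}
```

Apply the wrapper at the boundary where the error leaves the parsing code, so every later log call sees only the escaped form.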

(*x509.Certificate).VerifyHostname previously called matchHostnames in a
loop over all DNS Subject Alternative Name (SAN) entries. This caused
strings.Split(host, ".") to execute repeatedly on the same input
hostname. With a large DNS SAN list, verification costs scaled
quadratically based on the number of SAN entries multiplied by the
hostname's label count.
Because x509.Verify validates hostnames before building the certificate
chain, this overhead occurred even for untrusted certificates.
Thanks to Jakub Ciolek <jakub@ciolek.dev> for reporting this issue.
For golang#79694
Fixes golang#79701
Fixes CVE-2026-27145
Change-Id: I2788b8ee22ffd28e45bcc7b0d860549084906a74
Reviewed-on: https://go-review.googlesource.com/c/go/+/783621
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Neal Patel <neal@golang.org>
(cherry picked from commit d01955d)
Reviewed-on: https://go-review.googlesource.com/c/go/+/783942
Reviewed-by: Neal Patel <nealpatel@google.com>
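
The cost pattern described in the commit message above, as a simplified model added here for illustration; it is not crypto/x509's code. The function names `matchLabels` and `verify`, the reduced wildcard rule and the constructed SAN list are assumptions. The model counts how often the hostname is split when the split happens per SAN entry versus once before the loop.

```go
package main

import (
	"fmt"
	"strings"
)

// matchLabels applies a simplified rule (assumption): same label count, and a
// leftmost "*" in the pattern matches any single label.
func matchLabels(pattern, host []string) bool {
	if len(pattern) != len(host) {
		return false
	}
	for i, p := range pattern {
		if p != host[i] && !(i == 0 && p == "*") {
			return false
		}
	}
	return true
}

// verify reports whether host matches any SAN and how often host was split.
// hoist=false re-splits host per SAN entry; hoist=true splits it once.
func verify(host string, sans []string, hoist bool) (ok bool, splits int) {
	var labels []string
	if hoist {
		labels, splits = strings.Split(host, "."), 1
	}
	for _, san := range sans {
		if !hoist {
			labels = strings.Split(host, ".")
			splits++
		}
		if matchLabels(strings.Split(san, "."), labels) {
			return true, splits
		}
	}
	return false, splits
}

func main() {
	sans := make([]string, 1000) // constructed SAN list with no matching entry
	for i := range sans {
		sans[i] = fmt.Sprintf("h%d.example.test", i)
	}
	_, perSAN := verify("a.b.c.example.test", sans, false)
	_, hoisted := verify("a.b.c.example.test", sans, true)
	fmt.Println("host splits:", perSAN, "vs", hoisted)
}
```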

… syso with no-outline-atomics
See https://go-review.googlesource.com/c/build/+/783460
That's the only change - otherwise use the same llvm and Go source.
Fixes golang#79686
Change-Id: I11cb284704a71693ba4cf52a61bcac69c03be7ab
Reviewed-on: https://go-review.googlesource.com/c/go/+/783521
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
SLSA-Policy-Verified: SLSA Policy Verification Service <devtools-gerritcodereview-exitgate@google.com>
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Keith Randall <khr@google.com>

…x << 0 on amd64
For golang#79182
Fixes golang#79191
Change-Id: I63ca6cb1bd3f6752a7e9b809cfffc8d45b7adc51
Reviewed-on: https://go-review.googlesource.com/c/go/+/774040
Auto-Submit: Jorropo <jorropo.pgm@gmail.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-by: Keith Randall <khr@google.com>
Reviewed-by: Keith Randall <khr@golang.org>
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
(cherry picked from commit c3bfc82)
Reviewed-on: https://go-review.googlesource.com/c/go/+/784101
Reviewed-by: Junyang Shao <shaojunyang@google.com>
Reviewed-by: Jorropo <jorropo.pgm@gmail.com>

Change-Id: I1c45ebded2d678b73081c6716a0fdd15a0b1824e
Reviewed-on: https://go-review.googlesource.com/c/go/+/786201
TryBot-Bypass: Gopher Robot <gobot@golang.org>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Mark Freeman <markfreeman@google.com>
Reviewed-by: David Chase <drchase@google.com>
bradfitz
approved these changes
Jun 3, 2026
bradfitz
left a comment
Member
LGTM but merge by hand, without the github web UI