golang-announce
anno...@golang.org
Mar 5
[security] Go 1.26.1 and Go 1.25.8 are released
include 5 security fixes following the security policy: - crypto/x509: incorrect enforcement of email constraints When verifying a certificate chain which contains a certificate
anno...@golang.org, Cherry Mui (2)
Feb 27
[security] Go 1.26.1 and Go 1.25.8 pre-announcement
include PRIVATE security fixes to the standard > library, covering the following CVEs: > > - CVE-2026-27137 > - CVE-2026-27138 > - CVE-2026-25679 > - CVE-2026
anno...@golang.org
Feb 4
[security] Go 1.26 Release Candidate 3 is released
includes 1 security fix following the security policy: - crypto/tls: unexpected session resumption when using Config.GetConfigForClient Config.GetConfigForClient is documented
anno...@golang.org
Feb 4
[security] Go 1.25.7 and Go 1.24.13 are released
include 2 security fixes following the security policy: - cmd/cgo: remove user-content from doc strings in cgo ASTs A discrepancy between how Go and C/C++ comments were parsed allowed
anno...@golang.org
Jan 15
[security] Go 1.26 Release Candidate 2 is released
includes 6 security fixes following the security policy: - archive/zip: denial of service when parsing arbitrary ZIP archives archive/zip used a super-linear file name indexing
anno...@golang.org
Jan 15
[security] Go 1.25.6 and Go 1.24.12 are released
include 6 security fixes following the security policy: - archive/zip: denial of service when parsing arbitrary ZIP archives archive/zip used a super-linear file name indexing
Michael Pratt
Jan 12
Go 1.25.6, Go 1.24.12 and Go 1.26 RC2 pre-announcement
include PRIVATE security fixes to the standard library and the toolchain, covering the following CVEs: - CVE-2025-61728 - CVE-2025-61726 - CVE-2025-68121 - CVE-2025-61731 - CVE
Roland Shoemaker
12/18/25
[security] Vulnerability in Visual Studio Code Go extension
address a security issue. This release fixes unexpected behavior when operating in Restricted Mode. To prevent accidental untrusted code execution, the extension is now disabled
anno...@golang.org
12/2/25
[security] Go 1.25.5 and Go 1.24.11 are released
include 2 security fixes following the security policy: - crypto/x509: excessive resource consumption in printing error string for host certificate validation Within HostnameError
anno...@golang.org
11/26/25
[security] Go 1.25.5 and Go 1.24.11 pre-announcement
include PRIVATE security fixes to the standard library, covering the following CVE: - CVE-2025-61729 Following our security policy, this is the pre-announcement of those releases
Roland Shoemaker
11/19/25
Vulnerabilities in golang.org/x/crypto
address two security issues. This version fixes a vulnerability in the golang.org/x/crypto/ssh package and a vulnerability in the golang.org/x/crypto/ssh/agent package which
anno...@golang.org
11/13/25
[security] golang.org/x/crypto fix pre-announcement
issue a security fix for the packages golang.org/x/crypto/ssh and golang.org/x/crypto/ssh/agent in the golang.org/x/crypto module during US business hours on Wednesday, November
anno...@golang.org, Roland Shoemaker (2)
10/13/25
Go 1.25.3 and Go 1.24.9 are released
by a security patch included in Go 1.25.2 and 1.24.8, which enforced overly restrictive validation on the parsing of X.509 certificates. We've removed those restrictions while
Roland Shoemaker
10/7/25
[security] Vulnerabilities in golang.org/x/net
address two security issues. This version fixes two vulnerabilities in the golang.org/x/net/html package which could result in calls to Parse (and associated functions) executing
anno...@golang.org
10/7/25
[security] Go 1.25.2 and Go 1.24.8 are released
include 10 security fixes following the security policy: - net/mail: excessive CPU consumption in ParseAddress The ParseAddress function constructed domain-literal address
anno...@golang.org
10/2/25
[security] golang.org/x/net fix pre-announcement
issue a security fix for the package golang.org/x/net/html in the golang.org/x/net module during US business hours on Tuesday, October 7. This will cover the following CVEs: - CVE
anno...@golang.org
10/2/25
[security] Go 1.25.2 and Go 1.24.8 pre-announcement
include PRIVATE security fixes to the standard library, covering the following CVEs: - CVE-2025-61724 - CVE-2025-61725 - CVE-2025-58187 - CVE-2025-61723 - CVE-2025-47912 - CVE
anno...@golang.org
9/3/25
[security] Go 1.25.1 and Go 1.24.7 are released
include 1 security fixes following the security policy: - net/http: CrossOriginProtection bypass patterns are over-broad When passing patterns to CrossOriginProtection.AddInsecureBypassPattern
Dmitri Shuralyov
8/6/25
Go 1.25 Release Candidate 3 is released
includes 2 security fixes following the security policy: - os/exec: LookPath may return unexpected paths If the PATH environment variable contains paths which are executables (
Dmitri Shuralyov
8/6/25
[security] Go 1.24.6 and Go 1.23.12 are released
include 2 security fixes following the security policy: - os/exec: LookPath may return unexpected paths If the PATH environment variable contains paths which are executables (rather
Mark Freeman
8/1/25
[security] Go 1.25 RC3, Go 1.24.6, and Go 1.23.12 pre-announcement
include PRIVATE security fixes to the standard library, covering the following CVE: - CVE-2025-47907 Following our security policy, this is the pre-announcement of those releases
anno...@golang.org, Carlos Amedee (2)
7/8/25
Go 1.25 Release Candidate 2 is released
includes 1 security fix following the security policy: - cmd/go: unexpected command execution in untrusted VCS repositories Various uses of the Go toolchain in untrusted VCS repositories
anno...@golang.org
7/8/25
[security] Go 1.24.5 and Go 1.23.11 are released
include 1 security fixes following the security policy: - cmd/go: unexpected command execution in untrusted VCS repositories Various uses of the Go toolchain in untrusted VCS repositories
David Chase
7/1/25
[security] Go 1.25RC2, 1.24.5 and Go 1.23.11 pre-announcement
include PRIVATE security fixes to the toolchain, covering the following CVE: - CVE-2025-4674 Following our security policy, this is the pre-announcement of those releases. Thanks
anno...@golang.org
6/5/25
[security] Go 1.24.4 and Go 1.23.10 are released
include 3 security fixes following the security policy: - net/http: sensitive headers not cleared on cross-origin redirect Proxy-Authorization and Proxy-Authenticate headers
anno...@golang.org, Michael Knyszek (2)
5/30/25
[security] Go 1.24.4 and Go 1.23.10 pre-announcement
a PRIVATE security fix. The others are PUBLIC. On Friday, May 30, 2025 at 12:19:51 PM UTC-4 anno...@golang.org wrote: > Hello gophers, > > We plan to issue Go 1.24.4 and Go 1.23
Cherry Mui
5/6/25
[security] Go 1.24.3 and Go 1.23.9 are released
includes 1 security fix following the security policy: - os: Root permits access to parent directory It was possible to improperly access the parent directory of an os.Root by opening
anno...@golang.org
5/1/25
[security] Go 1.24.3 and Go 1.23.9 pre-announcement
include PRIVATE security fixes to the standard library, covering the following CVE: - CVE-2025-22873 Following our security policy, this is the pre-announcement of those releases
anno...@golang.org
4/1/25
[security] Go 1.24.2 and Go 1.23.8 are released
include 1 security fixes following the security policy: - net/http: request smuggling through invalid chunked data The net/http package accepted data in the chunked transfer encoding
anno...@golang.org
3/27/25
[security] Vulnerability in golang.org/x/net
address a security issue. This version fixes a vulnerability in the golang.org/x/net/html package which could result in the tokenizer emitting incorrect tokens and the parser producing