* Wed Feb 04 2026 jkowalczyk@suse.com
- Update to version 1.24.13 cut from the go1.24-fips-release
branch at the revision tagged go1.24.13-1-openssl-fips.
Refs jsc#SLE-18320
* Rebase to 1.24.13
* Wed Feb 04 2026 jkowalczyk@suse.com
- go1.24.13 (released 2026-02-04) includes security fixes to the go
command and the crypto/tls package, as well as bug fixes to the
crypto/x509 package.
Refs boo#1236217 go1.24 release tracking
CVE-2025-61732 CVE-2025-68121 CVE-2025-68119
* go#77128 go#76697 boo#1257692 security: fix CVE-2025-61732 cmd/go: potential code smuggling using doc comments
* go#77355 go#77217 boo#1256818 crypto/tls: CVE-2025-68121 revert Config.Clone change and apply lightweight chain validation
* go#77103 go#77099 boo#1256820 security: fix CVE-2025-68119 cmd/go: unexpected code execution when invoking toolchain
* go#77322 crypto/x509: single-label excluded DNS name constraints incorrectly match all wildcard SANs
* go#77424 crypto/tls: CL 737700 broke session resumption on macOS
* Thu Jan 15 2026 jkowalczyk@suse.com
- Update to version 1.24.12 cut from the go1.24-fips-release
branch at the revision tagged go1.24.12-1-openssl-fips.
Refs jsc#SLE-18320
* Rebase to 1.24.12
* Thu Jan 15 2026 jkowalczyk@suse.com
- go1.24.12 (released 2026-01-15) includes security fixes to the go
command, and the archive/zip, crypto/tls, and net/url packages,
as well as bug fixes to the compiler, the runtime, and the
crypto/tls and os packages.
Refs boo#1236217 go1.24 release tracking
CVE-2025-61726 CVE-2025-61728 CVE-2025-61730 CVE-2025-61731 CVE-2025-68119 CVE-2025-68121
* go#76854 go#76443 boo#1256821 security: fix CVE-2025-61730 crypto/tls: handshake messages may be processed at the incorrect encryption level
* go#77103 go#77099 boo#1256820 security: fix CVE-2025-68119 cmd/go: unexpected code execution when invoking toolchain
* go#77105 go#77100 boo#1256819 security: fix CVE-2025-61731 cmd/go: bypass of flag sanitization can lead to arbitrary code execution
* go#77107 go#77101 boo#1256817 security: fix CVE-2025-61726 net/http: memory exhaustion in Request.ParseForm
* go#77109 go#77102 boo#1256816 security: fix CVE-2025-61728 archive/zip: denial of service when parsing arbitrary ZIP archives
* go#77114 go#77113 boo#1256818 security: fix CVE-2025-68121 crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain
* go#76408 crypto/tls: earlyTrafficSecret should use ClientHelloInner if ECH enabled
* go#76624 os: on Unix, Readdirnames skips directory entries with zero inodes
* go#76760 runtime: stack split at bad time in os/signal with Go 1.25.4 windows 386
* go#76796 runtime: race detector crash on ppc64le
* go#76966 cmd/compile/internal/ssa: Compile.func1(): panic during sccp while compiling <function>: runtime error: index out of range
* Tue Dec 02 2025 jkowalczyk@suse.com
- Update to version 1.24.11 cut from the go1.24-fips-release
branch at the revision tagged go1.24.11-1-openssl-fips.
Refs jsc#SLE-18320
* Rebase to 1.24.11
* Tue Dec 02 2025 jkowalczyk@suse.com
- go1.24.11 (released 2025-12-02) includes two security fixes to
the crypto/x509 package, as well as bug fixes to the runtime.
Refs boo#1236217 go1.24 release tracking
CVE-2025-61727 CVE-2025-61729
* go#76460 go#76445 boo#1254431 security: fix CVE-2025-61729 crypto/x509: excessive resource consumption in printing error string for host certificate validation
* go#76463 go#76442 boo#1254430 security: fix CVE-2025-61727 crypto/x509: excluded subdomain constraint doesn't preclude wildcard SAN
* go#76378 internal/cpu: incorrect CPU features bit parsing on loong64 cause illegal instruction core dumps on LA364 cores
* Mon Dec 01 2025 martin.schreiner@suse.com
- Packaging: Migrate from update-alternatives to libalternatives
Refs boo#1245878
* This is an optional migration controlled via prjconf definition
with_libalternatives
* If with_libalternatives is not defined packaging continues to
use update-alternatives
* Wed Nov 05 2025 jkowalczyk@suse.com
- go1.24.10 (released 2025-11-05) includes fixes to the
encoding/pem and net/url packages.
Refs boo#1236217 go1.24 release tracking
* go#75831 net/url: ipv4 mapped ipv6 addresses should be valid in square brackets
* go#75951 encoding/pem: regression when decoding blocks with leading garbage
* go#76028 pem/encoding: malformed line endings can cause panics
- Packaging improvements:
* Remove net-url-allow-IP-literals-with-IPv4-mapped-IPv6-addresses.patch
No longer needed with go#75831 in latest upstream release
* Mon Oct 20 2025 jkowalczyk@suse.com
- Update to version 1.24.9 cut from the go1.24-fips-release
branch at the revision tagged go1.24.9-1-openssl-fips.
Refs jsc#SLE-18320
* Rebase to 1.24.9
* Mon Oct 13 2025 jkowalczyk@suse.com
- go1.24.9 (released 2025-10-13) includes fixes to the crypto/x509
package.
Refs boo#1236217 go1.24 release tracking
* go#75860 crypto/x509: TLS validation fails for FQDNs with trailing dot
- Packaging improvements:
* Add net-url-allow-IP-literals-with-IPv4-mapped-IPv6-addresses.patch
needed today and will be available in the next upstream release