This update for go1.25 fixes the following issues:
Update to go1.25.8 (bsc#1244485):
- CVE-2026-25679: net/url: reject IPv6 literal not at start of host (bsc#1259264).
- CVE-2026-27139: os: FileInfo can escape from a Root (bsc#1259268).
- CVE-2026-27142: html/template: URLs in meta content attribute actions are not escaped (bsc#1259265).
Changelog:
- go#77253 cmd/compile: miscompile of global array initialization
- go#77406 os: Go 1.25.x regression on RemoveAll for windows
- go#77413 runtime: netpollinit() incorrectly prints the error from linux.Eventfd
- go#77438 cmd/go: CGO compilation fails after upgrading from Go 1.25.5 to 1.25.6 due to --define-variable flag in
pkg-config
- go#77531 net/smtp: expiry date of localhostCert for testing is too short