This update for go1.26 fixes the following issues:
Update to go1.26.1 (bsc#1255111):
- CVE-2026-25679: net/url: reject IPv6 literal not at start of host (bsc#1259264).
- CVE-2026-27137: crypto/x509: incorrect enforcement of email constraints (bsc#1259266).
- CVE-2026-27138: crypto/x509: panic in name constraint checking for malformed certificates (bsc#1259267).
- CVE-2026-27139: os: FileInfo can escape from a Root (bsc#1259268).
- CVE-2026-27142: html/template: URLs in meta content attribute actions are not escaped (bsc#1259265).
Changelog:
- go#77252 cmd/compile: miscompile of global array initialization
- go#77407 os: Go 1.25.x regression on RemoveAll for windows
- go#77474 cmd/go: CGO compilation fails after upgrading from Go 1.25.5 to 1.25.6 due to --define-variable flag in
pkg-config
- go#77529 cmd/fix, x/tools/go/analysis/passes/modernize: stringscut: OOB panic in indexArgValid analyzing
'buf.Bytes()' call
- go#77532 net/smtp: expiry date of localhostCert for testing is too short
- go#77536 cmd/compile: internal compiler error: 'main.func1': not lowered: v15, Load STRUCT PTR SSA
- go#77618 strings: HasSuffix doesn't work correctly for multibyte runes in go 1.26
- go#77623 cmd/compile: internal compiler error on : 'tried to free an already free register' with generic function
and type >= 192 bytes
- go#77624 cmd/fix, x/tools/go/analysis/passes/modernize: stringsbuilder breaks code when combining two
strings.Builders
- go#77680 cmd/link: TestFlagW/-w_-linkmode=external fails on illumos
- go#77766 cmd/fix,x/tools/go/analysis/passes/modernize: rangeint uses target platform's type in the range expression,
breaking other platforms
- go#77780 reflect: breaking change for reflect.Value.Interface behaviour
- go#77786 cmd/compile: rewriteFixedLoad does not properly sign extend AuxInt
- go#77803 cmd/fix,x/tools/go/analysis/passes/modernize: reflect.TypeOf(nil) transformed into
reflect.TypeForuntyped nil
- go#77804...