Description of the patch:
This update for go1.26 fixes the following issues
Security issues:
- CVE-2026-33811: net: crash when handling long CNAME response (bsc#1264508).
- CVE-2026-33814: net/http: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE (bsc#1264506).
- CVE-2026-39817: cmd/go: 'go tool pack' does not sanitize output paths (bsc#1264505).
- CVE-2026-39819: cmd/go: 'go bug' follows symlinks in predictable temporary filenames (bsc#1264504).
- CVE-2026-39820: net/mail: quadratic string concatentation in consumeComment (bsc#1264503).
- CVE-2026-39823: html/template: bypass of meta content URL escaping causes XSS (bsc#1264509).
- CVE-2026-39825: net/http/httputil: ReverseProxy forwards queries with more than urlmaxqueryparams parameters
(bsc#1264500).
- CVE-2026-39826: html/template: escaper bypass leads to XSS (bsc#1264507).
- CVE-2026-39836: net: panic in Dial and LookupPort when handling NUL byte on Windows (bsc#1264501).
- CVE-2026-42499: net/mail: quadratic string concatenation in consumePhrase (bsc#1264502).
- CVE-2026-42501: cmd/go: malicious module proxy can bypass checksum database (bsc#1264499).
Non security issues:
- go1.26 release tracking (bsc#1255111).
- Go packages miss binutils-gold dependency (bsc#1170826).