- go1.21.13 (released 2024-08-06) includes fixes to the go command,
  the covdata command, and the bytes package.
  Refs boo#1212475 go1.21 release tracking
  * go#68491 cmd/covdata: too many open files due to defer f.Close() in for loop
  * go#68474 bytes: IndexByte can return -4294967295 when memory usage is above 2^31 on js/wasm
  * go#68221 cmd/go: list with -export and -covermode=atomic fails to build (forwarded request 1192310 from jfkw)

• Files Changed
• Browse Source

- go1.21.12 (released 2024-07-02) includes security fixes to the
  net/http package, as well as bug fixes to the compiler, the go
  command, the runtime, and the crypto/x509, net/http, net/netip,
  and os packages.
  Refs boo#1212475 go1.21 release tracking
  CVE-2024-24791
  * go#68199 go#67555 boo#1227314 security: fix CVE CVE-2024-24791 net/http: expect: 100-continue handling is broken in various ways
  * go#67297 runtime: "fatal: morestack on g0" on amd64 after upgrade to Go 1.21, stale bounds
  * go#67426 cmd/link: need to handle new-style loong64 relocs
  * go#67714 cmd/cgo/internal/swig,cmd/go,x/build: swig cgo tests incompatible with C++ toolchain on builders
  * go#67849 go/internal/gccgoimporter: go building failing with gcc 14.1.0
  * go#67933 net: go DNS resolver fails to connect to local DNS server
  * go#67944 cmd/link: using -fuzz with test that links with cgo on darwin causes linker failure
  * go#68051 cmd/go: go list -u -m all fails loading module retractions: module requires go >= 1.N+1 (running go 1.N) (forwarded request 1184951 from jfkw)

• Files Changed
• Browse Source

- go1.21.11 (released 2024-06-04) includes security fixes to the
  archive/zip and net/netip packages, as well as bug fixes to the
  compiler, the go command, the runtime, and the os package.
  Refs boo#1212475 go1.21 release tracking
  CVE-2024-24789 CVE-2024-24790
  * go#67553 go#66869 boo#1225973 security: fix CVE-2024-24789 archive/zip: EOCDR comment length handling is inconsistent with other ZIP implementations
  * go#67681 go#67680 boo#1225974 security: fix CVE-2024-24790 net/netip: unexpected behavior from Is methods for IPv4-mapped IPv6 addresses
  * go#64586 cmd/go: spurious "v1.x.y is not a tag" error when a tag's commit was previously download without the tag
  * go#67164 cmd/compile: SIGBUS unaligned access on mips64 via qemu-mips64
  * go#67187 runtime/metrics: /memory/classes/heap/unused:bytes spikes
  * go#67235 cmd/go: mod tidy reports toolchain not available with 'go 1.21'
  * go#67310 cmd/go: TestScript/gotoolchain_issue66175 fails on tip locally
  * go#67351 crypto/x509: TestPlatformVerifier failures on Windows due to broken connections
  * go#67695 os: RemoveAll susceptible to symlink race (forwarded request 1178638 from jfkw)

• Files Changed
• Browse Source

- go1.21.10 (released 2024-05-07) includes security fixes to the go
  command, as well as bug fixes to the net/http package.
  Refs boo#1212475 go1.21 release tracking
  CVE-2024-24787
  * go#67121 go#67119 boo#1224017 security: fix CVE-2024-24787 cmd/go: arbitrary code execution during build on darwin
  * go#66697 net/http: TestRequestLimit/h2 becomes significantly more expensive and slower after x/net@v0.23.0 (forwarded request 1172533 from jfkw)

• Files Changed
• Browse Source

- go1.21.9 (released 2024-04-03) includes a security fix to the
  net/http package, as well as bug fixes to the linker, and the
  go/types and net/http packages.
  Refs boo#1212475 go1.21 release tracking
  CVE-2023-45288
  * go#65387 go#65051 boo#1221400 security: fix CVE-2023-45288 net/http, x/net/http2: close connections when receiving too many headers
  * go#66254 net/http: http2 round tripper nil pointer dereference causes panic causing deadlock
  * go#66326 cmd/compile: //go:build file version ignored when using generic function from package "slices" in Go 1.21
  * go#66411 cmd/link: bad carrier sym for symbol runtime.elf_savegpr0.args_stackmap on ppc64le (forwarded request 1164435 from jfkw)

• Files Changed
• Browse Source

- go1.21.8 (released 2024-03-05) includes security fixes to the
  crypto/x509, html/template, net/http, net/http/cookiejar, and
  net/mail packages, as well as bug fixes to the go command and the
  runtime.
  Refs boo#1212475 go1.21 release tracking
  CVE-2023-45289 CVE-2023-45290 CVE-2024-24783 CVE-2024-24784 CVE-2024-24785
  * go#65385 go#65065 boo#1221000 security: fix CVE-2023-45289 net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect
  * go#65389 go#65383 boo#1221001 security: fix CVE-2023-45290 net/http: memory exhaustion in Request.ParseMultipartForm
  * go#65392 go#65390 boo#1220999 security: fix CVE-2024-24783 crypto/x509: Verify panics on certificates with an unknown public key algorithm
  * go#65848 go#65083 boo#1221002 security: fix CVE-2024-24784 net/mail: comments in display names are incorrectly handled
  * go#65968 go#65697 boo#1221003 security: fix CVE-2024-24785 html/template: errors returned from MarshalJSON methods may break template escaping
  * go#65472 internal/testenv: TestHasGoBuild failures on the LUCI noopt builders
  * go#65475 internal/testenv: support LUCI mobile builders in testenv tests
  * go#65478 runtime: don't let the tests leave core files behind
  * go#65640 cmd/cgo/internal/testsanitizers,x/build: LUCI clang15 builders failing
  * go#65851 cmd/go: "missing ziphash" error with go.work
  * go#65882 internal/poll: invalid uintptr conversion in call to windows.SetFileInformationByHandle (forwarded request 1155400 from jfkw)

• Files Changed
• Browse Source

- Packaging improvements:
  * Use %patch -P N instead of deprecated %patchN (forwarded request 1151997 from jfkw)

• Files Changed
• Browse Source

- Packaging improvements:
  * boo#1219988 ensure VERSION file is present in GOROOT
    as required by go tool dist and go tool distpack (forwarded request 1147333 from jfkw)

• Files Changed
• Browse Source

- go1.21.7 (released 2024-02-06) includes fixes to the compiler,
  the go command, the runtime, and the crypto/x509 package.
  Refs boo#1212475 go1.21 release tracking
  * go#63209 runtime: "fatal: morestack on g0" on amd64 after upgrade to Go 1.21
  * go#63768 runtime: pinner.Pin doesn't panic when it says it will
  * go#64497 cmd/go: flag modcacherw does not take effect in the target package
  * go#64761 staticlockranking builders failing on release branches on LUCI
  * go#64935 runtime: "traceback: unexpected SPWRITE function runtime.systemstack"
  * go#65023 x/tools/go/analysis/unitchecker,slices: TestVetStdlib failing due to vet errors in panic tests
  * go#65053 cmd/compile: //go:build file version ignored when calling generic fn which has related type params
  * go#65323 crypto: rollback BoringCrypto fips-20220613 update
  * go#65351 cmd/go: go generate fails silently when run on a package in a nested workspace module
  * go#65380 crypto/x509: TestIssue51759 consistently failing on gotip-darwin-amd64_10.15 LUCI builder
  * go#65449 runtime/trace: frame pointer unwinding crash on arm64 during async preemption (forwarded request 1144736 from jfkw)

• Files Changed
• Browse Source

- go1.21.6 (released 2024-01-09) includes fixes to the compiler,
  the runtime, and the crypto/tls, maps, and runtime/pprof
  packages.
  Refs boo#1212475 go1.21 release tracking
  * go#63911 x/build,os/signal: TestDetectNohup and TestNohup fail on replacement darwin LUCI builders
  * go#64410 runtime: ReadMemStats fatal error: mappedReady and other memstats are not equal
  * go#64472 cmd/compile: linux/s390x: inlining bug in s390x
  * go#64475 maps: maps.Clone reference semantics when cloning a map with large value types
  * go#64561 runtime: excessive memory use between 1.21.0 -> 1.21.1
  * go#64567 cmd/compile: max/min builtin broken when used with string(byte) conversions
  * go#64609 runtime/pprof: incorrect function names for generics functions
  * go#64719 crypto: upgrade to BoringCrypto fips-20220613 and enable TLS 1.3
  * go#64757 runtime: race condition raised with parallel tests, panic(nil) and -race (forwarded request 1137838 from jfkw)

• Files Changed
• Browse Source

- go1.21.5 (released 2023-12-05) includes security fixes to the go
  command, and the net/http and path/filepath packages, as well as
  bug fixes to the compiler, the go command, the runtime, and the
  crypto/rand, net, os, and syscall packages.
  Refs boo#1212475 go1.21 release tracking
  CVE-2023-45285 CVE-2023-45284 CVE-2023-39326
  * go#63973 go#63845 boo#1217834 security: fix CVE-2023-45285 cmd/go: git VCS qualifier in module path uses git:// scheme
  * go#64041 go#63713 boo#1216943 security: fix CVE-2023-45284 path/filepath: Clean removes ending slash for volume on Windows in Go 1.21.4
  * go#64435 go#64433 boo#1217833 security: fix CVE-2023-39326 net/http: limit chunked data overhead
  * go#62055 cmd/go: go mod download needs to support toolchain upgrades
  * go#63743 cmd/compile: invalid pointer found on stack when compiled with -race
  * go#63764 os: NTFS deduped file changed from regular to irregular
  * go#63801 net: TCPConn.ReadFrom hangs when io.Reader is TCPConn or UnixConn, Linux kernel < 5.1
  * go#63984 cmd/compile: internal compiler error: panic during prove while compiling: unexpected induction with too many parents
  * go#63994 syscall: TestOpenFileLimit unintentionally runs on non-Unix platforms
  * go#64073 runtime: self-deadlock on mheap_.lock
  * go#64413 crypto/rand: Legacy RtlGenRandom use on Windows (forwarded request 1131273 from jfkw)

• Files Changed
• Browse Source

- go1.21.4 (released 2023-11-07) includes security fixes to the
  path/filepath package, as well as bug fixes to the linker, the
  runtime, the compiler, and the go/types, net/http, and
  runtime/cgo packages.
  Refs boo#1212475 go1.21 release tracking
  CVE-2023-45283 CVE-2023-45284
  * go#63715 go#63713 boo#1216943 boo#1216944 security: fix CVE-2023-45283 CVE-2023-45284 path/filepath: insecure parsing of Windows paths
  * go#62207 spec: update unification rules
  * go#62545 cmd/compile: internal compiler error: expected struct value to have type struct
  * go#63317 cmd/link: split text sections for arm 32-bit
  * go#63335 runtime: MADV_COLLAPSE causes production performance issues on Linux
  * go#63339 go/types, x/tools/go/ssa: panic: type param without replacement encountered
  * go#63509 cmd/compile: -buildmode=c-archive produces code not suitable for use in a shared object on arm64
  * go#63560 net/http: http2 page fails on firefox/safari if pushing resources (forwarded request 1124117 from jfkw)

• Files Changed
• Browse Source

- go1.21.3 (released 2023-10-10) includes a security fix to the
  net/http package.
  Refs boo#1212475 go1.21 release tracking
  CVE-2023-39325 CVE-2023-44487
  * go#63427 go#63417 boo#1216109 security: fix CVE-2023-39325 CVE-2023-44487 net/http: rapid stream resets can cause excessive work (forwarded request 1116741 from jfkw)

• Files Changed
• Browse Source

- go1.21.2 (released 2023-10-05) includes one security fixes to the
  cmd/go package, as well as bug fixes to the compiler, the go
  command, the linker, the runtime, and the runtime/metrics
  package.
  Refs boo#1212475 go1.21 release tracking
  CVE-2023-39323
  * go#63214 go#63211 boo#1215985 security: fix CVE-2023-39323 cmd/go: line directives allows arbitrary execution during build
  * go#62464 runtime: "traceback did not unwind completely"
  * go#62478 runtime/metrics: /gc/scan* metrics return zero
  * go#62505 plugin: variable not initialized properly
  * go#62506 cmd/compile: internal compiler error: InvertFlags should never make it to codegen v100 = InvertFlags v123
  * go#62509 runtime: scheduler change causes Delve's function call injection to fail intermittently
  * go#62537 runtime: "fatal: morestack on g0" with PGO enabled on arm64
  * go#62598 cmd/link: issues with Apple's new linker in Xcode 15 beta
  * go#62668 cmd/compile: slow to compile 17,000 line switch statement?
  * go#62711 cmd/go: TestScript/gotoolchain_path fails if golang.org/dl/go1.21.1 is installed in the user's $PATH (forwarded request 1115932 from jfkw)

• Files Changed
• Browse Source

- go1.21.1 (released 2023-09-06) includes four security fixes to
  the cmd/go, crypto/tls, and html/template packages, as well as
  bug fixes to the compiler, the go command, the linker, the
  runtime, and the context, crypto/tls, encoding/gob, encoding/xml,
  go/types, net/http, os, and path/filepath packages.
  Refs boo#1212475 go1.21 release tracking
  CVE-2023-39318 CVE-2023-39319 CVE-2023-39320 CVE-2023-39321 CVE-2023-39322

- Add missing directory pprof html asset directory to package.
  Refs boo#1215090
  * src/cmd/vendor/github.com/google/pprof/internal/driver/html/
    dir containing html assets is present in upstream Go
    distribution but missing from SUSE go1.x packages
  * Go programs importing runtime/pprof may fail with error:
    /usr/lib64/go/1.21/src/cmd/vendor/github.com/google/pprof/internal/driver/webhtml.go
    pattern html: no matching files found
  * Reformat adjacent commment in spec file (forwarded request 1109619 from jfkw)

• Files Changed
• Browse Source

- go1.21 (released 2023-08-08) is a major release of Go.
  go1.21.x minor releases will be provided through August 2024.
  https://github.com/golang/go/wiki/Go-Release-Cycle
  go1.21 arrives six months after go1.20. Most of its changes are
  in the implementation of the toolchain, runtime, and libraries.
  As always, the release maintains the Go 1 promise of
  compatibility. We expect almost all Go programs to continue to
  compile and run as before.
  Refs boo#1212475 go1.21 release tracking (forwarded request 1103035 from jfkw)

• Files Changed
• Browse Source

- go1.21rc4 (released 2023-08-02) is a release candidate version of
  go1.21 cut from the master branch at the revision tagged
  go1.21rc4.
  Refs boo#1212475 go1.21 release tracking (forwarded request 1102035 from jfkw)

• Files Changed
• Browse Source

- go1.21rc3 (released 2023-07-14) is a release candidate version of
  go1.21 cut from the master branch at the revision tagged
  go1.21rc3.
  Refs boo#1212475 go1.21 release tracking (forwarded request 1098741 from jfkw)

• Files Changed
• Browse Source

- go1.21rc2 (released 2023-06-21) is a release candidate version of
  go1.21 cut from the master branch at the revision tagged
  go1.21rc2. https://go.dev/blog/go1.21rc
  Refs boo#1212475 go1.21 release tracking
- Add missing go.env to package. go.env sets defaults including:
  GOPROXY GOSUMDB GOTOOLCHAIN
  Refs boo#1212667
- go1.21+ change default GOTOOLCHAIN=auto to local to prevent go
  tool commands from downloading upstream go1.x toolchain binaries
  Refs boo#1212669

• Browse Source