Message-ID: <aeILrE9J6sYYPmEh@xoff>
Date: Fri, 17 Apr 2026 12:30:04 +0200
From: Matthias Ferdinand <ml.oss-security@...dv.net>
To: oss-security@...ts.openwall.com
Subject: Re: Go 1.26.2 and Go 1.25.9 are released with 10
 security fixes

On Fri, Apr 10, 2026 at 04:58:03AM +0200, Solar Designer wrote:
> On Wed, Apr 08, 2026 at 04:24:34PM -0700, Alan Coopersmith wrote:
> > https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU announces:
> > >We have just released Go versions 1.26.2 and 1.25.9, minor point releases.
> > >
> > >These releases include 10 security fixes following the security policy:
> 
> This includes 2 issues in the compiler itself, which made some Go
> programs not memory safe:
  ...


I did not see any Linux distribution advisories for compiled Go programs
yet, but some projects using Go have released updates:

  - https://rclone.org/changelog/#v1-73-4-2026-04-08
        Update to go 1.25.9 to fix multiple CVEs

  - https://github.com/grafana/grafana/releases/tag/v12.4.3
        2026-04-14: Go: Update to 1.25.9

I looked at https://github.com/gopasspw/gopass and
https://github.com/restic/restic, but they have not yet issued updated
releases.

Perhaps the message did not spread wide enough. Or are many Go programs
just not affected?


Matthias
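
Added example, not part of the original message: one way to check which compiled Go binaries on a system predate the fixed releases named in the announcement (1.25.9 and 1.26.2), by reading the toolchain version embedded in each binary. The names `fixedPatch` and `builtWithFixes` are made up for this example, and it assumes that release lines older than 1.25 never carry the fixes; a binary flagged here was built without the fixes, which does not by itself mean it is affected.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// fixedPatch: first patch release per line that carries the fixes (1.25.9, 1.26.2).
var fixedPatch = map[int]int{25: 9, 26: 2}

// builtWithFixes reports whether a toolchain string such as "go1.25.9" is at or
// above the fixed release of its line. Assumption: lines older than 1.25,
// pre-releases and unparsable strings are reported as lacking the fixes.
func builtWithFixes(goVersion string) bool {
	v := strings.TrimPrefix(goVersion, "go")
	if i := strings.IndexAny(v, " -+"); i >= 0 {
		v = v[:i] // drop suffixes such as " X:experiment" or "-custom"
	}
	parts := strings.Split(v, ".")
	if len(parts) < 2 || parts[0] != "1" {
		return false
	}
	minor, err := strconv.Atoi(parts[1])
	if err != nil {
		return false // e.g. "26rc1"
	}
	patch := 0
	if len(parts) > 2 {
		if patch, err = strconv.Atoi(parts[2]); err != nil {
			return false
		}
	}
	if want, ok := fixedPatch[minor]; ok {
		return patch >= want
	}
	return minor > 26
}

func main() {
	for _, path := range os.Args[1:] {
		if info, err := buildinfo.ReadFile(path); err != nil {
			fmt.Printf("%s: not a Go binary or unreadable: %v\n", path, err)
		} else {
			fmt.Printf("%s: %s fixes_included=%v\n", path, info.GoVersion, builtWithFixes(info.GoVersion))
		}
	}
}
```

Run it with the paths of the binaries to inspect as arguments; `go version -m <file>` prints the same embedded version for a single file.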
