Debian Package Tracker

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: <debian-devel-changes@lists.debian.org>
Subject: Accepted golang-1.26 1.26.3-1 (source) into unstable
Date: Thu, 07 May 2026 22:24:27 +0000
Signed by: Dr. Tobias Quathamer <toddy@debian.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 07 May 2026 22:46:34 +0200
Source: golang-1.26
Architecture: source
Version: 1.26.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Compiler Team <team+go-compiler@tracker.debian.org>
Changed-By: Dr. Tobias Quathamer <toddy@debian.org>
Changes:
 golang-1.26 (1.26.3-1) unstable; urgency=medium
 .
   * New upstream version 1.26.3
     - CVE-2026-42501
       cmd/go: malicious module proxy can bypass checksum database
     - CVE-2026-39820
       Well-crafted inputs reaching ParseAddress, ParseAddressList, and
       ParseDate were able to trigger excessive CPU exhaustion and memory
       allocations.
     - CVE-2026-39823
       Vulnerability in which URLs were not correctly escaped inside of a
       <meta> tag's <content> attribute.
     - CVE-2026-33811
       When using LookupCNAME with the cgo DNS resolver, a very long
       CNAME response can trigger a double-free of C memory and a crash.
     - CVE-2026-39826
       If a trusted template author were to write a <script> tag
       containing an empty 'type' attribute or a 'type' attribute with an
       ASCII whitespace, the execution of the template would incorrectly
       escape any data passed into the <script> block.
     - CVE-2026-39817
       The "go tool pack" subcommand (usually used only by the compiler
       as an internal tool with known-good inputs) does not sanitize
       output filenames. Extracting a malicious archive file with the
       "pack" subcommand can write files to arbitrary locations on the
       filesystem.
     - CVE-2026-39819
       The "go bug" command writes to two files with predictable names in
       the system temporary directory (for example, "/tmp"). An attacker
       with access to the temporary directory can create a symlink in one
       of these names, causing "go bug" to overwrite the target of the
       symlink.
     - CVE-2026-42499
       Pathological inputs could cause DoS through consumePhrase when
       parsing an email address according to RFC 5322.
     - CVE-2026-39825
       ReverseProxy can forward queries containing parameters not visible
       to Rewrite functions.
Checksums-Sha1:
 6b1c65fb39a54d029b3b44f74263777d303704c3 2915 golang-1.26_1.26.3-1.dsc
 f34f9258fb3dde598fcc4c06d7d866fdd572ac39 34119059 golang-1.26_1.26.3.orig.tar.gz
 2db2e89f7080e9c97105cbad4f0cd8976bed71a1 833 golang-1.26_1.26.3.orig.tar.gz.asc
 c69c6879a92d1a7df35397a99b0ecf879200e296 46992 golang-1.26_1.26.3-1.debian.tar.xz
 fcd846443b5a060d2f7c37323bdc8bc057ee7fef 6685 golang-1.26_1.26.3-1_amd64.buildinfo
Checksums-Sha256:
 3ffb7eaa7d2eb93169145675cd69a71365d8929fab2e70027c5c601ac5e3a26e 2915 golang-1.26_1.26.3-1.dsc
 1c646875d0aa8799133184ed57cf79ff24bdefe8c8820470602a9d3d6d9192b8 34119059 golang-1.26_1.26.3.orig.tar.gz
 607f70509ad2a008e9add7a2d0b2b90df250c7a7525572a1194ca74a96adea9f 833 golang-1.26_1.26.3.orig.tar.gz.asc
 2c11668c20a214c8eea13bc997cc0b6b4a0c69a1c6bd89ceb2fa73274392ffcf 46992 golang-1.26_1.26.3-1.debian.tar.xz
 bb5beb745cecc613fe940ab74f273c62fd5170eb856c0fa36e1227e9a875cc41 6685 golang-1.26_1.26.3-1_amd64.buildinfo
Files:
 4815dfcf5a165be07b739210fcb4813d 2915 golang optional golang-1.26_1.26.3-1.dsc
 dc451e9bb76af204f67352eff4cfee36 34119059 golang optional golang-1.26_1.26.3.orig.tar.gz
 2e9bc969703a16b7e589290585b86a2b 833 golang optional golang-1.26_1.26.3.orig.tar.gz.asc
 82f49b31fe8deb91938debd5a03a067f 46992 golang optional golang-1.26_1.26.3-1.debian.tar.xz
 18034309371717d958237549100c6680 6685 golang optional golang-1.26_1.26.3-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE0cuPObxd7STF0seMEwLx8Dbr6xkFAmn8/FcACgkQEwLx8Dbr
6xkM1w//cwQ1HrOKvU69h+qVQkVtsj6STWYvBclzdsYRjDpgdCbR4O9pbXoV6NAA
nR8cwZjM9WyNveHqzt1oDLNu43keI4oedyD9qmAqtVL0sV3oJalW4Y1JjQkiy6Pk
secf+nF2i4NF506TSX/x7C7QAsToE+uu1fR/zk+HLeRWnqjz6BnF6zm/0bpULdKy
CLZhA0coT/VVjE3ZyKx8/Q3LsH8uKqA3xvht7GsnXKDw777FEiWkb90Q7jlzn26K
zcoAm1MpjBvpEp+D7Hz+WX8MS8ENnb8CZD7gsgvSrQGEeeDiZ85ibplPTBziJBDZ
2NzBUvUzUfB1e1uqNoU6OzwDmtqBouVbP9p4fBpJyDlERwqr6kO/OoZhzsjb6SWR
mPA7cl3LOe1P/5tZPlcm/sy8ANkSYBx2AdgvqeCoR35vtlN8tvof8ANHGRUwHz/f
dmUh9hNYfi6UwG7ChJ/0IXZ97jt9feIx9uJXSyow/la7d+SfRMVPYIl9ijcP0+OZ
F7S25lepGO3WZg3hwUOyIXfiURYRMiDJe1SYUFBWLuIXSuJs6ooXkFgjfqm8Led3
YsJ28IvWn7MYjWXsUlR1IuJBa1fExsjTf0OW2ae6Yod883S5gGgE3I7bwe0YuR9H
1pMmB0NhGmyqOD7V93CyWtN6BfmuOI1gi5RvUHocfxkiJekx9jE=
=d2zB
-----END PGP SIGNATURE-----
News for package golang-1.26
