#1138256 gopls: CVE-2026-42503

Package:
src:gopls
Source:
src:gopls
Submitter:
Salvatore Bonaccorso
Date:
2026-06-29 11:39:01 UTC
Severity:
normal
Tags:
#1138256#5
Date:
2026-05-30 07:53:45 UTC
From:
To:
Hi,

The following vulnerability was published for gopls.

CVE-2026-42503[0]:
| gopls by default communicates via pipe. However, -port and -listen
| flags are supported as means of debugging. If -listen is given a
| value without an explicit host (e.g. :8080), or -port is used, gopls
| will listen on 0.0.0.0.  As a result, users might inadvertently
| cause gopls to bind 0.0.0.0. This can allow a malicious party on the
| same network to execute code arbitrarily via gopls.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-42503
https://www.cve.org/CVERecord?id=CVE-2026-42503
[1] https://github.com/golang/go/issues/79211
[2] https://go-review.googlesource.com/c/tools/+/774381/
[3] https://github.com/golang/tools/commit/90abdab4cf0af205d3d2212c73526b58c97d0bf6

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

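The description in the report above hinges on one Go networking detail: a listen address whose host part is empty (":8080") or is the unspecified address ("0.0.0.0", "::") makes net.Listen accept connections on every interface, so the "-port" flag (which builds such an address) and a host-less "-listen" both expose the language server to the LAN. The following is an added example, not code from gopls or from the upstream fix referenced in [2] and [3]: it shows the check that distinguishes an all-interfaces address from an explicit loopback one, and a hypothetical hardened flag handler (the names bindsAllInterfaces, safeListenAddr and the allowRemote opt-in are assumptions made here) that maps a bare port onto 127.0.0.1 and refuses a host-less -listen unless the user explicitly opts in.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strconv"
)

// ErrUnspecifiedHost is returned when a listen address would bind every
// interface (host part empty, 0.0.0.0 or ::), the condition the advisory describes.
var ErrUnspecifiedHost = errors.New("listen address has no explicit host and would bind all interfaces")

// ErrNonLoopbackHost is returned when the host is not loopback and the caller
// has not opted in to remote access.
var ErrNonLoopbackHost = errors.New("listen address is not loopback; set allowRemote to bind it anyway")

// bindsAllInterfaces reports whether a Go-style listen address such as ":8080",
// "0.0.0.0:8080" or "[::]:8080" would make net.Listen accept connections on
// every interface. A hostname (e.g. "localhost") is treated as explicit here;
// resolution decides what it actually binds.
func bindsAllInterfaces(addr string) (bool, error) {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return false, err
	}
	if host == "" {
		return true, nil // ":8080" is the unspecified address
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false, nil
	}
	return ip.IsUnspecified(), nil
}

// safeListenAddr is a hypothetical hardening of the debugging flags, not the
// upstream gopls change: a bare port is mapped onto loopback instead of
// ":port", and a listen value must name an explicit loopback host unless the
// caller passes allowRemote.
func safeListenAddr(listen string, port int, allowRemote bool) (string, error) {
	if listen == "" {
		if port <= 0 || port > 65535 {
			return "", fmt.Errorf("invalid port %d", port)
		}
		return net.JoinHostPort("127.0.0.1", strconv.Itoa(port)), nil
	}
	all, err := bindsAllInterfaces(listen)
	if err != nil {
		return "", err
	}
	if all && !allowRemote {
		return "", ErrUnspecifiedHost
	}
	host, portStr, _ := net.SplitHostPort(listen) // validated above
	if host == "localhost" {
		host = "127.0.0.1"
	}
	if !allowRemote {
		ip := net.ParseIP(host)
		if ip == nil || !ip.IsLoopback() {
			return "", ErrNonLoopbackHost
		}
	}
	return net.JoinHostPort(host, portStr), nil
}

func main() {
	for _, addr := range []string{":8080", "0.0.0.0:8080", "[::]:8080", "127.0.0.1:8080", "localhost:8080"} {
		all, err := bindsAllInterfaces(addr)
		fmt.Printf("%-16s bindsAllInterfaces=%v err=%v\n", addr, all, err)
	}
	// Unchecked path: a host-less address goes straight to net.Listen and the
	// kernel reports the wildcard it bound ([::]:port or 0.0.0.0:port).
	if ln, err := net.Listen("tcp", ":0"); err == nil {
		fmt.Println("unchecked -listen :0 bound", ln.Addr())
		ln.Close()
	}
	// Hardened path: refuses the host-less form and pins -port to loopback.
	_, err := safeListenAddr(":8080", 0, false)
	fmt.Println("hardened -listen :8080 ->", err)
	addr, _ := safeListenAddr("", 8080, false)
	fmt.Println("hardened -port 8080 ->", addr)
}
```

On a host where a language server is already running, the same condition can be confirmed from outside the process with ss -ltnp: a listener shown as 0.0.0.0:port or [::]:port is reachable from the network, while 127.0.0.1:port or [::1]:port is not.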
#1138256#12
Date:
2026-06-25 12:19:33 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
gopls, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1138256@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dr. Tobias Quathamer <toddy@debian.org> (supplier of updated gopls package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 25 Jun 2026 13:57:17 +0200
Source: gopls
Architecture: source
Version: 2:0.22.0+ds-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
Changed-By: Dr. Tobias Quathamer <toddy@debian.org>
Closes: 1138256
Changes:
 gopls (2:0.22.0+ds-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version 0.22.0+ds
     - Refresh patches
     - New Build-Depends: golang-1.26, golang-github-segmentio-encoding-dev,
       golang-golang-x-oauth2-dev
     - Update copy of modelcontextprotocol/go-sdk to v1.6.1
     - CVE-2026-42503 (Closes: #1138256):
       gopls by default communicates via pipe. However, -port and -listen flags
       are supported as means of debugging. If -listen is given a value
       without an explicit host (e.g. :8080), or -port is used, gopls will
       listen on 0.0.0.0.  As a result, users might inadvertently cause gopls
       to bind 0.0.0.0. This can allow a malicious party on the same network
       to execute code arbitrarily via gopls.
   * Update Standards-Version to 4.7.4, no changes needed
Checksums-Sha1:
 5d54b5f5a0dc53891ef362af1c0bf2987853ca66 2682 gopls_0.22.0+ds-1.dsc
 763f388dfdd11f96d214e81ce003439c6a74788e 7417184 gopls_0.22.0+ds.orig.tar.xz
 1d2215912a506ac01deee338f49a536fac98c3e7 331948 gopls_0.22.0+ds-1.debian.tar.xz
 ba6fbbd8f4d4a8fa2b475a4999092b45e341b5e3 7188 gopls_0.22.0+ds-1_amd64.buildinfo
Checksums-Sha256:
 fdae7cdecf99c2c4165fce6c9ab3f553895de67e2d933a6e23a7717852b50ffa 2682 gopls_0.22.0+ds-1.dsc
 cd58bfae8c92d3777172d52f0b7b17f9f872213219bdd29dd2babca3b4092aff 7417184 gopls_0.22.0+ds.orig.tar.xz
 b443f31114357ee449ffc8e095afc9677bdf55bda6ad47259867c22db908813e 331948 gopls_0.22.0+ds-1.debian.tar.xz
 b3857b5e7d29e88ec7b547aa724632df7bdea8843e377e2151582cd2c7ee224b 7188 gopls_0.22.0+ds-1_amd64.buildinfo
Files:
 91a6acef23133d4bc4d1d3b48ce848d8 2682 golang optional gopls_0.22.0+ds-1.dsc
 49b5d073210f8fc72f54db68958b3f3d 7417184 golang optional gopls_0.22.0+ds.orig.tar.xz
 03240fadc79d5f09e3682be002dd6b4b 331948 golang optional gopls_0.22.0+ds-1.debian.tar.xz
 d70bfa24ceafc5346835d58e92ed3a10 7188 golang optional gopls_0.22.0+ds-1_amd64.buildinfo