The Wire · Showcase
GOPLS CRASHES ON MALFORMED CACHE, CRYPTO HARDENS SSH AGAINST HOSTILE PEERS
By RepoJournal · Filed · About Go
The gopls language server has a mystery crash in its frob decoder that defenders are now treating as a hardware fault scenario, while the crypto team closes two SSH attack surfaces that silently drain memory and corrupt terminal output.
gopls is getting defensive. A "surplus bytes" error in frob decoding [1] that should be theoretically impossible is now being handled with explicit assertions and fallbacks, because field reports suggest it's happening anyway. That same cache rewrite is getting a stability pass across the board: a flaky module index initialization bug [2] is being fixed with explicit synchronization, the semantic token benchmarks are no longer panicking [3], and dead gob encoding code is being removed [4]. The vulncheck action parsing was also shadowed into invisibility [5], now fixed. On the crypto side, SSH agent forwarders are leaking 2 MiB per channel [6] because they ignore stderr stream data, letting receive windows go unreplenished. More critically, malicious SSH peers can send control characters and escape sequences in disconnect messages [7], which now get sanitized and escaped before display. The image library is also clarifying its threat model [8]: malicious images are defended against, but malicious fonts are not.
Action items
- → Pull golang/tools with the gopls cache fixes before your next build, especially if you have flaky test reports golang/tools [plan]
- → Update golang/crypto immediately if you use SSH agent forwarding; the 2 MiB leak per channel can degrade production systems under sustained connections golang/crypto [immediate]
- → Review golang/image font usage; document any assumptions about font source trust in your codebase golang/image [monitor]
References
- [1] gopls: two mitigations for "surplus bytes" crash golang/tools
- [2] gopls/test/integration/mist: Fix flaky test golang/tools
- [3] gopls/internal/test: address out of bounds panic in BenchmarkSemanticTokens golang/tools
- [4] gopls/internal/cache: delete dead (gob) code golang/tools
- [5] gopls/internal/server: fix parsing vulncheck action golang/tools
- [6] ssh/agent: drain channel stderr in agent forwarders golang/crypto
- [7] ssh: sanitize client disconnect messages golang/crypto
- [8] font: document (lack of) security hardening in font packages golang/image
FAQ
- What changed in Go on June 30, 2026?
- The gopls language server has a mystery crash in its frob decoder that defenders are now treating as a hardware fault scenario, while the crypto team closes two SSH attack surfaces that silently drain memory and corrupt terminal output.
- What should Go teams do about it?
- Pull golang/tools with the gopls cache fixes before your next build, especially if you have flaky test reports • Update golang/crypto immediately if you use SSH agent forwarding; the 2 MiB leak per channel can degrade production systems under sustained connections • Review golang/image font usage; document any assumptions about font source trust in your codebase
- Which Go repositories shipped on June 30, 2026?
- golang/tools, golang/crypto, golang/image