Skip to content

update to go1.26.5, alpine 3.23#13920

Draft
thaJeztah wants to merge 2 commits into
docker:mainfrom
thaJeztah:update_go1.26.5
Draft

update to go1.26.5, alpine 3.23#13920
thaJeztah wants to merge 2 commits into
docker:mainfrom
thaJeztah:update_go1.26.5

Conversation

@thaJeztah

@thaJeztah thaJeztah commented Jul 7, 2026

Copy link
Copy Markdown
Member

go1.26.5 (released 2026-07-07) includes security fixes to the crypto/tls and os packages, as well as bug fixes to the compiler, the runtime, the go command, and the net, os, and syscall packages. See the Go 1.26.5 milestone on our issue tracker for details;

From the security announcement:

We have just released Go versions 1.26.5 and 1.25.12, minor point releases.

These releases include 2 security fixes following the security policy:

  • os: Root escape via symlink plus trailing slash

    On Unix systems, opening a file in an os.Root improperly
    followed symlinks to locations outside of the Root when
    the final path component of the a path is a symbolic link
    and the path ends in /.

    For example, root.Open("symlink/") would open "symlink"
    even when "symlink" is a symbolic link pointing outside of the root.

    On Unix, openat(fd, path, O_NOFOLLOW) will follow symlinks
    in path when path ends in a /. Root failed to account for
    this behavior, permitting paths with a trailing / to escape.
    It now properly sanitizes the path parameter provided to openat.

    hanks to Mundur for reporting this issue.

    This is CVE-2026-39822 and Go issue https://go.dev/issue/79005.

  • crypto/tls: Encrypted Client Hello privacy leak

    he Encrypted Client Hello implementation would leak the pre-shared key
    dentities during the handshake, allowing a passive network observer who can
    ollect handshakes to de-anonymize the hostname of the server, even when ECH was
    eing used.

    Thanks to Coia Prant (github.com/rbqvq) for reporting this issue.

    This is CVE-2026-42505 and Go issue https://go.dev/issue/79282.

What I did

Related issue

(not mandatory) A picture of a cute animal, if possible in relation to what you did

Copilot AI review requested due to automatic review settings July 7, 2026 22:05
@thaJeztah thaJeztah requested review from a team as code owners July 7, 2026 22:05
@thaJeztah thaJeztah requested review from glours and ndeloof July 7, 2026 22:05

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the project’s Go toolchain patch version to Go 1.26.5, aligning local/dev and container build environments with the latest security and bug-fix release.

Changes:

  • Bump the Go version used by the build Docker image to 1.26.5.
  • Update the repo’s .go-version to 1.26.5 to match.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
Dockerfile Updates GO_VERSION build arg to use Go 1.26.5 for containerized builds.
.go-version Updates the developer/tooling Go version pin to 1.26.5.

@docker-agent docker-agent left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assessment: 🟢 APPROVE

Routine Go toolchain bump from 1.26.4 → 1.26.5. Both changed files (.go-version and Dockerfile) update a single version string each. No logic, no new dependencies, no API changes introduced. The update patches two CVEs (CVE-2026-39822, CVE-2026-42505) and is consistent with the repo's established pattern of regular Go point-release bumps.

No issues found.

thaJeztah added 2 commits July 8, 2026 01:26
The alpine 3.22 variant was removed.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
go1.26.5 (released 2026-07-07) includes security fixes to the crypto/tls
and os packages, as well as bug fixes to the compiler, the runtime, the
go command, and the net, os, and syscall packages. See the Go 1.26.5
milestone on our issue tracker for details;

- https://github.com/golang/go/issues?q=milestone%3AGo1.26.5+label%3ACherryPickApproved
- full diff: golang/go@go1.26.4...go1.26.5

From the security announcement:

We have just released Go versions 1.26.5 and 1.25.12, minor point releases.

These releases include 2 security fixes following the security policy:

- os: Root escape via symlink plus trailing slash

  On Unix systems, opening a file in an os.Root improperly
  followed symlinks to locations outside of the Root when
  the final path component of the a path is a symbolic link
  and the path ends in /.

  For example, root.Open("symlink/") would open "symlink"
  even when "symlink" is a symbolic link pointing outside of the root.

  On Unix, openat(fd, path, O_NOFOLLOW) will follow symlinks
  in path when path ends in a /. Root failed to account for
  this behavior, permitting paths with a trailing / to escape.
  It now properly sanitizes the path parameter provided to openat.

  hanks to Mundur for reporting this issue.

  This is CVE-2026-39822 and Go issue https://go.dev/issue/79005.

- crypto/tls: Encrypted Client Hello privacy leak

  he Encrypted Client Hello implementation would leak the pre-shared key
  dentities during the handshake, allowing a passive network observer who can
  ollect handshakes to de-anonymize the hostname of the server, even when ECH was
  eing used.

  Thanks to Coia Prant (github.com/rbqvq) for reporting this issue.

  This is CVE-2026-42505 and Go issue https://go.dev/issue/79282.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah thaJeztah changed the title update to go1.26.5 update to go1.26.5, alpine 3.23 Jul 7, 2026
@codecov

codecov Bot commented Jul 7, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@thaJeztah thaJeztah marked this pull request as draft July 8, 2026 00:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants