update to go1.26.5, alpine 3.23#13920
Conversation
There was a problem hiding this comment.
Pull request overview
Updates the project’s Go toolchain patch version to Go 1.26.5, aligning local/dev and container build environments with the latest security and bug-fix release.
Changes:
- Bump the Go version used by the build Docker image to
1.26.5. - Update the repo’s
.go-versionto1.26.5to match.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| Dockerfile | Updates GO_VERSION build arg to use Go 1.26.5 for containerized builds. |
| .go-version | Updates the developer/tooling Go version pin to 1.26.5. |
docker-agent
left a comment
There was a problem hiding this comment.
Assessment: 🟢 APPROVE
Routine Go toolchain bump from 1.26.4 → 1.26.5. Both changed files (.go-version and Dockerfile) update a single version string each. No logic, no new dependencies, no API changes introduced. The update patches two CVEs (CVE-2026-39822, CVE-2026-42505) and is consistent with the repo's established pattern of regular Go point-release bumps.
No issues found.
The alpine 3.22 variant was removed. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
go1.26.5 (released 2026-07-07) includes security fixes to the crypto/tls and os packages, as well as bug fixes to the compiler, the runtime, the go command, and the net, os, and syscall packages. See the Go 1.26.5 milestone on our issue tracker for details; - https://github.com/golang/go/issues?q=milestone%3AGo1.26.5+label%3ACherryPickApproved - full diff: golang/go@go1.26.4...go1.26.5 From the security announcement: We have just released Go versions 1.26.5 and 1.25.12, minor point releases. These releases include 2 security fixes following the security policy: - os: Root escape via symlink plus trailing slash On Unix systems, opening a file in an os.Root improperly followed symlinks to locations outside of the Root when the final path component of the a path is a symbolic link and the path ends in /. For example, root.Open("symlink/") would open "symlink" even when "symlink" is a symbolic link pointing outside of the root. On Unix, openat(fd, path, O_NOFOLLOW) will follow symlinks in path when path ends in a /. Root failed to account for this behavior, permitting paths with a trailing / to escape. It now properly sanitizes the path parameter provided to openat. hanks to Mundur for reporting this issue. This is CVE-2026-39822 and Go issue https://go.dev/issue/79005. - crypto/tls: Encrypted Client Hello privacy leak he Encrypted Client Hello implementation would leak the pre-shared key dentities during the handshake, allowing a passive network observer who can ollect handshakes to de-anonymize the hostname of the server, even when ECH was eing used. Thanks to Coia Prant (github.com/rbqvq) for reporting this issue. This is CVE-2026-42505 and Go issue https://go.dev/issue/79282. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
72e09f2 to
77a0c41
Compare
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
go1.26.5 (released 2026-07-07) includes security fixes to the crypto/tls and os packages, as well as bug fixes to the compiler, the runtime, the go command, and the net, os, and syscall packages. See the Go 1.26.5 milestone on our issue tracker for details;
From the security announcement:
We have just released Go versions 1.26.5 and 1.25.12, minor point releases.
These releases include 2 security fixes following the security policy:
os: Root escape via symlink plus trailing slash
On Unix systems, opening a file in an os.Root improperly
followed symlinks to locations outside of the Root when
the final path component of the a path is a symbolic link
and the path ends in /.
For example, root.Open("symlink/") would open "symlink"
even when "symlink" is a symbolic link pointing outside of the root.
On Unix, openat(fd, path, O_NOFOLLOW) will follow symlinks
in path when path ends in a /. Root failed to account for
this behavior, permitting paths with a trailing / to escape.
It now properly sanitizes the path parameter provided to openat.
hanks to Mundur for reporting this issue.
This is CVE-2026-39822 and Go issue https://go.dev/issue/79005.
crypto/tls: Encrypted Client Hello privacy leak
he Encrypted Client Hello implementation would leak the pre-shared key
dentities during the handshake, allowing a passive network observer who can
ollect handshakes to de-anonymize the hostname of the server, even when ECH was
eing used.
Thanks to Coia Prant (github.com/rbqvq) for reporting this issue.
This is CVE-2026-42505 and Go issue https://go.dev/issue/79282.
What I did
Related issue
(not mandatory) A picture of a cute animal, if possible in relation to what you did