From b301120ca8aa035fee57302e202fd5900a8a1f22 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Wed, 8 Jul 2026 01:26:38 +0200 Subject: [PATCH 1/2] Dockerfile: update golang image to alpine 3.23 The alpine 3.22 variant was removed. Signed-off-by: Sebastiaan van Stijn --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 4be1236038b..e663cdfca1f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -33,7 +33,7 @@ FROM crazymax/osxcross:15.5-alpine AS osxcross FROM golangci/golangci-lint:${GOLANGCI_LINT_VERSION}-alpine AS golangci-lint FROM ghcr.io/google/addlicense:${ADDLICENSE_VERSION} AS addlicense -FROM --platform=${BUILDPLATFORM} golang:${GO_VERSION}-alpine3.22 AS base +FROM --platform=${BUILDPLATFORM} golang:${GO_VERSION}-alpine3.23 AS base COPY --from=xx / / RUN apk add --no-cache \ clang \ From 77a0c415ae727e2238e3486ad6da98bcab1ea26e Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Wed, 8 Jul 2026 00:05:34 +0200 Subject: [PATCH 2/2] update to go1.26.5 go1.26.5 (released 2026-07-07) includes security fixes to the crypto/tls and os packages, as well as bug fixes to the compiler, the runtime, the go command, and the net, os, and syscall packages. See the Go 1.26.5 milestone on our issue tracker for details; - https://github.com/golang/go/issues?q=milestone%3AGo1.26.5+label%3ACherryPickApproved - full diff: https://github.com/golang/go/compare/go1.26.4...go1.26.5 From the security announcement: We have just released Go versions 1.26.5 and 1.25.12, minor point releases. These releases include 2 security fixes following the security policy: - os: Root escape via symlink plus trailing slash On Unix systems, opening a file in an os.Root improperly followed symlinks to locations outside of the Root when the final path component of the a path is a symbolic link and the path ends in /. For example, root.Open("symlink/") would open "symlink" even when "symlink" is a symbolic link pointing outside of the root. On Unix, openat(fd, path, O_NOFOLLOW) will follow symlinks in path when path ends in a /. Root failed to account for this behavior, permitting paths with a trailing / to escape. It now properly sanitizes the path parameter provided to openat. hanks to Mundur for reporting this issue. This is CVE-2026-39822 and Go issue https://go.dev/issue/79005. - crypto/tls: Encrypted Client Hello privacy leak he Encrypted Client Hello implementation would leak the pre-shared key dentities during the handshake, allowing a passive network observer who can ollect handshakes to de-anonymize the hostname of the server, even when ECH was eing used. Thanks to Coia Prant (github.com/rbqvq) for reporting this issue. This is CVE-2026-42505 and Go issue https://go.dev/issue/79282. Signed-off-by: Sebastiaan van Stijn --- .go-version | 2 +- Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.go-version b/.go-version index ea0928cedf0..8fe00a57fe1 100644 --- a/.go-version +++ b/.go-version @@ -1 +1 @@ -1.26.4 +1.26.5 diff --git a/Dockerfile b/Dockerfile index e663cdfca1f..0b4ca54f5d6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -15,7 +15,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -ARG GO_VERSION=1.26.4 +ARG GO_VERSION=1.26.5 ARG XX_VERSION=1.9.0 ARG GOLANGCI_LINT_VERSION=v2.11.3 ARG ADDLICENSE_VERSION=v1.0.0