update to go1.26.4#7025

Merged
vvoland merged 1 commit into
docker:masterfrom
vvoland:update-go
Jun 3, 2026

Conversation

@vvoland
Collaborator

@vvoland vvoland commented Jun 3, 2026

- Description for the changelog

Update Go runtime to [1.26.4](https://go.dev/doc/devel/release#go1.26.4)

This release includes 3 security fixes following the security policy:

  • mime: quadratic complexity in WordDecoder.DecodeHeader

    Decoding a maliciously-crafted MIME header containing many invalid
    encoded-words could consume excessive CPU.
    The MIME decoder now better handles this case.

    Thanks to p4p3r (https://hackerone.com/p4p3r_hak) for reporting this issue.

    This is CVE-2026-42504 and Go issue https://go.dev/issue/79217.

  • net/textproto: arbitrary input are included in errors without any escaping

    When returning errors, functions in the net/textproto package would
    include its input as part of the error, without any escaping. Note that
    said input is often controlled by external parties when using this
    package naturally. For example, a net/http client uses ReadMIMEHeader
    when parsing the headers it receives from a server.

    As a result, an attacker could inject arbitrary content into the error.
    Practically, this can result in an attacker injecting misleading
    content, terminal control bytes, etc. into a victim's output or logs.

    This is CVE-2026-42507 and Go issue https://go.dev/issue/79346.

  • crypto/x509: split candidate hostname only once

    (*x509.Certificate).VerifyHostname previously called matchHostnames in a loop
    over all DNS Subject Alternative Name (SAN) entries. This caused
    strings.Split(host, ".") to execute repeatedly on the same input hostname.

    With a large DNS SAN list, verification costs scaled quadratically based on the
    number of SAN entries multiplied by the hostname's label count. Because
    x509.Verify validates hostnames before building the certificate chain, this
    overhead occurred even for untrusted certificates.

    Thanks to Jakub Ciolek (https://ciolek.dev) for reporting this issue.

    This is CVE-2026-27145 and https://go.dev/issue/79694.

View the release notes for more information: https://go.dev/doc/devel/release#go1.26.4

@vvoland vvoland self-assigned this Jun 3, 2026
@vvoland vvoland added this to the 29.5.3 milestone Jun 3, 2026
@codecov-commenter

codecov-commenter commented Jun 3, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@vvoland
Collaborator Author

vvoland commented Jun 3, 2026


--- FAIL: TestConvertToHostname (0.00s)
    --- FAIL: TestConvertToHostname/https://::1:6555/v2/ (0.00s)
        file_store_test.go:299: assertion failed: https: (actual string) != [::1]:6555 (tc.expected string)
FAIL
coverage: 80.2% of statements

Hmm, failure related?

@vvoland vvoland added impact/changelog area/packaging kind/other Not a bugfix, enhancement or feature. labels Jun 3, 2026
@vvoland
Collaborator Author

vvoland commented Jun 3, 2026

Looks like Go stopped parsing IPv6 without brackets: golang/go@0c28789

We can opt into the old behavior with GODEBUG=urlstrictcolons=0 - perhaps fine for a patch release, but then remove for minor?

@vvoland vvoland requested a review from thaJeztah June 3, 2026 14:39
@thaJeztah
Member

Wow, that's a fun breaking change. But wasn't the bracketed notation only required if a port is provided (so ambiguous), and not for anything else?

@thaJeztah
Member

Oh; but that's not in the last patch-release, right? So why didn't it break before? 🤔

@vvoland
Collaborator Author

vvoland commented Jun 3, 2026

The change was included in the 1.26.4 patch release

@vvoland
Collaborator Author

vvoland commented Jun 3, 2026

I added a fallback on our side. I don't really like having to use GODEBUG.

@thaJeztah
Member

> The change was included in the 1.26.4 patch release

I'm trying to see where it is, but maybe I'm overlooking; golang/go@go1.26.3...go1.26.4

@thaJeztah
Member

And the commit shows that it's included in all the go1.26 versions; golang/go@0c28789

Screenshot 2026-06-03 at 16 59 42

@vvoland
Collaborator Author

vvoland commented Jun 3, 2026

Oh hmm, right 🤔

EDIT: Ah, I updated the vendor.mod go directive, that's why it only showed now.

With the go directive set to an older version, it already defaults urlstrictcolons to 0.

https://go.dev/doc/godebug

This release includes 3 security fixes following the security policy:

- mime: quadratic complexity in WordDecoder.DecodeHeader

    Decoding a maliciously-crafted MIME header containing many invalid
    encoded-words could consume excessive CPU.
    The MIME decoder now better handles this case.

    Thanks to p4p3r (https://hackerone.com/p4p3r_hak) for reporting this issue.

    This is CVE-2026-42504 and Go issue https://go.dev/issue/79217.

- net/textproto: arbitrary input are included in errors without any escaping

    When returning errors, functions in the net/textproto package would
    include its input as part of the error, without any escaping. Note that
    said input is often controlled by external parties when using this
    package naturally. For example, a net/http client uses ReadMIMEHeader
    when parsing the headers it receives from a server.

    As a result, an attacker could inject arbitrary content into the error.
    Practically, this can result in an attacker injecting misleading
    content, terminal control bytes, etc. into a victim's output or logs.

    This is CVE-2026-42507 and Go issue https://go.dev/issue/79346.

- crypto/x509: split candidate hostname only once

    (*x509.Certificate).VerifyHostname previously called matchHostnames in a loop
    over all DNS Subject Alternative Name (SAN) entries. This caused
    strings.Split(host, ".") to execute repeatedly on the same input hostname.

    With a large DNS SAN list, verification costs scaled quadratically based on the
    number of SAN entries multiplied by the hostname's label count. Because
    x509.Verify validates hostnames before building the certificate chain, this
    overhead occurred even for untrusted certificates.

    Thanks to Jakub Ciolek (https://ciolek.dev) for reporting this issue.

    This is CVE-2026-27145 and https://go.dev/issue/79694.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.26.4

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
@vvoland vvoland force-pushed the update-go branch 3 times, most recently from b3b3657 to b458dc9 Compare June 3, 2026 15:16
@thaJeztah
Member

thaJeztah commented Jun 3, 2026

It's happy on go1.26.3 🤔

go version
go version go1.26.3 darwin/arm64

go test -run ConvertToHostname ./cli/config/credentials/
ok  	github.com/docker/cli/cli/config/credentials	0.222s

And inside the dev-container;

root@docker-cli-dev# go version
go version go1.26.3 linux/arm64
root@docker-cli-dev# go test -run ConvertToHostname ./cli/config/credentials/
ok  	github.com/docker/cli/cli/config/credentials	0.002s

@thaJeztah
Member

Also with 1.26.4;

go version
go version go1.26.4 darwin/arm64

go test -run ConvertToHostname ./cli/config/credentials/
ok  	github.com/docker/cli/cli/config/credentials	0.503s

@thaJeztah
Member

Right, so it fails if I change go.mod / vendor.mod to go1.26.

@thaJeztah
Member

Mystery solved; it's indeed go language version (I couldn't find where it was controlled), but @vvoland found it;

https://github.com/golang/go/blob/2ce1819e0c817f18edd77c0dac5754eaf7c49c26/src/net/url/url.go#L29

var urlstrictcolons = godebug.New("urlstrictcolons")

https://github.com/golang/go/blob/2ce1819e0c817f18edd77c0dac5754eaf7c49c26/doc/godebug.md?plain=1#L210-L213

Go 1.26 added a new `urlstrictcolons` setting that controls whether `net/url.Parse`
allows malformed hostnames containing colons outside of a bracketed IPv6 address.
The default `urlstrictcolons=1` rejects URLs such as `http://localhost:1:2` or `http://::1/`.
Colons are permitted as part of a bracketed IPv6 address, such as `http://[::1]/`.

And .. the last bit; https://go.dev/doc/godebug

When a GODEBUG setting is not listed in the environment variable, its value is derived from three sources: the defaults for the Go toolchain used to build the program, amended to match the Go version listed in go.mod, and then overridden by explicit //go:debug lines in the program.
When compiling a work module or workspace that declares an older Go version, the Go toolchain amends its defaults to match that older Go version as closely as possible.
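
One way to avoid the GODEBUG=urlstrictcolons=0 opt-out discussed in this thread is to bracket a bare IPv6 authority before handing the URL to url.Parse, so the result is the same under both the old and the strict default. This is an added example, not the docker/cli fallback or Go's own code; the function names and sample inputs are constructed, and the "[::1]:6555" reading of "::1:6555" follows the expected value in the test failure quoted above.

```go
package main

import (
	"fmt"
	"net/netip"
	"net/url"
	"strconv"
	"strings"
)

// bracketIPv6Authority rewrites a bare IPv6 authority such as "::1:6555" into the
// "[::1]:6555" form url.Parse accepts under urlstrictcolons=1; bracketed, non-IPv6 and single-colon input is returned unchanged.
func bracketIPv6Authority(auth string) string {
	if strings.Contains(auth, "[") || strings.Count(auth, ":") < 2 {
		return auth
	}
	// Prefer the "address:port" reading, matching the "[::1]:6555" the failing test
	// expects. "::1:6555" is also a valid address on its own: the ambiguity strict mode refuses to guess at.
	if i := strings.LastIndexByte(auth, ':'); i > 0 {
		if _, err := strconv.ParseUint(auth[i+1:], 10, 16); err == nil {
			if ip, err := netip.ParseAddr(auth[:i]); err == nil && ip.Is6() {
				return "[" + auth[:i] + "]:" + auth[i+1:]
			}
		}
	}
	if ip, err := netip.ParseAddr(auth); err == nil && ip.Is6() {
		return "[" + auth + "]" // whole authority is an address, no port
	}
	return auth
}

// hostFromURL returns the host[:port] of a scheme://authority URL, normalizing a
// bare IPv6 authority first instead of relying on GODEBUG=urlstrictcolons=0 (constructed helper).
func hostFromURL(raw string) (string, error) {
	scheme, rest, ok := strings.Cut(raw, "://")
	if !ok {
		return "", fmt.Errorf("missing scheme in %q", raw)
	}
	end := strings.IndexAny(rest+"/", "/?#") // authority ends at path, query or fragment
	u, err := url.Parse(scheme + "://" + bracketIPv6Authority(rest[:end]) + rest[end:])
	if err != nil {
		return "", err
	}
	return u.Host, nil
}

func main() {
	h, err := hostFromURL("https://::1:6555/v2/") // the input from the failing test above
	fmt.Println(h, err)
}
```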

Member

@thaJeztah thaJeztah left a comment

LGTM

@vvoland vvoland merged commit 45f10f2 into docker:master Jun 3, 2026
108 of 109 checks passed