From b458dc9e81e732fdaa66dac672db36ff28d6b6c5 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= Date: Wed, 3 Jun 2026 15:40:57 +0200 Subject: [PATCH] update to go1.26.4 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This release include 3 security fixes following the security policy: - mime: quadratic complexity in WordDecoder.DecodeHeader Decoding a maliciously-crafted MIME header containing many invalid encoded-words could consume excessive CPU. The MIME decoder now better handles this case. Thanks to p4p3r (https://hackerone.com/p4p3r_hak) for reporting this issue. This is CVE-2026-42504 and Go issue https://go.dev/issue/79217. - net/textproto: arbitrary input are included in errors without any escaping When returning errors, functions in the net/textproto package would include its input as part of the error, without any escaping. Note that said input is often controlled by external parties when using this package naturally. For example, a net/http client uses ReadMIMEHeader when parsing the headers it receive from a server. As a result, an attacker could inject arbitrary content into the error. Practically, this can result in an attacker injecting misleading content, terminal control bytes, etc. into a victim's output or logs. This is CVE-2026-42507 and Go issue https://go.dev/issue/79346 - crypto/x509: split candidate hostname only once (*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates. Thanks to Jakub Ciolek (https://ciolek.dev) for reporting this issue. This is CVE-2026-27145 and https://go.dev/issue/79694. 
View the release notes for more information: https://go.dev/doc/devel/release#go1.26.4 Signed-off-by: Paweł Gronowski --- .github/workflows/codeql.yml | 2 +- .github/workflows/test.yml | 2 +- .github/workflows/validate.yml | 2 +- .golangci.yml | 2 +- Dockerfile | 2 +- dockerfiles/Dockerfile.dev | 2 +- dockerfiles/Dockerfile.lint | 2 +- dockerfiles/Dockerfile.vendor | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 40389f5842e3..2455fd5744a9 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -63,7 +63,7 @@ jobs: name: Update Go uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with:
- go-version: "1.26.3"
+ go-version: "1.26.4"
 cache: false - name: Initialize CodeQL
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 1008218ebaad..44526649a08a 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -67,7 +67,7 @@ jobs: name: Set up Go uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with:
- go-version: "1.26.3"
+ go-version: "1.26.4"
 cache: false - name: Test
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index bafacfe7d4bc..c376e4d1369f 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -96,7 +96,7 @@ jobs: name: Set up Go uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with:
- go-version: "1.26.3"
+ go-version: "1.26.4"
 cache: false - name: Run gocompat check
diff --git a/.golangci.yml b/.golangci.yml
index 92b73df7ab19..dfb592403cc0 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -5,7 +5,7 @@ run: # which causes it to fallback to go1.17 semantics. # # TODO(thaJeztah): update "usetesting" settings to enable go1.24 features once our minimum version is go1.24
- go: "1.26.3"
+ go: "1.26.4"
 timeout: 5m
diff --git a/Dockerfile b/Dockerfile
index 09357b75b2c7..ccde94ee6df7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,7 +8,7 @@ ARG BASE_VARIANT=alpine ARG ALPINE_VERSION=3.23 ARG BASE_DEBIAN_DISTRO=bookworm
-ARG GO_VERSION=1.26.3
+ARG GO_VERSION=1.26.4
 # XX_VERSION specifies the version of the xx utility to use. # It must be a valid tag in the docker.io/tonistiigi/xx image repository.
diff --git a/dockerfiles/Dockerfile.dev b/dockerfiles/Dockerfile.dev
index e459e4da0065..c4a9a39b1ba5 100644
--- a/dockerfiles/Dockerfile.dev
+++ b/dockerfiles/Dockerfile.dev
@@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1
-ARG GO_VERSION=1.26.3
+ARG GO_VERSION=1.26.4
 # ALPINE_VERSION sets the version of the alpine base image to use, including for the golang image. # It must be a supported tag in the docker.io/library/alpine image repository
diff --git a/dockerfiles/Dockerfile.lint b/dockerfiles/Dockerfile.lint
index d0d903e6b97d..10cc37266258 100644
--- a/dockerfiles/Dockerfile.lint
+++ b/dockerfiles/Dockerfile.lint
@@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1
-ARG GO_VERSION=1.26.3
+ARG GO_VERSION=1.26.4
 # ALPINE_VERSION sets the version of the alpine base image to use, including for the golang image. # It must be a supported tag in the docker.io/library/alpine image repository
diff --git a/dockerfiles/Dockerfile.vendor b/dockerfiles/Dockerfile.vendor
index fa41236d2201..9c2f91a323b1 100644
--- a/dockerfiles/Dockerfile.vendor
+++ b/dockerfiles/Dockerfile.vendor
@@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1
-ARG GO_VERSION=1.26.3
+ARG GO_VERSION=1.26.4
 # ALPINE_VERSION sets the version of the alpine base image to use, including for the golang image. # It must be a supported tag in the docker.io/library/alpine image repository