Comparing changes
base repository: coder/coder
base: v2.32.1
head repository: coder/coder
compare: v2.32.2
- 10 commits
- 17 files changed
- 6 contributors
Commits on May 12, 2026
fix: bump golang.org/x/net to v0.53.0 (CVE-2026-33814) (#25224)
Cherry-pick the `golang.org/x/net` v0.53.0 bump to `release/2.32` to fix an HTTP/2 infinite-loop DoS when processing SETTINGS frames with `MAX_FRAME_SIZE=0`.

Original PR: #24259
Advisory: https://pkg.go.dev/vuln/GO-2026-4918
Fixes: https://linear.app/codercom/issue/ENT-28

<details><summary>Packages bumped</summary>

| Package | From | To |
|---------|------|-----|
| golang.org/x/net | v0.52.0 | v0.53.0 |
| golang.org/x/crypto | v0.49.0 | v0.50.0 |
| golang.org/x/sys | v0.42.0 | v0.43.0 |
| golang.org/x/term | v0.41.0 | v0.42.0 |
| golang.org/x/text | v0.35.0 | v0.36.0 |

</details>

> Generated by Coder Agents
Commit 561e42d
fix(go.mod): bump gomarkdown to fix GHSA-77fj-vx54-gvh7 (v2.32) (#25225)
Cherry-pick of #24567 (commit 869168b) to `release/2.32`.

Bumps `github.com/gomarkdown/markdown` from `v0.0.0-20240930133441-72d49d9543d8` to `v0.0.0-20260411013819-759bbc3e3207` to fix an out-of-bounds read in SmartypantsRenderer ([GHSA-77fj-vx54-gvh7](GHSA-77fj-vx54-gvh7)).

Refs https://linear.app/codercom/issue/ENT-29

> Generated by Coder Agents

Co-authored-by: Lukasz <CommanderK5@users.noreply.github.com>
Commit a7e6c6e
fix: cherry-pick OTel SDK v1.43.0 for CVE-2026-39883 (v2.32.x) (#25227)
Cherry-pick of #24078 (commit 0552b92) to `release/2.32`.

Bumps the OpenTelemetry Go SDK from v1.42.0 to v1.43.0 to fix CVE-2026-39883 (PATH hijacking on BSD/Solaris via a bare `kenv` command in `go.opentelemetry.io/otel/sdk`).

Refs GHSA-hfvc-g4fc-pqhx

<details>
<summary>Version changes</summary>

| Package | Before | After |
|---------|--------|-------|
| `go.opentelemetry.io/otel` | v1.42.0 | v1.43.0 |
| `go.opentelemetry.io/otel/sdk` | v1.42.0 | v1.43.0 |
| `go.opentelemetry.io/otel/trace` | v1.42.0 | v1.43.0 |
| `go.opentelemetry.io/otel/metric` | v1.42.0 | v1.43.0 |
| `go.opentelemetry.io/otel/sdk/metric` | v1.42.0 | v1.43.0 |
| `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` | v0.67.0 | v0.68.0 |

</details>

> 🤖 Generated by Coder Agents

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit be2cd7a
fix: bump github.com/go-git/go-git/v5 from 5.18.0 to 5.19.0 (#25240)
Cherry-pick of the go-git v5.19.0 bump to `release/2.32` to fix CVE-2026-45022 (improper object parsing).

Original PR: #25124
Ref: GHSA-389r-gv7p-r3rp
Supersedes #25226 (rebased on top of #25224).

> [!NOTE]
> This PR was authored by Coder Agents.

<details><summary>Context</summary>

The cherry-pick of the original commit (`c1c3b978`) had merge conflicts in `go.mod`/`go.sum` due to dependency drift between `main` and `release/2.32`. Instead, the bump was applied directly via `go get github.com/go-git/go-git/v5@v5.19.0` followed by `go mod tidy`, producing equivalent results.

Linear: ENT-24

</details>
Commit bbe0286
fix(site): move pagination test from vitest to storybook story (cherry-pick #24165) (#25238)
Cherry-pick of #24165 to `release/2.32`.

Moves the flaky pagination query key test from vitest to a Storybook story. The test timed out in CI because `renderWithAuth` boots 12+ MSW round-trips before the page mounts. The story uses decorators to pre-seed the query cache, skipping the MSW waterfall entirely.

> 🤖 Generated by Coder Agent

Co-authored-by: Danielle Maywood <danielle@themaywoods.com>
Commit da939aa
Commits on May 13, 2026
fix: upgrade Go toolchain from 1.25.9 to 1.25.10 (#25228)
Go 1.25.10 (released 2026-05-07) includes 11 security fixes for CVEs affecting the go command, pack tool, html/template, net, net/http, net/http/httputil, net/mail, and syscall packages.

Fixes IronBank v2.32.x Go stdlib CVE exposure by upgrading from Go 1.25.9 to 1.25.10.

Reference: https://groups.google.com/g/golang-dev/c/h6eZjndBMqQ

### Changed files

- `go.mod`: `go 1.25.9` to `go 1.25.10`
- `dogfood/coder/Dockerfile`: `GO_VERSION` and `GO_CHECKSUM`
- `.github/actions/setup-go/action.yaml`: default version

> Generated by Coder Agents
Commit 315e800
fix(scripts/ironbank): update base image to UBI9 and remove urllib3 (CVE-2026-44431) (#25249)
## Summary

Update the IronBank Dockerfile to use UBI9 (9.6) instead of UBI8 (8.7) and explicitly remove `python3-urllib3` to address CVE-2026-44431.

### Changes

- **Dockerfile**: Upgrade base image from `ubi8-minimal:8.7` to `ubi9-minimal:9.6`
- **Dockerfile**: Add `microdnf remove python3-urllib3` step after package install
- **build_ironbank.sh**: Update local build args to match the new UBI9 base image

### Context

urllib3 1.26.5 is bundled in the UBI base image. Coder is a Go binary and does not invoke Python at runtime, so this library is unused. The removal step is a belt-and-suspenders safeguard in case UBI9 still ships the package.

Fixes: ENT-52

> [!NOTE]
> This PR was generated by [Coder Agents](https://coder.com/docs/agents).
Commit d944b92
fix(coderd): harden Azure identity certificate fetch (cherry-pick v2.…
Commit 25219f3
fix: verify PKCS7 signature on Azure instance identity tokens (backport 2.32) (#25303)
The Azure instance-identity authentication endpoint parsed the PKCS7 envelope and verified the certificate chain, but never verified the PKCS7 signature itself. An attacker could forge a PKCS7 envelope with a legitimate, publicly obtainable Azure certificate and arbitrary vmId content to obtain any agent auth token.

Add verifyPKCS7Signature(), a custom PKCS7 signature verification that handles Azure's non-standard use of sha256WithRSAEncryption (OID 1.2.840.113549.1.1.11) as the DigestAlgorithm. The upstream go.mozilla.org/pkcs7 library's Verify() rejects this combination.

The verification checks:

1. Content digest matches the signed message-digest attribute
2. Signature over the authenticated attributes is valid

Tests added:

- TestValidate_TamperedContent: forges a PKCS7 with modified vmId, confirms rejection
- TestValidate_UntrustedCertWithValidSignature: valid PKCS7 signature with untrusted cert chain, confirms rejection

Co-authored-by: Jakub Domeracki <jakub@coder.com>
Commit d6e9344
fix(coderd): backport frame-ancestors CSP fixes to 2.32 (#24474, #24529) (#24806)
Cherry-pick backport of #24474 and #24529 to `release/2.32`.

- #24474: fix(coderd): add frame-ancestors CSP directive to prevent clickjacking
- #24529: fix(coderd): omit frame-ancestors CSP for embed routes

Both commits cherry-picked cleanly with no conflicts.

> Generated by Coder Agents
Commit 5f343bc
You can try running this command locally to see the comparison on your machine:
git diff v2.32.1...v2.32.2