Comparing changes

base repository: coder/coder
base: v2.33.6
head repository: coder/coder
compare: release/2.33
  • 3 commits
  • 5 files changed
  • 1 contributor

Commits on Jun 4, 2026

  1. fix: upgrade go-git to v5.19.1 (CVE-2026-45570, CVE-2026-45571) (#25773)

    Upgrade `github.com/go-git/go-git/v5` from v5.19.0 to v5.19.1 on the
    `release/2.33` branch to fix two CVEs:
    
    | CVE | Severity | Description |
    |---|---|---|
    | CVE-2026-45571 | Medium | Crafted repositories may modify main and submodule .git directories |
    | CVE-2026-45570 | Low | Improper single-quote escaping in SSH transport |
    
    `main` already has v5.19.1. This cherry-picks the dependency bump to
    `release/2.33`.
    
    Fixes https://linear.app/codercom/issue/ENT-98
    
    > Generated with [Coder Agents](https://coder.com/agents)
    Shelnutt2 authored Jun 4, 2026
    5e73950
  2. fix: upgrade golang.org/x/net to v0.55.0 (5 CVEs) (backport 2.33) (#25774)

    Upgrades `golang.org/x/net` from v0.53.0 to v0.55.0 on the
    `release/2.33` branch to resolve five `x/net/html` CVEs discovered in
    the IronBank scan.
    
    ## CVEs resolved
    
    | CVE | Severity | Description |
    |---|---|---|
    | CVE-2026-25680 | Low | DoS via cubic complexity algorithm in HTML tree construction |
    | CVE-2026-25681 | Low | Incorrect handling of character references in DOCTYPE nodes (XSS) |
    | CVE-2026-27136 | Low | Incorrect handling of namespaced elements in foreign content (XSS) |
    | CVE-2026-42502 | Low | Incorrect handling of HTML elements in foreign content (XSS) |
    | CVE-2026-42506 | Low | Failure to reject ASCII-only Punycode-encoded labels (privilege escalation) |
    
    ## Changes
    
    - `golang.org/x/net` v0.53.0 -> v0.55.0
    - `golang.org/x/crypto` v0.50.0 -> v0.51.0
    - `golang.org/x/sys` v0.43.0 -> v0.45.0
    - `golang.org/x/term` v0.42.0 -> v0.43.0
    - `golang.org/x/text` v0.36.0 -> v0.37.0
    
    Refs ENT-97
    
    > [!NOTE]
    > Generated by [Coder Agents](https://coder.com) on behalf of @Shelnutt2
    Shelnutt2 authored Jun 4, 2026
    921d037
  3. fix: upgrade Go to 1.25.11 (CVE-2026-27145, CVE-2026-42507) (#26065)

    ## Summary
    
    Upgrades the Go toolchain from 1.25.10 to 1.25.11 on the `release/2.33`
    branch to address two low-severity CVEs:
    
    - **CVE-2026-27145** (Low): `crypto/x509` `VerifyHostname` quadratic
    cost with large DNS SAN list (DoS on untrusted certs)
    - **CVE-2026-42507** (Low): `net/textproto` attacker-controlled input
    included in errors without escaping (log injection)
    
    ## Changes
    
    - `go.mod`: bump `go` directive from 1.25.10 to 1.25.11
    - `.github/actions/setup-go/action.yaml`: update default Go version
    - `dogfood/coder/ubuntu-26.04/Dockerfile`: update `GO_VERSION` and
    `GO_CHECKSUM`
    - `dogfood/coder/ubuntu-22.04/Dockerfile`: update `GO_VERSION` and
    `GO_CHECKSUM`
    
    Relates to: [ENT-107](https://linear.app/codercom/issue/ENT-107)
    
    > Generated by Coder Agents
    Shelnutt2 authored Jun 4, 2026
    757e570
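As a check a reviewer of these three backports might run before cutting a release, here is an added example that is not code from the coder/coder repository: it scans a branch's `go.mod` and reports any of the three upgraded dependencies (the `go` directive, go-git, x/net) still below the fixed versions named in the commits above. The `Minimums` table and the `Outdated`/`older` functions are this example's own; the other x/* bumps are deliberately not tracked.

```go
package main

import (
	"strconv"
	"strings"
)

// Minimums holds the fixed versions the three backported commits move to
// (Go 1.25.11, go-git v5.19.1, x/net v0.55.0). The map is this example's
// own structure; the paths and versions come from the commit messages.
var Minimums = map[string]string{
	"go":                          "1.25.11",
	"github.com/go-git/go-git/v5": "v5.19.1",
	"golang.org/x/net":            "v0.55.0",
}

// older reports whether dotted version a sorts below b (leading "v" ignored).
// Pre-release and pseudo-version suffixes are not parsed and count as 0.
func older(a, b string) bool {
	pa := strings.Split(strings.TrimPrefix(a, "v"), ".")
	pb := strings.Split(strings.TrimPrefix(b, "v"), ".")
	for i := 0; i < len(pa) && i < len(pb); i++ {
		x, _ := strconv.Atoi(pa[i])
		y, _ := strconv.Atoi(pb[i])
		if x != y {
			return x < y
		}
	}
	return len(pa) < len(pb)
}

// Outdated scans go.mod text line by line and checks each "path version"
// pair (go directive, single-line require, require-block entry) against
// Minimums, returning "path have < want" for every module still too old.
func Outdated(gomod string) []string {
	var out []string
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(line)
		if len(f) >= 3 && f[0] == "require" {
			f = f[1:] // single-line form: require path version
		}
		if len(f) < 2 || strings.Contains(line, "=>") { // skip replace lines
			continue
		}
		if want, ok := Minimums[f[0]]; ok && older(f[1], want) {
			out = append(out, f[0]+" "+f[1]+" < "+want)
		}
	}
	return out
}
```

Call `Outdated` on the contents of the branch's `go.mod` from a CI step or a Go test; an empty result means all three pinned minimums are met.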