fix: upgrade Go to 1.25.11 (CVE-2026-27145, CVE-2026-42507)#26062

Open
Shelnutt2 wants to merge 2 commits into release/2.29 from sshelnutt/bump-go-1.25.11-v2.29

@Shelnutt2
Contributor

Summary

Upgrades Go from 1.25.10 to 1.25.11 on the release/2.29 branch to address two low-severity CVEs:

  • CVE-2026-27145 (Low): crypto/x509 VerifyHostname quadratic cost with large DNS SAN list (DoS on untrusted certs)
  • CVE-2026-42507 (Low): net/textproto attacker-controlled input included in errors without escaping (log injection)

Changes

  • go.mod: go 1.25.10 -> go 1.25.11
  • .github/actions/setup-go/action.yaml: default Go version -> 1.25.11
  • dogfood/coder/Dockerfile: GO_VERSION -> 1.25.11

Relates to: ENT-103

Generated by Coder Agents on behalf of @Shelnutt2

Bumps Go from 1.25.10 to 1.25.11 on the release/2.29 branch to address:

- CVE-2026-27145: crypto/x509 VerifyHostname quadratic cost with
  large DNS SAN list
- CVE-2026-42507: net/textproto attacker-controlled input in errors
  without escaping

linear-code Bot commented Jun 4, 2026

ENT-103

@Shelnutt2 Shelnutt2 changed the title from "fix(deps): upgrade Go to 1.25.11 (CVE-2026-27145, CVE-2026-42507)" to "fix: upgrade Go to 1.25.11 (CVE-2026-27145, CVE-2026-42507)" Jun 4, 2026
@Shelnutt2 Shelnutt2 requested a review from f0ssel June 4, 2026 13:40
Member

@Emyrk Emyrk left a comment

https://github.com/coder/coder/blob/main/go.mod#L3

We are on 1.26.2 now. This is stale?

@Shelnutt2
Contributor Author

> https://github.com/coder/coder/blob/main/go.mod#L3
>
> We are on 1.26.2 now. This is stale?

This is the ESR branch on 1.25.
