From 7e8457115bd4d829d621afaa89a969b89e49c0d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= Date: Fri, 16 Jan 2026 09:44:46 +0100 Subject: [PATCH] update to go1.25.6 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This releases includes 6 security fixes following the security policy: - archive/zip: denial of service when parsing arbitrary ZIP archives archive/zip used a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive. Thanks to Thanks to Jakub Ciolek for reporting this issue. This is CVE-2025-61728 and Go issue https://go.dev/issue/77102. - net/http: memory exhaustion in Request.ParseForm When parsing a URL-encoded form net/http may allocate an unexpected amount of memory when provided a large number of key-value pairs. This can result in a denial of service due to memory exhaustion. Thanks to jub0bs for reporting this issue. This is CVE-2025-61726 and Go issue https://go.dev/issue/77101. - crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain The Config.Clone methods allows cloning a Config which has already been passed to a TLS function, allowing it to be mutated and reused. If Config.SessionTicketKey has not been set, and Config.SetSessionTicketKeys has not been called, crypto/tls will generate random session ticket keys and automatically rotate them. Config.Clone would copy these automatically generated keys into the returned Config, meaning that the two Configs would share session ticket keys, allowing sessions created using one Config could be used to resume sessions with the other Config. This can allow clients to resume sessions even though the Config may be configured such that they should not be able to do so. Config.Clone no longer copies the automatically generated session ticket keys. Config.Clone still copies keys which are explicitly provided, either by setting Config.SessionTicketKey or by calling Config.SetSessionTicketKeys. This issue was discoverd by the Go Security team while investigating another issue reported by Coia Prant (github.com/rbqvq). Additionally, on the server side only the expiration of the leaf certificate, if one was provided during the initial handshake, was checked when considering if a session could be resumed. This allowed sessions to be resumed if an intermediate or root certificate in the chain had expired. Session resumption now takes into account of the full chain when determining if the session can be resumed. Thanks to Coia Prant (github.com/rbqvq) for reporting this issue. This is CVE-2025-68121 and Go issue https://go.dev/issue/77113. - cmd/go: bypass of flag sanitization can lead to arbitrary code execution Usage of 'CgoPkgConfig' allowed execution of the pkg-config binary with flags that are not explicitly safe-listed. To prevent this behavior, compiler flags resulting from usage of 'CgoPkgConfig' are sanitized prior to invoking pkg-config. Thank you to RyotaK (https://ryotak.net) of GMO Flatt Security Inc. for reporting this issue. This is CVE-2025-61731 and go.dev/issue/77100. - cmd/go: unexpected code execution when invoking toolchain The Go toolchain supports multiple VCS which are used retrieving modules and embedding build information into binaries. On systems with Mercurial installed (hg) downloading modules (e.g. via go get or go mod download) from non-standard sources (e.g. custom domains) can cause unexpected code execution due to how external VCS commands are constructed. On systems with Git installed, downloading and building modules with malicious version strings could allow an attacker to write to arbitrary files on the system the user has access to. This can only be triggered by explicitly providing the malicious version strings to the toolchain, and does not affect usage of @latest or bare module paths. The toolchain now uses safer VCS options to prevent misinterpretation of untrusted inputs. In addition, the toolchain now disallows module version strings prefixed with a "-" or "/" character. Thanks to splitline (@splitline) from DEVCORE Research Team for reporting this issue. This is CVE-2025-68119 and Go issue https://go.dev/issue/77099. - crypto/tls: handshake messages may be processed at the incorrect encryption level During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake. Thanks to Coia Prant (github.com/rbqvq) for reporting this issue. This is CVE-2025-61730 and Go issue https://go.dev/issue/76443 View the release notes for more information: https://go.dev/doc/devel/release#go1.25.6 Signed-off-by: Paweł Gronowski --- .github/workflows/codeql.yml | 2 +- .github/workflows/test.yml | 2 +- .golangci.yml | 2 +- Dockerfile | 2 +- docker-bake.hcl | 2 +- dockerfiles/Dockerfile.dev | 2 +- dockerfiles/Dockerfile.lint | 2 +- dockerfiles/Dockerfile.vendor | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 5b9b92bbb80f..105a3ee06966 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -63,7 +63,7 @@ jobs: name: Update Go uses: actions/setup-go@v6 with: - go-version: "1.25.5" + go-version: "1.25.6" - name: Initialize CodeQL uses: github/codeql-action/init@v4 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 066745b7d6d7..43680351fd1f 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -67,7 +67,7 @@ jobs: name: Set up Go uses: actions/setup-go@v6 with: - go-version: "1.25.5" + go-version: "1.25.6" - name: Test run: | diff --git a/.golangci.yml b/.golangci.yml index 20d042cbc8d0..5b86109d3d5d 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -5,7 +5,7 @@ run: # which causes it to fallback to go1.17 semantics. # # TODO(thaJeztah): update "usetesting" settings to enable go1.24 features once our minimum version is go1.24 - go: "1.25.5" + go: "1.25.6" timeout: 5m diff --git a/Dockerfile b/Dockerfile index f1b3bb233b77..efbcc6706b45 100644 --- a/Dockerfile +++ b/Dockerfile @@ -8,7 +8,7 @@ ARG BASE_VARIANT=alpine ARG ALPINE_VERSION=3.22 ARG BASE_DEBIAN_DISTRO=bookworm -ARG GO_VERSION=1.25.5 +ARG GO_VERSION=1.25.6 # XX_VERSION specifies the version of the xx utility to use. # It must be a valid tag in the docker.io/tonistiigi/xx image repository. diff --git a/docker-bake.hcl b/docker-bake.hcl index ddcd9413835d..d71e2c3763b4 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -1,5 +1,5 @@ variable "GO_VERSION" { - default = "1.25.5" + default = "1.25.6" } variable "VERSION" { default = "" diff --git a/dockerfiles/Dockerfile.dev b/dockerfiles/Dockerfile.dev index 841b08147942..0521a5053ac6 100644 --- a/dockerfiles/Dockerfile.dev +++ b/dockerfiles/Dockerfile.dev @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.25.5 +ARG GO_VERSION=1.25.6 # ALPINE_VERSION sets the version of the alpine base image to use, including for the golang image. # It must be a supported tag in the docker.io/library/alpine image repository diff --git a/dockerfiles/Dockerfile.lint b/dockerfiles/Dockerfile.lint index ddba7e9b2772..d6a5bf24f5d2 100644 --- a/dockerfiles/Dockerfile.lint +++ b/dockerfiles/Dockerfile.lint @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.25.5 +ARG GO_VERSION=1.25.6 # ALPINE_VERSION sets the version of the alpine base image to use, including for the golang image. # It must be a supported tag in the docker.io/library/alpine image repository diff --git a/dockerfiles/Dockerfile.vendor b/dockerfiles/Dockerfile.vendor index ea9b9aba7d51..a2d6a32bba78 100644 --- a/dockerfiles/Dockerfile.vendor +++ b/dockerfiles/Dockerfile.vendor @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.25.5 +ARG GO_VERSION=1.25.6 # ALPINE_VERSION sets the version of the alpine base image to use, including for the golang image. # It must be a supported tag in the docker.io/library/alpine image repository