From 74506eaffa5a21eea0f7a4990c513495bbfc4ff4 Mon Sep 17 00:00:00 2001 From: "chainloop-platform[bot]" <266818671+chainloop-platform[bot]@users.noreply.github.com> Date: Sun, 10 May 2026 09:01:44 +0000 Subject: [PATCH 1/2] fix: upgrade Go to 1.26.3 to resolve CVE-2026-33814 CVE-2026-33814 is an infinite loop vulnerability in Go's HTTP/2 transport implementation. When an HTTP/2 client receives a SETTINGS frame with SETTINGS_MAX_FRAME_SIZE set to 0 from a malicious server, the transport enters an infinite loop writing CONTINUATION frames. This vulnerability affects all gRPC clients in the Chainloop codebase, including the CLI and inter-service communication components, as gRPC uses HTTP/2 transport. Upgrading to Go 1.26.3 includes the fix that properly validates SETTINGS_MAX_FRAME_SIZE values to prevent the infinite loop condition. Assisted-by: Claude Code --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 0179b04ef..251963644 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/chainloop-dev/chainloop -go 1.26.2 +go 1.26.3 require ( cloud.google.com/go/secretmanager v1.16.0 From 84ebac49a028b6202def9113147a0e2e63367f2d Mon Sep 17 00:00:00 2001 From: Miguel Martinez Trivino Date: Sun, 10 May 2026 11:08:27 +0200 Subject: [PATCH 2/2] chore: update Dockerfiles and docs to Go 1.26.3 Propagate the Go 1.26.3 upgrade to the goreleaser Dockerfiles and CLAUDE.md so the runtime images and documentation match go.mod. Assisted-by: Claude Code Signed-off-by: Miguel Martinez Trivino --- CLAUDE.md | 2 +- app/artifact-cas/Dockerfile.goreleaser | 2 +- app/cli/Dockerfile.goreleaser | 2 +- app/controlplane/Dockerfile.goreleaser | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/CLAUDE.md b/CLAUDE.md index 6467f03c0..34708eca3 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -135,7 +135,7 @@ make migration_lint # Lint migration files ## Key Technologies -- **Language**: Go 1.26.2 +- **Language**: Go 1.26.3 - **API**: gRPC with HTTP/JSON gateway, Protocol Buffers with buf - **Database**: PostgreSQL with Ent ORM, Atlas for migrations - **Authentication**: OIDC, JWT tokens diff --git a/app/artifact-cas/Dockerfile.goreleaser b/app/artifact-cas/Dockerfile.goreleaser index 020a19471..1d53ba848 100644 --- a/app/artifact-cas/Dockerfile.goreleaser +++ b/app/artifact-cas/Dockerfile.goreleaser @@ -1,4 +1,4 @@ -FROM golang:1.26.2@sha256:2a2b4b5791cea8ae09caecba7bad0bd9631def96e5fe362e4a5e67009fe4ae61 AS builder +FROM golang:1.26.3@sha256:2981696eed011d747340d7252620932677929cce7d2d539602f56a8d7e9b660b AS builder FROM scratch diff --git a/app/cli/Dockerfile.goreleaser b/app/cli/Dockerfile.goreleaser index 175fbc1ea..3027de830 100644 --- a/app/cli/Dockerfile.goreleaser +++ b/app/cli/Dockerfile.goreleaser @@ -1,4 +1,4 @@ -FROM golang:1.26.2@sha256:2a2b4b5791cea8ae09caecba7bad0bd9631def96e5fe362e4a5e67009fe4ae61 AS builder +FROM golang:1.26.3@sha256:2981696eed011d747340d7252620932677929cce7d2d539602f56a8d7e9b660b AS builder RUN mkdir -p /.config/chainloop FROM scratch diff --git a/app/controlplane/Dockerfile.goreleaser b/app/controlplane/Dockerfile.goreleaser index 93cd4c402..98de01faa 100644 --- a/app/controlplane/Dockerfile.goreleaser +++ b/app/controlplane/Dockerfile.goreleaser @@ -1,4 +1,4 @@ -FROM golang:1.26.2@sha256:2a2b4b5791cea8ae09caecba7bad0bd9631def96e5fe362e4a5e67009fe4ae61 AS builder +FROM golang:1.26.3@sha256:2981696eed011d747340d7252620932677929cce7d2d539602f56a8d7e9b660b AS builder FROM scratch