From 6d245daa912d338a51451cd209468f1379b6b922 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Wed, 8 Jul 2026 00:01:42 +0200 Subject: [PATCH] update to go1.26.5 go1.26.5 (released 2026-07-07) includes security fixes to the crypto/tls and os packages, as well as bug fixes to the compiler, the runtime, the go command, and the net, os, and syscall packages. See the Go 1.26.5 milestone on our issue tracker for details; - https://github.com/golang/go/issues?q=milestone%3AGo1.26.5+label%3ACherryPickApproved - full diff: https://github.com/golang/go/compare/go1.26.4...go1.26.5 From the security announcement: We have just released Go versions 1.26.5 and 1.25.12, minor point releases. These releases include 2 security fixes following the security policy: - os: Root escape via symlink plus trailing slash On Unix systems, opening a file in an os.Root improperly followed symlinks to locations outside of the Root when the final path component of the a path is a symbolic link and the path ends in /. For example, root.Open("symlink/") would open "symlink" even when "symlink" is a symbolic link pointing outside of the root. On Unix, openat(fd, path, O_NOFOLLOW) will follow symlinks in path when path ends in a /. Root failed to account for this behavior, permitting paths with a trailing / to escape. It now properly sanitizes the path parameter provided to openat. hanks to Mundur for reporting this issue. This is CVE-2026-39822 and Go issue https://go.dev/issue/79005. - crypto/tls: Encrypted Client Hello privacy leak he Encrypted Client Hello implementation would leak the pre-shared key dentities during the handshake, allowing a passive network observer who can ollect handshakes to de-anonymize the hostname of the server, even when ECH was eing used. Thanks to Coia Prant (github.com/rbqvq) for reporting this issue. This is CVE-2026-42505 and Go issue https://go.dev/issue/79282. Signed-off-by: Sebastiaan van Stijn --- .github/workflows/codeql.yml | 2 +- .github/workflows/test.yml | 2 +- .github/workflows/validate.yml | 2 +- .golangci.yml | 2 +- Dockerfile | 2 +- dockerfiles/Dockerfile.dev | 2 +- dockerfiles/Dockerfile.lint | 2 +- dockerfiles/Dockerfile.vendor | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 259fad5c8040..8768a39e3874 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -64,7 +64,7 @@ jobs: name: Update Go uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.26.4" + go-version: "1.26.5" cache: false - name: Initialize CodeQL diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index a4e84a1c1311..0903a3281f53 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -68,7 +68,7 @@ jobs: name: Set up Go uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.26.4" + go-version: "1.26.5" cache: false - name: Test diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 27d4af98c816..d2135bda2b17 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -101,7 +101,7 @@ jobs: name: Set up Go uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: - go-version: "1.26.4" + go-version: "1.26.5" cache: false - name: Run gocompat check diff --git a/.golangci.yml b/.golangci.yml index dfb592403cc0..6aec71dbb74e 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -5,7 +5,7 @@ run: # which causes it to fallback to go1.17 semantics. # # TODO(thaJeztah): update "usetesting" settings to enable go1.24 features once our minimum version is go1.24 - go: "1.26.4" + go: "1.26.5" timeout: 5m diff --git a/Dockerfile b/Dockerfile index ccde94ee6df7..2a71bf8889e8 100644 --- a/Dockerfile +++ b/Dockerfile @@ -8,7 +8,7 @@ ARG BASE_VARIANT=alpine ARG ALPINE_VERSION=3.23 ARG BASE_DEBIAN_DISTRO=bookworm -ARG GO_VERSION=1.26.4 +ARG GO_VERSION=1.26.5 # XX_VERSION specifies the version of the xx utility to use. # It must be a valid tag in the docker.io/tonistiigi/xx image repository. diff --git a/dockerfiles/Dockerfile.dev b/dockerfiles/Dockerfile.dev index c4a9a39b1ba5..b40cbb287c11 100644 --- a/dockerfiles/Dockerfile.dev +++ b/dockerfiles/Dockerfile.dev @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.26.4 +ARG GO_VERSION=1.26.5 # ALPINE_VERSION sets the version of the alpine base image to use, including for the golang image. # It must be a supported tag in the docker.io/library/alpine image repository diff --git a/dockerfiles/Dockerfile.lint b/dockerfiles/Dockerfile.lint index 10cc37266258..4f8e1b46b380 100644 --- a/dockerfiles/Dockerfile.lint +++ b/dockerfiles/Dockerfile.lint @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.26.4 +ARG GO_VERSION=1.26.5 # ALPINE_VERSION sets the version of the alpine base image to use, including for the golang image. # It must be a supported tag in the docker.io/library/alpine image repository diff --git a/dockerfiles/Dockerfile.vendor b/dockerfiles/Dockerfile.vendor index 9c2f91a323b1..df06caaaf3ed 100644 --- a/dockerfiles/Dockerfile.vendor +++ b/dockerfiles/Dockerfile.vendor @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.26.4 +ARG GO_VERSION=1.26.5 # ALPINE_VERSION sets the version of the alpine base image to use, including for the golang image. # It must be a supported tag in the docker.io/library/alpine image repository