Skip to content

chore(security): bump the Go toolchain to 1.26.5 for GO-2026-5856#533

Merged
joshua-temple merged 1 commit into
mainfrom
fix/go-toolchain-cve-2026-5856
Jul 8, 2026
Merged

chore(security): bump the Go toolchain to 1.26.5 for GO-2026-5856#533
joshua-temple merged 1 commit into
mainfrom
fix/go-toolchain-cve-2026-5856

Conversation

@joshua-temple

Copy link
Copy Markdown
Collaborator

Problem

The release pipeline's validation gate (vulnerability scan) fails on GO-2026-5856, an Encrypted Client Hello privacy leak in crypto/tls shipped with Go 1.26.4 (the pinned toolchain). This blocked the nightly release from cutting a release-candidate, so the fleet never ran.

Fix

Bump the toolchain directive from go1.26.4 to go1.26.5 (which fixes the CVE) in go.mod and e2e/go.mod. The go language directive is unchanged, and every CI job reads the version via go-version-file: go.mod, so the bump propagates without further edits.

Verification

Built on the auto-downloaded go1.26.5: go build ./..., go test ./..., golangci-lint run ./... all clean; govulncheck ./... exits 0 with no vulnerabilities (GO-2026-5856 cleared). Not a code change; single-component output and behavior are unaffected.

Go 1.26.4's crypto/tls carries GO-2026-5856, an Encrypted Client Hello privacy leak, which the release validation gate's vulnerability scan flags and which blocks the release pipeline. Go 1.26.5 fixes it. Bump the toolchain directive in go.mod and e2e/go.mod; the go language directive is unchanged, and every CI job reads the version from go.mod via go-version-file, so the bump propagates without further edits. govulncheck is clean on 1.26.5.

Signed-off-by: Joshua Temple <joshua.temple@stablekernel.com>
@joshua-temple joshua-temple merged commit f231029 into main Jul 8, 2026
20 checks passed
@joshua-temple joshua-temple deleted the fix/go-toolchain-cve-2026-5856 branch July 8, 2026 17:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant