Skip to content

update to go1.26.5#7087

Open
thaJeztah wants to merge 1 commit into
docker:masterfrom
thaJeztah:update_go1.26.5
Open

update to go1.26.5#7087
thaJeztah wants to merge 1 commit into
docker:masterfrom
thaJeztah:update_go1.26.5

Conversation

@thaJeztah

Copy link
Copy Markdown
Member

go1.26.5 (released 2026-07-07) includes security fixes to the crypto/tls and os packages, as well as bug fixes to the compiler, the runtime, the go command, and the net, os, and syscall packages. See the Go 1.26.5 milestone on our issue tracker for details;

From the security announcement:

We have just released Go versions 1.26.5 and 1.25.12, minor point releases.

These releases include 2 security fixes following the security policy:

  • os: Root escape via symlink plus trailing slash

    On Unix systems, opening a file in an os.Root improperly
    followed symlinks to locations outside of the Root when
    the final path component of the a path is a symbolic link
    and the path ends in /.

    For example, root.Open("symlink/") would open "symlink"
    even when "symlink" is a symbolic link pointing outside of the root.

    On Unix, openat(fd, path, O_NOFOLLOW) will follow symlinks
    in path when path ends in a /. Root failed to account for
    this behavior, permitting paths with a trailing / to escape.
    It now properly sanitizes the path parameter provided to openat.

    hanks to Mundur for reporting this issue.

    This is CVE-2026-39822 and Go issue https://go.dev/issue/79005.

  • crypto/tls: Encrypted Client Hello privacy leak

    he Encrypted Client Hello implementation would leak the pre-shared key
    dentities during the handshake, allowing a passive network observer who can
    ollect handshakes to de-anonymize the hostname of the server, even when ECH was
    eing used.

    Thanks to Coia Prant (github.com/rbqvq) for reporting this issue.

    This is CVE-2026-42505 and Go issue https://go.dev/issue/79282.

- What I did

- How I did it

- How to verify it

- Human readable description for the release notes

Update Go runtime to [1.26.5](https://go.dev/doc/devel/release#go1.26.5)

- A picture of a cute animal (not mandatory but encouraged)

go1.26.5 (released 2026-07-07) includes security fixes to the crypto/tls
and os packages, as well as bug fixes to the compiler, the runtime, the
go command, and the net, os, and syscall packages. See the Go 1.26.5
milestone on our issue tracker for details;

- https://github.com/golang/go/issues?q=milestone%3AGo1.26.5+label%3ACherryPickApproved
- full diff: golang/go@go1.26.4...go1.26.5

From the security announcement:

We have just released Go versions 1.26.5 and 1.25.12, minor point releases.

These releases include 2 security fixes following the security policy:

- os: Root escape via symlink plus trailing slash

  On Unix systems, opening a file in an os.Root improperly
  followed symlinks to locations outside of the Root when
  the final path component of the a path is a symbolic link
  and the path ends in /.

  For example, root.Open("symlink/") would open "symlink"
  even when "symlink" is a symbolic link pointing outside of the root.

  On Unix, openat(fd, path, O_NOFOLLOW) will follow symlinks
  in path when path ends in a /. Root failed to account for
  this behavior, permitting paths with a trailing / to escape.
  It now properly sanitizes the path parameter provided to openat.

  hanks to Mundur for reporting this issue.

  This is CVE-2026-39822 and Go issue https://go.dev/issue/79005.

- crypto/tls: Encrypted Client Hello privacy leak

  he Encrypted Client Hello implementation would leak the pre-shared key
  dentities during the handshake, allowing a passive network observer who can
  ollect handshakes to de-anonymize the hostname of the server, even when ECH was
  eing used.

  Thanks to Coia Prant (github.com/rbqvq) for reporting this issue.

  This is CVE-2026-42505 and Go issue https://go.dev/issue/79282.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah thaJeztah added this to the 29.7.0 milestone Jul 7, 2026
@codecov-commenter

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@docker-agent docker-agent left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assessment: 🟢 APPROVE

This PR updates the Go runtime from 1.26.4 to 1.26.5 across all four Dockerfiles. The bump is consistent across all files and addresses two security CVEs (CVE-2026-39822 and CVE-2026-42505). No issues found.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants