From 2d5d0842c57a2770c2c54d263968598088b8c680 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Thu, 5 Feb 2026 12:42:11 +0100 Subject: [PATCH] update to go1.25.7 go1.25.7 (released 2026-02-04) includes security fixes to the go command and the crypto/tls package, as well as bug fixes to the compiler and the crypto/x509 package. See the Go 1.25.7 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.25.7+label%3ACherryPickApproved full diff: https://github.com/golang/go/compare/go1.25.6...go1.25.7 From the security mailing list: > Hello gophers, > > We have just released Go versions 1.25.7 and 1.24.13, minor point releases. > > These releases include 2 security fixes following the security policy: > > - cmd/cgo: remove user-content from doc strings in cgo ASTs > > A discrepancy between how Go and C/C++ comments > were parsed allowed for code smuggling into the > resulting cgo binary. > > To prevent this behavior, the cgo compiler > will no longer parse user-provided doc > comments. > > Thank you to RyotaK (https://ryotak.net) of > GMO Flatt Security Inc. for reporting this issue. > > This is CVE-2025-61732 and https://go.dev/issue/76697. > > - crypto/tls: unexpected session resumption when using Config.GetConfigForClient > > Config.GetConfigForClient is documented to use the original Config's session > ticket keys unless explicitly overridden. This can cause unexpected behavior if > the returned Config modifies authentication parameters, like ClientCAs: a > connection initially established with the parent (or a sibling) Config can be > resumed, bypassing the modified authentication requirements. > > If ClientAuth is VerifyClientCertIfGiven or RequireAndVerifyClientCert (on the > server) or InsecureSkipVerify is false (on the client), crypto/tls now checks > that the root of the previously-verified chain is still in ClientCAs/RootCAs > when resuming a connection. > > Go 1.26 Release Candidate 2, Go 1.25.6, and Go 1.24.12 had fixed a similar issue > related to session ticket keys being implicitly shared by Config.Clone. Since > this fix is broader, the Config.Clone behavior change has been reverted. > > Note that VerifyPeerCertificate still behaves as documented: it does not apply > to resumed connections. Applications that use Config.GetConfigForClient or > Config.Clone and do not wish to blindly resume connections established with the > original Config must use VerifyConnection instead (or SetSessionTicketKeys or > SessionTicketsDisabled). > > Thanks to Coia Prant (github.com/rbqvq) for reporting this issue. > > This updates CVE-2025-68121 and Go issue https://go.dev/issue/77217. Signed-off-by: Sebastiaan van Stijn --- .github/workflows/codeql.yml | 2 +- .github/workflows/test.yml | 2 +- .golangci.yml | 2 +- Dockerfile | 2 +- docker-bake.hcl | 2 +- dockerfiles/Dockerfile.dev | 2 +- dockerfiles/Dockerfile.lint | 2 +- dockerfiles/Dockerfile.vendor | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 105a3ee06966..cf7dcf1742df 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -63,7 +63,7 @@ jobs: name: Update Go uses: actions/setup-go@v6 with: - go-version: "1.25.6" + go-version: "1.25.7" - name: Initialize CodeQL uses: github/codeql-action/init@v4 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 43680351fd1f..a11784cb25f2 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -67,7 +67,7 @@ jobs: name: Set up Go uses: actions/setup-go@v6 with: - go-version: "1.25.6" + go-version: "1.25.7" - name: Test run: | diff --git a/.golangci.yml b/.golangci.yml index 5b86109d3d5d..764185372160 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -5,7 +5,7 @@ run: # which causes it to fallback to go1.17 semantics. # # TODO(thaJeztah): update "usetesting" settings to enable go1.24 features once our minimum version is go1.24 - go: "1.25.6" + go: "1.25.7" timeout: 5m diff --git a/Dockerfile b/Dockerfile index c4317bab23f0..30e2a400ea65 100644 --- a/Dockerfile +++ b/Dockerfile @@ -8,7 +8,7 @@ ARG BASE_VARIANT=alpine ARG ALPINE_VERSION=3.22 ARG BASE_DEBIAN_DISTRO=bookworm -ARG GO_VERSION=1.25.6 +ARG GO_VERSION=1.25.7 # XX_VERSION specifies the version of the xx utility to use. # It must be a valid tag in the docker.io/tonistiigi/xx image repository. diff --git a/docker-bake.hcl b/docker-bake.hcl index d71e2c3763b4..6f7320062c40 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -1,5 +1,5 @@ variable "GO_VERSION" { - default = "1.25.6" + default = "1.25.7" } variable "VERSION" { default = "" diff --git a/dockerfiles/Dockerfile.dev b/dockerfiles/Dockerfile.dev index 0521a5053ac6..f2e71577a8e3 100644 --- a/dockerfiles/Dockerfile.dev +++ b/dockerfiles/Dockerfile.dev @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.25.6 +ARG GO_VERSION=1.25.7 # ALPINE_VERSION sets the version of the alpine base image to use, including for the golang image. # It must be a supported tag in the docker.io/library/alpine image repository diff --git a/dockerfiles/Dockerfile.lint b/dockerfiles/Dockerfile.lint index d6a5bf24f5d2..6c5008f2d55c 100644 --- a/dockerfiles/Dockerfile.lint +++ b/dockerfiles/Dockerfile.lint @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.25.6 +ARG GO_VERSION=1.25.7 # ALPINE_VERSION sets the version of the alpine base image to use, including for the golang image. # It must be a supported tag in the docker.io/library/alpine image repository diff --git a/dockerfiles/Dockerfile.vendor b/dockerfiles/Dockerfile.vendor index a2d6a32bba78..2296e1336c58 100644 --- a/dockerfiles/Dockerfile.vendor +++ b/dockerfiles/Dockerfile.vendor @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.25.6 +ARG GO_VERSION=1.25.7 # ALPINE_VERSION sets the version of the alpine base image to use, including for the golang image. # It must be a supported tag in the docker.io/library/alpine image repository