Bump go directive to 1.26.4 to fix stdlib CVEs #4334

Open
reinkrul wants to merge 1 commit into master from fix/go-1.26.4-stdlib-cves
@reinkrul reinkrul commented Jun 5, 2026

Summary

  • Bump the go directive in go.mod from 1.26.3 to 1.26.4.

The Dockerfile already builds with golang:1.26.4-alpine; the go.mod directive is what pins the govulncheck scan (and the toolchain it resolves) to the vulnerable 1.26.3 stdlib. Bumping it clears the scan. No code changes.

Fixes the following vulnerabilities:

| Advisory | Package | Description |
| --- | --- | --- |
| GO-2026-5039 | net/textproto | User input included in error messages, allowing log/error injection (CVE-2026-42507) |
| GO-2026-5037 | crypto/x509 | VerifyHostname scales quadratically over large DNS SAN lists, enabling DoS on untrusted certs (CVE-2026-27145) |

Both are fixed in Go 1.26.4.

Assisted by AI

Fixes GO-2026-5039 (net/textproto error message injection) and
GO-2026-5037 (crypto/x509 VerifyHostname quadratic DoS), both fixed
in Go 1.26.4. The Dockerfile already builds with golang:1.26.4; this
aligns the go.mod directive used by the govulncheck scan.

Assisted by AI
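
The drift described in this PR, a go.mod `go` directive that lags the Dockerfile's `golang` image tag, can be caught in CI with a check like the following. This is an added example, not code from this repository; the function names and the sample file contents are constructed for illustration, using the versions named in the PR.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample inputs (assumptions), using the versions named in this PR.
const sampleGoMod = "module example.test/node\n\ngo 1.26.3\n"
const sampleDockerfile = "FROM golang:1.26.4-alpine AS builder\nRUN go build ./...\n"

var (
	goDirective = regexp.MustCompile(`(?m)^go\s+(\d+\.\d+(?:\.\d+)?)\s*$`)
	fromGolang  = regexp.MustCompile(`(?mi)^\s*FROM\s+(?:--\S+\s+)*(?:\S+/)?golang:(\d+\.\d+(?:\.\d+)?)`)
)

// sameVersion compares on the components the image tag pins, so a floating
// tag such as golang:1.26 is only checked on major.minor.
func sameVersion(mod, img string) bool {
	mp, ip := strings.Split(mod, "."), strings.Split(img, ".")
	for i := range ip {
		mv := 0 // a component missing from go.mod counts as 0
		if i < len(mp) {
			mv, _ = strconv.Atoi(mp[i])
		}
		if iv, _ := strconv.Atoi(ip[i]); mv != iv {
			return false
		}
	}
	return true
}

// Drift lists every golang build stage whose version differs from the go directive.
func Drift(goMod, dockerfile string) ([]string, error) {
	m := goDirective.FindStringSubmatch(goMod)
	if m == nil {
		return nil, fmt.Errorf("no go directive found in go.mod")
	}
	var findings []string
	for _, d := range fromGolang.FindAllStringSubmatch(dockerfile, -1) {
		if !sameVersion(m[1], d[1]) {
			findings = append(findings, fmt.Sprintf("go.mod: go %s, Dockerfile: golang:%s", m[1], d[1]))
		}
	}
	return findings, nil
}

func main() { fmt.Println(Drift(sampleGoMod, sampleDockerfile)) }
```
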
qltysh Bot commented Jun 5, 2026

Coverage Impact

⬆️ Merging this pull request will increase total coverage on master by 0.03%.
