This repository was archived by the owner on Mar 2, 2026. It is now read-only.

Update Go to 1.25.5 #159

Closed
applejag wants to merge 3 commits into main from feature/go-1.25.5

Conversation


applejag commented Jan 8, 2026

Update Go and github.com/quic-go/quic-go to resolve some vulnerabilities:

$ govulncheck ./...
Vulnerability #1: GO-2025-4233
    HTTP/3 QPACK Header Expansion DoS in github.com/quic-go/quic-go
  More info: https://pkg.go.dev/vuln/GO-2025-4233
  Module: github.com/quic-go/quic-go
    Found in: github.com/quic-go/quic-go@v0.54.1
    Fixed in: github.com/quic-go/quic-go@v0.57.0
    Example traces found:
       #1: pkg/jira/jira.go:192:31: jira.client.StatusMustExist calls io.ReadAll, which eventually calls http3.ConfigureTLSConfig
       #2: cmd/root.go:81:24: cmd.Execute calls cobra.Command.Execute, which eventually calls http3.Error.Error

Vulnerability #2: GO-2025-4175
    Improper application of excluded DNS name constraints when verifying
    wildcard names in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-4175
  Standard library
    Found in: crypto/x509@go1.25.4
    Fixed in: crypto/x509@go1.25.5
    Example traces found:
       #1: pkg/jira/jira.go:192:31: jira.client.StatusMustExist calls io.ReadAll, which eventually calls x509.Certificate.Verify

Vulnerability #3: GO-2025-4155
    Excessive resource consumption when printing error string for host
    certificate validation in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-4155
  Standard library
    Found in: crypto/x509@go1.25.4
    Fixed in: crypto/x509@go1.25.5
    Example traces found:
       #1: pkg/jira/jira.go:192:31: jira.client.StatusMustExist calls io.ReadAll, which eventually calls x509.Certificate.Verify
       #2: pkg/jira/jira.go:192:31: jira.client.StatusMustExist calls io.ReadAll, which eventually calls x509.Certificate.VerifyHostname

applejag requested a review from a team as a code owner January 8, 2026 10:48
applejag added the "dependencies" label (Pull requests that update a dependency file) Jan 8, 2026
applejag requested review from codeshard and removed request for a team January 8, 2026 10:48
applejag self-assigned this Jan 8, 2026

applejag commented Jan 8, 2026

Oh I didn't see #157

I'm blind

applejag closed this Jan 8, 2026
