Update Go from 1.23.1 to 1.24.7 [security]

philwo · copybara-github · commit 9032f6e31516 · 2025-09-09T13:28:32.000-07:00
The following vulnerabilities were identified by running govulncheck on the currently latest reproxy binary v0.182.0.8eb62dcb and are addressed by upgrading Go to the latest 1.24.x version. We could also upgrade to Go 1.25, but as this version drops support for older macOS versions, which might still be used by some of our users, it's better to stick to 1.24.x for now. Vulnerability #1: GO-2025-3751 Sensitive headers not cleared on cross-origin redirect in net/http More info: https://pkg.go.dev/vuln/GO-2025-3751 Standard library Found in: net/http@go1.23.1 Fixed in: net/http@go1.23.10 Vulnerability #2: GO-2025-3750 Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows in os in syscall More info: https://pkg.go.dev/vuln/GO-2025-3750 Standard library Found in: syscall@go1.23.1 Fixed in: syscall@go1.23.10 Vulnerability #3: GO-2025-3563 Request smuggling due to acceptance of invalid chunked data in net/http More info: https://pkg.go.dev/vuln/GO-2025-3563 Standard library Found in: net/http/internal@go1.23.1 Fixed in: net/http/internal@go1.23.8 Vulnerability #4: GO-2025-3447 Timing sidechannel for P-256 on ppc64le in crypto/internal/nistec More info: https://pkg.go.dev/vuln/GO-2025-3447 Standard library Found in: crypto/internal/nistec@go1.23.1 Fixed in: crypto/internal/nistec@go1.23.6 Vulnerability #5: GO-2025-3420 Sensitive headers incorrectly sent after cross-domain redirect in net/http More info: https://pkg.go.dev/vuln/GO-2025-3420 Standard library Found in: net/http@go1.23.1 Fixed in: net/http@go1.23.5 Vulnerability #6: GO-2025-3373 Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509 More info: https://pkg.go.dev/vuln/GO-2025-3373 Standard library Found in: crypto/x509@go1.23.1 Fixed in: crypto/x509@go1.23.5 Change-Id: I67b23dd1566a5d5a156ece05630c0e6b50c8eb77 Bug: NA Test: NA GitOrigin-RevId: 41e91ef42ed93ebc43fb7a1b5342c37e90fe41ab
diff --git a/MODULE.bazel b/MODULE.bazel
@@ -119,7 +119,7 @@ use_repo(android_toolchain_extension, "linux_android1404", "linux_android1404_an
 go_sdk = use_extension("@io_bazel_rules_go//go:extensions.bzl", "go_sdk")
 go_sdk.download(
     name = "go_sdk",
-    version = "1.23.1",  # remember to update go.mod as well
+    version = "1.24.7",  # remember to update go.mod as well
 )
 use_repo(go_sdk, "go_sdk")
 go_sdk.nogo(nogo = "//tools:nogo")
diff --git a/go.mod b/go.mod
@@ -1,8 +1,6 @@
 module github.com/bazelbuild/reclient
 
-go 1.23.1 // Remember to also update the go sdks in MODULE.bazel
-
-toolchain go1.23.4
+go 1.24.7 // Remember to also update the go sdks in MODULE.bazel
 
 require (
 	cloud.google.com/go/bigquery v1.65.0

Original file line number	Diff line number	Diff line change
`@@ -119,7 +119,7 @@ use_repo(android_toolchain_extension, "linux_android1404", "linux_android1404_an`
`119`	`119`	`go_sdk = use_extension("@io_bazel_rules_go//go:extensions.bzl", "go_sdk")`
`120`	`120`	`go_sdk.download(`
`121`	`121`	`name = "go_sdk",`
`122`		`- version = "1.23.1", # remember to update go.mod as well`
	`122`	`+ version = "1.24.7", # remember to update go.mod as well`
`123`	`123`	`)`
`124`	`124`	`use_repo(go_sdk, "go_sdk")`
`125`	`125`	`go_sdk.nogo(nogo = "//tools:nogo")`