Bump Go toolchain version to 1.25.8 #1309

Merged
adombeck merged 1 commit into main from go-1.25.8
Mar 11, 2026

@adombeck
Contributor

govulncheck reports the following vulnerabilities in go1.25.7:

Vulnerability #1: GO-2026-4603
    URLs in meta content attribute actions are not escaped in html/template
  More info: https://pkg.go.dev/vuln/GO-2026-4603
  Standard library
    Found in: html/template@go1.25.7
    Fixed in: html/template@go1.25.8
    Example traces found:
Error:       #1: examplebroker/broker.go:1000:14: examplebroker.userInfoFromName calls template.Template.Execute
Error:       #2: pam/integration-tests/ssh_test.go:720:30: integration.startSSHD calls httptest.NewServer, which eventually calls template.Template.ExecuteTemplate

Vulnerability #2: GO-2026-4602
    FileInfo can escape from a Root in os
  More info: https://pkg.go.dev/vuln/GO-2026-4602
  Standard library
    Found in: os@go1.25.7
    Fixed in: os@go1.25.8
    Example traces found:
Error:       #1: internal/users/proc/proc.go:42:33: proc.CheckUserBusy calls os.File.Readdir
Error:       #2: internal/brokers/manager.go:65:29: brokers.NewManager calls os.ReadDir

Vulnerability #3: GO-2026-4601
    Incorrect parsing of IPv6 host literals in net/url
  More info: https://pkg.go.dev/vuln/GO-2026-4601
  Standard library
    Found in: net/url@go1.25.7
    Fixed in: net/url@go1.25.8
    Example traces found:
Error:       #1: internal/testutils/daemon.go:249:29: testutils.StartAuthdWithCancel calls grpc.NewClient, which eventually calls url.Parse
Error:       #2: pam/integration-tests/ssh_test.go:720:30: integration.startSSHD calls httptest.NewServer, which eventually calls url.ParseRequestURI

@codecov
codecov bot commented Mar 10, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.65%. Comparing base (5576f3f) to head (8a649d2).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1309      +/-   ##
==========================================
+ Coverage   80.08%   85.65%   +5.57%     
==========================================
  Files          20      119      +99     
  Lines         984     7669    +6685     
  Branches        0      111     +111     
==========================================
+ Hits          788     6569    +5781     
- Misses        196     1044     +848     
- Partials        0       56      +56     

@adombeck adombeck marked this pull request as ready for review March 11, 2026 10:57
@adombeck adombeck requested a review from denisonbarbosa March 11, 2026 10:57
@adombeck
Contributor Author

The failure of the Build Debian package job (devel) job is unrelated and tracked here.

@adombeck adombeck merged commit 5694ba8 into main Mar 11, 2026
32 of 41 checks passed
@adombeck adombeck deleted the go-1.25.8 branch March 11, 2026 10:58
@adombeck adombeck mentioned this pull request Mar 11, 2026