release-3.0 backport PR #13755 to address CVE-2025-61729, CVE-2025-61727 (#13909)

zenador · pracucci · web-flow · commit 0b9f8b4b1b91 · 2026-01-02T06:01:58.000+08:00
#### What this PR does Update to Go v1.25.5 to address CVE-2025-61729, CVE-2025-61727. #### Which issue(s) this PR fixes or relates to N/A #### Checklist - [ ] Tests updated. - [ ] Documentation added. - [x] `CHANGELOG.md` updated - the order of entries should be `[CHANGE]`, `[FEATURE]`, `[ENHANCEMENT]`, `[BUGFIX]`. If changelog entry is not needed, please add the `changelog-not-needed` label to the PR. - [ ] [`about-versioning.md`](https://github.com/grafana/mimir/blob/main/docs/sources/mimir/configure/about-versioning.md) updated with experimental features.  --- > [!NOTE] > **Build/tooling upgrade** > > - Bumps Go to `1.25.5` in `go.mod`, GitHub Actions workflow (`setup-go`), and `mimir-build-image/Dockerfile` (new base image digest) > - Updates Makefile `LATEST_BUILD_IMAGE_TAG` to `pr13909-f969d53533` > - Adds `CHANGELOG.md` entry noting the security update to Go 1.25.5 > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 612fcf0. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>  --------- Signed-off-by: Marco Pracucci <marco@pracucci.com> Co-authored-by: Marco Pracucci <marco@pracucci.com> Co-authored-by: pracucci <pracucci@users.noreply.github.com>
diff --git a/.github/workflows/update-vendored-mimir-prometheus.yml b/.github/workflows/update-vendored-mimir-prometheus.yml
@@ -72,7 +72,7 @@ jobs:
         uses: actions/setup-go@v5
         with:
           # We only use this to run `go mod` commands, so it doesn't need to follow the version used in the Dockerfile.
-          go-version: "1.25.1"
+          go-version: "1.25.5"
 
       # This job uses "mimir-vendoring bot" instead of "github-actions bot" (secrets.GITHUB_TOKEN)
       # because any events triggered by the later don't spawn GitHub actions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,10 @@
 
 ## main / unreleased
 
+### Grafana Mimir
+
+* [BUGFIX] Update to Go v1.25.5 to address [CVE-2025-61729](https://pkg.go.dev/vuln/GO-2025-4155). #13909
+
 ## 3.0.1
 
 ### Grafana Mimir
diff --git a/Makefile b/Makefile
@@ -225,7 +225,7 @@ mimir-build-image/$(UPTODATE): mimir-build-image/*
 # All the boiler plate for building golang follows:
 SUDO := $(shell docker info >/dev/null 2>&1 || echo "sudo -E")
 BUILD_IN_CONTAINER ?= true
-LATEST_BUILD_IMAGE_TAG ?= pr13692-ed0e12ca15
+LATEST_BUILD_IMAGE_TAG ?= pr13909-f969d53533
 
 # TTY is parameterized to allow CI and scripts to run builds,
 # as it currently disallows TTY devices.
diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/grafana/mimir
 
-go 1.25.4
+go 1.25.5
 
 require (
 	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.2
diff --git a/mimir-build-image/Dockerfile b/mimir-build-image/Dockerfile
@@ -5,7 +5,7 @@
 
 FROM registry.k8s.io/kustomize/kustomize:v5.4.3 AS kustomize
 FROM alpine/helm:3.17.2 AS helm
-FROM golang:1.25.4-trixie@sha256:a02d35efc036053fdf0da8c15919276bf777a80cbfda6a35c5e9f087e652adfc
+FROM golang:1.25.5-trixie@sha256:4f9d98ebaa759f776496d850e0439c48948d587b191fc3949b5f5e4667abef90
 ARG goproxyValue
 ENV GOPROXY=${goproxyValue}
 ENV SKOPEO_DEPS="libgpgme-dev libassuan-dev libbtrfs-dev libdevmapper-dev pkg-config"
