
go: Fix CVE-2025-61729#422

Closed
oshoval wants to merge 1 commit into k8snetworkplumbingwg:main from oshoval:go4155m

Conversation

@oshoval
Member

@oshoval oshoval commented Jan 6, 2026

What this PR does / why we need it:
https://pkg.go.dev/vuln/GO-2025-4155
Update the go toolchain to 1.24.11; `make vendor` removes the toolchain line once both are equal.

Special notes for your reviewer:

Release note:

None

Summary by CodeRabbit

  • Chores
    • Updated project tooling to target Go 1.24.11


https://pkg.go.dev/vuln/GO-2025-4155
Update the go toolchain to 1.24.11; `make vendor` removes the toolchain line once both are equal.

Signed-off-by: Or Shoval <oshoval@redhat.com>
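The PR description above relies on two facts about go.mod: the version a module actually builds with is the `toolchain` directive when present and the `go` directive otherwise, and the fix for GO-2025-4155 lives in specific patch releases (1.24.11 here, 1.25.5 per the later discussion). The following program is an added example, not code from the whereabouts project or this PR: it parses go.mod text, resolves the effective toolchain, and reports whether that toolchain is still on an unpatched release. The sample go.mod is constructed; its `toolchain go1.24.9` line is hypothetical and is only there to exercise the "toolchain directive wins" path. The fixed-release table (`fixedPatch`) and the rule that lines older than 1.24 have no patched release are assumptions taken from the versions named on this page, not from the advisory text.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample go.mod, not the project's real file. The "go 1.23.0" line
// mirrors the pre-fix state the PR's diff summary describes; the toolchain line
// is a hypothetical addition so the "toolchain directive wins" path is exercised.
const sampleGoMod = `module example.com/constructed/module

go 1.23.0

toolchain go1.24.9

require (
	example.com/some/dep v1.2.3
)
`

// fixedPatch maps a Go minor line to the first patch release carrying the
// crypto/x509 fix for CVE-2025-61729, as named on this PR page (1.24.11 in the
// PR itself, 1.25.5 in the closing comment). Assumption: minor lines below
// 1.24 never received a patched release and are reported as vulnerable.
var fixedPatch = map[int]int{24: 11, 25: 5}

type goVersion struct{ major, minor, patch int }

// parseGoVersion accepts "1.23.0", "go1.24.11" or "1.24" (patch defaults to 0).
// Pre-release forms such as "1.25rc1" are rejected rather than guessed at.
func parseGoVersion(s string) (goVersion, error) {
	s = strings.TrimPrefix(s, "go")
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return goVersion{}, fmt.Errorf("unrecognised Go version %q", s)
	}
	nums := make([]int, 3)
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return goVersion{}, fmt.Errorf("non-numeric component %q in %q", p, s)
		}
		nums[i] = n
	}
	return goVersion{nums[0], nums[1], nums[2]}, nil
}

// GoModDirectives returns the raw "go" and "toolchain" directive values from
// go.mod text. toolchain is "" when the line is absent, which is the state
// "make vendor" leaves once both directives name the same version.
func GoModDirectives(gomod string) (goDirective, toolchain string) {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 2 {
			continue
		}
		switch f[0] {
		case "go":
			goDirective = f[1]
		case "toolchain":
			toolchain = f[1]
		}
	}
	return goDirective, toolchain
}

// EffectiveToolchain is the version the module builds with under the default
// GOTOOLCHAIN=auto: the toolchain directive when present, else the go directive.
func EffectiveToolchain(gomod string) (string, error) {
	goDir, tc := GoModDirectives(gomod)
	if tc != "" {
		return strings.TrimPrefix(tc, "go"), nil
	}
	if goDir == "" {
		return "", fmt.Errorf("go.mod has no go directive")
	}
	return goDir, nil
}

// VulnerableToCVE202561729 reports whether a module building with version v
// still gets an unpatched crypto/x509.
func VulnerableToCVE202561729(v string) (bool, error) {
	gv, err := parseGoVersion(v)
	if err != nil {
		return false, err
	}
	if gv.major != 1 {
		return false, fmt.Errorf("unexpected major version in %q", v)
	}
	fixed, ok := fixedPatch[gv.minor]
	if !ok {
		// Not in the table: older lines are unpatched, newer lines were cut
		// after the fix (assumption stated in the lead-in).
		return gv.minor < 24, nil
	}
	return gv.patch < fixed, nil
}

// CheckGoMod resolves the effective toolchain and checks it in one call.
func CheckGoMod(gomod string) (version string, vulnerable bool, err error) {
	version, err = EffectiveToolchain(gomod)
	if err != nil {
		return "", false, err
	}
	vulnerable, err = VulnerableToCVE202561729(version)
	return version, vulnerable, err
}

func main() {
	v, vuln, err := CheckGoMod(sampleGoMod)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("effective toolchain go%s, vulnerable to CVE-2025-61729: %v\n", v, vuln)
}
```

Run against the constructed sample it reports go1.24.9 as vulnerable even though the `go` line says 1.23.0, which is the point of resolving the toolchain directive first; once the PR's change is applied (`go 1.24.11`, no toolchain line) the same check reports the module as patched. A `toolchain` line lower than the `go` line, or a `go` line already at or above the fixed release with a stale lower `toolchain`, are the two cases worth eyeballing in review, since the builder follows the toolchain directive. For a full dependency-graph answer rather than a toolchain-only one, `govulncheck ./...` is the tool the advisory page links to.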
@kubevirt-bot kubevirt-bot added dco-signoff: yes Indicates the PR's author has DCO signed all their commits. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Jan 6, 2026
@coderabbitai

coderabbitai bot commented Jan 6, 2026

Walkthrough

Updated the Go version directive in the module file from version 1.23.0 to 1.24.11. No changes to module dependencies or other configuration blocks.

Changes

Cohort / File(s) Summary
Go Version Update
go.mod
Updated Go directive from go 1.23.0 to go 1.24.11

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title 'go: Fix CVE-2025-61729' clearly and specifically identifies the main change: updating the Go toolchain to address a security vulnerability. It directly matches the changeset's purpose.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.

@kubevirt-bot kubevirt-bot added release-note-none Denotes a PR that doesn't merit a release note. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Jan 6, 2026
@oshoval
Member Author

oshoval commented Jan 6, 2026

/hold

@kubevirt-bot kubevirt-bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 6, 2026

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
go.mod (1)

1-89: Address the bot-flagged release-note requirement and ensure approver sign-off.

The kubevirt-bot flagged the PR as requiring a release-note block and approval from the designated approver (phoracek). These are process requirements separate from the code change itself—the go.mod modification is technically correct and properly addresses the CVE. Ensure the PR is updated with a release-note block describing the security fix before merge.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b82915b and e3a86f7.

📒 Files selected for processing (1)
  • go.mod
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: build-image
🔇 Additional comments (1)
go.mod (1)

3-3: Correct security patch for CVE-2025-61729—Go 1.24.11 is confirmed.

Go 1.24.11 (released 2025-12-02) includes two security fixes to the crypto/x509 package, directly addressing CVE-2025-61729, which exposes a denial-of-service vector in the crypto/x509 package where the HostnameError.Error() method will print an unbounded number of hosts and constructs the error text via repeated string concatenation, producing quadratic runtime. The update from Go 1.23.0 to 1.24.11 is the correct remediation.

@oshoval
Member Author

oshoval commented Jan 7, 2026

/hold cancel

@phoracek can you please take a look?

@kubevirt-bot kubevirt-bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 7, 2026
@oshoval
Member Author

oshoval commented Jan 7, 2026

cc @RamLavi

@RamLavi
Member

RamLavi commented Jan 7, 2026

/lgtm
/approve

@kubevirt-bot kubevirt-bot added lgtm Indicates that a PR is ready to be merged. labels Jan 7, 2026
@kubevirt-bot
Collaborator

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: oshoval, RamLavi
Once this PR has been reviewed and has the lgtm label, please assign phoracek for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@oshoval
Member Author

oshoval commented Jan 7, 2026

Thanks

Once it is merged, please release a tag so we can point to it manually:
https://github.com/kubevirt/cluster-network-addons-operator/blob/4b23be4663c7ffef70c3b804275c18d12519a912/components.yaml#L51

@kubevirt-bot kubevirt-bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 7, 2026
@oshoval oshoval mentioned this pull request Jan 8, 2026
@oshoval
Member Author

oshoval commented Jan 8, 2026

see discussion on #421 (comment)

@oshoval
Member Author

oshoval commented Jan 11, 2026

/hold

@kubevirt-bot kubevirt-bot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Jan 11, 2026
@oshoval
Member Author

oshoval commented Jan 12, 2026

@SchSeba

Will updating to go 1.24.11 cause problems for your projects?
If so, we can wait for 1.25.5; otherwise, let's merge it please.

@oshoval
Member Author

oshoval commented Jan 13, 2026

Let's update once we have 1.25.5.

@oshoval oshoval closed this Jan 13, 2026

Labels

dco-signoff: yes Indicates the PR's author has DCO signed all their commits. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. lgtm Indicates that a PR is ready to be merged. release-note-none Denotes a PR that doesn't merit a release note.

3 participants