
fix: upgrade Go to 1.25.8 for CVE-2025-68121, CVE-2026-27142, CVE-2026-25679 #48287

Open
liliu-z wants to merge 3 commits into milvus-io:2.6 from liliu-z:fix/cve-go1.25.8-2.6

Conversation

@liliu-z
Member

@liliu-z liliu-z commented Mar 16, 2026

Summary

  • Upgrade Go from 1.24.12 to 1.25.8 across all go.mod files and Dockerfiles
  • Fixes CVE-2025-68121 (CRITICAL), CVE-2026-27142 (HIGH), CVE-2026-25679 (HIGH) in Go stdlib
  • All three CVEs affect the Go standard library and are resolved by upgrading to Go 1.25.8

Changes

  • Updated go directive in go.mod files (root, pkg/, client/, tests/go_client/)
  • Updated Go download URLs in Dockerfiles (build/docker/builder/)

pr: #48286

Test plan

  • make milvus builds successfully with Go 1.25.8
  • CI passes

🤖 Generated with Claude Code
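
A check a reviewer could run against this kind of toolchain bump, given as an added example that is not part of the PR or the Milvus repository: it lists every go.mod directive and Dockerfile Go tarball still pinned below a floor version. The function names, the sample tree and the assumed tarball naming (`go<version>.linux-...`) are illustrative.

```shell
# Added example: flag go.mod files and Dockerfiles still pinned below a Go floor.
# version_lt A B: succeeds when dotted version A < B (missing fields count as 0).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1
  }'
}

# pins_in FILE: print every Go version the file pins, one per line.
#   go.mod      -> the `go X.Y[.Z]` directive and any `toolchain goX.Y.Z` line
#   Dockerfile* -> tarball names like go1.25.8.linux-amd64.tar.gz (assumed shape;
#                  URLs assembled from variables are not matched)
pins_in() {
  case ${1##*/} in
    go.mod) sed -nE 's/^(go[[:space:]]+|toolchain[[:space:]]+go)([0-9]+(\.[0-9]+){1,2}).*/\2/p' "$1" ;;
    *) grep -oE 'go[0-9]+(\.[0-9]+){1,2}\.(linux|darwin)' "$1" | sed -E 's/^go//; s/\.[a-z]+$//' ;;
  esac
}

# stale_go_pins ROOT MIN: print "path: version" for each pin below MIN.
# Returns 1 when anything stale was found, 0 otherwise.
stale_go_pins() {
  local root="$1" min="$2" out
  out=$(find "$root" -type f \( -name go.mod -o -name 'Dockerfile*' \) | sort |
    while IFS= read -r f; do
      pins_in "$f" | while IFS= read -r v; do
        if version_lt "$v" "$min"; then echo "${f#"$root"/}: $v"; fi
      done
    done)
  [ -z "$out" ] && return 0
  printf '%s\n' "$out"
  return 1
}

# Constructed sample tree using the directory names from the PR description.
make_sample_tree() {
  local d; d=$(mktemp -d)
  mkdir -p "$d/pkg" "$d/client" "$d/build/docker/builder/cpu"
  printf 'module example.test/root\n\ngo 1.25.8\n' > "$d/go.mod"
  printf 'module example.test/pkg\n\ngo 1.24.12\n' > "$d/pkg/go.mod"
  printf 'module example.test/client\n\ngo 1.24.0\n\ntoolchain go1.24.12\n' > "$d/client/go.mod"
  printf 'RUN curl -sSL https://go.dev/dl/go1.24.12.linux-amd64.tar.gz | tar -xz\n' > "$d/build/docker/builder/cpu/Dockerfile"
  echo "$d"
}
tree=$(make_sample_tree); stale_go_pins "$tree" 1.25.8 || echo "pins below 1.25.8 found"; rm -rf "$tree"
```

Run as a CI step, the non-zero return from `stale_go_pins` fails the job when a module or builder image was missed by the bump.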

…6-25679

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Li Liu <li.liu@zilliz.com>
@sre-ci-robot sre-ci-robot added area/dependency Pull requests that update a dependency file area/test sig/testing labels Mar 16, 2026
@sre-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liliu-z

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@sre-ci-robot sre-ci-robot added size/S Denotes a PR that changes 10-29 lines. approved labels Mar 16, 2026
@mergify mergify bot added dco-passed DCO check passed. kind/bug Issues or changes related a bug labels Mar 16, 2026
@sre-ci-robot
Contributor

[ci-v2-notice]
Notice: New ci-v2 system is enabled for this PR.

To rerun ci-v2 checks, comment with:

  • /ci-rerun-code-check // for ci-v2/code-check
  • /ci-rerun-build // for ci-v2/build
  • /ci-rerun-build-all // for ci-v2/build-all (multi-arch builds)
  • /ci-rerun-ut-integration // for ci-v2/ut-integration, will rerun ci-v2/build
  • /ci-rerun-ut-go // for ci-v2/ut-go, will rerun ci-v2/build
  • /ci-rerun-ut-cpp // for ci-v2/ut-cpp
  • /ci-rerun-ut // for all ci-v2/ut-integration, ci-v2/ut-go, ci-v2/ut-cpp, will rerun ci-v2/build
  • /ci-rerun-e2e-arm // for ci-v2/e2e-arm
  • /ci-rerun-e2e-default // for ci-v2/e2e-default
  • /ci-rerun-ciloop // for ci-v2/ciloop (build + unit tests in one pipeline)

If you have any questions or requests, please contact @zhikunyao.

@sre-ci-robot sre-ci-robot added do-not-merge/need-merge-master-first any pr merge to release branch need to merge master first do-not-merge/need-milestone generate by v2-label-manager labels Mar 16, 2026
@sre-ci-robot
Contributor

[INFO] PR Label Summary by Default
[FAILED] PR #48286 not merged

[WARNING] Milestone not set

You can set milestone by commenting:
/set-milestone
Example:
/set-milestone 2.5.0

Use /refresh-label to update related check and label manually

@mergify
Contributor

mergify bot commented Mar 16, 2026

@liliu-z go-sdk check failed, comment rerun go-sdk can trigger the job again.

gotestsum v1.12.0 depends on golang.org/x/tools v0.19.0 which is
incompatible with Go 1.25 (invalid array length error in tokeninternal).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Li Liu <li.liu@zilliz.com>
@sre-ci-robot
Contributor

[INFO] PR Label Summary by Default
[FAILED] PR #48286 not merged

[WARNING] Milestone not set

You can set milestone by commenting:
/set-milestone
Example:
/set-milestone 2.5.0

Use /refresh-label to update related check and label manually

@codecov

codecov bot commented Mar 16, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 83.38%. Comparing base (f1494f6) to head (e646d43).
⚠️ Report is 9 commits behind head on 2.6.


@@             Coverage Diff             @@
##              2.6   #48287       +/-   ##
===========================================
+ Coverage   74.69%   83.38%    +8.68%     
===========================================
  Files        1414      542      -872     
  Lines      221810    85787   -136023     
===========================================
- Hits       165684    71533    -94151     
+ Misses      48586    14254    -34332     
+ Partials     7540        0     -7540     
Components Coverage Δ
Client ∅ <ø> (∅)
Core 83.38% <ø> (∅)
Go ∅ <ø> (∅)
see 1956 files with indirect coverage changes

@sre-ci-robot sre-ci-robot added low-code-coverage add test-label from zhikun, diff coverage > 80% and removed low-code-coverage add test-label from zhikun, diff coverage > 80% labels Mar 16, 2026
@sre-ci-robot
Contributor

Build Env Images Ready

New builder images have been built and pushed to Harbor.

Image tag: 20260318-5e6b883

Type OS Harbor Image
CPU ubuntu22.04 harbor-us-vdc.zilliz.cc/milvusdb/milvus-env:ubuntu22.04-20260318-5e6b883

Next Steps

To use these new builder images for CI, update the .env file in this PR:

# Update CPU builder tag
sed -i 's/^DATE_VERSION=.*/DATE_VERSION=20260318-5e6b883/' .env
sed -i 's/^LATEST_DATE_VERSION=.*/LATEST_DATE_VERSION=20260318-5e6b883/' .env

Then commit and push to trigger CI with the new builder images.

Build: #10

@zhikunyao
Collaborator

/ci-rerun-buildenv

@zhikunyao
Collaborator

/ci-rerun-buildenv

@sre-ci-robot
Contributor

Build Env Images Ready

New builder images have been built and pushed to Harbor.

Image tag: 20260318-5e6b883

Type OS Harbor Image
CPU ubuntu22.04 harbor-us-vdc.zilliz.cc/milvusdb/milvus-env:ubuntu22.04-20260318-5e6b883
CPU amazonlinux2023 harbor-us-vdc.zilliz.cc/milvusdb/milvus-env:amazonlinux2023-20260318-5e6b883
GPU ubuntu22.04 harbor-us-vdc.zilliz.cc/milvusdb/milvus-env:gpu-ubuntu22.04-20260318-5e6b883
GPU ubuntu20.04 harbor-us-vdc.zilliz.cc/milvusdb/milvus-env:gpu-ubuntu20.04-20260318-5e6b883

Next Steps

To use these new builder images for CI, update the .env file in this PR:

# Update CPU builder tag
sed -i 's/^DATE_VERSION=.*/DATE_VERSION=20260318-5e6b883/' .env
sed -i 's/^LATEST_DATE_VERSION=.*/LATEST_DATE_VERSION=20260318-5e6b883/' .env
# Update GPU builder tag
sed -i 's/^GPU_DATE_VERSION=.*/GPU_DATE_VERSION=20260318-5e6b883/' .env
sed -i 's/^LATEST_GPU_DATE_VERSION=.*/LATEST_GPU_DATE_VERSION=20260318-5e6b883/' .env

Then commit and push to trigger CI with the new builder images.

Build: #12

@sre-ci-robot
Contributor

Build Env Images Ready

New builder images have been built and pushed to Harbor.

Image tag: 20260318-5e6b883

Type OS Harbor Image
CPU ubuntu22.04 harbor-us-vdc.zilliz.cc/milvusdb/milvus-env:ubuntu22.04-20260318-5e6b883
CPU amazonlinux2023 harbor-us-vdc.zilliz.cc/milvusdb/milvus-env:amazonlinux2023-20260318-5e6b883

Next Steps

To use these new builder images for CI, update the .env file in this PR:

# Update CPU builder tag
sed -i 's/^DATE_VERSION=.*/DATE_VERSION=20260318-5e6b883/' .env
sed -i 's/^LATEST_DATE_VERSION=.*/LATEST_DATE_VERSION=20260318-5e6b883/' .env

Then commit and push to trigger CI with the new builder images.

Build: #13

@zhikunyao
Collaborator

/ci-rerun-buildenv

@sre-ci-robot
Contributor

Build Env Images Ready

New builder images have been built and pushed to Harbor.

Image tag: 20260318-5e6b883

Type OS Harbor Image
CPU ubuntu22.04 harbor-us-vdc.zilliz.cc/milvusdb/milvus-env:ubuntu22.04-20260318-5e6b883
CPU amazonlinux2023 harbor-us-vdc.zilliz.cc/milvusdb/milvus-env:amazonlinux2023-20260318-5e6b883
GPU ubuntu22.04 harbor-us-vdc.zilliz.cc/milvusdb/milvus-env:gpu-ubuntu22.04-20260318-5e6b883

Next Steps

To use these new builder images for CI, update the .env file in this PR:

# Update CPU builder tag
sed -i 's/^DATE_VERSION=.*/DATE_VERSION=20260318-5e6b883/' .env
sed -i 's/^LATEST_DATE_VERSION=.*/LATEST_DATE_VERSION=20260318-5e6b883/' .env
# Update GPU builder tag
sed -i 's/^GPU_DATE_VERSION=.*/GPU_DATE_VERSION=20260318-5e6b883/' .env
sed -i 's/^LATEST_GPU_DATE_VERSION=.*/LATEST_GPU_DATE_VERSION=20260318-5e6b883/' .env

Then commit and push to trigger CI with the new builder images.

Build: #21

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Li Liu <li.liu@zilliz.com>
@sre-ci-robot sre-ci-robot added size/M Denotes a PR that changes 30-99 lines. and removed size/S Denotes a PR that changes 10-29 lines. labels Mar 19, 2026
@sre-ci-robot
Contributor

[INFO] PR Label Summary by Default
[FAILED] PR #48286 not merged

[WARNING] Milestone not set

You can set milestone by commenting:
/set-milestone
Example:
/set-milestone 2.5.0

Use /refresh-label to update related check and label manually

@mergify
Contributor

mergify bot commented Mar 19, 2026

@liliu-z go-sdk check failed, comment rerun go-sdk can trigger the job again.

@sre-ci-robot sre-ci-robot added size/XXL Denotes a PR that changes 1000+ lines. and removed size/M Denotes a PR that changes 30-99 lines. labels Mar 19, 2026
@sre-ci-robot
Contributor

[INFO] PR Label Summary by Default
[FAILED] PR #48286 not merged

[WARNING] Milestone not set

You can set milestone by commenting:
/set-milestone
Example:
/set-milestone 2.5.0

Use /refresh-label to update related check and label manually

@liliu-z liliu-z force-pushed the fix/cve-go1.25.8-2.6 branch from 00419e7 to e646d43 Compare March 19, 2026 06:47
@sre-ci-robot sre-ci-robot added size/M Denotes a PR that changes 30-99 lines. and removed size/XXL Denotes a PR that changes 1000+ lines. labels Mar 19, 2026
@sre-ci-robot
Contributor

[INFO] PR Label Summary by Default
[FAILED] PR #48286 not merged

[WARNING] Milestone not set

You can set milestone by commenting:
/set-milestone
Example:
/set-milestone 2.5.0

Use /refresh-label to update related check and label manually

@mergify
Contributor

mergify bot commented Mar 19, 2026

@liliu-z go-sdk check failed, comment rerun go-sdk can trigger the job again.
