Commit 271edd9

fix: update Go to 1.24.11 to fix stdlib security vulnerabilities (#3059)

Addresses Go stdlib CVEs:
- CVE-2025-61724 (net/textproto) - fixed in Go 1.24.8
- CVE-2025-58189 (crypto/tls) - fixed in Go 1.24.8
- CVE-2025-58185 (encoding/asn1) - fixed in Go 1.24.8
- CVE-2025-61723 (encoding/pem) - fixed in Go 1.24.8
- CVE-2025-47912 (net/url) - fixed in Go 1.24.8
- GO-2025-4175 (crypto/x509) - fixed in Go 1.24.11
- GO-2025-4155 (crypto/x509) - fixed in Go 1.24.11
- GO-2025-4007 (crypto/x509) - fixed in Go 1.24.9

Also adds:
- golang version to .tool-versions for asdf users
- scripts/check-go-vulnerabilities.sh for local vulnerability scanning

Closes #3036, #3037, #3038, #3039, #3040

1 parent 4495de9 commit 271edd9

4 files changed

Lines changed: 32 additions & 3 deletions

.tool-versions

Lines changed: 1 addition & 0 deletions
@@ -1 +1,2 @@
11
pnpm 8.15.7
2+
golang 1.24.11

scripts/check-go-vulnerabilities.sh

Lines changed: 28 additions & 0 deletions
@@ -0,0 +1,28 @@
1+
#!/bin/bash
2+
set -e
3+
4+
# Check Go vulnerabilities using govulncheck
5+
# Requires govulncheck: go install golang.org/x/vuln/cmd/govulncheck@latest
6+
7+
GO_MOD_PATH="${1:-server}"
8+
9+
if [[ ! -d "$GO_MOD_PATH" ]]; then
10+
echo "Error: directory not found at $GO_MOD_PATH"
11+
exit 1
12+
fi
13+
14+
if ! command -v govulncheck &> /dev/null; then
15+
echo "Installing govulncheck..."
16+
go install golang.org/x/vuln/cmd/govulncheck@latest
17+
fi
18+
19+
echo "Checking Go vulnerabilities in $GO_MOD_PATH"
20+
echo "================================================================"
21+
22+
cd "$GO_MOD_PATH"
23+
24+
GO_VERSION=$(grep "^go " go.mod | awk '{print $2}')
25+
echo "Go version: $GO_VERSION"
26+
echo ""
27+
28+
govulncheck -json ./... 2>&1 || true
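
Review bot: The final line, `govulncheck -json ./... 2>&1 || true`, discards the exit status, so the script exits 0 whether the scan reported findings, failed to load the module, or could not run at all; drop the `|| true` (or capture the status and exit with it) so a caller can gate on the result. The `2>&1` on the same line merges stderr into the `-json` stream, which breaks any JSON consumer, so keep stderr separate. Two smaller points in this hunk: `go install golang.org/x/vuln/cmd/govulncheck@latest` installs an unpinned version into a directory that may not be on PATH, and the "Go version" that is echoed comes from the `go` directive in go.mod rather than from the installed toolchain, so printing `go version` as well would make the report unambiguous.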

server/Dockerfile

Lines changed: 2 additions & 2 deletions
@@ -1,4 +1,4 @@
1-
FROM golang:1.24-alpine3.22 AS server-builder
1+
FROM golang:1.24.11-alpine3.22 AS server-builder
22

33
RUN apk upgrade --no-cache && \
44
apk add --no-cache \
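
Review bot: The patch release is now hard-coded in `FROM golang:1.24.11-alpine3.22` here and again in the dockerize-builder stage, as well as in go.mod and .tool-versions, so the next security bump has four places to change and nothing that fails when they drift. Declare a single `ARG GO_VERSION=1.24.11` ahead of the first FROM and reference it in both stages, and consider a CI check that compares it with the go.mod value. Pinning the image by digest alongside the tag would also make the build reproducible, since a tag can be re-pushed.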
@@ -15,7 +15,7 @@ COPY . ./
1515

1616
RUN make build-server
1717

18-
FROM golang:1.24-alpine3.22 AS dockerize-builder
18+
FROM golang:1.24.11-alpine3.22 AS dockerize-builder
1919

2020
ARG DOCKERIZE_VERSION=v0.9.2
2121
RUN go install github.com/jwilder/dockerize@${DOCKERIZE_VERSION} && \
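
Review bot: The dockerize-builder stage compiles `github.com/jwilder/dockerize@${DOCKERIZE_VERSION}` with the updated toolchain, which picks up the stdlib fixes, but that binary's own module dependencies fall outside scripts/check-go-vulnerabilities.sh, which defaults to scanning `server`. If the dockerize binary ships in the final image, either document that gap or scan the built binary as well.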

server/go.mod

Lines changed: 1 addition & 1 deletion
@@ -1,6 +1,6 @@
11
module github.com/temporalio/ui-server/v2
22

3-
go 1.24.0
3+
go 1.24.11
44

55
require (
66
github.com/Masterminds/sprig/v3 v3.3.0
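
Review bot: Changing the `go` directive from 1.24.0 to 1.24.11 raises the minimum Go version for every consumer of `github.com/temporalio/ui-server/v2`, not just for this repository's own builds. If the module is meant to be importable, keeping `go 1.24.0` and adding a `toolchain go1.24.11` line selects the patched toolchain when this is the main module without forcing the floor on importers; if the higher floor is intentional, say so in the commit message.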
