update to go1.24.4

[vvoland]

• https://github.com/golang/go/issues?q=milestone%3AGo1.24.4+label%3ACherryPickApproved
• full diff: golang/go@go1.24.3...go1.24.4

This release includes 3 security fixes following the security policy:

• net/http: sensitive headers not cleared on cross-origin redirect

  Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.

  Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue.

  This is CVE-2025-4673 and Go issue https://go.dev/issue/73816.

• os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows

  os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location.

  OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink.

  Thanks to Junyoung Park and Dong-uk Kim of KAIST Hacking Lab for discovering this issue.

  This is CVE-2025-0913 and Go issue https://go.dev/issue/73702.

• crypto/x509: usage of ExtKeyUsageAny disables policy validation

  Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.

  Thanks to Krzysztof Skrzętnicki (@Tener) of Teleport for reporting this issue.

  This is CVE-2025-22874 and Go issue https://go.dev/issue/73612.

- Description for the changelog

Update Go runtime to [1.24.4](https://go.dev/doc/devel/release#go1.24.4)

Signed-off-by: Paweł Gronowski pawel.gronowski@docker.com

[thaJeztah]

LGTM