Skip to content

Bump Go to 1.26.5 to fix crypto/tls ECH de-anonymization (CVE-2026-42505)#140

Merged
kevinmcconnell merged 1 commit into
basecamp:mainfrom
rafafloresta:bump-go-1.26.5-security
Jul 16, 2026
Merged

Bump Go to 1.26.5 to fix crypto/tls ECH de-anonymization (CVE-2026-42505)#140
kevinmcconnell merged 1 commit into
basecamp:mainfrom
rafafloresta:bump-go-1.26.5-security

Conversation

@rafafloresta

Copy link
Copy Markdown
Contributor

Summary

Bumps the go directive 1.26.41.26.5 to pull in the patched standard library, and refreshes x/net, x/crypto, and x/text to their latest releases.

Vulnerability

GO-2026-5856 / CVE-2026-42505crypto/tls. TLS handshakes using Encrypted Client Hello (ECH) could be de-anonymized by a passive network observer, because pre-shared key identities are disclosed in the unencrypted ClientHello. Fixed in go1.26.5.

The affected symbols (Conn.Handshake, Conn.Read/Conn.Write, Dial) sit on Thruster's TLS-terminating proxy path. CI builds via go-version-file: go.mod, so bumping the directive is what gets the patched toolchain into release binaries.

Verification

  • govulncheck ./... → 0 reachable vulnerabilities under go1.26.5
  • go build ./... OK
  • go test ./... passing

)

Bumps the go directive from 1.26.4 to 1.26.5, which patches
GO-2026-5856 / CVE-2026-42505 in crypto/tls: handshakes using
Encrypted Client Hello could be de-anonymized by a passive network
observer due to disclosure of pre-shared key identities in the
unencrypted ClientHello. Thruster's TLS-terminating proxy exercises
the affected crypto/tls handshake path.

Also refreshes x/net, x/crypto and x/text to their latest releases.
Copilot AI review requested due to automatic review settings July 16, 2026 15:35

@claude claude Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Claude Code Review

This pull request is from a fork — automated review is disabled. A repository maintainer can comment @claude review to run a one-time review.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates Thruster’s Go toolchain and core golang.org/x/* dependencies to pick up the Go 1.26.5 standard library fix for the reported crypto/tls ECH de-anonymization vulnerability (CVE-2026-42505 / GO-2026-5856).

Changes:

  • Bump the go directive from 1.26.4 to 1.26.5.
  • Update golang.org/x/crypto and golang.org/x/net to newer releases.
  • Refresh go.sum entries to match the updated module graph.

Tip

If you aren't ready for review, convert to a draft PR.
Click "Convert to draft" or run gh pr ready --undo.
Click "Ready for review" or run gh pr ready to reengage.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File Description
go.mod Bumps Go directive to 1.26.5 and updates golang.org/x/{crypto,net,text} versions.
go.sum Removes old checksums and adds/keeps checksums consistent with the updated go.mod requirements.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@kevinmcconnell

Copy link
Copy Markdown
Collaborator

Thanks @rafafloresta !

@kevinmcconnell
kevinmcconnell merged commit 900411c into basecamp:main Jul 16, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants