Bump Go to 1.26.5 to fix crypto/tls ECH de-anonymization (CVE-2026-42505)#140
Merged
kevinmcconnell merged 1 commit intoJul 16, 2026
Merged
Conversation
) Bumps the go directive from 1.26.4 to 1.26.5, which patches GO-2026-5856 / CVE-2026-42505 in crypto/tls: handshakes using Encrypted Client Hello could be de-anonymized by a passive network observer due to disclosure of pre-shared key identities in the unencrypted ClientHello. Thruster's TLS-terminating proxy exercises the affected crypto/tls handshake path. Also refreshes x/net, x/crypto and x/text to their latest releases.
There was a problem hiding this comment.
Pull request overview
Updates Thruster’s Go toolchain and core golang.org/x/* dependencies to pick up the Go 1.26.5 standard library fix for the reported crypto/tls ECH de-anonymization vulnerability (CVE-2026-42505 / GO-2026-5856).
Changes:
- Bump the
godirective from1.26.4to1.26.5. - Update
golang.org/x/cryptoandgolang.org/x/netto newer releases. - Refresh
go.sumentries to match the updated module graph.
Tip
If you aren't ready for review, convert to a draft PR.
Click "Convert to draft" or run gh pr ready --undo.
Click "Ready for review" or run gh pr ready to reengage.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| go.mod | Bumps Go directive to 1.26.5 and updates golang.org/x/{crypto,net,text} versions. |
| go.sum | Removes old checksums and adds/keeps checksums consistent with the updated go.mod requirements. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Collaborator
|
Thanks @rafafloresta ! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Bumps the
godirective1.26.4→1.26.5to pull in the patched standard library, and refreshesx/net,x/crypto, andx/textto their latest releases.Vulnerability
GO-2026-5856 / CVE-2026-42505 —
crypto/tls. TLS handshakes using Encrypted Client Hello (ECH) could be de-anonymized by a passive network observer, because pre-shared key identities are disclosed in the unencrypted ClientHello. Fixed in go1.26.5.The affected symbols (
Conn.Handshake,Conn.Read/Conn.Write,Dial) sit on Thruster's TLS-terminating proxy path. CI builds viago-version-file: go.mod, so bumping the directive is what gets the patched toolchain into release binaries.Verification
govulncheck ./...→ 0 reachable vulnerabilities under go1.26.5go build ./...OKgo test ./...passing