Conversation

@lucasmrod (Member) commented Aug 11, 2025

Ran

```
make update-go version=1.24.6
```

And then updated the `sha256`s manually in the Dockerfiles.

Fixes https://nvd.nist.gov/vuln/detail/CVE-2025-47907

Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call
to the Scan method of the returned Rows can result in unexpected results if other queries are being
made in parallel. This can result in a race condition that may overwrite the expected results with those
of another query, causing the call to Scan to return either unexpected results from the other
query or an error.
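Added example, not Fleet's code and not part of this PR: the caller-side way to consume `database/sql` rows under context cancellation, which is the code path the CVE text above describes. Go 1.24.6 fixes the race inside `database/sql` itself; this shows the hygiene that limits the blast radius on any toolchain: abort on a `Scan` error, check `rows.Err()` after the loop, and refuse to return rows gathered while the context was being cancelled. The `fake` driver, the `hosts` table and the two host rows are constructed for the example so it runs offline without MySQL.

```go
// Added example (not Fleet's code): consuming database/sql rows defensively
// under context cancellation. A constructed in-memory driver stands in for
// MySQL so the program runs offline; the host rows are sample data.
package main

import (
	"context"
	"database/sql"
	"database/sql/driver"
	"errors"
	"fmt"
	"io"
)

// ---- minimal in-memory driver (constructed for this example) ----

type fakeDriver struct{}

func (fakeDriver) Open(string) (driver.Conn, error) { return &fakeConn{}, nil }

type fakeConn struct{}

func (*fakeConn) Prepare(string) (driver.Stmt, error) { return &fakeStmt{}, nil }
func (*fakeConn) Close() error                        { return nil }
func (*fakeConn) Begin() (driver.Tx, error) {
	return nil, errors.New("transactions not supported")
}

type fakeStmt struct{}

func (*fakeStmt) Close() error  { return nil }
func (*fakeStmt) NumInput() int { return 0 }
func (*fakeStmt) Exec([]driver.Value) (driver.Result, error) {
	return nil, errors.New("exec not supported")
}
func (*fakeStmt) Query([]driver.Value) (driver.Rows, error) {
	// Two constructed sample rows for the hypothetical "hosts" table.
	return &fakeRows{data: [][]driver.Value{
		{int64(1), "laptop-01"},
		{int64(2), "laptop-02"},
	}}, nil
}

type fakeRows struct {
	data [][]driver.Value
	pos  int
}

func (*fakeRows) Columns() []string { return []string{"id", "hostname"} }
func (*fakeRows) Close() error      { return nil }
func (r *fakeRows) Next(dest []driver.Value) error {
	if r.pos >= len(r.data) {
		return io.EOF
	}
	copy(dest, r.data[r.pos])
	r.pos++
	return nil
}

func init() { sql.Register("fake", fakeDriver{}) }

// ---- consumer side: the part worth copying ----

type Host struct {
	ID       int64
	Hostname string
}

// LoadHosts scans every row and refuses to hand back a result set that was
// produced while ctx was being cancelled.
func LoadHosts(ctx context.Context, db *sql.DB) ([]Host, error) {
	rows, err := db.QueryContext(ctx, "SELECT id, hostname FROM hosts")
	if err != nil {
		return nil, err
	}
	defer rows.Close()

	var hosts []Host
	for rows.Next() {
		var h Host
		if err := rows.Scan(&h.ID, &h.Hostname); err != nil {
			// A Scan error aborts the whole read; never keep the rows scanned so far.
			return nil, fmt.Errorf("scan host: %w", err)
		}
		hosts = append(hosts, h)
	}
	// rows.Err reports iteration errors, including a context cancelled mid-loop.
	if err := rows.Err(); err != nil {
		return nil, err
	}
	// Even if the loop finished cleanly, a cancelled context means the rows may
	// have been closed underneath us: discard them rather than trust them.
	if err := ctx.Err(); err != nil {
		return nil, err
	}
	return hosts, nil
}

func main() {
	db, err := sql.Open("fake", "")
	if err != nil {
		panic(err)
	}
	hosts, err := LoadHosts(context.Background(), db)
	fmt.Println("normal:", hosts, err)

	ctx, cancel := context.WithCancel(context.Background())
	cancel() // simulate the caller giving up before the rows are consumed
	hosts, err = LoadHosts(ctx, db)
	fmt.Println("cancelled:", hosts, err)
}
```

The first call returns both hosts; the second, with an already-cancelled context, returns `context.Canceled` and no rows. The `ctx.Err()` check after `rows.Err()` is deliberate: per the CVE text, on an unpatched toolchain a cancellation during `Scan` could hand back data from a different query without any error, so the caller treats cancellation itself as grounds to discard the result set.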

codecov bot commented Aug 11, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (main@1ef8bc2).
⚠️ Report is 22 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main   #31784   +/-   ##
=======================================
  Coverage        ?   63.77%           
=======================================
  Files           ?     1965           
  Lines           ?   192264           
  Branches        ?     6278           
=======================================
  Hits            ?   122616           
  Misses          ?    60059           
  Partials        ?     9589           
Flag Coverage Δ
backend 65.16% <ø> (?)

Flags with carried forward coverage won't be shown.


@iansltx (Member) previously approved these changes Aug 11, 2025

@iansltx left a comment

Guessing we should cherry-pick this?

@lucasmrod (Member, Author)

> Guessing we should cherry-pick this?

I'm all ears. I'm not sure if we have any bugs that can be explained by this CVE/issue.
(We also have to account for how much it will delay v4.72.0.)

@lukeheath @jmwatts @xpkoala @PezHub

@lucasmrod lucasmrod merged commit d849e01 into main Aug 12, 2025
40 checks passed
@lucasmrod lucasmrod deleted the update-go-to-1.24.6 branch August 12, 2025 11:10
lucasmrod added a commit that referenced this pull request Aug 12, 2025
Ran
```
make update-go version=1.24.6
```
And then updated the `sha256`s manually in the Dockerfiles.

Fixes https://nvd.nist.gov/vuln/detail/CVE-2025-47907
```
Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call
to the Scan method of the returned Rows can result in unexpected results if other queries are being
made in parallel. This can result in a race condition that may overwrite the expected results with those
of another query, causing the call to Scan to return either unexpected results from the other
query or an error.
```
lukeheath pushed a commit that referenced this pull request Aug 12, 2025
Cherry pick for #31784.

We decided to patch it because 1.24.6 contains a fix for a HIGH CVE:
[CVE-2025-47907](https://nvd.nist.gov/vuln/detail/CVE-2025-47907)
BCTBB pushed a commit that referenced this pull request Aug 19, 2025