Fix CVE-2026-27143: bump Go toolchain to 1.25.9#21411
Merged
Daily vulnerability scan (CLC-2243) flagged 13 Classic component images with a critical Go stdlib vulnerability:
- CVE-2026-27143 (GO-2026-4868): compiler did not correctly check underflow/overflow on arithmetic over induction variables in loops, allowing invalid indexing at runtime that could lead to memory corruption.
The vulnerability is fixed in Go 1.25.9 (and 1.26.2).
Bump the toolchain across the workspace:
- Set toolchain to go1.25.9 in all 71 go.mod files
- Update GO_VERSION in dev/image/Dockerfile and bump TRIGGER_REBUILD so the CI dev-environment image installs the patched compiler
- Update GO_VERSION in .devcontainer/Dockerfile for dev consistency
Verified locally by rebuilding all 13 affected components with GOTOOLCHAIN=go1.25.9 and confirming grype reports zero critical findings.
Co-authored-by: Ona <no-reply@ona.com>
The CI dev-environment image bundles golangci-lint v1.64.8 built with Go 1.24, which refuses to lint code declaring "toolchain go1.25.9". Pin the lint target to 1.24 so the existing image keeps working without a rebuild. We don't use any 1.25 language features; the toolchain bump only addresses CVE-2026-27143 in the Go stdlib. Co-authored-by: Ona <no-reply@ona.com>
The previous commit bumped 'toolchain go1.25.9' across all 71 go.mod
files. That worked locally but broke the existing CI dev-environment
image, which:
1. ships golangci-lint v1.64.8 built with Go 1.24 (rejects modules
declaring toolchain >= 1.25)
2. has system Go 1.24.13, so GOTOOLCHAIN=auto downloads the 1.25.9
toolchain module — but that module's prebuilt tools dir lacks
'covdata', breaking 'go test -coverprofile' for any Go library
package.
Instead, leave the 'toolchain' directive at go1.24.13 and rely on the
new dev-environment image (which has system Go 1.25.9 from
dev/image/Dockerfile) to compile binaries with the patched stdlib.
Once branch CI publishes the new image, a follow-up commit will update
the image tag references in .gitpod.yml and the workflow files (same
two-step pattern as #21327).
Co-authored-by: Ona <no-reply@ona.com>
corneliusludmann
approved these changes
Apr 23, 2026
…go-gha.275 This image was published by the previous run of this PR and contains Go 1.25.9, which is needed to compile binaries free of CVE-2026-27143. Switching the workflow and devcontainer references over so subsequent CI runs use the patched toolchain. Co-authored-by: Ona <no-reply@ona.com>
Description
The daily vulnerability scan on main (build run) flagged 13 Classic component images with a single critical Go stdlib vulnerability (CVE-2026-27143), fixed in 1.25.9 (or 1.26.2).
Affected images (all are pure-Go binaries on the same Wolfi base):
image-builder-mk3, blobserve, registry-facade, public-api-server, ide-service, content-service, ee/agent-smith, ide-metrics, node-labeler, openvsx-proxy, service-waiter, ws-manager-mk2, ws-proxy.
This PR bumps the Go toolchain across the workspace from 1.24.13 to 1.25.9:
- toolchain go1.25.9 in all 71 go.mod files
- GO_VERSION in dev/image/Dockerfile, and bump TRIGGER_REBUILD so the CI dev-environment image installs the patched compiler
- GO_VERSION in .devcontainer/Dockerfile for dev-environment consistency
Note
A follow-up commit will be needed to update the dev-environment image tag references in .gitpod.yml and .github/workflows/*.yml once the new image is published, as was done in #21327.
Related Issue(s)
Fixes CLC-2243
How to test
Verified locally by rebuilding all 13 affected components with GOTOOLCHAIN=go1.25.9 and scanning each binary with grype:
Before the bump the same scan reports CVE-2026-27143 as Critical for stdlib@go1.24.13.
Documentation
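As an added example (not code from this PR or the repository), a POSIX shell check that reads the Go release a built binary was compiled with, via "go version FILE", and decides whether that release carries the CVE-2026-27143 fix; because the final commits leave the go.mod toolchain directive at go1.24.13 and rely on the image's system Go, this is the check that tells you what stdlib actually ended up in the binary. Beyond the two fixed releases the PR names (1.25.9 and 1.26.2), it assumes that later release lines (1.27+) are fixed and that rc/beta prereleases are not.

```shell
#!/bin/sh
# Added example, not from the PR. Fixed releases per the PR: go1.25.9, go1.26.2.
# Assumption: every later release line (1.27+) also has the fix; prereleases do not.

# go_fixed_for_cve VERSION -> exit 0 if VERSION contains the fix, 1 otherwise.
# Accepts "go1.25.9", "1.25.9", "go1.26" (read as 1.26.0) and "go1.27rc1".
go_fixed_for_cve() {
    v=${1#go}                                  # go1.25.9 -> 1.25.9
    case "$v" in
        *rc*|*beta*) return 1 ;;               # prerelease: not a fixed release
    esac
    major=${v%%.*}
    rest=${v#*.}
    [ "$rest" = "$v" ] && rest=0               # bare major, e.g. "2"
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;                        # "1.26" -> patch 0
    esac
    [ "$major" -gt 1 ] && return 0             # any hypothetical 2.x
    [ "$minor" -gt 26 ] && return 0            # 1.27 and later
    [ "$minor" -eq 26 ] && [ "$patch" -ge 2 ] && return 0
    [ "$minor" -eq 25 ] && [ "$patch" -ge 9 ] && return 0
    return 1                                   # 1.24.x, 1.25.0-8, 1.26.0-1
}

# binary_go_version FILE -> prints the toolchain the binary embeds in its
# buildinfo ("FILE: go1.25.9" from `go version FILE`); needs a go toolchain.
binary_go_version() {
    go version "$1" | awk 'NR==1 {print $2}'
}

# check_binary FILE -> 0 if the binary's stdlib is a patched release, 1 otherwise.
check_binary() {
    ver=$(binary_go_version "$1") || return 1
    if go_fixed_for_cve "$ver"; then
        echo "$1: built with $ver (patched)"
    else
        echo "$1: built with $ver (still affected by CVE-2026-27143)"
        return 1
    fi
}

# Usage: check_binary ./blobserve   (run against each rebuilt component binary)
```

Run check_binary against each of the 13 rebuilt component binaries; a binary whose embedded toolchain is go1.24.13 was not compiled with the patched compiler regardless of what go.mod declares.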