Bump Go to 1.24.12+ to fix CVE-2025-61726, CVE-2025-61728, CVE-2025-61729

## Summary

Go 1.24.12 fixes three CVEs affecting tkn:

- **CVE-2025-61726**: Memory exhaustion in `net/url` query parameter parsing
- **CVE-2025-61728**: Excessive CPU consumption in `archive/zip` index building  
- **CVE-2025-61729**: Resource exhaustion in `crypto/x509` certificate validation

## Current State

- main: Go 1.24.6
- release-v0.42.0: Go 1.24.3
- release-v0.37.2: Go 1.23.0

## Required

Bump to Go 1.24.12+ on main and backport to active release branches.

## References

- https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
- https://github.com/golang/go/issues/77101
- https://github.com/golang/go/issues/77102
- https://pkg.go.dev/vuln/GO-2025-4155

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump Go to 1.24.12+ to fix CVE-2025-61726, CVE-2025-61728, CVE-2025-61729 #2716

Summary

Current State

Required

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Bump Go to 1.24.12+ to fix CVE-2025-61726, CVE-2025-61728, CVE-2025-61729 #2716

Description

Summary

Current State

Required

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions