Skip to content

[release-v0.42.x] Security: Fix CVE-2026-27145 - update Go toolchain to 1.25.11#3007

Open
divyansh42 wants to merge 1 commit into
release-v0.42.xfrom
fix/SRVKP-12628-cve-2026-27145-stdlib-crypto-x509-release-v0.42.x-attempt-1
Open

[release-v0.42.x] Security: Fix CVE-2026-27145 - update Go toolchain to 1.25.11#3007
divyansh42 wants to merge 1 commit into
release-v0.42.xfrom
fix/SRVKP-12628-cve-2026-27145-stdlib-crypto-x509-release-v0.42.x-attempt-1

Conversation

@divyansh42

Copy link
Copy Markdown
Member

Summary

This PR fixes CVE-2026-27145 by updating the Go toolchain requirement from go 1.25.9 to go 1.25.11 in go.mod.

CVE Details

  • CVE-2026-27145 (GO-2026-5037, BIT-golang-2026-27145): golang crypto/x509 — Denial of Service via excessive processing of DNS SAN entries
    • Affected: Go stdlib versions < 1.25.11 and < 1.26.4
    • Fixed version: Go 1.25.11 (patch in same minor line)
    • Jira: SRVKP-12628

Changes

  • Updated go directive in go.mod: 1.25.9 → 1.25.11
  • No vendor/ changes required (stdlib version bump only)

Vulnerability Scan

  • Tool: govulncheck v1.5.0 (go1.25.11)
  • CVE identified via OSV advisory GO-2026-5037

Test Results

Status: ✅ All tests passed
Summary: All unit test packages pass with go1.25.11 toolchain

Jira References

SRVKP-12628

Testing Checklist

  • Pre-PR automated tests executed (all packages pass)
  • go mod tidy && go mod verify && go mod vendor passed
  • Verify CVE is resolved with security scan post-merge

Risk Assessment

Low — minor patch version bump to the Go stdlib toolchain requirement; no API changes; all tests pass.


🤖 Generated by CVE Fixer Workflow

Security fix: update Go toolchain from 1.25.9 to 1.25.11 to address CVE-2026-27145 (crypto/x509 DoS)

- Update go directive from 1.25.9 to 1.25.11 in go.mod
- Addresses Denial of Service via excessive processing of DNS SAN entries
  in crypto/x509 (Go stdlib)
- Fixed in Go 1.25.11 and 1.26.4 (per GO-2026-5037)
- All unit tests pass with go1.25.11 toolchain

Jira: SRVKP-12628

Co-Assisted-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@tekton-robot tekton-robot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Jul 7, 2026
@tekton-robot tekton-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Jul 7, 2026
@pratap0007

Copy link
Copy Markdown
Contributor

/lgtm
/approve

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Jul 7, 2026
@tekton-robot

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: pratap0007
To complete the pull request process, please assign vdemeester after the PR has been reviewed.
You can assign the PR to them by writing /assign @vdemeester in a comment when ready.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@divyansh42 divyansh42 changed the title Security: Fix CVE-2026-27145 - update Go toolchain to 1.25.11 (SRVKP-12628) Security: Fix CVE-2026-27145 - update Go toolchain to 1.25.11 Jul 8, 2026
@divyansh42 divyansh42 changed the title Security: Fix CVE-2026-27145 - update Go toolchain to 1.25.11 [release-v0.42.x] Security: Fix CVE-2026-27145 - update Go toolchain to 1.25.11 Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants