Skip to content

update to go1.26.5#1338

Merged
thaJeztah merged 1 commit into
docker:masterfrom
thaJeztah:update_go1.26.5
Jul 8, 2026
Merged

update to go1.26.5#1338
thaJeztah merged 1 commit into
docker:masterfrom
thaJeztah:update_go1.26.5

Conversation

@thaJeztah

Copy link
Copy Markdown
Member

go1.26.5 (released 2026-07-07) includes security fixes to the crypto/tls and os packages, as well as bug fixes to the compiler, the runtime, the go command, and the net, os, and syscall packages. See the Go 1.26.5 milestone on our issue tracker for details;

From the security announcement:

We have just released Go versions 1.26.5 and 1.25.12, minor point releases.

These releases include 2 security fixes following the security policy:

  • os: Root escape via symlink plus trailing slash

    On Unix systems, opening a file in an os.Root improperly
    followed symlinks to locations outside of the Root when
    the final path component of the a path is a symbolic link
    and the path ends in /.

    For example, root.Open("symlink/") would open "symlink"
    even when "symlink" is a symbolic link pointing outside of the root.

    On Unix, openat(fd, path, O_NOFOLLOW) will follow symlinks
    in path when path ends in a /. Root failed to account for
    this behavior, permitting paths with a trailing / to escape.
    It now properly sanitizes the path parameter provided to openat.

    hanks to Mundur for reporting this issue.

    This is CVE-2026-39822 and Go issue https://go.dev/issue/79005.

  • crypto/tls: Encrypted Client Hello privacy leak

    he Encrypted Client Hello implementation would leak the pre-shared key
    dentities during the handshake, allowing a passive network observer who can
    ollect handshakes to de-anonymize the hostname of the server, even when ECH was
    eing used.

    Thanks to Coia Prant (github.com/rbqvq) for reporting this issue.

    This is CVE-2026-42505 and Go issue https://go.dev/issue/79282.

- What I did

- Description for the changelog

go1.26.5 (released 2026-07-07) includes security fixes to the crypto/tls
and os packages, as well as bug fixes to the compiler, the runtime, the
go command, and the net, os, and syscall packages. See the Go 1.26.5
milestone on our issue tracker for details;

- https://github.com/golang/go/issues?q=milestone%3AGo1.26.5+label%3ACherryPickApproved
- full diff: golang/go@go1.26.4...go1.26.5

From the security announcement:

We have just released Go versions 1.26.5 and 1.25.12, minor point releases.

These releases include 2 security fixes following the security policy:

- os: Root escape via symlink plus trailing slash

  On Unix systems, opening a file in an os.Root improperly
  followed symlinks to locations outside of the Root when
  the final path component of the a path is a symbolic link
  and the path ends in /.

  For example, root.Open("symlink/") would open "symlink"
  even when "symlink" is a symbolic link pointing outside of the root.

  On Unix, openat(fd, path, O_NOFOLLOW) will follow symlinks
  in path when path ends in a /. Root failed to account for
  this behavior, permitting paths with a trailing / to escape.
  It now properly sanitizes the path parameter provided to openat.

  hanks to Mundur for reporting this issue.

  This is CVE-2026-39822 and Go issue https://go.dev/issue/79005.

- crypto/tls: Encrypted Client Hello privacy leak

  he Encrypted Client Hello implementation would leak the pre-shared key
  dentities during the handshake, allowing a passive network observer who can
  ollect handshakes to de-anonymize the hostname of the server, even when ECH was
  eing used.

  Thanks to Coia Prant (github.com/rbqvq) for reporting this issue.

  This is CVE-2026-42505 and Go issue https://go.dev/issue/79282.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah thaJeztah merged commit 4627bfe into docker:master Jul 8, 2026
38 of 73 checks passed
@thaJeztah thaJeztah deleted the update_go1.26.5 branch July 8, 2026 11:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants