Skip to content

fix: upgrade Go toolchain to 1.26.5 for GO-2026-4970-stdlib#3278

Merged
migmartri merged 1 commit into
mainfrom
chainloop/fix-go-2026-4970-stdlib-20260710-003456
Jul 10, 2026
Merged

fix: upgrade Go toolchain to 1.26.5 for GO-2026-4970-stdlib#3278
migmartri merged 1 commit into
mainfrom
chainloop/fix-go-2026-4970-stdlib-20260710-003456

Conversation

@chainloop-platform

@chainloop-platform chainloop-platform Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Summary

Bumped the repository Go toolchain directive from 1.26.4 to 1.26.5 and updated the goreleaser builder images to the matching golang:1.26.5 pinned digest. This applies the minimum patch recommended for the vulnerable Go standard library release line.

Vulnerability Fixed

GO-2026-4970-stdlib (HIGH): on Unix systems, os.Root can improperly follow a final-component symlink outside the intended root when the path ends with /.

Changes Made

  • Updated go.mod from go 1.26.4 to go 1.26.5 so local and CI builds use the fixed Go standard library release.
  • Updated app/controlplane/Dockerfile.goreleaser, app/cli/Dockerfile.goreleaser, and app/artifact-cas/Dockerfile.goreleaser from golang:1.26.4@sha256:68cb6d68bed024785b69195b89af7ac7a444f27791435f98647edff595aa0479 to golang:1.26.5@sha256:079e59808d2d252516e27e3f3a9c003740dee7f75e55aa71528766d52bcfc16a to keep the release builders on the same fixed toolchain.

Verification

Ran syft dir:. -o cyclonedx-json=/tmp/chainloop-sbom-jVCFKl.json followed by grype sbom:/tmp/chainloop-sbom-jVCFKl.json --only-fixed -o json against the patched repo/. Classification: resolved. grype completed successfully and GO-2026-4970-stdlib was not present in the scan results.

Risk Assessment

View the risk assessment in Chainloop

Review in cubic

@migmartri migmartri merged commit ff93ea4 into main Jul 10, 2026
13 of 14 checks passed
@migmartri migmartri deleted the chainloop/fix-go-2026-4970-stdlib-20260710-003456 branch July 10, 2026 06:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants