fix: bump Go to 1.25.11 to fix CVE-2026-42504 and CVE-2026-33811 #2101

Merged: shibd merged 1 commit into branch-4.2 from fix/branch-4.2-go-1.25.11 on Jun 15, 2026

@shibd (Member) commented Jun 15, 2026

Summary

  • Upgrades Go stdlib from 1.25.10 to 1.25.11 across all CI workflows, go.mod, and test Dockerfile
  • Fixes CVE-2026-42504 (HIGH): DoS via maliciously-crafted MIME header with many parameters (fixed in 1.25.11)
  • Fixes CVE-2026-33811 (HIGH): net package DoS via long host names (fixed in 1.25.10, present in pulsarctl-kube binary still at 1.25.9)

These vulnerabilities were detected by Trivy in sn-platform-slim:4.2.1.1:

  • pulsar/bin/pulsarctl compiled with stdlib v1.25.10, vulnerable to CVE-2026-42504
  • pulsar/plugins/pulsarctl-kube compiled with stdlib v1.25.9, vulnerable to CVE-2026-33811

Files changed

  • go.mod: bumped go directive from 1.25.10 to 1.25.11
  • .github/workflows/ci-*.yml: updated go-version from 1.25.10 to 1.25.11
  • scripts/test-docker/Dockerfile: updated base image from golang:1.25.10-alpine to golang:1.25.11-alpine

Related Issues

  • Fixes streamnative/eng-support-tickets#4626
  • Fixes streamnative/eng-support-tickets#4627

Test plan

  • CI Trivy scan passes with no HIGH/CRITICAL stdlib CVEs after build
  • All existing CI checks pass on branch-4.2

🤖 Generated with Claude Code

Upgrade Go stdlib from 1.25.10 to 1.25.11 to remediate:
- CVE-2026-42504 (HIGH): maliciously-crafted MIME header DoS
- CVE-2026-33811 (HIGH): net package DoS via long host names

Fixes: streamnative/eng-support-tickets#4626
Fixes: streamnative/eng-support-tickets#4627

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@shibd shibd requested review from a team, mattisonchao and zymap as code owners June 15, 2026 07:29
@github-actions

@shibd: Thanks for your contribution. For this PR, do we need to update docs?
(The PR template contains info about doc, which helps others know more about the changes. Can you provide doc-related info in this and future PR descriptions? Thanks)

@github-actions (bot) added the doc-info-missing label ("This pr needs to mark a document option in description") Jun 15, 2026
@shibd shibd merged commit 399b269 into branch-4.2 Jun 15, 2026
11 checks passed
@shibd shibd deleted the fix/branch-4.2-go-1.25.11 branch June 15, 2026 08:36
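
A Go binary records the toolchain version it was built with, which is the stdlib version reported for pulsarctl and pulsarctl-kube in the description above. As an added example (not code from this PR or from the pulsarctl project), the Go program below reads that version with `debug/buildinfo` and fails when a binary predates go1.25.11; the function names and the fail-closed policy are assumptions of the example.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
)

const minGo = "go1.25.11" // patched release named in this PR

// versionKey maps "go1.25.11" to a sortable integer (a string compare ranks 1.25.9 above 1.25.11).
func versionKey(v string) (int, error) {
	var major, minor, patch int
	if _, err := fmt.Sscanf(v, "go%d.%d.%d", &major, &minor, &patch); err != nil {
		return 0, fmt.Errorf("not a go1.N.P release version: %q", v)
	}
	return major*1_000_000 + minor*1_000 + patch, nil
}

// olderThan reports whether toolchain version v predates floor.
func olderThan(v, floor string) (bool, error) {
	a, err := versionKey(v)
	if err != nil {
		return false, err
	}
	b, err := versionKey(floor)
	return a < b, err
}

// stale reads the toolchain version embedded in the binary at path and compares it to floor.
func stale(path, floor string) (string, bool, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	old, err := olderThan(info.GoVersion, floor)
	return info.GoVersion, old, err
}

func main() {
	code := 0
	for _, p := range os.Args[1:] { // paths to built binaries
		v, old, err := stale(p, minGo)
		if old || err != nil {
			code = 1 // fail closed on stale, unreadable or non-release builds
		}
		fmt.Printf("%s: go=%q stale=%t err=%v\n", p, v, old, err)
	}
	os.Exit(code)
}
```

Run against every binary copied into the image, this catches a plugin built by a separate pipeline that still pins an older toolchain.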