Upgrade Go to 1.26.2 to fix stdlib CVEs (v6.2.2) #4172

Merged
reinkrul merged 1 commit into V6.2 from fix/go-1.26.2-v6.2
Apr 10, 2026

@reinkrul reinkrul commented Apr 10, 2026

Summary

  • Upgrade Go from 1.26.1 to 1.26.2 in go.mod and Dockerfile
  • Add release notes for v6.2.2

Fixes the following Go stdlib vulnerabilities:

| Advisory | Package | Description |
|---|---|---|
| GO-2026-4865 | html/template | XSS via incorrect JS template literal escaping |
| GO-2026-4866 | crypto/x509 | Auth bypass via excluded DNS name constraints not applied to wildcard SANs |
| GO-2026-4869 | archive/tar | DoS via unbounded memory allocation in tar reader |
| GO-2026-4870 | crypto/tls | DoS via TLS 1.3 connection deadlock on multiple KeyUpdate messages |
| GO-2026-4946 | crypto/x509 | DoS via inefficient policy validation with many policy mappings |

Test plan

  • CI passes (govulncheck should report no stdlib vulnerabilities)
  • Docker image builds with golang:1.26.2-alpine

🤖 Generated with Claude Code

Fixes GO-2026-4865 (html/template XSS), GO-2026-4866 (crypto/x509 auth bypass),
GO-2026-4869 (archive/tar DoS), GO-2026-4870 (crypto/tls DoS), GO-2026-4946 (crypto/x509 DoS)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
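
The upgrade above touches two files that must agree, go.mod and the Dockerfile. As an added example (not code from this pull request or the project), this Go program flags a go.mod `go` directive or a Dockerfile `golang:` base image pinned below the patched release. The names `Stale` and `older` and the sample file contents are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample inputs (not the project's real files): go.mod was bumped,
// but the Dockerfile still pins the previous patch release.
const sampleGoMod = "module example.test/node\n\ngo 1.26.2\n"
const sampleDockerfile = "FROM golang:1.26.1-alpine AS builder\nRUN go build ./...\n"

var (
	goDirective = regexp.MustCompile(`(?m)^go\s+(\d+\.\d+(?:\.\d+)?)\s*$`)
	fromGolang  = regexp.MustCompile(`(?mi)^FROM\s+(?:--\S+\s+)*(?:\S+/)?golang:(\d+\.\d+(?:\.\d+)?)`)
)

// older reports whether version a sorts before b, comparing components as numbers.
// A missing patch component counts as 0, so a floating tag such as 1.26 is flagged.
func older(a, b string) bool {
	pa, pb := strings.Split(a+".0.0", "."), strings.Split(b+".0.0", ".")
	for i := 0; i < 3; i++ {
		x, _ := strconv.Atoi(pa[i])
		y, _ := strconv.Atoi(pb[i])
		if x != y {
			return x < y
		}
	}
	return false
}

// Stale lists every pinned Go version below want, labelled with its source file.
func Stale(goMod, dockerfile, want string) []string {
	var out []string
	scan := func(label string, re *regexp.Regexp, text string) {
		for _, m := range re.FindAllStringSubmatch(text, -1) {
			if older(m[1], want) {
				out = append(out, label+": "+m[1])
			}
		}
	}
	scan("go.mod", goDirective, goMod)
	scan("Dockerfile", fromGolang, dockerfile)
	return out
}

func main() { fmt.Println(Stale(sampleGoMod, sampleDockerfile, "1.26.2")) }
```

A check like this complements govulncheck in CI: it catches a build image that lags behind go.mod before the image is built.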
qltysh bot commented Apr 10, 2026

Qlty

Coverage Impact

⬆️ Merging this pull request will increase total coverage on V6.2 by 0.01%.

@reinkrul reinkrul merged commit 5275f35 into V6.2 Apr 10, 2026
8 checks passed
@reinkrul reinkrul deleted the fix/go-1.26.2-v6.2 branch April 10, 2026 13:37