
update to go1.24.13, go1.25.7 #12869

Merged
mxpv merged 1 commit into containerd:main from thaJeztah:bump_go
Feb 8, 2026

Conversation

@thaJeztah
Member

go1.25.7 (released 2026-02-04) includes security fixes to the go command and the crypto/tls package, as well as bug fixes to the compiler and the crypto/x509 package. See the Go 1.25.7 milestone on our issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.25.7+label%3ACherryPickApproved

full diff: golang/go@go1.25.6...go1.25.7

From the security mailing list:

Hello gophers,

We have just released Go versions 1.25.7 and 1.24.13, minor point releases.

These releases include 2 security fixes following the security policy:

  • cmd/cgo: remove user-content from doc strings in cgo ASTs

    A discrepancy between how Go and C/C++ comments
    were parsed allowed for code smuggling into the
    resulting cgo binary.

    To prevent this behavior, the cgo compiler
    will no longer parse user-provided doc
    comments.

    Thank you to RyotaK (https://ryotak.net) of
    GMO Flatt Security Inc. for reporting this issue.

    This is CVE-2025-61732 and https://go.dev/issue/76697.

  • crypto/tls: unexpected session resumption when using Config.GetConfigForClient

    Config.GetConfigForClient is documented to use the original Config's session
    ticket keys unless explicitly overridden. This can cause unexpected behavior if
    the returned Config modifies authentication parameters, like ClientCAs: a
    connection initially established with the parent (or a sibling) Config can be
    resumed, bypassing the modified authentication requirements.

    If ClientAuth is VerifyClientCertIfGiven or RequireAndVerifyClientCert (on the
    server) or InsecureSkipVerify is false (on the client), crypto/tls now checks
    that the root of the previously-verified chain is still in ClientCAs/RootCAs
    when resuming a connection.

    Go 1.26 Release Candidate 2, Go 1.25.6, and Go 1.24.12 had fixed a similar issue
    related to session ticket keys being implicitly shared by Config.Clone. Since
    this fix is broader, the Config.Clone behavior change has been reverted.

    Note that VerifyPeerCertificate still behaves as documented: it does not apply
    to resumed connections. Applications that use Config.GetConfigForClient or
    Config.Clone and do not wish to blindly resume connections established with the
    original Config must use VerifyConnection instead (or SetSessionTicketKeys or
    SessionTicketsDisabled).

    Thanks to Coia Prant (github.com/rbqvq) for reporting this issue.

    This updates CVE-2025-68121 and Go issue https://go.dev/issue/77217.

Signed-off-by: Sebastiaan van Stijn <[email protected]>
@thaJeztah added the cherry-pick/1.7.x, cherry-pick/2.1.x and cherry-pick/2.2.x labels (change to be cherry picked to the release/1.7, release/2.1 and release/2.2 branches) Feb 7, 2026
@dosubot dosubot Bot added the area/toolchain Build and Release Toolchain label Feb 7, 2026
@mxpv mxpv enabled auto-merge February 8, 2026 01:05
@mxpv mxpv disabled auto-merge February 8, 2026 04:29
@mxpv mxpv added this pull request to the merge queue Feb 8, 2026
Merged via the queue into containerd:main with commit 10a5bad Feb 8, 2026
54 checks passed
@thaJeztah thaJeztah deleted the bump_go branch February 8, 2026 12:55
@thaJeztah
Member Author

/cherry-pick release/2.2
/cherry-pick release/2.1

@k8s-infra-cherrypick-robot

@thaJeztah: #12869 failed to apply on top of branch "release/2.1":

Applying: update to go1.24.13, go1.25.7
Using index info to reconstruct a base tree...
M	.devcontainer/devcontainer.json
M	.github/actions/install-go/action.yml
M	.github/workflows/api-release.yml
M	.github/workflows/ci.yml
M	.github/workflows/release/Dockerfile
M	Vagrantfile
M	contrib/Dockerfile.test
M	contrib/fuzz/oss_fuzz_build.sh
M	script/setup/prepare_env_windows.ps1
Falling back to patching base and 3-way merge...
Auto-merging script/setup/prepare_env_windows.ps1
CONFLICT (content): Merge conflict in script/setup/prepare_env_windows.ps1
Auto-merging contrib/fuzz/oss_fuzz_build.sh
CONFLICT (content): Merge conflict in contrib/fuzz/oss_fuzz_build.sh
Auto-merging contrib/Dockerfile.test
CONFLICT (content): Merge conflict in contrib/Dockerfile.test
Auto-merging Vagrantfile
CONFLICT (content): Merge conflict in Vagrantfile
Auto-merging .github/workflows/release/Dockerfile
CONFLICT (content): Merge conflict in .github/workflows/release/Dockerfile
Auto-merging .github/workflows/ci.yml
CONFLICT (content): Merge conflict in .github/workflows/ci.yml
Auto-merging .github/workflows/api-release.yml
CONFLICT (content): Merge conflict in .github/workflows/api-release.yml
Auto-merging .github/actions/install-go/action.yml
CONFLICT (content): Merge conflict in .github/actions/install-go/action.yml
Auto-merging .devcontainer/devcontainer.json
CONFLICT (content): Merge conflict in .devcontainer/devcontainer.json
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
Patch failed at 0001 update to go1.24.13, go1.25.7


In response to this:

/cherry-pick release/2.2
/cherry-pick release/2.1

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-infra-cherrypick-robot

@thaJeztah: #12869 failed to apply on top of branch "release/2.2":

Applying: update to go1.24.13, go1.25.7
Using index info to reconstruct a base tree...
M	.devcontainer/devcontainer.json
M	.github/actions/install-go/action.yml
M	.github/workflows/api-release.yml
M	.github/workflows/ci.yml
M	.github/workflows/release/Dockerfile
M	Vagrantfile
M	contrib/Dockerfile.test
M	contrib/fuzz/oss_fuzz_build.sh
M	script/setup/prepare_env_windows.ps1
Falling back to patching base and 3-way merge...
Auto-merging script/setup/prepare_env_windows.ps1
CONFLICT (content): Merge conflict in script/setup/prepare_env_windows.ps1
Auto-merging contrib/fuzz/oss_fuzz_build.sh
CONFLICT (content): Merge conflict in contrib/fuzz/oss_fuzz_build.sh
Auto-merging contrib/Dockerfile.test
CONFLICT (content): Merge conflict in contrib/Dockerfile.test
Auto-merging Vagrantfile
CONFLICT (content): Merge conflict in Vagrantfile
Auto-merging .github/workflows/release/Dockerfile
CONFLICT (content): Merge conflict in .github/workflows/release/Dockerfile
Auto-merging .github/workflows/ci.yml
CONFLICT (content): Merge conflict in .github/workflows/ci.yml
Auto-merging .github/workflows/api-release.yml
CONFLICT (content): Merge conflict in .github/workflows/api-release.yml
Auto-merging .github/actions/install-go/action.yml
CONFLICT (content): Merge conflict in .github/actions/install-go/action.yml
Auto-merging .devcontainer/devcontainer.json
CONFLICT (content): Merge conflict in .devcontainer/devcontainer.json
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
Patch failed at 0001 update to go1.24.13, go1.25.7


In response to this:

/cherry-pick release/2.2
/cherry-pick release/2.1


@thaJeztah added the cherry-picked/2.2.x label (PR commits are cherry-picked into the release/2.2 branch) and removed cherry-pick/2.2.x Feb 8, 2026
@thaJeztah added the cherry-picked/2.1.x label (PR commits are cherry-picked into the release/2.1 branch) and removed cherry-pick/2.1.x Feb 8, 2026
@thaJeztah added the cherry-picked/1.7.x label (PR commits are cherry-picked into the release/1.7 branch) and removed cherry-pick/1.7.x Feb 8, 2026