[release/2.2 backport] update to go1.24.13, go1.25.7 #12871

Merged
mxpv merged 2 commits into containerd:release/2.2 from thaJeztah:release_2.2_backport_bump_go
Feb 9, 2026

@thaJeztah
Member

@github-project-automation github-project-automation Bot moved this to Needs Triage in Pull Request Review Feb 8, 2026
@dosubot dosubot Bot added the area/toolchain Build and Release Toolchain label Feb 8, 2026
@thaJeztah thaJeztah changed the title from "[release/2.2 backport} update to go1.24.13, go1.25.7" to "[release/2.2 backport] update to go1.24.13, go1.25.7" Feb 8, 2026
@akhilerm
Member

akhilerm commented Feb 9, 2026

The kubernetes node e2e tests should pass once #12875 is merged.

@github-project-automation github-project-automation Bot moved this from Needs Triage to Review In Progress in Pull Request Review Feb 9, 2026
akhilerm and others added 2 commits February 9, 2026 11:18
Signed-off-by: Akhil Mohan <[email protected]>
(cherry picked from commit bde3dea)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
go1.25.7 (released 2026-02-04) includes security fixes to the go command
and the crypto/tls package, as well as bug fixes to the compiler and the
crypto/x509 package. See the Go 1.25.7 milestone on our issue tracker for
details:
https://github.com/golang/go/issues?q=milestone%3AGo1.25.7+label%3ACherryPickApproved

full diff: golang/go@go1.25.6...go1.25.7

From the security mailing list:

> Hello gophers,
>
> We have just released Go versions 1.25.7 and 1.24.13, minor point releases.
>
> These releases include 2 security fixes following the security policy:
>
> - cmd/cgo: remove user-content from doc strings in cgo ASTs
>
>   A discrepancy between how Go and C/C++ comments
>   were parsed allowed for code smuggling into the
>   resulting cgo binary.
>
>   To prevent this behavior, the cgo compiler
>   will no longer parse user-provided doc
>   comments.
>
>   Thank you to RyotaK (https://ryotak.net) of
>   GMO Flatt Security Inc. for reporting this issue.
>
>   This is CVE-2025-61732 and https://go.dev/issue/76697.
>
> - crypto/tls: unexpected session resumption when using Config.GetConfigForClient
>
>   Config.GetConfigForClient is documented to use the original Config's session
>   ticket keys unless explicitly overridden. This can cause unexpected behavior if
>   the returned Config modifies authentication parameters, like ClientCAs: a
>   connection initially established with the parent (or a sibling) Config can be
>   resumed, bypassing the modified authentication requirements.
>
>   If ClientAuth is VerifyClientCertIfGiven or RequireAndVerifyClientCert (on the
>   server) or InsecureSkipVerify is false (on the client), crypto/tls now checks
>   that the root of the previously-verified chain is still in ClientCAs/RootCAs
>   when resuming a connection.
>
>   Go 1.26 Release Candidate 2, Go 1.25.6, and Go 1.24.12 had fixed a similar issue
>   related to session ticket keys being implicitly shared by Config.Clone. Since
>   this fix is broader, the Config.Clone behavior change has been reverted.
>
>   Note that VerifyPeerCertificate still behaves as documented: it does not apply
>   to resumed connections. Applications that use Config.GetConfigForClient or
>   Config.Clone and do not wish to blindly resume connections established with the
>   original Config must use VerifyConnection instead (or SetSessionTicketKeys or
>   SessionTicketsDisabled).
>
>   Thanks to Coia Prant (github.com/rbqvq) for reporting this issue.
>
>   This updates CVE-2025-68121 and Go issue https://go.dev/issue/77217.

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit 1551986)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
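
The crypto/tls note in the commit message above says that servers using Config.GetConfigForClient which must not blindly resume sessions should use VerifyConnection. The following shows that mitigation as an added example; it is not part of this PR or of containerd's code. `pinRoots`, `tenantConfig` and `demo` are hypothetical names, and the certificates and connection states are constructed stand-ins.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
)

// pinRoots (hypothetical helper) returns a VerifyConnection callback. Unlike
// VerifyPeerCertificate, VerifyConnection also runs on resumed connections.
func pinRoots(roots ...*x509.Certificate) func(tls.ConnectionState) error {
	return func(cs tls.ConnectionState) error {
		for _, chain := range cs.VerifiedChains {
			for _, r := range roots {
				if len(chain) > 0 && chain[len(chain)-1].Equal(r) {
					return nil
				}
			}
		}
		return errors.New("peer chain is not rooted in this Config's CAs")
	}
}

// tenantConfig (hypothetical) is what GetConfigForClient would return per tenant.
func tenantConfig(base *tls.Config, root *x509.Certificate) *tls.Config {
	c := base.Clone()
	c.ClientCAs = x509.NewCertPool()
	c.ClientCAs.AddCert(root)
	c.ClientAuth = tls.RequireAndVerifyClientCert
	c.VerifyConnection = pinRoots(root)
	return c
}

// demo feeds tenant A's Config two constructed resumed-connection states.
func demo() (sameTenant, otherTenant error) {
	a := &x509.Certificate{Raw: []byte("constructed root A")} // stand-in: Equal compares Raw only
	b := &x509.Certificate{Raw: []byte("constructed root B")}
	cfg := tenantConfig(&tls.Config{}, a)
	resumed := func(root *x509.Certificate) tls.ConnectionState {
		return tls.ConnectionState{DidResume: true, VerifiedChains: [][]*x509.Certificate{{root}}}
	}
	return cfg.VerifyConnection(resumed(a)), cfg.VerifyConnection(resumed(b))
}

func main() {
	same, other := demo()
	fmt.Println("tenant A chain:", same, "| tenant B chain:", other)
}
```

The callback rejects a resumed session whose previously verified chain ends in a sibling tenant's root, independent of whether the Go toolchain in use already carries the go1.25.7 / go1.24.13 fix.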
@estesp estesp force-pushed the release_2.2_backport_bump_go branch from f6ba8b5 to b4240ef Compare February 9, 2026 16:18
@dmcgowan
Member

dmcgowan commented Feb 9, 2026

Looks like actions is having issues, needs to still wait for CI even though it's green

@estesp estesp marked this pull request as draft February 9, 2026 17:14
@estesp estesp marked this pull request as ready for review February 9, 2026 17:14
@dosubot dosubot Bot added the github_actions Pull requests that update GitHub Actions code label Feb 9, 2026
@estesp
Member

estesp commented Feb 9, 2026

> Looks like actions is having issues, needs to still wait for CI even though it's green

Yeah, the rebase happened right during a brief GH outage and seems it never triggered the CI run. I think one of us will have to check out the PR and push to get it to trigger?

@thaJeztah
Member Author

let's see if an old-school close and reopen works

@thaJeztah thaJeztah closed this Feb 9, 2026
@github-project-automation github-project-automation Bot moved this from Review In Progress to Done in Pull Request Review Feb 9, 2026
@thaJeztah thaJeztah reopened this Feb 9, 2026
@github-project-automation github-project-automation Bot moved this from Done to Needs Triage in Pull Request Review Feb 9, 2026
@mxpv mxpv merged commit befea1e into containerd:release/2.2 Feb 9, 2026
89 of 92 checks passed
@github-project-automation github-project-automation Bot moved this from Needs Triage to Done in Pull Request Review Feb 9, 2026
@thaJeztah thaJeztah deleted the release_2.2_backport_bump_go branch February 9, 2026 21:16
Labels

- area/toolchain: Build and Release Toolchain
- github_actions: Pull requests that update GitHub Actions code
- size/S