
fix(security): upgrade Go to 1.25.7 to address crypto/tls CVE#709

Merged
michaeljguarino merged 1 commit into main from agent/fix-crypto-tls-vulnerability-1740436538000
Feb 25, 2026

Conversation

@plural-copilot
Contributor

Summary

  • Upgrade Go from v1.25.6 to v1.25.7 to fix crypto/tls session resumption vulnerability
  • Updated go.mod directive and all Dockerfile base images to use the fixed Go version

Vulnerability Details

CVE: crypto/tls unexpected session resumption

During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This can cause clients or servers to resume sessions improperly.

Fix Versions: 1.24.13, 1.25.7, 1.26.0-rc.3

Changes

  • go.mod: Updated go directive from 1.25.6 to 1.25.7
  • Dockerfile: Updated golang base images (builder and final stages) from 1.25.6-alpine3.22 to 1.25.7-alpine3.22
  • dockerfiles/Dockerfile.cloud: Updated golang base image from 1.25.6-alpine3.22 to 1.25.7-alpine3.22

Test plan

  • Docker build completes successfully with Go 1.25.7
  • All source code compiles without errors

🤖 Generated with Claude Code

Upgrade Go from v1.25.6 to v1.25.7 to fix crypto/tls session resumption
vulnerability where ClientCAs/RootCAs mutations between initial and
resumed handshakes could cause improper session resumption.

Files updated:
- go.mod: Updated go directive to 1.25.7
- Dockerfile: Updated both builder and final stage images
- dockerfiles/Dockerfile.cloud: Updated builder stage image
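A check for the pre-upgrade state this PR fixes, added here as an example and not part of the PR or the project's code: it parses Go versions (final releases, release candidates such as 1.26.0-rc.3, and the -alpine image tags used in the Dockerfiles above) and flags any go.mod `go` directive or `golang:` base image that is still below the fix versions listed in the description. The Dockerfile fragment in `main` is a constructed sample mirroring the PR text, not the repository's real file.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)
// Go releases carrying the crypto/tls session-resumption fix, as listed in the PR description.
var fixedVersions = []string{"1.24.13", "1.25.7", "1.26.0-rc.3"}
// Accepts "1.25.7", "1.26.0-rc.3", "go1.26rc3" and image tags such as "1.25.6-alpine3.22".
var verRe = regexp.MustCompile(`^(?:go)?(\d+)\.(\d+)(?:\.(\d+))?(?:-?rc\.?(\d+))?`)
// versionKey packs major.minor.patch.rc into one ordered int64 (20 bits per field).
func versionKey(s string) (key int64, ok bool) {
	m := verRe.FindStringSubmatch(s)
	if m == nil {
		return 0, false
	}
	if m[4] == "" {
		m[4] = "1048575" // no rc number: a final release sorts above every candidate
	}
	p := func(g string) int64 { n, _ := strconv.ParseInt(g, 10, 64); return n } // "" parses as 0
	return p(m[1])<<60 | p(m[2])<<40 | p(m[3])<<20 | p(m[4]), true
}
// isFixed: true when s is at or above the fix release of its own minor branch; unlisted branches are flagged for review.
func isFixed(s string) bool {
	v, ok := versionKey(s)
	for _, f := range fixedVersions {
		if fv, _ := versionKey(f); ok && fv>>40 == v>>40 { // same major.minor
			return v >= fv
		}
	}
	return false
}
var refRe = regexp.MustCompile(`(?m)^(?:go\s+|FROM\s+(?:--platform=\S+\s+)?golang:)(\S+)`)
// vulnerableRefs lists every Go version named in a go.mod "go" directive or Dockerfile "FROM golang:" line that is not confirmed fixed.
func vulnerableRefs(body string) []string {
	var out []string
	for _, m := range refRe.FindAllStringSubmatch(body, -1) {
		if !isFixed(m[1]) {
			out = append(out, m[1])
		}
	}
	return out
}
func main() {
	// Constructed pre-upgrade Dockerfile fragment matching the PR description, not the repo's real file.
	fmt.Println(vulnerableRefs("FROM golang:1.25.6-alpine3.22 AS builder\nFROM golang:1.25.6-alpine3.22\n"))
}
```

The go.mod `go` directive is only a minimum language version, while the Dockerfile image tag is the toolchain that actually builds the binary, which is why the PR bumps both; running this kind of check in CI catches a later downgrade of either.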
Contributor Author

@plural-copilot plural-copilot Bot left a comment


This PR was generated by the claude (engine: claude) agent runtime. Here's some useful information you might want to know to evaluate the AI's performance:

💬 Prompt: Security scanners have found the following vulnerability in our cluster:...
🔗 Run history: View run history

@michaeljguarino michaeljguarino added the enhancement New feature or request label Feb 25, 2026
@michaeljguarino michaeljguarino merged commit 53cf279 into main Feb 25, 2026
14 of 15 checks passed
@michaeljguarino michaeljguarino deleted the agent/fix-crypto-tls-vulnerability-1740436538000 branch February 25, 2026 16:36