
security: upgrade golang to 1.25.6 to fix CVE-2025-61729 #4358

Merged
efiacor merged 11 commits into kptdev:main from menahyouyeah:upgrade-go-version
Jan 22, 2026

Conversation

@menahyouyeah (Contributor)

Description

This PR upgrades the Go toolchain and base images to version 1.25.6.

Why is this needed?

This update addresses CVE-2025-61729, a high-severity vulnerability in crypto/x509 that allows for potential Denial of Service (DoS) via resource exhaustion when processing malicious certificates.

Changes

  • Updated go.mod to go 1.25
  • Ran go mod tidy to refresh dependencies

netlify Bot commented Jan 21, 2026

Deploy Preview for kptdocs ready!

Latest commit: feaca8e
Latest deploy log: https://app.netlify.com/projects/kptdocs/deploys/69723942432adf0008dd6f56
Deploy Preview: https://deploy-preview-4358--kptdocs.netlify.app

Signed-off-by: Minna Howell <minnah@google.com>
Signed-off-by: Minna Howell <minnah@google.com>
@menahyouyeah changed the title from "security: upgrade golang to 1.25.6 to fix CVE-2025-61729" to "security: upgrade golang to 1.25.5 to fix CVE-2025-61729" on Jan 21, 2026
Signed-off-by: Minna Howell <minnah@google.com>
@efiacor (Contributor) left a comment

It might be good to bump the version in the .github workflows also.
ie.

```yaml
with:
  go-version: '>=1.24'
```

Signed-off-by: Minna Howell <minnah@google.com>
Signed-off-by: Minna Howell <minnah@google.com>
Signed-off-by: Minna Howell <minnah@google.com>
Signed-off-by: Minna Howell <minnah@google.com>
Signed-off-by: Minna Howell <minnah@google.com>
Signed-off-by: Minna Howell <minnah@google.com>
@menahyouyeah (Contributor, Author)

> It might be good to bump the version in the .github workflows also. ie.
>
> ```yaml
> with:
>   go-version: '>=1.24'
> ```

Updated the workflows. Since I bumped the go.mod to 1.25.6, the default GitHub runners (which often lag by a patch version or two, currently at 1.25.5) were failing because they couldn't satisfy the strict version check under GOTOOLCHAIN=local. So I updated to 1.25.6 specifically in a few places.
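The failure mode described in that comment, as an added example that is not part of the kpt PR or of the project's own tooling: a POSIX sh script that reads the `go` directive from a go.mod and checks whether a given installed toolchain is new enough for it, which is the comparison Go performs under GOTOOLCHAIN=local instead of downloading a newer toolchain. The go.mod text is constructed sample input, the version comparison is a simplified numeric model of Go's (pre-release suffixes such as rc1 are ignored), and the function names are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not code from the kpt PR: model the GOTOOLCHAIN=local
# check that made the runners fail when go.mod said "go 1.25.6" but the
# runner only had go 1.25.5. Function names and the sample go.mod are
# assumptions made for this illustration.

# Print the version named by the `go` directive in go.mod text on stdin.
go_directive() {
  awk '$1 == "go" { print $2; exit }'
}

# Compare two dotted versions numerically; prints -1, 0 or 1.
# Missing components count as 0, so "1.25" equals "1.25.0".
# Simplified model: pre-release suffixes such as rc1 are ignored.
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi < yi) { print "-1"; exit }
      if (xi > yi) { print "1"; exit }
    }
    print "0"
  }'
}

# Succeed (exit 0) when installed >= required, i.e. the local toolchain
# would be accepted under GOTOOLCHAIN=local; fail (exit 1) otherwise.
toolchain_satisfies() {
  req="$1"; have="$2"
  [ "$(vercmp "$have" "$req")" -ge 0 ]
}

# Version of the go binary on PATH, e.g. "1.25.6" from
# "go version go1.25.6 linux/amd64".
installed_go_version() {
  go version | awk '{ sub(/^go/, "", $3); print $3 }'
}

# Constructed sample go.mod mirroring the PR's bump.
SAMPLE_GO_MOD='module github.com/kptdev/kpt

go 1.25.6
'

required=$(printf '%s' "$SAMPLE_GO_MOD" | go_directive)
for installed in 1.25.5 1.25.6; do
  if toolchain_satisfies "$required" "$installed"; then
    echo "go $installed satisfies go.mod (go $required)"
  else
    echo "go $installed is older than go.mod (go $required); GOTOOLCHAIN=local would refuse to build"
  fi
done

# Only consult the real toolchain when one is present on PATH.
if command -v go >/dev/null 2>&1; then
  echo "local toolchain go $(installed_go_version)"
fi
```

Under Go's default GOTOOLCHAIN=auto a go.mod requiring a newer release makes the go command download that toolchain itself; GOTOOLCHAIN=local forbids the download and fails the build instead, so a workflow that sets it must install a toolchain at least as new as the go.mod directive. Pointing setup-go at the go.mod via go-version-file, as the reviewer suggests later in the thread, keeps the two in step without hard-coding the version in every workflow.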

@menahyouyeah changed the title from "security: upgrade golang to 1.25.5 to fix CVE-2025-61729" to "security: upgrade golang to 1.25.6 to fix CVE-2025-61729" on Jan 21, 2026
@efiacor (Contributor) left a comment

Can we go with the following for all workflows?

```yaml
- name: Set up Go
  uses: actions/setup-go@v6
  with:
    go-version-file: go/src/github.com/kptdev/kpt/go.mod
    cache: true
```

the check-latest is redundant if cache=true

Signed-off-by: Minna Howell <minnah@google.com>
Signed-off-by: Minna Howell <minnah@google.com>

@menahyouyeah (Contributor, Author)

> Can we go with the following for all workflows?
>
> ```yaml
> - name: Set up Go
>   uses: actions/setup-go@v6
>   with:
>     go-version-file: go/src/github.com/kptdev/kpt/go.mod
>     cache: true
> ```
>
> the check-latest is redundant if cache=true

Yep, done. Thanks for the feedback.

@efiacor efiacor merged commit 4eca0a8 into kptdev:main Jan 22, 2026
15 checks passed
@menahyouyeah menahyouyeah deleted the upgrade-go-version branch February 11, 2026 18:30