Skip to content

update to go1.25.5 #6688

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
thaJeztah merged 1 commit into from
Dec 2, 2025
Merged

update to go1.25.5 #6688

thaJeztah merged 1 commit into from
Dec 2, 2025
+8 −8

Conversation

@vvoland
Copy link
Collaborator

@vvoland vvoland commented Dec 2, 2025
edited
Loading

These releases include 2 security fixes following the security policy:

  • crypto/x509: excessive resource consumption in printing error string for host certificate validation

    Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out.
    Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime.

    Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.
    HostnameError.Error() now limits the number of hosts and utilizes strings.Builder when constructing an error string.

    Thanks to Philippe Antoine (Catena cyber) for reporting this issue.

    This is CVE-2025-61729 and Go issue https://go.dev/issue/76445.

  • crypto/x509: excluded subdomain constraint does not restrict wildcard SANs

    An excluded subdomain constraint in a certificate chain does not restrict the
    usage of wildcard SANs in the leaf certificate. For example a constraint that
    excludes the subdomain test.example.com does not prevent a leaf certificate from
    claiming the SAN *.example.com.

    This is CVE-2025-61727 and Go issue https://go.dev/issue/76442.

View the release notes for more information

- Description for the changelog

Update Go runtime to [1.25.5](https://go.dev/doc/devel/release#go1.25.5)

@vvoland
update to go1.25.5
d544885 
These releases include 2 security fixes following the security policy:

- crypto/x509: excessive resource consumption in printing error string for host certificate validation

    Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out.
    Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime.

    Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.
    HostnameError.Error() now limits the number of hosts and utilizes strings.Builder when constructing an error string.

    Thanks to Philippe Antoine (Catena cyber) for reporting this issue.

    This is CVE-2025-61729 and Go issue https://go.dev/issue/76445.

- crypto/x509: excluded subdomain constraint does not restrict wildcard SANs

    An excluded subdomain constraint in a certificate chain does not restrict the
    usage of wildcard SANs in the leaf certificate. For example a constraint that
    excludes the subdomain test.example.com does not prevent a leaf certificate from
    claiming the SAN *.example.com.

    This is CVE-2025-61727 and Go issue https://go.dev/issue/76442.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.25.5

Signed-off-by: Paweł Gronowski <[email protected]>
@vvoland vvoland added this to the 29.1.2 milestone Dec 2, 2025
@vvoland vvoland self-assigned this Dec 2, 2025
@codecov-commenter
Copy link

codecov-commenter commented Dec 2, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

thaJeztah
thaJeztah approved these changes Dec 2, 2025
View reviewed changes
Copy link
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@vvoland vvoland closed this Dec 2, 2025
@vvoland vvoland reopened this Dec 2, 2025
@thaJeztah thaJeztah merged commit 890dcca into docker:master Dec 2, 2025
108 of 189 checks passed
kaosagnt added a commit to kaosagnt/toolbox2docker that referenced this pull request Dec 4, 2025
@kaosagnt
Docker 29.1.2
d5b89fc 
Update Go runtime to 1.25.5. moby/moby#51648, docker/cli#6688

Fixes a potential DoS via excessive resource usage when formatting hostname
validation errors CVE-2025-61729

Fixes incorrect enforcement of excluded subdomain constraints for wildcard
SANs, which could allow improperly trusted certificates CVE-2025-61727
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@thaJeztah thaJeztah thaJeztah approved these changes

Assignees

@vvoland vvoland

Labels

area/dependencies impact/changelog kind/bugfix PR's that fix bugs

Projects

None yet

Milestone

29.1.2

Development

Successfully merging this pull request may close these issues.

3 participants

@vvoland @codecov-commenter @thaJeztah