fix: upgrade Go toolchain from 1.26.2 to 1.26.4 by Shelnutt2 · Pull Request #26066 · coder/coder · GitHub

fix: upgrade Go toolchain from 1.26.2 to 1.26.4#26066

Merged: Shelnutt2 merged 1 commit into main from upgrade-go-1.26.4 on Jun 4, 2026
@Shelnutt2 (Contributor)

Upgrades the Go toolchain from 1.26.2 to 1.26.4 to address two stdlib CVEs:

  • CVE-2026-27145 (Low): crypto/x509 VerifyHostname has quadratic cost with large DNS SAN lists, enabling DoS with untrusted certificates.
  • CVE-2026-42507 (Low): net/textproto includes attacker-controlled input in errors without escaping, enabling log injection.

Changes

  • go.mod: Bump go directive from 1.26.2 to 1.26.4
  • mise.toml: Bump go tool version from 1.26.2 to 1.26.4
  • mise.lock: Regenerated with updated Go checksums

Resolves ENT-104

Generated by Coder Agents on behalf of @Shelnutt2

Addresses CVE-2026-27145 (crypto/x509 VerifyHostname quadratic cost)
and CVE-2026-42507 (net/textproto unescaped attacker input in errors).

Resolves ENT-104
linear-code Bot commented Jun 4, 2026

@Shelnutt2 Shelnutt2 marked this pull request as ready for review June 4, 2026 13:39

@Emyrk (Member) left a comment

@Shelnutt2 Shelnutt2 merged commit 61a3518 into main Jun 4, 2026
58 checks passed
@Shelnutt2 Shelnutt2 deleted the upgrade-go-1.26.4 branch June 4, 2026 15:22
@github-actions github-actions Bot locked and limited conversation to collaborators Jun 4, 2026
@Shelnutt2 Shelnutt2 added the dependencies and cherry-pick labels Jun 4, 2026