Skip to content

[cherry-pick v20260107] fix(security): bump Go to 1.25.10 and golang.org/x/net to v0.55.0#8561

Closed
djsly wants to merge 1 commit into
Azure:official/v20260107from
djsly:djsly/icm-796913379-cve-go-1.25.10-v20260107
Closed

[cherry-pick v20260107] fix(security): bump Go to 1.25.10 and golang.org/x/net to v0.55.0#8561
djsly wants to merge 1 commit into
Azure:official/v20260107from
djsly:djsly/icm-796913379-cve-go-1.25.10-v20260107

Conversation

@djsly
Copy link
Copy Markdown
Collaborator

@djsly djsly commented May 22, 2026
edited
Loading

Summary

Cherry-pick of #8551 to official/vv20260107.

Bumps the Go toolchain and golang.org/x/net to address upstream CVEs:

Vulnerability CVE Component Fixed by
net/mail DoS via crafted addresses CVE-2026-39820 net/mail (stdlib) Go 1.25.10
cmd/go pack subcommand directory traversal CVE-2026-39817 cmd/go (stdlib) Go 1.25.10
HTTP/2 + IPv6 host parsing fixes (various, see x/net release notes) golang.org/x/net v0.55.0

Why bump to Go 1.25 (and not a 1.24.x patch)

Go 1.24 reached EOL in February 2026 and does NOT receive security backports. go1.25.10 is the only release stream that contains these fixes.

golang.org/x/net v0.51.0+ also requires go 1.25.0 in its own go.mod, so the Go bump is required regardless.

Verification

  • go mod tidy succeeds for every module in the branch.
  • go build ./... clean across every module.
  • PR CI must pull go 1.25 runners.

Release plan

Once merged, two tags are pushed off the resulting commit:

  • v0.v20260107.<N+1> (AgentBaker module)
  • aks-node-controller/v0.v20260107.<N+1> (aks-node-controller submodule)

🤖 Generated with GitHub Copilot CLI

@djsly
fix(security): bump Go to 1.25.10 and golang.org/x/net to v0.55.0
a588c2d 
Backport the Go 1.25.10 and golang.org/x/net v0.55.0 CVE fix from Azure#8551 to official/v20260107.

IcM 796913379.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings May 22, 2026 17:18
Copilot AI reviewed May 22, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Backports the security-motivated Go toolchain bump to Go 1.25.10 and upgrades golang.org/x/net (and related x/* libs) on the official/v20260107 branch to address the CVEs tracked in IcM 796913379.

Changes:

  • Bump Go version to 1.25.10 across the repo’s Go modules.
  • Upgrade golang.org/x/net to v0.55.0 (plus related x/sys, x/text, x/tools, x/crypto updates where applicable) and refresh go.sum files.
  • Update GitHub Actions workflows to use Go 1.25.

Reviewed changes

Copilot reviewed 12 out of 15 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
go.mod Bumps root module Go version and upgrades indirect golang.org/x/* dependencies (incl. x/net v0.55.0).
go.sum Updates checksums for upgraded golang.org/x/* dependencies.
e2e/go.mod Bumps Go version and upgrades golang.org/x/net (indirect) and golang.org/x/crypto.
e2e/go.sum Updates checksums for upgraded golang.org/x/* dependencies in e2e module.
aks-node-controller/go.mod Bumps Go version and updates indirect golang.org/x/sys.
aks-node-controller/go.sum Updates checksums for upgraded golang.org/x/net and related x/* deps.
vhdbuilder/lister/go.mod Bumps Go version for the lister submodule.
vhdbuilder/prefetch/go.mod Bumps Go version for the prefetch submodule.
hack/tools/go.mod Bumps Go version for the tools module.
.github/workflows/validate-components.yml Updates workflow Go version to 1.25.
.github/workflows/shellspec.yaml Updates workflow Go version to 1.25.
.github/workflows/shellcheck.yml Updates workflow Go version to 1.25.
.github/workflows/golangci-lint.yml Updates workflow Go version to 1.25.
.github/workflows/go-test.yml Updates workflow Go version to 1.25.
.github/workflows/check-coverage.yml Updates workflow Go version to 1.25.

Comment thread vhdbuilder/lister/go.mod
Comment on lines 1 to 4
module github.com/Azure/agentbaker/vhdbuilder/lister

go 1.23.0

toolchain go1.24.1
go 1.25.10

@djsly djsly changed the title [cherry-pick v20260107] fix(security): bump Go to 1.25.10 and golang.org/x/net to v0.55.0 [IcM 796913379] [cherry-pick v20260107] fix(security): bump Go to 1.25.10 and golang.org/x/net to v0.55.0 May 22, 2026
@djsly
Copy link
Copy Markdown
Collaborator Author

djsly commented May 22, 2026

Closing in favor of #8573 (recreated from Azure/AgentBaker branch — repo policy rejects fork-sourced PRs).

@djsly djsly closed this May 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@cameronmeissner cameronmeissner Awaiting requested review from cameronmeissner cameronmeissner is a code owner

@ganeshkumarashok ganeshkumarashok Awaiting requested review from ganeshkumarashok ganeshkumarashok is a code owner

@Devinwong Devinwong Awaiting requested review from Devinwong Devinwong is a code owner

@lilypan26 lilypan26 Awaiting requested review from lilypan26 lilypan26 is a code owner

@AbelHu AbelHu Awaiting requested review from AbelHu AbelHu is a code owner

@junjiezhang1997 junjiezhang1997 Awaiting requested review from junjiezhang1997 junjiezhang1997 is a code owner

@phealy phealy Awaiting requested review from phealy phealy is a code owner

@r2k1 r2k1 Awaiting requested review from r2k1 r2k1 is a code owner

@timmy-wright timmy-wright Awaiting requested review from timmy-wright timmy-wright is a code owner

@zachary-bailey zachary-bailey Awaiting requested review from zachary-bailey zachary-bailey is a code owner

@awesomenix awesomenix Awaiting requested review from awesomenix awesomenix is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@djsly