Skip to content

fix(rest-api): bump affected Go builders to 1.26.5#1

Open
osu wants to merge 1 commit into
mainfrom
security/go-2026-4970-go-1.26.5
Open

fix(rest-api): bump affected Go builders to 1.26.5#1
osu wants to merge 1 commit into
mainfrom
security/go-2026-4970-go-1.26.5

Conversation

@osu

@osu osu commented Jul 12, 2026

Copy link
Copy Markdown
Owner

Note

Demonstration draft generated from a validated review-only patch artifact. Do not merge until the REST image builds and scans complete.

Updates the Go builder image from golang:1.26.4 to golang:1.26.5 in the nine affected REST production Dockerfiles. This addresses the publicly disclosed Go standard-library vulnerability GO-2026-4970 / CVE-2026-39822.

Related issues

Type of Change

  • Add - New feature or capability
  • Change - Changes in existing functionality
  • Fix - Bug fixes
  • Remove - Removed features or deprecated functionality
  • Internal - Internal changes (refactoring, tests, docs, etc.)

Breaking Changes

  • This PR contains breaking changes

No breaking changes are expected.

Testing

  • Unit tests added/updated
  • Integration tests added/updated
  • Manual testing performed
  • No testing required (docs, internal refactor, etc.)

Validation completed:

  • Patch artifact status: patch_ready
  • Trusted validation outcome: fixed
  • Patch SHA-256: 4af21804c49da928795a70bdbf313549b1cbb26edcb45067dc4f166a84e0c168
  • Applied unchanged to base 6a5316b
  • Regenerated binary/full-index diff is byte-identical to the artifact
  • Scope is nine production Dockerfiles with one builder-pin replacement each
  • git diff --check passed
  • The official golang:1.26.5 OCI index contains linux/amd64 and linux/arm64 manifests

Pending before review:

  • REST CI and production image builds
  • Follow-up inspection of all nine amd64 Grype artifacts to confirm GO-2026-4970 is absent
  • ARM64 build verification; the source scan evidence covered amd64 only

Additional Notes

This is a demonstration draft. The validation artifact and internal pipeline evidence are retained privately and are not linked from this public PR. nico-mcp, local/development images, workflow pins, documentation, and the unrelated Envoy 1.26.4 prerequisite remain unchanged because they were outside the grouped scanner finding.

Remediate GO-2026-4970 (CVE-2026-39822) in the nine scanned production REST images using the validated artifact from github-security-pipeline-codex run 29175343028.

Signed-off-by: Hasan Khan <hasank@nvidia.com>
@osu osu marked this pull request as ready for review July 12, 2026 06:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant