Bump Go toolchain to 1.25.11 to resolve stdlib CVEs (v1.1.1) #294

Lusitaniae merged 1 commit into master from security/go-1.25.11 on Jun 22, 2026

@Lusitaniae (Owner)

What

Bumps the build toolchain to go1.25.11 and tags v1.1.1 so freshly published images are recompiled with a patched Go.

These advisories live in the Go standard library / toolchain — not in apache_exporter code or its module dependencies — so they're cleared by recompiling, not by an app change. go1.25.11 satisfies every flagged fix:

| Advisory | Fixed in | Notes |
|---|---|---|
| CVE-2025-68121 | 1.25.7 | already cleared by the prior 1.25.8 pin |
| CVE-2026-27143 | 1.25.9 | still open under 1.25.8 — the reason for this bump |
| GO-2026-4868 | | cmd/compile |
| GO-2026-4337 | | crypto/tls |

Changes

  • go.mod: toolchain go1.25.8 → go1.25.11
  • VERSION: 1.1.0 → 1.1.1
  • CHANGELOG.md: 1.1.1 security entry

Verification

  • Fresh go build embeds go1.25.11 (go version -m)
  • go vet ./... passes

Note

The fix only reaches users once images are rebuilt: merge, then tag v1.1.1 to trigger the publish_release job. Confirm the published image reports go1.25.11 via go version -m /bin/apache_exporter before closing the upstream issue (CVE-2025-68121).

🤖 Generated with Claude Code

These advisories are in the Go standard library/toolchain, not in
apache_exporter code or its module dependencies, so they are cleared by
recompiling with a patched Go rather than by an app change.

go1.25.11 satisfies every fixed version flagged:
- CVE-2025-68121  (fixed in 1.25.7)
- CVE-2026-27143  (fixed in 1.25.9)
- GO-2026-4868    (cmd/compile)
- GO-2026-4337    (crypto/tls)

The previous toolchain pin (go1.25.8) still left CVE-2026-27143 open.
Release v1.1.1 so the published images are rebuilt with the fixed toolchain.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@Lusitaniae (Owner, Author)

Closes #293

@Lusitaniae Lusitaniae merged commit d9b0698 into master Jun 22, 2026
14 checks passed
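
The post-release check described in the Note above, as an added example that is not part of this PR or the apache_exporter repository: it reads the Go version embedded in a built binary (the value `go version -m` reports) and fails if that version predates a fixed version stated in the PR. The names `fixedIn`, `parse` and `openAdvisories` are introduced here for illustration.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"log"
	"os"
	"strconv"
	"strings"
)

// Only the advisories the PR gives a fixed version for; GO-2026-4868 and GO-2026-4337 have none on the page.
var fixedIn = [][2]string{{"CVE-2025-68121", "go1.25.7"}, {"CVE-2026-27143", "go1.25.9"}}

// parse maps "go1.25.11" to 1025011 and rejects devel, rc and suffixed versions.
func parse(v string) (int, error) {
	key := 0
	for _, p := range append(strings.Split(strings.TrimPrefix(v, "go"), "."), "0", "0")[:3] {
		n, err := strconv.Atoi(p)
		if err != nil || !strings.HasPrefix(v, "go") || n < 0 || n > 999 {
			return 0, fmt.Errorf("not a release Go version: %q", v)
		}
		key = key*1000 + n
	}
	return key, nil
}

// openAdvisories lists advisories whose fixed version is newer than goVersion.
func openAdvisories(goVersion string) (open []string, err error) {
	have, err := parse(goVersion)
	if err != nil {
		return nil, err // fail closed: an unparsable toolchain is never "patched"
	}
	for _, a := range fixedIn {
		if want, _ := parse(a[1]); have < want {
			open = append(open, a[0])
		}
	}
	return open, nil
}

func main() {
	info, err := buildinfo.ReadFile(os.Args[len(os.Args)-1]) // e.g. /bin/apache_exporter
	if err != nil {
		log.Fatal(err)
	}
	if open, err := openAdvisories(info.GoVersion); err != nil || len(open) > 0 {
		log.Fatalf("%s: open advisories %v, error %v", info.GoVersion, open, err)
	}
}
```

Run it against the binary extracted from the published image; exit status 0 means the embedded toolchain is at or above every fixed version listed.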