Skip to content

Commit 7121b6a

Browse files
authored
fix(security): bump Go 1.26.4 → 1.26.5 for CVE-2026-39822 (#200)
Go 1.26.5 fixes CVE-2026-39822 (HIGH) — os.Root symlink following vulnerability allows directory traversal. Updated in: go.mod, Dockerfile, Makefile.
1 parent bc84872 commit 7121b6a

3 files changed

Lines changed: 3 additions & 3 deletions

File tree

Dockerfile

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,7 @@
1111
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
1212
# See the License for the specific language governing permissions and
1313
# limitations under the License.
14-
ARG GOLANG_BASE_IMG=golang:1.26.4-alpine3.23
14+
ARG GOLANG_BASE_IMG=golang:1.26.5-alpine3.23
1515
ARG ALPINE_BASE_IMG=alpine:3.23.5
1616
FROM ${GOLANG_BASE_IMG}
1717
RUN apk --no-cache add git pkgconfig build-base libdrm-dev

Makefile

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -23,7 +23,7 @@ DEVICE_PLUGIN_TAG ?= $(IMAGE_VERSION)
2323
LABELLER_TAG ?= labeller-$(IMAGE_VERSION)
2424
UBI_DEVICE_PLUGIN_TAG ?= rhubi-$(IMAGE_VERSION)
2525
UBI_LABELLER_TAG ?= labeller-rhubi-$(IMAGE_VERSION)
26-
GOLANG_BASE_IMG ?= golang:1.26.4-alpine3.23
26+
GOLANG_BASE_IMG ?= golang:1.26.5-alpine3.23
2727
ALPINE_BASE_IMG ?= alpine:3.23.5
2828

2929
# Output directory for tar.gz files

go.mod

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
module github.com/ROCm/k8s-device-plugin
22

3-
go 1.26.4
3+
go 1.26.5
44

55
require (
66
github.com/go-logr/logr v1.4.3

0 commit comments

Comments
 (0)