Update Go to 1.24.13 to fix remaining critical vulnerability (CVE-2025-68121)#21327
Merged
The local-app Go binaries are embedded in the ide-proxy Docker image. They were compiled with Go 1.24.9 (from the CI environment), which contains CVE-2025-68121 (critical Go stdlib vulnerability). Bump the toolchain directive in local-app/go.mod to go1.24.13, which forces the Go tool to auto-download 1.24.13 regardless of the CI environment's installed Go version. Also add apk upgrade to the ide-proxy Dockerfile to pick up Alpine security patches at build time (matching the proxy Dockerfile pattern). The .devcontainer/Dockerfile Go version bump is included for dev environment consistency but does not affect CI builds. Co-authored-by: Ona <no-reply@ona.com>
Force-pushed a785ad1 to ada8491
The CI image (dev/image/Dockerfile) inherits Go from the base image gitpod/workspace-gitpod-dev, which ships Go 1.24.9. That version contains CVE-2025-68121 (critical Go stdlib vulnerability). Install Go 1.24.13 explicitly in the CI image so all Go binaries built in CI use a patched toolchain. Bump TRIGGER_REBUILD to force an image rebuild. Co-authored-by: Ona <no-reply@ona.com>
Co-authored-by: Ona <no-reply@ona.com>
Force-pushed a00035a to ef9107d
corneliusludmann approved these changes Mar 4, 2026
Co-authored-by: Ona <no-reply@ona.com>
Force-pushed 20b4c34 to 1544040
…onment:fix-go-1-24-13-cve-2025-68121-gha.181
geropl added a commit that referenced this pull request Apr 23, 2026
The previous commit bumped 'toolchain go1.25.9' across all 71 go.mod
files. That worked locally but broke the existing CI dev-environment
image, which:
1. ships golangci-lint v1.64.8 built with Go 1.24 (rejects modules
declaring toolchain >= 1.25)
2. has system Go 1.24.13, so GOTOOLCHAIN=auto downloads the 1.25.9
toolchain module — but that module's prebuilt tools dir lacks
'covdata', breaking 'go test -coverprofile' for any Go library
package.
Instead, leave the 'toolchain' directive at go1.24.13 and rely on the
new dev-environment image (which has system Go 1.25.9 from
dev/image/Dockerfile) to compile binaries with the patched stdlib.
Once branch CI publishes the new image, a follow-up commit will update
the image tag references in .gitpod.yml and the workflow files (same
two-step pattern as #21327).
Co-authored-by: Ona <no-reply@ona.com>
geropl added a commit that referenced this pull request Apr 23, 2026
* Fix CVE-2026-27143: bump Go toolchain to 1.25.9

Daily vulnerability scan (CLC-2243) flagged 13 Classic component images with a critical Go stdlib vulnerability:
- CVE-2026-27143 (GO-2026-4868): compiler did not correctly check underflow/overflow on arithmetic over induction variables in loops, allowing invalid indexing at runtime that could lead to memory corruption.

The vulnerability is fixed in Go 1.25.9 (and 1.26.2). Bump the toolchain across the workspace:
- Set toolchain to go1.25.9 in all 71 go.mod files
- Update GO_VERSION in dev/image/Dockerfile and bump TRIGGER_REBUILD so the CI dev-environment image installs the patched compiler
- Update GO_VERSION in .devcontainer/Dockerfile for dev consistency

Verified locally by rebuilding all 13 affected components with GOTOOLCHAIN=go1.25.9 and confirming grype reports zero critical findings.

Co-authored-by: Ona <no-reply@ona.com>

* Pin golangci-lint --go=1.24 to match CI image toolchain

The CI dev-environment image bundles golangci-lint v1.64.8 built with Go 1.24, which refuses to lint code declaring "toolchain go1.25.9". Pin the lint target to 1.24 so the existing image keeps working without a rebuild. We don't use any 1.25 language features; the toolchain bump only addresses CVE-2026-27143 in the Go stdlib.

Co-authored-by: Ona <no-reply@ona.com>

* Revert toolchain bumps; rely on CI image's system Go for fix

The previous commit bumped 'toolchain go1.25.9' across all 71 go.mod files. That worked locally but broke the existing CI dev-environment image, which:
1. ships golangci-lint v1.64.8 built with Go 1.24 (rejects modules declaring toolchain >= 1.25)
2. has system Go 1.24.13, so GOTOOLCHAIN=auto downloads the 1.25.9 toolchain module — but that module's prebuilt tools dir lacks 'covdata', breaking 'go test -coverprofile' for any Go library package.

Instead, leave the 'toolchain' directive at go1.24.13 and rely on the new dev-environment image (which has system Go 1.25.9 from dev/image/Dockerfile) to compile binaries with the patched stdlib. Once branch CI publishes the new image, a follow-up commit will update the image tag references in .gitpod.yml and the workflow files (same two-step pattern as #21327).

Co-authored-by: Ona <no-reply@ona.com>

* Update dev-environment image to ona-clc-2243-fix-cve-2026-27143-bump-go-gha.275

This image was published by the previous run of this PR and contains Go 1.25.9, which is needed to compile binaries free of CVE-2026-27143. Switching the workflow and devcontainer references over so subsequent CI runs use the patched toolchain.

Co-authored-by: Ona <no-reply@ona.com>

---------

Co-authored-by: Ona <no-reply@ona.com>
Fixes the remaining critical vulnerability from the build after #21326, where ide-proxy:docker still reported 1 critical finding.

Root cause

The local-app Go binaries embedded in the ide-proxy image are compiled with Go 1.24.9 (from the CI build environment), which contains CVE-2025-68121 (critical Go stdlib vulnerability, fixed in 1.24.13).

The .devcontainer/Dockerfile Go version does not affect CI — the CI uses a separate pre-built image (dev/image/Dockerfile → gitpod/workspace-gitpod-dev). However, Go's toolchain directive in go.mod forces auto-download of the specified version regardless of what's installed.

Changes

- components/local-app/go.mod: Bump toolchain from go1.24.3 to go1.24.13 — this forces the Go tool to download and use 1.24.13 in CI even though the environment has 1.24.9
- components/ide-proxy/Dockerfile: Add apk upgrade --no-cache to match the proxy Dockerfile pattern
- .devcontainer/Dockerfile: Bump GO_VERSION to 1.24.13 for dev environment consistency

Follow-up to #21326. Resolves: CLC-2225
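The description above leans on two things a reviewer wants to verify independently: which Go release a shipped binary was actually compiled with (that is what the image scanner flags, not the source tree), and what the effective toolchain requirement in a go.mod is. Below is a small Go checker for both, added here as an example; it is not code from the gitpod repository or from this PR. It parses Go version strings, compares them against a minimum patched release, extracts the effective toolchain from go.mod text (falling back to the go directive when the toolchain line is absent or says default, as the go command does), and reads the toolchain recorded in a compiled binary via debug/buildinfo, the same data that go version -m prints. The file name, the function names, the module name github.com/example/local-app and both sample go.mod bodies are constructed for the example.

```go
// gotoolchain_check.go: added example, not part of the gitpod PR.
// Reports whether go.mod files and compiled binaries meet a minimum
// patched Go release (go1.24.13 in the PR's case).
package main

import (
	"bufio"
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// goVersion is a parsed "go1.M.P". Prerelease builds such as go1.25rc1
// sort below the final release of the same minor.
type goVersion struct {
	major, minor, patch int
	pre                 bool
}

// parseGoVersion accepts "go1.24.13", "1.24", "go1.25rc1" and the longer
// form runtime.Version() may return ("go1.24.13 X:nocoverageredesign").
func parseGoVersion(s string) (goVersion, bool) {
	var v goVersion
	fields := strings.Fields(s)
	if len(fields) == 0 {
		return v, false
	}
	parts := strings.Split(strings.TrimPrefix(fields[0], "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return v, false
	}
	var err error
	if v.major, err = strconv.Atoi(parts[0]); err != nil {
		return v, false
	}
	// The minor component may carry a prerelease suffix ("25rc1", "25beta2").
	digits := len(parts[1])
	for i, r := range parts[1] {
		if r < '0' || r > '9' {
			digits, v.pre = i, true
			break
		}
	}
	if digits == 0 {
		return v, false
	}
	if v.minor, err = strconv.Atoi(parts[1][:digits]); err != nil {
		return v, false
	}
	if len(parts) == 3 {
		if v.pre { // "go1.25rc1.2" is not a version
			return v, false
		}
		if v.patch, err = strconv.Atoi(parts[2]); err != nil {
			return v, false
		}
	}
	return v, true
}

// less reports whether a sorts before b.
func (a goVersion) less(b goVersion) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	if a.pre != b.pre {
		return a.pre // prerelease < final of the same minor
	}
	return a.patch < b.patch
}

// atLeast reports whether have meets the minimum want. Anything unparsable
// fails the check, so a malformed version string is never waved through.
func atLeast(have, want string) bool {
	h, ok1 := parseGoVersion(have)
	w, ok2 := parseGoVersion(want)
	return ok1 && ok2 && !h.less(w)
}

// modToolchain returns the version named by a go.mod toolchain directive,
// falling back to the go directive when there is none or it says "default".
func modToolchain(gomod string) string {
	goLine := ""
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 {
			continue
		}
		switch f[0] {
		case "toolchain":
			if f[1] != "default" {
				return f[1]
			}
		case "go":
			goLine = "go" + f[1]
		}
	}
	return goLine
}

// binaryGoVersion reads the toolchain recorded in a compiled Go binary,
// which is what a scanner sees inside an image regardless of any go.mod.
func binaryGoVersion(path string) (string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	return bi.GoVersion, nil
}

// Constructed sample go.mod bodies (assumed, not copied from the repository).
const sampleBefore = "module github.com/example/local-app\n\ngo 1.24\n\ntoolchain go1.24.3\n"
const sampleAfter = "module github.com/example/local-app\n\ngo 1.24\n\ntoolchain go1.24.13\n"

func main() {
	const min = "go1.24.13"
	for name, m := range map[string]string{"before": sampleBefore, "after": sampleAfter} {
		tc := modToolchain(m)
		fmt.Printf("go.mod(%s): toolchain %s, meets %s: %v\n", name, tc, min, atLeast(tc, min))
	}
	// Any binaries passed on the command line are inspected in place.
	for _, p := range os.Args[1:] {
		v, err := binaryGoVersion(p)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", p, err)
			continue
		}
		fmt.Printf("%s: built with %s, meets %s: %v\n", p, v, min, atLeast(v, min))
	}
}
```

Run it against the binaries extracted from an image (for example go run gotoolchain_check.go /path/to/local-app) to see the version that was really linked in. Two caveats worth keeping in mind: the toolchain directive is a minimum, and the go command only downloads it when GOTOOLCHAIN is auto (the default); with GOTOOLCHAIN=local the build fails rather than switching, so an image whose installed Go is already patched is the sturdier route, which is where the later commits on this page end up. And a go.mod check alone says nothing about binaries already built, which is why the binary-level check is the one a scanner's finding should be reconciled against.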