mirror of
https://github.com/coder/coder.git
synced 2026-06-02 20:48:20 +00:00
8b8496f09e
## Summary

Overarching security remediation for compliance on the v2.24.x ESR branch. Addresses all 11 sub-issues from [ENT-68](https://linear.app/codercom/issue/ENT-68). Each fix is an independent commit for easy review and bisection.

## Changes

| Commit | Sub-Issue | Package | Before | After | CVEs |
|--------|-----------|---------|--------|-------|------|
| 1 | ENT-75 | Go toolchain | 1.24.6 (EOL) | 1.25.10 | 20+ CVEs (Critical/High) |
| 2 | ENT-76 | `google.golang.org/grpc` | v1.73.0 | v1.80.0 | CVE-2026-33186 (Critical) |
| 3 | ENT-79 | `golang.org/x/crypto` | v0.38.0 | v0.51.0 | CVE-2025-47913, CVE-2025-47914, CVE-2025-58181 |
| 4 | ENT-78 | `golang.org/x/net` | v0.40.0 | v0.54.0 | CVE-2026-33814 |
| 5 | ENT-77 | `go-jose/go-jose/v4` | v4.1.0 | v4.1.4 | CVE-2026-34986 |
| 6 | ENT-70 | `go.opentelemetry.io/otel/sdk` | v1.35.0 | v1.43.0 | CVE-2026-24051, CVE-2026-39883 |
| 7 | ENT-72 | `github.com/yuin/goldmark` | v1.7.10 | v1.7.17 | CVE-2026-5160 |
| 8 | ENT-69 | `github.com/gomarkdown/markdown` | pseudo-ver | latest | GHSA-77fj-vx54-gvh7 |
| 9 | ENT-74 | `filippo.io/edwards25519` | v1.1.0 | v1.1.1 | CVE-2026-26958 |
| 10 | ENT-73 | `github.com/cloudflare/circl` | v1.6.1 | v1.6.3 | CVE-2026-1229 |
| 11 | ENT-71 | Base image (urllib3, tar, util-linux) | UBI8 8.7 | patched | CVE-2026-44431, CVE-2026-26960, CVE-2026-5704, CVE-2026-27456 |

### CI fix commits (not security-related)

| Commit | Fix | Reason |
|--------|-----|--------|
| 12 | `mockgen` v0.5.0 -> v0.6.0 | v0.5.0 depends on `x/tools` v0.22.0 which doesn't compile under Go 1.25 |
| 13 | Regenerate swagger docs | `x/oauth2` v0.35 changed a doc comment on `Token.Expiry` |
| 14 | `hc-install` v0.9.2 -> v0.9.4 | Expired HashiCorp PGP key (72D7468F) causing `TestInstall` failures |
| 15 | Rust toolchain 1.86.0 -> 1.88.0, pin cargo versions | `time@0.3.47` (transitive of watchexec-cli) requires rustc 1.88+ |
| 16 | Fix test error casing | `hashicorp/go-version` lowercased "Malformed" to "malformed" |
| 17 | Pin docker-ce to 27.x in dogfood | Docker 28+ requires containerd.io >= 1.7.27 (pinned at 1.7.23) |
| 18 | Bump goimports/gopls in dogfood | Older versions pull x/tools with code incompatible with Go 1.25 |

## CI Status

**All 19/20 CI jobs pass.** The only failure is `test-go-pg (windows-2022)` due to `TestLabelsAggregation` — a **known flaky test** (timing issue fixed on `main` by PR #19654 but never backported to `release/2.24`). The dogfood workflow fails on a transient external tool download (`gzip: stdin: not in gzip format`), unrelated to our changes and not a required check.

## Validation

- `go build ./...` passes
- `go vet ./...` has same 3 pre-existing warnings (no regressions)
- `scripts/check_go_versions.sh` passes (all 4 Go version references consistent)
- No new `replace` directives needed

## Notes

- Go 1.24 is EOL with unpatched Critical CVEs. Upgrade to 1.25.10 is the minimum viable path.
- gRPC ended up at v1.80.0 (above target v1.79.3) because OTel v1.43.0 requires it transitively.
- OTel CVEs (CVE-2026-24051, CVE-2026-39883) are only exploitable on macOS/BSD, not Linux, but upgraded for compliance.

<details><summary>Decision log</summary>

| Decision | Rationale |
|----------|----------|
| Go 1.25.10 over 1.26.2 | ESR stability; 1.25 is closest supported release to 1.24 |
| Bump to latest where possible | Maximize CVE coverage without additional risk |
| `\|\| true` for python3-urllib3 in Dockerfile | May not be present on UBI8 minimal |
| Single branch, per-fix commits | Requested for easy review + single PR management |
| Rust 1.88.0 | Minimum version satisfying all transitive deps (time@0.3.47 needs 1.88) |
| Pin docker-ce 27.x | Docker 28+ requires containerd.io >= 1.7.27, but dogfood pins 1.7.23 |
| goimports v0.33.0 / gopls v0.21.0 | Older versions transitively pull x/tools with Go 1.25 compile errors |

</details>

> Generated by [Coder Agents](https://coder.com)

---------

Co-authored-by: Steven Masley <stevenmasley@gmail.com>
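A small verification check, added here as an example and not part of the PR or the coder project: it reads a go.mod against the minimum versions from the Changes table above and reports entries pinned below the minimum, treating pseudo-versions and pre-releases as unprovable (the page's own gomarkdown row is the case in point). The minimums map, the sample go.mod and its x/net pseudo-version are constructed for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)
// Minimum patched versions from the PR's "After" column; "go" is the go.mod directive.
var minimums = map[string]string{
	"go": "1.25.10", "google.golang.org/grpc": "v1.80.0", "golang.org/x/crypto": "v0.51.0",
	"golang.org/x/net": "v0.54.0", "github.com/go-jose/go-jose/v4": "v4.1.4",
	"go.opentelemetry.io/otel/sdk": "v1.43.0", "github.com/yuin/goldmark": "v1.7.17",
	"filippo.io/edwards25519": "v1.1.1", "github.com/cloudflare/circl": "v1.6.3",
}
// Constructed sample go.mod (not coder's real file); the x/net pseudo-version is made up.
const sampleGoMod = "module example.com/app\n\ngo 1.24.6\n\nrequire (\n" +
	"\tgoogle.golang.org/grpc v1.73.0\n\tgolang.org/x/crypto v0.51.0\n" +
	"\tgolang.org/x/net v0.0.0-20240101000000-000000000000\n\tgithub.com/cloudflare/circl v1.6.3\n)\n"
// versionKey maps "v1.2.3", "go1.2.3" or "1.2.3" to an orderable int (each component < 1000).
// Pre-release/pseudo-versions ('-' or '+') and short forms like "1.25" are rejected as unprovable.
func versionKey(v string) (key int, ok bool) {
	parts := strings.Split(strings.TrimPrefix(strings.TrimPrefix(v, "go"), "v"), ".")
	if strings.ContainsAny(v, "-+") || len(parts) != 3 {
		return 0, false
	}
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return 0, false
		}
		key = key*1000 + n
	}
	return key, true
}
// Outdated lists tracked entries of a block-form go.mod pinned below their minimum, in file order.
func Outdated(goMod string, mins map[string]string) (bad []string) {
	for _, line := range strings.Split(goMod, "\n") {
		f := append(strings.Fields(line), "", "") // pad so f[0] and f[1] always exist
		if need, tracked := mins[f[0]]; tracked {
			have, ok := versionKey(f[1])
			want, _ := versionKey(need)
			if !ok || have < want {
				bad = append(bad, f[0])
			}
		}
	}
	return bad
}
func main() { fmt.Println("below minimum:", Outdated(sampleGoMod, minimums)) }
```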