mirror of
https://github.com/coder/coder.git
synced 2026-06-02 20:48:20 +00:00
bddd73d5d2
Bumps Go toolchain from 1.25.9 to 1.25.10 on the v2.31.x release branch to address 11 Go stdlib CVEs identified in the IronBank v2.31.11 scan. Go 1.25.10 ([release notes](https://go.dev/doc/devel/release#go1.25.10)) includes security fixes to the go command, the pack tool, and the `html/template`, `net`, `net/http`, `net/http/httputil`, `net/mail`, and `syscall` packages.

Fixes: https://linear.app/codercom/issue/ENT-2

<details>
<summary>CVEs addressed</summary>

**High**

- CVE-2026-42501: Malicious module proxy can bypass checksum database validation
- CVE-2026-39820: net/mail ParseAddress/ParseAddressList excessive CPU/memory
- CVE-2026-33811: net LookupCNAME double-free and crash (cgo resolver)
- CVE-2026-33814: net/http HTTP/2 SETTINGS MAX_FRAME_SIZE=0 infinite loop
- CVE-2026-39836: net Dial/LookupPort panic on Windows with NUL byte (Windows-only)

**Medium**

- CVE-2026-39819: go bug writes to predictable temp file names (symlink attack)
- CVE-2026-39817: go tool pack unsanitized output filenames (arbitrary file write)

**Low**

- CVE-2026-42499: net/mail consumePhrase DoS
- CVE-2026-39826: html/template incorrect escaping in script tags
- CVE-2026-39825: net/http/httputil ReverseProxy hidden query parameters
- CVE-2026-39823: html/template XSS via whitespace in meta content attribute

</details>

<details>
<summary>Note on Terraform binary</summary>

The Terraform binary bundled in the IronBank image is downloaded from HashiCorp releases. Rebuilding it with Go 1.25.10+ requires an upstream Terraform release. This PR addresses the Coder binary; the Terraform binary fix depends on upstream.

</details>

> 🤖 Generated with [Coder Agents](https://coder.com)
> Co-Authored-By: Claude Sonnet 4 <noreply@anthropic.com>
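After a toolchain bump like this one, the thing a reviewer actually wants to confirm is that every Go binary shipped in the image now reports the patched toolchain, and that any binary that cannot be rebuilt (the bundled Terraform, per the note above) is surfaced rather than silently passing. The following is an added example, not code from the Coder project or from this PR: it parses the header lines of `go version -m` output and lists binaries built with a toolchain older than a required minimum. The binary paths and the toolchain strings in `sampleOutput` are constructed placeholders, not values read from the real IronBank image.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// sampleOutput is a constructed stand-in for the concatenated output of
// `go version -m <binary>` run over the binaries in an image. Only the header
// line ("<path>: go1.x.y") matters here; the indented module lines are skipped.
// Paths and versions are placeholders, not taken from the real image.
const sampleOutput = `/opt/coder/coder: go1.25.10
	path	github.com/coder/coder/v2/cmd/coder
	mod	github.com/coder/coder/v2	(devel)
	build	-buildmode=exe
/usr/local/bin/terraform: go1.25.9
	path	github.com/hashicorp/terraform
	mod	github.com/hashicorp/terraform	(devel)
	build	-buildmode=exe
/usr/local/bin/devtool: go1.26rc1
	path	example.invalid/devtool
	build	-buildmode=exe
`

// ParseGoVersion turns "go1.25.10" (or "go1.25") into numeric components.
// Pre-release strings such as "go1.26rc1" are rejected on purpose so that
// they are flagged for manual review instead of being compared numerically.
func ParseGoVersion(v string) ([3]int, bool) {
	var out [3]int
	if !strings.HasPrefix(v, "go") {
		return out, false
	}
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return out, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return out, false
		}
		out[i] = n
	}
	return out, true
}

// CompareGoVersions orders versions numerically, so go1.25.9 < go1.25.10.
// A plain string comparison would get that pair backwards.
func CompareGoVersions(a, b [3]int) int {
	for i := range a {
		if a[i] < b[i] {
			return -1
		}
		if a[i] > b[i] {
			return 1
		}
	}
	return 0
}

// ToolchainsFromGoVersionOutput maps each binary path to the toolchain string
// on its header line. Indented lines (module, build settings) are ignored.
func ToolchainsFromGoVersionOutput(output string) map[string]string {
	found := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		line := sc.Text()
		if line == "" || strings.HasPrefix(line, "\t") || strings.HasPrefix(line, " ") {
			continue
		}
		path, toolchain, ok := strings.Cut(line, ": ")
		if !ok {
			continue
		}
		found[path] = toolchain
	}
	return found
}

// BinariesBelow returns, sorted, the binaries whose toolchain is older than
// minimum or could not be parsed. Unparseable counts as failing, not passing.
func BinariesBelow(output, minimum string) ([]string, error) {
	required, ok := ParseGoVersion(minimum)
	if !ok {
		return nil, fmt.Errorf("bad minimum version %q", minimum)
	}
	var flagged []string
	for path, tc := range ToolchainsFromGoVersionOutput(output) {
		v, ok := ParseGoVersion(tc)
		if !ok || CompareGoVersions(v, required) < 0 {
			flagged = append(flagged, path)
		}
	}
	sort.Strings(flagged)
	return flagged, nil
}

func main() {
	flagged, err := BinariesBelow(sampleOutput, "go1.25.10")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, p := range flagged {
		fmt.Println("needs rebuild or review:", p)
	}
}
```

Run against real output, feed it `go version -m /path/to/binary` for each executable in the image; the Coder binary passes at go1.25.10 while the bundled Terraform stays on the list until the upstream release this PR's note refers to lands.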