Skip to content

fix: bump Go toolchain to 1.26.4 to address CVE-2026-42504, CVE-2026-27145, CVE-2026-42507#758

Merged
michaeljguarino merged 1 commit into
mainfrom
agent/bump-go-toolchain-1-26-4-1749134097000
Jun 5, 2026
Merged

fix: bump Go toolchain to 1.26.4 to address CVE-2026-42504, CVE-2026-27145, CVE-2026-42507#758
michaeljguarino merged 1 commit into
mainfrom
agent/bump-go-toolchain-1-26-4-1749134097000

Conversation

@plural-copilot

@plural-copilot plural-copilot Bot commented Jun 5, 2026

Copy link
Copy Markdown
Contributor

Summary

Bumps the Go toolchain to 1.26.4 to remediate three stdlib CVEs identified by Trivy scans of the mgmt/console Plural service.

CVEs Fixed

CVE Package Fixed In Description
CVE-2026-42504 stdlib 1.25.11 / 1.26.4 Malicious MIME header causes excessive CPU usage in net/mime
CVE-2026-27145 stdlib 1.25.11 / 1.26.4 x509.VerifyHostname quadratic cost with large DNS SAN lists
CVE-2026-42507 stdlib 1.25.11 / 1.26.4 net/textproto error injection via raw input in error messages

Affected Images

  • ghcr.io/pluralsh/oci-auth
  • ghcr.io/pluralsh/kubernetes-agent

Plural Service: mgmt/console

plural-copilot[bot]
plural-copilot Bot commented Jun 5, 2026
View reviewed changes

@plural-copilot plural-copilot Bot left a comment

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR was generated by the codex Plural Agent Runtime. Here's some useful information you might want to know to evaluate the ai's perfomance:

Name Details
💬 Prompt ## Task: Bump Go toolchain to 1.26.4 to fix CVEs...
🔗 Run history View run history

@michaeljguarino michaeljguarino added bug-fix This pull request fixes a bug dependencies labels Jun 5, 2026
@michaeljguarino michaeljguarino removed the bug-fix This pull request fixes a bug label Jun 5, 2026
@michaeljguarino michaeljguarino merged commit 3608fe2 into main Jun 5, 2026
14 of 17 checks passed
@michaeljguarino michaeljguarino deleted the agent/bump-go-toolchain-1-26-4-1749134097000 branch June 5, 2026 15:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@michaeljguarino michaeljguarino michaeljguarino approved these changes

@zreigz zreigz Awaiting requested review from zreigz zreigz is a code owner

@floreks floreks Awaiting requested review from floreks floreks is a code owner

@maciaszczykm maciaszczykm Awaiting requested review from maciaszczykm maciaszczykm is a code owner

Assignees

No one assigned

Labels

dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@michaeljguarino