From 903ccf5798c5804f74445c930885dc21ec78f351 Mon Sep 17 00:00:00 2001
From: Michael Guarino
Date: Mon, 9 Feb 2026 18:17:17 +0000
Subject: [PATCH] fix(security): upgrade Go from 1.25.6 to 1.25.7
Addresses crypto/tls session resumption vulnerability where Config.ClientCAs or RootCAs field mutations between initial and resumed handshakes could cause sessions to succeed when they should fail.
Fixed files:
- go.mod: Updated Go version directive
- Dockerfile: Updated builder and final stage images
- dockerfiles/Dockerfile.cloud: Updated builder image
Fix Version: 1.25.7
Current Version: 1.25.6
Package: stdlib
---
 Dockerfile | 4 ++--
 dockerfiles/Dockerfile.cloud | 2 +-
 go.mod | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index f004102f..32039d35 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,7 +3,7 @@ FROM ubuntu:22.10 AS user
 # Create a nonroot user for final image
 RUN useradd -u 10001 nonroot
-FROM golang:1.25.6-alpine3.22 AS builder
+FROM golang:1.25.7-alpine3.22 AS builder
 WORKDIR /workspace
@@ -31,7 +31,7 @@ RUN CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} \
 -X "github.com/pluralsh/plural-cli/pkg/common.Date=${APP_DATE}"' \
 -o plural ./cmd/plural
-FROM golang:1.25.6-alpine3.22 AS final
+FROM golang:1.25.7-alpine3.22 AS final
 WORKDIR /
diff --git a/dockerfiles/Dockerfile.cloud b/dockerfiles/Dockerfile.cloud
index 846481f2..8aaaf014 100644
--- a/dockerfiles/Dockerfile.cloud
+++ b/dockerfiles/Dockerfile.cloud
@@ -1,4 +1,4 @@
-FROM golang:1.25.6-alpine3.22 AS builder
+FROM golang:1.25.7-alpine3.22 AS builder
 WORKDIR /workspace
diff --git a/go.mod b/go.mod
index db1a4ed4..225e8825 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/pluralsh/plural-cli
-go 1.25.6
+go 1.25.7
 require (
 cloud.google.com/go/compute v1.49.1
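Review bot: The `final` stage in the second Dockerfile hunk is still based on the full toolchain image (`FROM golang:1.25.7-alpine3.22 AS final`), so the runtime image ships a Go compiler and standard library that the `plural` binary, built with `CGO_ENABLED=0` in the builder stage, presumably does not need. The crypto/tls fix reaches the compiled binary through the builder image and the `go` directive; the final-stage bump only matters if something invokes `go` at runtime, which cannot be confirmed here because the stage's body continues outside the hunk. If nothing does, a plain Alpine base for `final` would reduce the attack surface and take this stage out of scope for future stdlib advisories. Separately, all three `FROM golang:…` lines (builder and final here, builder in dockerfiles/Dockerfile.cloud) reference a mutable tag; pinning the digest, e.g. `FROM golang:1.25.7-alpine3.22@sha256:<digest> AS builder`, would make the security upgrade reproducible and auditable.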